



No obvious symptoms.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This malicious JavaScript may come bundled inside a PDF document.


When an infected PDF is opened, the JavaScript is executed and performs the following actions:

First, it decrypts the rest of the script, which is responsible for spraying the shellcode at a specific address inside the attacked process.
It then places several NOP (No OPeration) instructions at the beginning of the code, so that execution does not land at an invalid address.
The exploit code (~450 B) first decrypts its encrypted body and locates the API functions it needs, then downloads a file from http://netcorb[removed]/load.php and saves it under the name "~.exe" in the current folder. After a successful download, it launches the file. The downloaded executable may change over time; at the time of writing, the link was dead.

The detection name stands for the infected PDF file and infected JavaScripts.
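
A defender's triage check for the delivery method described above: JavaScript inside a PDF that runs when the document is opened. This is an added example, not Bitdefender's detection logic; the function names and sample bytes are constructed for illustration, and it inspects only uncompressed PDF objects (anything inside compressed object streams is not seen).

```python
import re

# PDF names may disguise characters as #xx hex escapes (e.g. /J#61vaScript).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME = re.compile(rb"/([A-Za-z0-9#_.+-]+)")

# Names that indicate embedded script or an action that fires automatically.
SCRIPT_NAMES = {"JS", "JavaScript"}
TRIGGER_NAMES = {"OpenAction", "AA"}


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count script and auto-trigger names found in raw PDF bytes."""
    counts = {}
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(1)).decode("latin-1")
        if name in SCRIPT_NAMES or name in TRIGGER_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def runs_script_on_open(counts: dict) -> bool:
    """True when the file holds script AND something that triggers it."""
    return bool(SCRIPT_NAMES & counts.keys()) and bool(TRIGGER_NAMES & counts.keys())


# Constructed sample: a catalog with an open action pointing at a
# JavaScript action whose name is partly hex-escaped. Harmless payload.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert\\('constructed'\\);) >> endobj\n"
)
# Constructed sample: the same catalog without any action or script.
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        found = triage_pdf(blob)
        print(label, found, "script-on-open:", runs_script_on_open(found))
```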