Wednesday, November 18, 2009

Nov.18 PDF attack. U.S. ship thwarts second pirate attack November 18, 2009.pdf Nov 18, 2009 10:38:02 AM from michael.gillenwater@dhs.gov (Spoofed sender)


Download the malicious pdf (password protected, you have to contact me for the password)
http://www.mediafire.com/?ul3dzn5zqum
Email message text

Fw: U.S. ship thwarts second pirate attack November 18, 2009
michael.gillenwater
To: Undisclosed-Recipient:;
Sent: 11/18/2009 10:38 AM
>>
>>
>>> FYI
>>>
>>>
>>> ----- Original Message -----
>>> From: "Antweiler"
>>> To:
>>> Sent: Wednesday, November 18, 2009 4:40 AM
>>> Subject:Today: U.S. ship thwarts second pirate attack

Wepawet analysis
http://wepawet.cs.ucsb.edu/view.php?hash=0b9e08970966b28ad05300038a16ba22&type=js
Analysis report for U.S. ship thwarts second pirate attack November 18, 2009.pdf
Sample Overview
File    U.S. ship thwarts second pirate attack November 18, 2009.pdf
MD5    0b9e08970966b28ad05300038a16ba22
Analysis Started    2009-11-18 07:50:52
Report Generated    2009-11-18 07:50:57
JSAND version    1.03.02
Detection results
Detector    Result
JSAND 1.03.02    malicious

Exploits
Name    Description    Reference


Adobe Collab overflow    Multiple Adobe Reader and Acrobat buffer overflows    CVE-2007-5659

Adobe getIcon    Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object    CVE-2009-0927







Virustotal analysis of 11-18-2009

File Fw_U.S._ship_thwarts_second_pirat received on 2009.11.18 15:40:04 (UTC)
Current status: finished
Result: 5/41 (12.20%)
Compact Print results  Antivirus Version Last Update Result

Antiy-AVL 2.0.3.7 2009.11.18 Exploit/Win32.Pidief
BitDefender 7.2 2009.11.18 Exploit.PDF-JS.Gen
F-Secure 9.0.15370.0 2009.11.17 Exploit.PDF-JS.Gen
Sunbelt 3.2.1858.2 2009.11.17 Exploit.PDF-JS.Gen (v)
Additional information

File size: 171008 bytes
MD5   : 343e57c06907e6584f91f6545fcb87e7
SHA1  : 75084a8388a0da1dbb782d4ee6d82f2b9099c2a6
SHA256: bafec9171da2d776058428cb2f64e9c3f2493e723b05c76f7b9b15546d321a62
TrID  : File type identification
Outlook Message (58.9%)
Outlook Form Template (34.4%)
Generic OLE2 / Multistream Compound File (6.6%)
ssdeep: 3072:JyJk6yqquauN1YyQhEooogewUmtL6rUWgMLCNaGKVsO37aNCmL61EvAgeY/:QogV3KUWgMmNaGKVsOMTpA/Y/
PEiD  : -
packers (F-Prot): rtf

Virustotal scan of 11-25- 2009

File Fw_U.S._ship_thwarts_second_pirat received on 2009.11.25 05:50:23 (UTC)

Result: 16/41 (39.03%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.25 Exploit.PDF-JS!IK
Antiy-AVL 2.0.3.7 2009.11.24 Exploit/Win32.Pidief
BitDefender 7.2 2009.11.25 Exploit.PDF-JS.Gen
ClamAV 0.94.1 2009.11.25 Exploit.PDF-2075
Comodo 3026 2009.11.25 UnclassifiedMalware
eSafe 7.0.17.0 2009.11.24 Win32.Pidief.C
F-Secure 9.0.15370.0 2009.11.24 Exploit.PDF-JS.Gen
GData 19 2009.11.25 Exploit.PDF-JS.Gen
Ikarus T3.1.1.74.0 2009.11.25 Exploit.PDF-JS
Kaspersky 7.0.0.125 2009.11.25 Exploit.JS.Pdfka.aow
McAfee 5812 2009.11.24 Exploit-PDF.aa
McAfee+Artemis 5812 2009.11.24 Exploit-PDF.aa
Sophos 4.47.0 2009.11.25 Troj/PDFJs-FA
Sunbelt 3.2.1858.2 2009.11.25 Exploit.PDF-JS.Gen (v)
Symantec 1.4.4.12 2009.11.25 Trojan.Pidief.C
TrendMicro 9.0.0.1003 2009.11.25 TROJ_PIDIEF.OG

Header

Microsoft Mail Internet Headers Version 2.0
Received: from xxx.xxx.xxx ([xx.xx.xx.xx]) by smtp.xxx.xxx with Microsoft SMTPSVC(6.0.3790.3959);
  Wed, 18 Nov 2009 10:38:02 -0500
Received: from mail201.messagelabs.com ([216.82.254.211]) by  xxx.xxx.xxx with InterScan Message Security Suite; Wed, 18 Nov 2009 10:37:59 -0500
X-VirusChecked: Checked
X-Env-Sender: michael.gillenwater@dhs.gov
X-Msg-Ref: server-12.tower-201.messagelabs.com!1258558676!33333671!1
X-StarScan-Version: 6.2.4; banners=-,-,xxx.xxx
X-Originating-IP: [204.174.223.60]
X-SpamReason: No, hits=3.5 required=7.0 tests=BODY_RANDOM_LONG,
  FORGED_MUA_OUTLOOK,MIME_BASE64_TEXT
Received: (qmail 30388 invoked from network); 18 Nov 2009 15:37:57 -0000
Received: from metroplex.netnation.com (HELO metroplex.netnation.com) (204.174.223.60)
  by server-12.tower-201.messagelabs.com with SMTP; 18 Nov 2009 15:37:57 -0000
Received: from [202.58.65.132] (helo=hp693d2d99f37a)
 by metroplex.netnation.com with esmtpa (Exim 4.52)
 id 1NAmbE-0005Zq-IL; Wed, 18 Nov 2009 07:37:45 -0800
Message-ID: <3A632A35307E43509FD57ABB97FA64BE@hp693d2d99f37a>

From: "michael.gillenwater"
To:
Subject: Fw: U.S. ship thwarts second pirate attack November 18, 2009
Date: Wed, 18 Nov 2009 11:18:54 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0088_01CA6840.EA1F35B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.4548
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Return-Path: michael.gillenwater@dhs.gov
X-OriginalArrivalTime: 18 Nov 2009 15:38:02.0831 (UTC) FILETIME=[1D6F75F0:01CA6865]
------=_NextPart_000_0088_01CA6840.EA1F35B0
Content-Type: text/plain;
 charset="gb2312"
Content-Transfer-Encoding: base64
------=_NextPart_000_0088_01CA6840.EA1F35B0
Content-Type: application/octet-stream;
 name="U.S. ship thwarts second pirate attack November 18, 2009.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="U.S. ship thwarts second pirate attack November 18, 2009.pdf"
------=_NextPart_000_0088_01CA6840.EA1F35B0--
X-EsetId: 1E05CF29094670690103CF7C02123C

No comments:

Post a Comment