Tuesday, December 1, 2009

Dec.1 PDF Attack of the day. Russian-Proposed European Security Treaty from sullivanchris81@yahoo.com Tue, 1 Dec 2009 04:30:47

The message sender was sullivanchris81@yahoo.com
The message originating IP was 98.136.165.26
The message recipients were XXX@XXX.XXX
The message was titled Russian-Proposed European Security Treaty
The message date was Tue, 1 Dec 2009 04:30:47 -0800 (PST)
The message identifier was <729208.94960.qm@web112801.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12 build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Tue Dec 1 12:30:52 2009
Database version: 2009-12-01_03

attach/5964623_3X_PM5_EMS_MA-PDF__European=20Security=20Treaty=2D1.pdf: Infected: Exploit.JS.Pdfka.ara [AVP]
attach/5964623_4X_PM6_EMS_MA-PDF__European=20Security=20Treaty=2D2.pdf: Infected: Exploit.JS.Pdfka.ara [AVP]

Scan ended at Tue Dec 1 12:30:52 2009
3 files scanned
2 files infected

Dear Colleagues,

Just in case you have not seen this, I attached the draft treaty for your information. The treaty was posted on the website of the Russian Government.

Hope it will be helpful for your work.

Regards,

Chris

File 1
Virustotal
File European_Security_Treaty-1.pdf received on 2009.12.11 18:18:23 (UTC)

Result: 16/41 (39.03%)

a-squared 4.5.0.43 2009.12.11 Exploit.Win32.ShellCode!IK
AntiVir 7.9.1.108 2009.12.11 HTML/Rce.Gen
Antiy-AVL 2.0.3.7 2009.12.11 Exploit/Win32.Pidief
BitDefender 7.2 2009.12.11 Trojan.Script.237170
F-Secure 9.0.15370.0 2009.12.11 Trojan.Script.237170
GData 19 2009.12.11 Trojan.Script.237170
Ikarus T3.1.1.74.0 2009.12.11 Exploit.Win32.ShellCode
Kaspersky 7.0.0.125 2009.12.11 Exploit.Win32.Pidief.cwq
McAfee 5829 2009.12.11 Exploit-PDF.q.gen!stream
McAfee+Artemis 5829 2009.12.11 Exploit-PDF.q.gen!stream
McAfee-GW-Edition 6.8.5 2009.12.11 Heuristic.Script.Rce
Microsoft 1.5302 2009.12.11 Exploit:Win32/Pdfdrop.A
NOD32 4680 2009.12.11 PDF/Exploit.Gen
Norman 6.04.03 2009.12.11 JS/ShellCode.C
Sophos 4.48.0 2009.12.11 Troj/PDFJs-FM
TrendMicro 9.100.0.1001 2009.12.11 TROJ_PIDIEF.SMP

File size: 323583 bytes
MD5...: 839be4f806c62456847b2f844df46e81
SHA1..: 31cc7f70d0323ab08bec65726767c36f2821bdb5
SHA256: 1a7d3233571b0639ad2b7247ea509f4fa79400e5d52a001469593ab19953547b
ssdeep: 6144:1ykJZ+49yOBfNEHEhz4yfhVXNrgUYwiV1moGXnN79TxNBGmf:1yk99yof2C4CITwiUnbFNtf

Wepawet
File European Security Treaty-1.pdf
MD5 839be4f806c62456847b2f844df46e81
Analysis Started 2009-12-11 10:34:01
Report Generated 2009-12-11 10:34:06
Jsand version 1.03.02

Detection results
Detector Result
Jsand 1.03.02 suspicious
http://wepawet.cs.ucsb.edu/view.php?hash=839be4f806c62456847b2f844df46e81&type=js

File 2

Virustotal
File European_Security_Treaty-2.pdf received on 2009.12.11 18:18:10 (UTC)

Result: 13/41 (31.71%)

a-squared 4.5.0.43 2009.12.11 Exploit.Win32.ShellCode!IK
AntiVir 7.9.1.108 2009.12.11 HTML/Rce.Gen
Antiy-AVL 2.0.3.7 2009.12.11 Exploit/Win32.Pidief
BitDefender 7.2 2009.12.11 Trojan.Script.237170
F-Secure 9.0.15370.0 2009.12.11 Trojan.Script.237170
GData 19 2009.12.11 Trojan.Script.237170
Ikarus T3.1.1.74.0 2009.12.11 Exploit.Win32.ShellCode
Kaspersky 7.0.0.125 2009.12.11 Exploit.Win32.Pidief.cwq
McAfee-GW-Edition 6.8.5 2009.12.11 Heuristic.Script.Rce
Microsoft 1.5302 2009.12.11 Exploit:Win32/Pdfdrop.A
NOD32 4680 2009.12.11 PDF/Exploit.Gen
Norman 6.04.03 2009.12.11 JS/ShellCode.C
Sophos 4.48.0 2009.12.11 Troj/PDFJs-FM

Additional information
File size: 856683 bytes
MD5...: 5e4d2be5bd907c0806d1044f526fe0c2
SHA1..: 10c0d93ae27803ce006d37dfbabedb15e8e78562
SHA256: 81a7dee4a6b87842b427a60a43af658b1fd2bcdf43a108c66c768017f0de4a46
ssdeep: 24576:tVX09sllTA77sRAmvoICcyroeV1M3MiazM4dEWGcCliMbnZ:tVX0ellTA77sRFvoICXroebiJGEWXCE4
http://www.virustotal.com/analisis/81a7dee4a6b87842b427a60a43af658b1fd2bcdf43a108c66c768017f0de4a46-1260555490

Wepawet
File European Security Treaty-2.pdf
MD5 5e4d2be5bd907c0806d1044f526fe0c2
Analysis Started 2009-12-11 10:41:52
Report Generated 2009-12-11 10:41:56
Jsand version 1.03.02

Detection results
Detector Result
Jsand 1.03.02 suspicious

Vicheck.ca scans

European Security Treaty-1.pdf:
SCAN: PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=839be4f806c62456847b2f844df46e81
RESULT: Embedded executable detected.
Encryption level: 1 byte key.
Exploit method detected: genexploit - PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959.
Confidence ranking: 100 (12 hits).


European Security Treaty-2.pdf:
SCAN: PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=5e4d2be5bd907c0806d1044f526fe0c2
RESULT: Embedded executable detected.
Encryption level: 1 byte key.
Exploit method detected: genexploit - PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959.
Confidence ranking: 100 (22 hits).

3 comments:

  1. Do you know the CVE # for this? I can't find it anywhere.