Tuesday, December 22, 2009

Dec 22 Exploit/Zordle.gen Attack of the Day US China Statement from spoofed sender Tue, 22 Dec 2009 22:26:45



Download infected US China Statement.pdf (Password protected archive, please contact me if you need the password) 




The message sender was
    Spoofed
 message recipients were
    XXX@XXX.XXX
The message was titled US China Statement.
The message date was Tue, 22 Dec 2009 22:26:45 +0800 The message identifier was <08db01ca8312$f3b7a7f0$9301a8c0@testacb8580da5>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Zordle.gen' found in
>>> '5964330_4X_PM6_EMS_MA-OCTET=2DSTREAM__US=20China=20Statement.pdf'.
>>> Heuristics score: 201





 File US_China_Statement.pdf received on 2009.12.23 05:26:05 (UTC)
http://www.virustotal.com/analisis/6282ca81d955b745397edf2b36e87da1c45f87fd1895caa583d31a6c264dddfc-1261545965
Result: 9/41 (21.96%)
a-squared    4.5.0.43    2009.12.22    Exploit.HTML.IframeBof!IK
AntiVir    7.9.1.122    2009.12.22    HTML/Silly.Gen
BitDefender    7.2    2009.12.23    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.23    Exploit.PDF-JS.Gen
GData    19    2009.12.22    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.79.0    2009.12.22    Exploit.HTML.IframeBof
McAfee-GW-Edition    6.8.5    2009.12.23    Script.Silly.Gen
NOD32    4710    2009.12.22    PDF/Exploit.Gen
Norman    6.04.03    2009.12.22    HTML/Shellcode.H
    -
Additional information
File size: 146890 bytes
MD5...: eacc43771bb556750af231f1d02c0a08
SHA1..: 44a859b70c9012373060578cfdb20683a2cdd693
SHA256: 6282ca81d955b745397edf2b36e87da1c45f87fd1895caa583d31a6c264dddfc

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=eacc43771bb556750af231f1d02c0a08&type=js
Sample Overview
File US China Statement.pdf
MD5 eacc43771bb556750af231f1d02c0a08
Analysis Started 2009-12-22 21:42:08
Report Generated 2009-12-22 21:42:10
Jsand 1.03.02 benign :(

Update Jan. 25, 2010
ViCheck.ca
https://www.vicheck.ca/md5query.php?hash=eacc43771bb556750af231f1d02c0a08
Encrypted embedded executable with a key of 256 bytes.
Search type: xor
Matching: fuzzy
Key Length: 256 bytes
Key Location: @977 bytes
Key Accuracy: 75.00%
Fuzzy Errors: 2
File XOR Offset: @209 bytes
Type: Embedded Executable


Headers
Received: (qmail 4149 invoked from network); 22 Dec 2009 14:28:15 -0000
Received: from msr40.hinet.net (HELO msr40.hinet.net) (168.95.4.140)
  by XXXXXXX SMTP; 22 Dec 2009 14:28:15 -0000
Received: from testacb8580da5 ([61.218.155.5])
    by msr40.hinet.net (8.9.3/8.9.3) with ESMTP id WAA16408
    for XXXXXXX; Tue, 22 Dec 2009 22:27:54 +0800 (CST)
From: SpoofedSender
Message-ID: <08db01ca8312$f3b7a7f0$9301a8c0@testacb8580da5>
To: XXXXXXXXX
Subject: US China Statement.
Date: Tue, 22 Dec 2009 22:26:45 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_08B9_01CA8355.D7D575B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180


Hostname: 61.218.155.5
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: Xiang He Machinery Co., Ltd.
Geo-Location Information
Country: Taiwan  
State/Region: 04
City: Taichung

No comments:

Post a Comment