Wednesday, December 2, 2009

Dec.2 PDF attack. Re-Remarks of President Barack Obama from damien.tomkins@gmail.com Wed, 2 Dec 2009 22:22:04


Download the infected pdf (password protected archive, you have to contact me for the password)


The message sender was
damien.tomkins@gmail.com

The message originating IP was 209.85.222.112 The message recipients were
   ouruser@ourdomain.xxx

The message was titled Re-Remarks of President Barack Obama The message date was Wed, 2 Dec 2009 22:22:04 +0800 The message identifier was
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12  build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Wed Dec  2 14:23:01 2009 Database version: 2009-12-02_15

attach/7815385_4X_AR_PA3__Remarks=20of=20President=20Barack=20Obama.pdf: Infected: Exploit.JS.Pdfka.amp [AVP]

Scan ended at Wed Dec  2 14:23:01 2009
3 files scanned
1 file infected





Apparently, sent to a listserv member.

From: Tomkins Damien [mailto:damien.tomkins@gmail.com]
Sent: 2009-12-02 09:22
To: areger@uhrp.org
Cc: many addresses [Removed]@nbr.org; [Removed]@mac.com; [Removed]@aol.com; [Removed]@gmail.com; [Removed]@gmail.com; @afpc.org;  [Removed]@emergingmarketsgroup.com; [Removed]@frb.gov; [Removed]@hotmail.com; [Removed]@mail.doc.gov; [Removed]@mail.house.gov; [Removed]@mail.house.gov; [Removed]@practicalsmallprojects.com; cohlandt@rand.org; [Removed]@rand.org; [Removed]@state.gov; [Removed]@yahoo.com; [Removed]@georgetown.edu; [Removed]@american.edu

Subject: Re-Remarks of President Barack Obama
http://www.virustotal.com/analisis/d83237a5196a6f98f9c58868324ab13c19919e94f9ab9f83d1756d5c86622f58-1260286917
*****The attachment password is "damien"
Remarks of President Barack Obama.rar contains a pdf file with the same name


File Remarks_of_President_Barack_Obama received on 2009.12.08 15:41:57 (UTC)
Result: 8/41 (19.52%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.08 Exploit.JS.Pdfka!IK
Authentium 5.2.0.5 2009.12.02 PDF/Pidief.O
ClamAV 0.94.1 2009.12.08 Exploit.PDF-2089
eSafe 7.0.17.0 2009.12.08 PDF.Exploit.4
F-Secure 9.0.15370.0 2009.12.07 Exploit.PDF-JS.Gen
Ikarus T3.1.1.74.0 2009.12.08 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2009.12.08 Exploit.JS.Pdfka.amp
Sunbelt 3.2.1858.2 2009.12.08 Exploit.PDF-JS.Gen (v)

Additional information
File size: 148263 bytes
MD5...: b89fa058250ab69b2d15dbcc4332d320
SHA1..: 5506c024feedd17a5e10f37c1b0144b5d3081413
SHA256: d83237a5196a6f98f9c58868324ab13c19919e94f9ab9f83d1756d5c86622f58
ssdeep: 768:ZVsDIcaLjJgtPoSfiDfWR5tPjcu2bwANqkix4cHVsg:TKaLlgtPZfiD4G7bw
4pWt

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set


Wepawet analysis comes up with a different attachment name, apparently they just renamed it.
http://wepawet.iseclab.org/view.php?hash=b89fa058250ab69b2d15dbcc4332d320&type=js

File
Talking Points on PRC AF 60th Anniversary.pdf
MD5
b89fa058250ab69b2d15dbcc4332d320
Analysis Started
2009-11-24 06:42:14
Report Generated
2009-11-24 06:42:38
Jsand version
1.03.02

Detection results

Detector
Result
Jsand 1.03.02
malicious

Adobe Collab overflow
Multiple Adobe Reader and Acrobat buffer overflows
CVE-2007-5659
Adobe getIcon
Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object
CVE-2009-0927

No comments:

Post a Comment