Clicky

Pages

Friday, December 11, 2009

Dec.11 Adobe 0 day CVE-2009-4324 Attack of the Day (#1). Fwd: Reference from christanderson.ma@gmail.com Fri 2009-12-11 01:08


Download infected pdf. (password protected archive. Please contact me for the password)

The message sender was
chrisanderson.ma@gmail.com

The message originating IP was 209.85.223.197 The message recipients were
XXX@XXX.XXX

The message was titled Fwd: reference
The message date was Fri, 11 Dec 2009 15:18:05 +0900 The message identifier was <3b0a7fee0912102218y2a5125b6l647440877727e6cc@mail.gmail.com>
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in'5963958_1001X_PA3_APDF__pdf_obj_110_0.js'. Heuristics score: 651




From: Rachel Millstone
Date: Dec 11, 2009 3:12 PM
Subject: reference
To: chrisanderson.ma@gmail.com

Dear All
Please find attached the updated country briefing notes, and staff lists.

Kind regards
Rachel



Virustotal
File note_20091210.pdf received on 2009.12.11 17:35:39 (UTC)
Result: 4/41 (9.76%)

AntiVir 7.9.1.108 2009.12.11 HTML/Malicious.PDF.Gen
eSafe 7.0.17.0 2009.12.10 PDF.Exploit.4
McAfee-GW-Edition 6.8.5 2009.12.11 Script.Malicious.PDF.Gen 
NOD32 4679 2009.12.11 PDF/Exploit.Gen 

Update (December14-2009)
Virustotal
received on 2009.12.15 05:16:00 (UTC)
Result: 8/41 (19.52%)
http://www.virustotal.com/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1260854160
AntiVir 7.9.1.108 2009.12.14 HTML/Malicious.PDF.Gen
Comodo 3248 2009.12.15 UnclassifiedMalware
eSafe 7.0.17.0 2009.12.14 PDF.Exploit.4
Kaspersky 7.0.0.125 2009.12.15 Exploit.JS.Pdfka.atq
McAfee-GW-Edition 6.8.5 2009.12.15 Script.Malicious.PDF.Gen
NOD32 4688 2009.12.15 PDF/Exploit.Gen
PCTools 7.0.3.5 2009.12.15 Trojan.Pidief
Symantec 1.4.4.12 2009.12.15
Trojan.Pidief.H

Adobe 0 - day  CVE-2009-4324
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
http://www.symantec.com/connect/blogs/zero-day-xmas-present







File size: 400918 bytes
MD5...: 61baabd6fc12e01ff73ceacc07c84f9a
SHA1..: 0805d0ae62f5358b9a3f4c1868d552f5c3561b17
SHA256: 27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa
ssdeep: 1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8V
E9sT6BpfneilR/8k

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set

http://www.virustotal.com/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1260552939/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1260552939


http://wepawet.cs.ucsb.edu/view.php?hash=61baabd6fc12e01ff73ceacc07c84f9a&type=js

File note_20091210.pdf
MD5 61baabd6fc12e01ff73ceacc07c84f9a
Analysis Started 2009-12-11 09:50:37
Report Generated 2009-12-11 09:50:41
Jsand version 1.03.02

Jsand 1.03.02 benign :(

Update December 21, 2009

Download all CVE-2009-4324 files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)


  1. See post with CVE-2009-4324 Sample#0 (Nov. 30, 2009)  note200911.pdf 61baabd6fc12e01ff73ceacc07c84f9a
  2. See post with CVE-2009-4324 sample #1 (Dec 11, 2009) note_20091210.pdf  61baabd6fc12e01ff73ceacc07c84f9a
  3. See post with CVE-2009-4324 sample #2 (Dec. 13, 2009) Outline of Interview.pdf 35e8eeee2b94cbe87e3d3f843ec857f6
  4. See post with CVE-2009-4324 Sample #3 (Dec 18, 2009) merry christmas.pdf  955bade419a9ba9e5650ccb3dda88844
  5. See post with CVE-2009-4324 Sample #4 (Dec 18, 2009) 「寶貝悶」瘋狂照.pdf --renamed to crazyphoto.zip 8950bbedf4a7f1d518e859f9800f9347 
  6. See post with CVE-2009-4324 Sample #5 (Dec 21, 2009) 海基會協商代表團預備性磋商名單.pdf renamed to SEFdiscussionsm.zip.0ab2fd3b6c385049f9eb4a559dbdc8a6


3 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. hey i need to embed hello wold exe in pdf can anyone guide me plz

    ReplyDelete