Friday, August 13, 2010

Aug 13 CVE-2009-4324 PDF Letter

Download: 53c39496579bcbda962d93734552397b info.pdf as a password-protected archive (contact me if you need the password)

Download analysis files by Tom 

Sent from a spoofed sender address.

Headers

Received: from B-A7F64A4BB7EC4 (60-251-61-88.HINET-IP.hinet.net [60.251.61.88])
    by msr40.hinet.net (8.9.3/8.9.3) with ESMTP id KAA16513
    for xxxxxxxxxxxxxxxx; Fri, 13 Aug 2010 10:33:21 +0800 (CST)
Reply-To: xxxxxxxxxxxxxxxxxxxxxx
From: xxxxxxxxxxxxxxxxxxxxxxxxx
To: xxxxxxxxxxxxxxxx
Subject: Letter from XXX
Date: Fri, 13 Aug 2010 10:33:19 +0800
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_10081310330437422578431_000"
X-Priority: 3
X-Mailer: DreamMail 4.4.1.0

60.251.61.88
Hostname:    60-251-61-88.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    CHTD, Chunghwa Telecom Co., Ltd.
Assignment:    Static IP
Country:    Taiwan 

File name: info.pdf
http://www.virustotal.com/file-scan/report.html?id=e27948456c74ea0ed36a18091a66bd5641a5d1033f8d7893803475a661105bc9-1282002524
Submission date: 2010-08-16 23:48:44 (UTC)
Result: 13/42 (31.0%)
Authentium     5.2.0.5     2010.08.16     JS/Pdfka.V
Avast     4.8.1351.0     2010.08.16     JS:Pdfka-gen
Avast5     5.0.332.0     2010.08.16     JS:Pdfka-gen
AVG     9.0.0.851     2010.08.16     Exploit.PDF
BitDefender     7.2     2010.08.17     Exploit.PDF-JS.Gen
DrWeb     5.0.2.03300     2010.08.17     Exploit.PDF.1301
eTrust-Vet     36.1.7794     2010.08.16     PDF/CVE-2010-1297.B!exploit
F-Prot     4.6.1.107     2010.08.16     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.08.17     Exploit.PDF-JS.Gen
GData     21     2010.08.17     Exploit.PDF-JS.Gen
Kaspersky     7.0.0.125     2010.08.16     Exploit.JS.Pdfka.cqx
Norman     6.05.11     2010.08.16     JS/Shellcode.IZ
nProtect     2010-08-16.02     2010.08.16     Exploit.PDF-JS.Gen
MD5: 53c39496579bcbda962d93734552397b


CVE-2009-4324

Analysis files from Tom

The embedded exe file has been encoded with a per-byte cipher: xor ah, 0xC1 followed by rol ah, 1.
List of included files:
  • exe_decrypt.bin
  • exe_encrypt.bin
  • new_pdf.pdf
  • shell_code.dec
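To recover an embedded executable encoded the way the note above describes, an analyst needs the inverse of the two byte operations. The decoder below is an added example, not part of the post or of Tom's analysis files; it assumes "xor 0xC1, then rol 1" is the encoding order (so decoding is ror 1, then xor 0xC1), tries the literal reading as well in case the note quoted the decryptor, and uses a PE-header check on the output to decide which reading is right. The sample payload is constructed here, not taken from the real sample.

```python
from typing import Callable, Optional, Tuple

XOR_KEY = 0xC1  # key stated in the post


def rol8(b: int, n: int = 1) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int = 1) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Scheme as written in the post: xor key, then rol 1 (assumed encoding order)."""
    return bytes(rol8(b ^ key) for b in data)


def decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Inverse of encode(): ror 1 first, then xor key."""
    return bytes(ror8(b) ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Carving sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover(blob: bytes) -> Optional[Tuple[bytes, str]]:
    """Try both readings of the post's note; return the output that is a PE, with its label."""
    candidates: Tuple[Tuple[str, Callable[[bytes], bytes]], ...] = (
        ("inverse: ror 1, xor 0xC1", decode),   # note describes the encryptor
        ("literal: xor 0xC1, rol 1", encode),   # note describes the decryptor
    )
    for label, fn in candidates:
        out = fn(blob)
        if looks_like_pe(out):
            return out, label
    return None


# Constructed stand-in for a carved payload: a minimal MZ stub whose e_lfanew (0x40)
# points at a 'PE\0\0' signature. These are not the real sample's bytes.
SAMPLE_EXE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_ENCODED = encode(SAMPLE_EXE)

if __name__ == "__main__":
    result = recover(SAMPLE_ENCODED)
    print("no PE found" if result is None else f"recovered PE via {result[1]}")
```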
File name: exe_decrypt.bin
http://www.virustotal.com/file-scan/report.html?id=a4a596451d8d29a95ba11a5d9f0be4659f8e3acc6f6730c0b77fc9da07ccd154-1283224992
Submission date:
Result: 7/43 (16.3%)
AhnLab-V3    2010.08.31.00    2010.08.31    Win-Trojan/Agent.36864.BOH
AVG    9.0.0.851    2010.08.30    Generic18.BHJW
Fortinet    4.1.143.0    2010.08.30    W32/RSdroper.B!tr
McAfee    5.400.0.1158    2010.08.31    Downloader-BIJ
McAfee-GW-Edition    2010.1B    2010.08.31    Downloader-BIJ
Microsoft    1.6103    2010.08.30    TrojanDownloader:Win32/Buzus.C
Norman    6.05.11    2010.08.30    W32/Malware
MD5: ff188adc3be1cfb178c04e66fdfb31a8

File name: exe_encrypt.bin
http://www.virustotal.com/file-scan/report.html?id=02b2735b9de1bab65d9839971e953de647aa8faec1bee4ea8a09ad9bab1e6e40-1283225061
Result: 1/43 (2.3%)
SUPERAntiSpyware    4.40.0.1006    2010.08.31    Rogue.Agent/Gen-Nullo[BIN]
MD5: 79b7652c371afcc3ef3c449e8c6c4d61

File name: shell_code.dec
http://www.virustotal.com/file-scan/report.html?id=081b1ac4f134c20daac762aaaee21184d2953ebe01988ce341622a400a9f9a3d-1283225511
Result: 7/43 (16.3%)
AVG    9.0.0.851    2010.08.30    Exploit.PDF
Kaspersky    7.0.0.125    2010.08.30    Exploit.JS.Pdfka.cqx
Microsoft    1.6103    2010.08.30    Exploit:Win32/Pdfjsc.HH
Norman    6.05.11    2010.08.30    JS/Shellcode.IZ
TrendMicro    9.120.0.1004    2010.08.30    JS_SHELLCODE.SM
TrendMicro-HouseCall    9.120.0.1004    2010.08.31    JS_SHELLCODE.SM
VBA32    3.12.14.0    2010.08.30    Exploit.JS.Pdfka.cqx
MD5: 604585dc238662462b1b1efce8fb924c

File name: new_pdf.pdf

