Email message text
Fw: U.S. ship thwarts second pirate attack November 18, 2009
michael.gillenwater
To: Undisclosed-Recipient:;
Sent: 11/18/2009 10:38 AM
>>
>>
>>> FYI
>>>
>>>
>>> ----- Original Message -----
>>> From: "Antweiler"
>>> To:
>>> Sent: Wednesday, November 18, 2009 4:40 AM
>>> Subject: Today: U.S. ship thwarts second pirate attack
Wepawet analysis
http://wepawet.cs.ucsb.edu/view.php?hash=0b9e08970966b28ad05300038a16ba22&type=js
Virustotal https://www.virustotal.com/gui/file/5464cfb7c8912c0dbc8b97ac342efd1b39561dba1cb47f69ee70114c7908565a/details
Analysis report for U.S. ship thwarts second pirate attack November 18, 2009.pdf
Sample Overview
File: U.S. ship thwarts second pirate attack November 18, 2009.pdf
MD5: 0b9e08970966b28ad05300038a16ba22
Analysis Started: 2009-11-18 07:50:52
Report Generated: 2009-11-18 07:50:57
JSAND version: 1.03.02
Detection results
Detector JSAND 1.03.02, Result: malicious
Exploits
Adobe Collab overflow: Multiple Adobe Reader and Acrobat buffer overflows (CVE-2007-5659)
Adobe getIcon: Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object (CVE-2009-0927)
Virustotal analysis of 11-18-2009
File Fw_U.S._ship_thwarts_second_pirat received on 2009.11.18 15:40:04 (UTC)
Current status: finished
Result: 5/41 (12.20%)
Antivirus Version Last Update Result
Antiy-AVL 2.0.3.7 2009.11.18 Exploit/Win32.Pidief
BitDefender 7.2 2009.11.18 Exploit.PDF-JS.Gen
F-Secure 9.0.15370.0 2009.11.17 Exploit.PDF-JS.Gen
Sunbelt 3.2.1858.2 2009.11.17 Exploit.PDF-JS.Gen (v)
Additional information
File size: 171008 bytes
MD5 : 343e57c06907e6584f91f6545fcb87e7
SHA1 : 75084a8388a0da1dbb782d4ee6d82f2b9099c2a6
SHA256: bafec9171da2d776058428cb2f64e9c3f2493e723b05c76f7b9b15546d321a62
TrID : File type identification
Outlook Message (58.9%)
Outlook Form Template (34.4%)
Generic OLE2 / Multistream Compound File (6.6%)
ssdeep: 3072:JyJk6yqquauN1YyQhEooogewUmtL6rUWgMLCNaGKVsO37aNCmL61EvAgeY/:QogV3KUWgMmNaGKVsOMTpA/Y/
PEiD : -
packers (F-Prot): rtf
Virustotal scan of 11-25-2009
File Fw_U.S._ship_thwarts_second_pirat received on 2009.11.25 05:50:23 (UTC)
Result: 16/41 (39.03%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.25 Exploit.PDF-JS!IK
Antiy-AVL 2.0.3.7 2009.11.24 Exploit/Win32.Pidief
BitDefender 7.2 2009.11.25 Exploit.PDF-JS.Gen
ClamAV 0.94.1 2009.11.25 Exploit.PDF-2075
Comodo 3026 2009.11.25 UnclassifiedMalware
eSafe 7.0.17.0 2009.11.24 Win32.Pidief.C
F-Secure 9.0.15370.0 2009.11.24 Exploit.PDF-JS.Gen
GData 19 2009.11.25 Exploit.PDF-JS.Gen
Ikarus T3.1.1.74.0 2009.11.25 Exploit.PDF-JS
Kaspersky 7.0.0.125 2009.11.25 Exploit.JS.Pdfka.aow
McAfee 5812 2009.11.24 Exploit-PDF.aa
McAfee+Artemis 5812 2009.11.24 Exploit-PDF.aa
Sophos 4.47.0 2009.11.25 Troj/PDFJs-FA
Sunbelt 3.2.1858.2 2009.11.25 Exploit.PDF-JS.Gen (v)
Symantec 1.4.4.12 2009.11.25 Trojan.Pidief.C
TrendMicro 9.0.0.1003 2009.11.25 TROJ_PIDIEF.OG
Header
Microsoft Mail Internet Headers Version 2.0
Received: from xxx.xxx.xxx ([xx.xx.xx.xx]) by smtp.xxx.xxx with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 18 Nov 2009 10:38:02 -0500
Received: from mail201.messagelabs.com ([216.82.254.211]) by xxx.xxx.xxx with InterScan Message Security Suite; Wed, 18 Nov 2009 10:37:59 -0500
X-VirusChecked: Checked
X-Env-Sender: michael.gillenwater@dhs.gov
X-Msg-Ref: server-12.tower-201.messagelabs.com!1258558676!33333671!1
X-StarScan-Version: 6.2.4; banners=-,-,xxx.xxx
X-Originating-IP: [204.174.223.60]
X-SpamReason: No, hits=3.5 required=7.0 tests=BODY_RANDOM_LONG,
FORGED_MUA_OUTLOOK,MIME_BASE64_TEXT
Received: (qmail 30388 invoked from network); 18 Nov 2009 15:37:57 -0000
Received: from metroplex.netnation.com (HELO metroplex.netnation.com) (204.174.223.60)
by server-12.tower-201.messagelabs.com with SMTP; 18 Nov 2009 15:37:57 -0000
Received: from [202.58.65.132] (helo=hp693d2d99f37a)
by metroplex.netnation.com with esmtpa (Exim 4.52)
id 1NAmbE-0005Zq-IL; Wed, 18 Nov 2009 07:37:45 -0800
Message-ID: <3A632A35307E43509FD57ABB97FA64BE@hp693d2d99f37a>
From: "michael.gillenwater"
To:
Subject: Fw: U.S. ship thwarts second pirate attack November 18, 2009
Date: Wed, 18 Nov 2009 11:18:54 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0088_01CA6840.EA1F35B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.4548
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Return-Path: michael.gillenwater@dhs.gov
X-OriginalArrivalTime: 18 Nov 2009 15:38:02.0831 (UTC) FILETIME=[1D6F75F0:01CA6865]
------=_NextPart_000_0088_01CA6840.EA1F35B0
Content-Type: text/plain;
charset="gb2312"
Content-Transfer-Encoding: base64
------=_NextPart_000_0088_01CA6840.EA1F35B0
Content-Type: application/octet-stream;
name="U.S. ship thwarts second pirate attack November 18, 2009.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="U.S. ship thwarts second pirate attack November 18, 2009.pdf"
------=_NextPart_000_0088_01CA6840.EA1F35B0--
X-EsetId: 1E05CF29094670690103CF7C02123C