Wednesday, November 25, 2009

Nov.25 PDF attack. Letter on Taiwan from Nov 25, 2009 11:23 AM

Download the infected PDF (password protected, you have to contact me for the password)
This one is quite interesting:

From Rupert Hammond-Chambers []
Sent: Wednesday, November 25, 2009 9:54 AM
Subject: Letter on Taiwan

Dear Colleagues,

I first would like to extend my heartfelt gratitude for the support that you and other members of Congress have demonstrated to the Republic of China (Taiwan) over the last 30 years. Despite the absence of official relations, our common goals and interests remain strong.
Our nation has attempted to purchase follow-on F-16s since 2006 to upgrade our national defense by replacing our F-5s and other antiquated equipment and thereby respond to the growing threat that the People’s Republic of China (PRC) and its military’s modernization efforts represents to peace and security in the Taiwan Strait. We respectively ask you to support our clear military need to upgrade our F-16 force by supporting a follow-on sale of F-16s. Your support will contribute immeasurably to America and Taiwan’s shared interest in democracy and peace and security in the Taiwan Strait.
Sincerely yours,


Rupert Hammond-Chambers
US-Taiwan Business Council
1700 North Moore Street, Suite 1703
Arlington, Virginia 22209
United States of America
Telephone: (703) 465-2930
Mobile: (202) 445-4777
Facsimile: (703) 465-2937

The message sender was
The message originating IP was
The message recipients were
The message was titled Letter on Taiwan
The message date was Wed, 25 Nov 2009 22:54:26 +0800
The message identifier was <>

The virus or unauthorised code identified in the email is: Possible MalWare 'Exploit/Zordle.gen' found in; '5963968_3X_PM5_EMS_MA-PDF__Letter=20F=2D16.pdf'. Heuristics score: 201

Wepawet analysis

Sample Overview

File: Letter F-16.pdf
Jsand version: 1.03.02

Detection results
Detector            Result
Jsand 1.03.02       suspicious

Virustotal analysis

Antivirus      Version      Last Update      Result

AntiVir    2009.11.26    HTML/Rce.Gen
McAfee-GW-Edition    6.8.5    2009.11.26    Heuristic.Script.Rce
Microsoft    1.5302    2009.11.26    Exploit:Win32/ShellCode.A
NOD32    4639    2009.11.26    PDF/Exploit.Gen
Norman    6.03.02    2009.11.25    JS/ShellCode.C

Additional information

File size: 240596 bytes
MD5...: ca79bb9846a56e73f6df1bba7854d196

SHA1..: 3bfc2ed6bd6fd22c3fd3173be6bd0ed9503d9756
SHA256: e610960bbaec15337fcdb42bde1317a435a3f578fcd856f3306825a2e1b3d855
ssdeep: 3072:NqbDNcV4iKs/jbhVXNqEDgUz/8w2hKmVVjmCjakmogHF95piiXP79T/wZap

Update: December 27 Virustotal scan
File Letter_F-16.pdf received on 2009.12.28 05:15:05 (UTC)
 Result: 20/40 (50.00%)
Antivirus     Version     Last Update     Result
a-squared     2009.12.28     Exploit.Win32.ShellCode!IK
AntiVir     2009.12.28     HTML/Rce.Gen
Antiy-AVL     2009.12.25     Exploit/Win32.Pidief
Authentium     2009.12.28     PDF/Expl.FH
BitDefender     7.2     2009.12.28     Trojan.Script.239952
ClamAV     0.94.1     2009.12.28     Exploit.PDF-2516
Comodo     3390     2009.12.28     UnclassifiedMalware
F-Secure     9.0.15370.0     2009.12.28     Trojan.Script.239952
GData     19     2009.12.26     Trojan.Script.239952
Ikarus     T3.     2009.12.28     Exploit.Win32.ShellCode
Kaspersky     2009.12.28     Exploit.Win32.Pidief.cwq
McAfee-GW-Edition     6.8.5     2009.12.28     Heuristic.Script.Rce
Microsoft     1.5302     2009.12.26     Exploit:JS/Mult.CM
NOD32     4720     2009.12.27     PDF/Exploit.Gen
Norman     6.04.03     2009.12.27     JS/ShellCode.C
PCTools     2009.12.28     Trojan.Pidief
Sophos     4.49.0     2009.12.28     Troj/PDFJs-FM
Sunbelt     3.2.1858.2     2009.12.27     Exploit.PDF-JS.Gen (v)
Symantec     2009.12.28     Trojan.Pidief.E
TrendMicro     2009.12.28     Expl_ShellCodeSM

Additional information
File size: 240596 bytes
MD5   : ca79bb9846a56e73f6df1bba7854d196

Update January 26, 2010
Encrypted embedded executable with a 1-byte key.
Exploit method detected as pdfexploit: JavaScript obfuscation using unescape()
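The two indicators in this update (JavaScript fed through unescape(), and an embedded executable hidden behind a single-byte XOR key) are cheap to check for during triage. The script below is an added example and is not code from the original post or from the Wepawet/VirusTotal analyses; the PDF-like sample bytes, the key 0x8F and the fake PE stub are constructed here purely so the checks can be run offline.

```python
import re

# Constructed stand-in for a malicious PDF (NOT the real Letter F-16.pdf):
# a /JS action that builds its payload with unescape(), followed by a stream
# whose content is an "executable" header XOR-encoded with one byte (0x8F).
KEY = 0x8F
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode."
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /S /JavaScript /JS (var s = unescape('%u4141%u4242'); eval(s);) >> endobj\n"
    b"2 0 obj << /Length 1000 >> stream\n"
    + bytes(b ^ KEY for b in FAKE_PE)
    + b"\nendstream endobj\n%%EOF\n"
)

# Percent-encoded string literal passed straight into unescape(): the classic
# shape of obfuscated shellcode/heap-spray strings in PDF JavaScript.
UNESCAPE_RE = re.compile(rb"unescape\s*\(\s*['\"]((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)")
DOS_STUB = b"This program cannot be run in DOS mode"


def find_unescape_payloads(data: bytes) -> list[bytes]:
    """Return every percent-encoded literal handed to unescape()."""
    return UNESCAPE_RE.findall(data)


def find_xor_embedded_pe(data: bytes) -> list[tuple[int, int]]:
    """Try all 256 single-byte XOR keys and report (key, offset) pairs where
    the decoded bytes show an 'MZ' header with the DOS stub text close behind
    it. Requiring the stub string keeps chance 'MZ' pairs from triggering."""
    hits = []
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        for m in re.finditer(rb"MZ", decoded):
            if DOS_STUB in decoded[m.start():m.start() + 200]:
                hits.append((key, m.start()))
    return hits


if __name__ == "__main__":
    print("unescape() payloads:", find_unescape_payloads(SAMPLE))
    print("XOR-hidden PE headers (key, offset):", find_xor_embedded_pe(SAMPLE))
```

Run over a real sample, the decoded region at the reported offset can then be carved out and hashed for comparison with the AV results above.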
