Wednesday, November 25, 2009

Nov.25 PDF attack. Letter on Taiwan from rupertjhc@gmail.com Nov 25, 2009 11:23 AM


Download the infected PDF (password protected, you have to contact me for the password)
This one is quite interesting:



From Rupert Hammond-Chambers [rupertjhc@gmail.com]
To ouruser@ourdomain.xxx
Sent: Wednesday, November 25, 2009 9:54 AM
Subject Letter on Taiwan

Dear Colleagues,

I first would like to extend my heartfelt gratitude for the support that you and other members of Congress have demonstrated to the Republic of China (Taiwan) over the last 30 years. Despite the absence of official relations, our common goals and interests remain strong.
Our nation has attempted to purchase follow-on F-16s since 2006 to upgrade our national defense by replacing our F-5s and other antiquated equipment and thereby respond to the growing threat that the People’s Republic of China (PRC) and its military’s modernization efforts represents to peace and security in the Taiwan Strait. We respectively ask you to support our clear military need to upgrade our F-16 force by supporting a follow-on sale of F-16s. Your support will contribute immeasurably to America and Taiwan’s shared interest in democracy and peace and security in the Taiwan Strait.
Sincerely yours,

Rupert

--
Rupert Hammond-Chambers
President
US-Taiwan Business Council
________________________________
1700 North Moore Street, Suite 1703
Arlington, Virginia 22209
United States of America
Telephone: (703) 465-2930
Mobile: (202) 445-4777
Facsimile: (703) 465-2937
www.us-taiwan.org


The mail gateway's record of the message:

The message sender was rupertjhc@gmail.com
The message originating IP was 209.85.216.124
The message recipients were XXXXXXXXXXXXXXX
The message was titled Letter on Taiwan
The message date was Wed, 25 Nov 2009 22:54:26 +0800
The message identifier was <41b1e51c0911250654q1699e232w4f1a180d1f7c3ce4@mail.gmail.com>

The virus or unauthorised code identified in the email is: Possible MalWare 'Exploit/Zordle.gen' found in; '5963968_3X_PM5_EMS_MA-PDF__Letter=20F=2D16.pdf'. Heuristics score: 201

A few things are worth reading out of that record. The Date header carries a +0800 offset (22:54 local, 14:54 UTC), so the sending client's clock was set to UTC+8, although the signature block places the purported sender in Arlington, Virginia. The Message-ID ends in @mail.gmail.com and the originating address sits in Google's range, which is consistent with the message genuinely having been sent through Gmail from a free gmail.com account in the name of the US-Taiwan Business Council president, rather than with a forged Gmail header. The attachment name in the alert is quoted-printable encoded (=20 is a space, =2D a hyphen), so the attachment is 'Letter F-16.pdf', the name the sandbox and scanner results below also show.


Wepawet analysis

http://wepawet.cs.ucsb.edu/view.php?hash=ca79bb9846a56e73f6df1bba7854d196&type=js

Sample overview
File:          Letter F-16.pdf
Jsand version: 1.03.02

Detection results
Detector        Result
Jsand 1.03.02   suspicious

Virustotal analysis

http://www.virustotal.com/analisis/e610960bbaec15337fcdb42bde1317a435a3f578fcd856f3306825a2e1b3d855-1259261136

Antivirus            Version       Last Update   Result
AntiVir              7.9.1.78      2009.11.26    HTML/Rce.Gen
McAfee-GW-Edition    6.8.5         2009.11.26    Heuristic.Script.Rce
Microsoft            1.5302        2009.11.26    Exploit:Win32/ShellCode.A
NOD32                4639          2009.11.26    PDF/Exploit.Gen
Norman               6.03.02       2009.11.25    JS/ShellCode.C

Additional information

File size: 240596 bytes
MD5   : ca79bb9846a56e73f6df1bba7854d196
SHA1  : 3bfc2ed6bd6fd22c3fd3173be6bd0ed9503d9756
SHA256: e610960bbaec15337fcdb42bde1317a435a3f578fcd856f3306825a2e1b3d855
ssdeep: 3072:NqbDNcV4iKs/jbhVXNqEDgUz/8w2hKmVVjmCjakmogHF95piiXP79T/wZapNBGr4:WG4yfhVXNrgUYwiV1moGXnN79TxNBGmf

Update: December 27 Virustotal scan

File Letter_F-16.pdf received on 2009.12.28 05:15:05 (UTC)
Result: 20/40 (50.00%)

Same file (the MD5 below matches the original submission); a month after delivery the number of engines naming it has risen from the five listed above to 20 of 40.

Antivirus     Version     Last Update     Result
a-squared     4.5.0.43     2009.12.28     Exploit.Win32.ShellCode!IK
AntiVir     7.9.1.122     2009.12.28     HTML/Rce.Gen
Antiy-AVL     2.0.3.7     2009.12.25     Exploit/Win32.Pidief
Authentium     5.2.0.5     2009.12.28     PDF/Expl.FH
BitDefender     7.2     2009.12.28     Trojan.Script.239952
ClamAV     0.94.1     2009.12.28     Exploit.PDF-2516
Comodo     3390     2009.12.28     UnclassifiedMalware
F-Secure     9.0.15370.0     2009.12.28     Trojan.Script.239952
GData     19     2009.12.26     Trojan.Script.239952
Ikarus     T3.1.1.79.0     2009.12.28     Exploit.Win32.ShellCode
Kaspersky     7.0.0.125     2009.12.28     Exploit.Win32.Pidief.cwq
McAfee-GW-Edition     6.8.5     2009.12.28     Heuristic.Script.Rce
Microsoft     1.5302     2009.12.26     Exploit:JS/Mult.CM
NOD32     4720     2009.12.27     PDF/Exploit.Gen
Norman     6.04.03     2009.12.27     JS/ShellCode.C
PCTools     7.0.3.5     2009.12.28     Trojan.Pidief
Sophos     4.49.0     2009.12.28     Troj/PDFJs-FM
Sunbelt     3.2.1858.2     2009.12.27     Exploit.PDF-JS.Gen (v)
Symantec     1.4.4.12     2009.12.28     Trojan.Pidief.E
TrendMicro     9.120.0.1004     2009.12.28     Expl_ShellCodeSM

Additional information
File size: 240596 bytes
MD5   : ca79bb9846a56e73f6df1bba7854d196

Update January 26, 2010
ViCheck
 https://www.vicheck.ca/md5query.php?hash=ca79bb9846a56e73f6df1bba7854d196
Encrypted embedded executable with a key of 1 bytes.
Exploit method detected as pdfexploit - Javascript obfuscation using unescape
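The two ViCheck findings describe what a PDF exploit of this kind usually carries: shellcode staged through JavaScript unescape("%u...") strings, and a dropped executable hidden in the file under a one-byte key. The Python below is an added example (not from the original post, and not ViCheck's code) that reimplements both checks and runs them over a constructed sample PDF, not over Letter F-16.pdf. It assumes the one-byte key is XOR; the ViCheck output does not say which scheme it saw.

```python
"""Added example, not from the original post or from ViCheck: decode
unescape()-staged shellcode and brute-force a single-byte XOR key over a
PDF to locate an embedded PE. The sample PDF below is constructed."""
import re
import struct
import zlib

_UNESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_CALL_RE = re.compile(rb"unescape\(\s*([\"'])(.*?)\1\s*\)", re.S)
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_unescape(js: str) -> bytes:
    """Decode a JavaScript unescape()-style string to raw bytes.

    %uXXXX is a 16-bit code unit that lands in memory little-endian, so
    "%uE8FC" becomes FC E8; %XX is one byte; anything else is literal.
    """
    out = bytearray()
    pos = 0
    for m in _UNESCAPE_RE.finditer(js):
        out += js[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += js[pos:].encode("latin-1")
    return bytes(out)


def inflate_streams(pdf: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the file bytes
    so that JavaScript hidden in compressed objects becomes searchable."""
    inflated = []
    for m in _STREAM_RE.finditer(pdf):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not deflate data (or truncated): skip it
    return pdf + b"\n" + b"\n".join(inflated)


def extract_unescape_payloads(pdf: bytes) -> list:
    """Decode the argument of every unescape("...") call in the PDF."""
    data = inflate_streams(pdf)
    return [decode_unescape(m.group(2).decode("latin-1"))
            for m in _CALL_RE.finditer(data)]


def find_xored_pe(data: bytes) -> list:
    """Return (key, offset) for every single-byte XOR key under which the data
    holds an MZ header whose e_lfanew points at a PE\\0\\0 signature.
    Key 0 catches an executable embedded in the clear."""
    hits = []
    for key in range(256):
        dec = data.translate(bytes(b ^ key for b in range(256)))  # one C-level pass
        idx = dec.find(b"MZ")
        while idx != -1:
            if idx + 0x40 <= len(dec):
                e_lfanew = struct.unpack_from("<I", dec, idx + 0x3C)[0]
                pe = idx + e_lfanew
                if 0x40 <= e_lfanew <= 0x1000 and dec[pe:pe + 4] == b"PE\x00\x00":
                    hits.append((key, idx))
            idx = dec.find(b"MZ", idx + 1)
    return hits


# Constructed sample: a tiny PDF with a deflated JS object and a fake PE
# header skeleton XORed with 0x5A. Not a real exploit or executable.
def _fake_pe() -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew -> 0x80
    return bytes(hdr) + b"PE\x00\x00\x4c\x01" + bytes(32)    # PE sig, Machine=i386


SAMPLE_KEY = 0x5A
_SAMPLE_JS = (b'var sc = unescape("%u9090%u9090%uE8FC%u0082");'
              b'var nops = unescape("%u0A0A%u0A0A"); app.setTimeOut("go()", 1);')
_JS_STREAM = zlib.compress(_SAMPLE_JS)
_XORED_PE = _fake_pe().translate(bytes(b ^ SAMPLE_KEY for b in range(256)))
SAMPLE_PDF = (b"%PDF-1.4\n"
              + b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              + b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
              + b"3 0 obj\n<< /Length " + str(len(_JS_STREAM)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + _JS_STREAM + b"\nendstream\nendobj\n"
              + b"4 0 obj\n<< /Length " + str(len(_XORED_PE)).encode() + b" >>\nstream\n"
              + _XORED_PE + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_PE_OFFSET = SAMPLE_PDF.index(_XORED_PE)

if __name__ == "__main__":
    for p in extract_unescape_payloads(SAMPLE_PDF):
        print("unescape payload:", p.hex())
    for key, off in find_xored_pe(SAMPLE_PDF):
        print("embedded PE under XOR key 0x%02x at offset 0x%x" % (key, off))
```

On a real sample, point the two functions at the raw file bytes. Only FlateDecode streams are inflated here; object streams and other filters (LZW, ASCIIHex, ASCII85) would need their own decoders, and a one-byte ADD or ROL key rather than XOR would need a second brute-force loop of the same shape.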
