Download infected US China Statement.pdf (password-protected archive; please contact me if you need the password)
The message sender was: Spoofed
The message recipients were: XXX@XXX.XXX
The message was titled: US China Statement.
The message date was: Tue, 22 Dec 2009 22:26:45 +0800
The message identifier was: <08db01ca8312$f3b7a7f0$9301a8c0@testacb8580da5>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Zordle.gen' found in
>>> '5964330_4X_PM6_EMS_MA-OCTET=2DSTREAM__US=20China=20Statement.pdf'.
>>> Heuristics score: 201
File US_China_Statement.pdf received on 2009.12.23 05:26:05 (UTC)
http://www.virustotal.com/analisis/6282ca81d955b745397edf2b36e87da1c45f87fd1895caa583d31a6c264dddfc-1261545965
Result: 9/41 (21.96%)
Antivirus         Version        Last update  Result
a-squared         4.5.0.43       2009.12.22   Exploit.HTML.IframeBof!IK
AntiVir           7.9.1.122      2009.12.22   HTML/Silly.Gen
BitDefender       7.2            2009.12.23   Exploit.PDF-JS.Gen
F-Secure          9.0.15370.0    2009.12.23   Exploit.PDF-JS.Gen
GData             19             2009.12.22   Exploit.PDF-JS.Gen
Ikarus            T3.1.1.79.0    2009.12.22   Exploit.HTML.IframeBof
McAfee-GW-Edition 6.8.5          2009.12.23   Script.Silly.Gen
NOD32             4710           2009.12.22   PDF/Exploit.Gen
Norman            6.04.03        2009.12.22   HTML/Shellcode.H
Additional information
File size: 146890 bytes
MD5: eacc43771bb556750af231f1d02c0a08
SHA1: 44a859b70c9012373060578cfdb20683a2cdd693
SHA256: 6282ca81d955b745397edf2b36e87da1c45f87fd1895caa583d31a6c264dddfc
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=eacc43771bb556750af231f1d02c0a08&type=js
Sample Overview
File: US China Statement.pdf
MD5: eacc43771bb556750af231f1d02c0a08
Analysis started: 2009-12-22 21:42:08
Report generated: 2009-12-22 21:42:10
Jsand 1.03.02: benign :(
Update Jan. 25, 2010
ViCheck.ca https://www.vicheck.ca/md5query.php?hash=eacc43771bb556750af231f1d02c0a08
Encrypted embedded executable with a key of 256 bytes.
Search type: xor
Matching: fuzzy
Key Length: 256 bytes
Key Location: @977 bytes
Key Accuracy: 75.00%
Fuzzy Errors: 2
File XOR Offset: @209 bytes
Type: Embedded Executable
Headers
Received: (qmail 4149 invoked from network); 22 Dec 2009 14:28:15 -0000
Received: from msr40.hinet.net (HELO msr40.hinet.net) (168.95.4.140)
by XXXXXXX SMTP; 22 Dec 2009 14:28:15 -0000
Received: from testacb8580da5 ([61.218.155.5])
by msr40.hinet.net (8.9.3/8.9.3) with ESMTP id WAA16408
for XXXXXXX; Tue, 22 Dec 2009 22:27:54 +0800 (CST)
From: SpoofedSender
Message-ID: <08db01ca8312$f3b7a7f0$9301a8c0@testacb8580da5>
To: XXXXXXXXX
Subject: US China Statement.
Date: Tue, 22 Dec 2009 22:26:45 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_08B9_01CA8355.D7D575B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Hostname: 61.218.155.5
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: Xiang He Machinery Co., Ltd.
Geo-Location Information
Country: Taiwan
State/Region: 04
City: Taichung