Download CVE-2009-4324 samples (password-protected archives; use the same password you used on the samples above or contact me for the password)
Details: 99年(春節)消費者福利表.pdf - c61c231d93d3bd690dd04b6de7350abb
Original (Traditional Chinese) lure email as shown to the recipient:
From: 國防部福利總處 [mailto:gwsm01@gwsm.gov.tw]
Sent: 2009-12-28 8:03 AM
To: xxxxxx
Subject: 檢送國防部福利總處99年(春節)消費者福利表文件乙份,請查照!
詳情登陸國防部福利總處 http://www.gwsm.gov.tw/
服務專線: (02)2392-2377
地址:臺北市信義路一段3號
郵政信箱:台北郵政90036號信箱
網頁維護:綜合資訊組 分機:709
English translation:
From: General Welfare Service, Ministry of National Defense [mailto:gwsm01@gwsm.gov.tw]
Sent: 2009-12-28 8:03 AM
To: xxxxxx
Subject: Enclosed is one copy of the General Welfare Service, Ministry of National Defense, ROC year 99 (2010) Lunar New Year consumer welfare table; please review!
For details, log on to the General Welfare Service, Ministry of National Defense: http://www.gwsm.gov.tw/
Service hotline: (02) 2392-2377
Address: No. 3, Section 1, Xinyi Road, Taipei City
PO Box: Taipei Post Office Box 90036
Web maintenance: General Information Section, ext. 709
Headers
Received: from gwsm (61-219-229-222.HINET-IP.hinet.net [61.219.229.222])
 by msr15.hinet.net (8.9.3/8.9.3) with ESMTP id WAA17650
 for xxxxxxxx; Mon, 28 Dec 2009 22:08:05 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@gwsm01212af2ce2>
From: "國防部福利總處" (big5 display name; shown as mojibake in the original capture)
To: xxxxxxxxx
Subject: =?big5?B?wMuwZbDqqL6zobrWp1HBYLNCOTmmfiisS7hgKa74tk+qzLrWp1Gq7aTlpfOkQQ==?=
=?big5?B?pfcsvdCsZLfTIQ==?=
Date: Mon, 28 Dec 2009 21:02:36 +0800
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
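The headers above carry the three things a mail analyst would check first on a lure like this: the RFC 2047 big5-encoded Subject (which decodes to the same string the recipient saw), the first-hop Received line (a HiNet ADSL subscriber relaying mail for a gov.tw sender), and the gap between the client's Date header and the relay's timestamp. The script below is an added example, not part of the original post; it reconstructs the captured headers inline (the recipient address and the From display name are constructed placeholders, everything else is transcribed from the capture) and runs those checks with the standard library only.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr, parsedate_to_datetime
from typing import Optional

# Header block reconstructed from the capture in the post. The recipient address
# and the From display name are constructed placeholders; Received, Message-ID,
# Subject, Date and X-Mailer are the captured values.
RAW_HEADERS = """\
Received: from gwsm (61-219-229-222.HINET-IP.hinet.net [61.219.229.222])
 by msr15.hinet.net (8.9.3/8.9.3) with ESMTP id WAA17650
 for <recipient@example.invalid>; Mon, 28 Dec 2009 22:08:05 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@gwsm01212af2ce2>
From: "GWSM (constructed display name)" <gwsm01@gwsm.gov.tw>
To: <recipient@example.invalid>
Subject: =?big5?B?wMuwZbDqqL6zobrWp1HBYLNCOTmmfiisS7hgKa74tk+qzLrWp1Gq7aTlpfOkQQ==?=
 =?big5?B?pfcsvdCsZLfTIQ==?=
Date: Mon, 28 Dec 2009 21:02:36 +0800
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

"""

# "from <HELO> (<reverse DNS> [<ip>])" as written by sendmail-style relays.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.IGNORECASE,
)


def analyse_headers(raw: str) -> dict:
    """Decode the subject, pull the first-hop relay and compare it with the claimed sender."""
    msg = Parser(policy=policy.default).parsestr(raw, headersonly=True)

    # policy.default decodes RFC 2047 encoded words (here big5) into a str.
    subject = str(msg["Subject"])
    from_addr = parseaddr(str(msg["From"]))[1]
    from_domain = from_addr.rpartition("@")[2].lower()

    # The last Received header is the one closest to the sender (first hop).
    received = msg.get_all("Received") or []
    first_hop = str(received[-1]) if received else ""
    helo: Optional[str] = None
    rdns: Optional[str] = None
    ip: Optional[str] = None
    m = RECEIVED_FROM.search(first_hop)
    if m:
        helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")

    # A sender claiming gwsm.gov.tw should not be injected from a consumer ISP host.
    relay_mismatch = bool(rdns) and not rdns.lower().endswith("." + from_domain)

    # Skew between the client's Date header and the relay's own timestamp.
    skew_seconds: Optional[int] = None
    if msg["Date"] and ";" in first_hop:
        stamp = first_hop.rsplit(";", 1)[1].strip()
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", stamp)  # drop trailing "(CST)" comment
        delta = parsedate_to_datetime(stamp) - parsedate_to_datetime(str(msg["Date"]))
        skew_seconds = int(delta.total_seconds())

    return {
        "subject": subject,
        "from_domain": from_domain,
        "helo": helo,
        "relay_rdns": rdns,
        "relay_ip": ip,
        "relay_mismatch": relay_mismatch,
        "skew_seconds": skew_seconds,
    }


if __name__ == "__main__":
    for key, value in analyse_headers(RAW_HEADERS).items():
        print(f"{key:15s} {value}")
```

The HELO name "gwsm" matches the claimed domain's first label while the reverse DNS and IP belong to a HiNet ADSL range, which is exactly the combination the whois output further down confirms; the relay timestamp is also about 65 minutes later than the Outlook Express Date header.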
Virustotal
http://www.virustotal.com/analisis/6bb20b347d5f07c42450c07719acfe156346b46e9de3477d198d803f7b367b27-1262030725
File 99_____________________________.p received on 2009.12.28 20:05:25 (UTC)
Result: 5/41 (12.20%)
nProtect 2009.1.8.0 2009.12.28 Exploit.PDF-JS.Gen.C02
PCTools 7.0.3.5 2009.12.28 HeurEngine.MaliciousExploit
Sophos 4.49.0 2009.12.28 Troj/PDFJs-B
Sunbelt 3.2.1858.2 2009.12.28 Exploit.PDF-JS.Gen (v)
Symantec 1.4.4.12 2009.12.28 Bloodhound.Exploit.288
Additional information
File size: 127728 bytes
MD5 : c61c231d93d3bd690dd04b6de7350abb
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=c61c231d93d3bd690dd04b6de7350abb&type=js
Analysis report for 99年(春節)消費者福利表.pdf
File 99年(春節)消費者福利表.pdf
MD5 c61c231d93d3bd690dd04b6de7350abb
Analysis Started 2009-12-28 12:22:07
Report Generated 2009-12-28 12:22:12
Jsand 1.03.02 malicious
Exploits
Name: doc.media.newPlayer
Description: Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2
Reference: CVE-2009-4324
Sender 61.219.229.222
Hostname:61-219-229-222.hinet-ip.hinet.net
ISP:CHTD, Chunghwa Telecom Co., Ltd.
Organization:Ung Tzeng Co., Ltd.
Geo-Location Information
Country:Taiwan
State/Region:03
City:Taipei
Latitude:25.0392
Longitude:121.525
http://www.robtex.com/ip/61.219.229.222.html#graph
inetnum: 61.216.0.0 - 61.219.255.255
netname: HINET-TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
admin-c: HN27-AP
tech-c: HN28-AP
remarks: Delegated to HiNet for ADSL subscriber.
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at whois.twnic.net.
mnt-by: MAINT-TW-TWNIC
changed: **********@twnic.net 20010117
status: ALLOCATED PORTABLE
source: APNIC
person: HINET Network-Adm
address: CHTD, Chunghwa Telecom Co., Ltd.
address: Data-Bldg. 6F, No. 21, Sec. 21, Hsin-Yi Rd.,
address: Taipei Taiwan 100
country: TW
phone: +886 2 2322 3495
phone: +886 2 2322 3442
phone: +886 2 2344 3007
fax-no: +886 2 2344 2513
fax-no: +886 2 2395 5671
e-mail: ***********@hinet.net
nic-hdl: HN27-AP
remarks: same as TWNIC nic-handle HN184-TW
mnt-by: MAINT-TW-TWNIC
changed: **********@twnic.net 20000721
source: APNIC
person: HINET Network-Center
address: CHTD, Chunghwa Telecom Co., Ltd.
address: Data-Bldg. 6F, No. 21, Sec. 21, Hsin-Yi Rd.,
address: Taipei Taiwan 100
country: TW
phone: +886 2 2322 3495
phone: +886 2 2322 3442
phone: +886 2 2344 3007
fax-no: +886 2 2344 2513
fax-no: +886 2 2395 5671
e-mail: **************@hinet.net
nic-hdl: HN28-AP
remarks: same as TWNIC nic-handle HN185-TW
mnt-by: MAINT-TW-TWNIC
changed: **********@twnic.net 20000721
source: APNIC
inetnum: 61.219.229.216 - 61.219.229.223
netname: UNG-TZENG-CO-TP-NET
descr: Ung Tzeng Co., Ltd.
descr: Taipei Taiwan
country: TW
admin-c: MLW26-TW
tech-c: MLW26-TW
mnt-by: MAINT-TW-TWNIC
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at whois.twnic.net.
changed: ***********@hinet.net 20010417
status: ASSIGNED NON-PORTABLE
source: TWNIC
person: Mei Ling Wang
address: Ung Tzeng Co., Ltd.
address: Taipei Taiwan
e-mail: **********@hn.hinet.net
nic-hdl: MLW26-TW
changed: **********@twnic.net.tw 20010814
source: TWNIC
Check out http://extraexploit.blogspot.com/2009/12/adobe-cve-2009-4324-in-wild-0day-part_1766.html for a detailed pdf analysis.
Note:
When opened, Adobe Reader reports that the file is corrupt, but a second later a document opens anyway, displaying the text below. The sample drops at least four additional files in
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
- AcrRd32.exe - generates all of the files below
http://www.virustotal.com/analisis/e2e3b1bd9b5d3fd8aa4b73d3393e4f00dc6c17ee92ee8cb00471ae0c73db680b-1262068818
- 99年(春節)消費者福利表.pdf - the PDF you actually see; AcrRd32.exe generates it so that the original PDF appears to be harmless.
http://www.virustotal.com/analisis/03118aa30820f247c2d0f751ee1a3740241a096cce4f75720fa0ccf35b727463-1262090020
- wuweb.exe - generated by AcrRd32.exe
http://www.virustotal.com/analisis/e2e3b1bd9b5d3fd8aa4b73d3393e4f00dc6c17ee92ee8cb00471ae0c73db680b-1262068818 , which in turn generates
- conime.exe in C:\windows\addins
http://www.virustotal.com/analisis/9c55786d595c14662f24d670235ca374e71b1c99c42916c0b6ecf210cb531506-1262091203
140.136.148.42:80
140.136.202.49:80
Please come back for more information later or check out what extraexploit already found.
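The note above gives a responder everything needed for a host-side sweep: the drop chain AcrRd32.exe (a name one letter off from Adobe's real AcroRd32.exe) to wuweb.exe to conime.exe in C:\windows\addins, the MD5 of the lure PDF, and two IP:port pairs. The script below is an added example, not part of the original post. It encodes those indicators and runs them over a constructed batch of Sysmon-style endpoint events; treating the two IP:port pairs as network destinations is an assumption, since the note lists them without comment. The legitimate Console IME conime.exe lives in System32, so only the addins copy is matched.

```python
import ntpath
from typing import Optional

# Indicators transcribed from the note. Paths are matched as lower-case suffixes
# so the user-profile directory and drive letter do not matter.
DROPPED_FILE_SUFFIXES = {
    r"\locals~1\temp\acrrd32.exe": "first-stage dropper (name mimics the genuine AcroRd32.exe)",
    r"\locals~1\temp\wuweb.exe": "second stage, written by AcrRd32.exe",
    r"\windows\addins\conime.exe": "third stage, written by wuweb.exe (legit copy is in System32)",
}
# ASSUMPTION: the IP:port pairs listed in the note are outbound destinations.
NETWORK_IOCS = {("140.136.148.42", 80), ("140.136.202.49", 80)}
SAMPLE_MD5 = "c61c231d93d3bd690dd04b6de7350abb"

# Constructed endpoint telemetry for the demo; not data from the post.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "path": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrRd32.exe"},
    {"type": "file_create", "image": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrRd32.exe",
     "path": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe"},
    {"type": "file_create", "image": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe",
     "path": r"C:\WINDOWS\addins\conime.exe"},
    # Benign: the real Console IME in System32 must not trigger a hit.
    {"type": "file_create", "image": r"C:\WINDOWS\system32\svchost.exe",
     "path": r"C:\WINDOWS\system32\conime.exe"},
    {"type": "net_connect", "image": r"C:\WINDOWS\addins\conime.exe",
     "dst": "140.136.148.42", "port": 80},
    # Benign: ordinary browsing to a documentation-range address.
    {"type": "net_connect", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst": "203.0.113.10", "port": 80},
    {"type": "file_hash", "path": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\99.pdf",
     "md5": "C61C231D93D3BD690DD04B6DE7350ABB"},
]


def match_event(event: dict) -> Optional[str]:
    """Return a description of the indicator an event matches, or None."""
    kind = event["type"]
    if kind == "file_create":
        path = event["path"].lower()
        for suffix, note in DROPPED_FILE_SUFFIXES.items():
            if path.endswith(suffix):
                return f"dropped file {ntpath.basename(event['path'])}: {note}"
    elif kind == "net_connect":
        if (event["dst"], event["port"]) in NETWORK_IOCS:
            return (f"connection to {event['dst']}:{event['port']} "
                    f"from {ntpath.basename(event['image'])}")
    elif kind == "file_hash":
        if event["md5"].lower() == SAMPLE_MD5:
            return f"CVE-2009-4324 lure PDF by MD5: {event['path']}"
    return None


def scan(events: list) -> list:
    """Run every event through the indicator set and collect the hits."""
    hits = []
    for event in events:
        description = match_event(event)
        if description:
            hits.append({"event": event, "hit": description})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["hit"])
```

Matching on the full drop path rather than the bare file name is what keeps the System32 conime.exe out of the results; in a real sweep the same suffix table can be fed with file-creation events from Sysmon or a forensic timeline, and the hash check extended to the SHA256 values in the VirusTotal links above.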
Text of the decoy PDF (translated from Traditional Chinese):
Subject: To meet consumer demand for the ROC year 99 (2010) Lunar New Year, suppliers of centrally procured goods who voluntarily add gift-box packaging free of charge should apply using the attached format.
Explanation:
1. For the ROC year 99 Lunar New Year (February 13), this Department plans to supply gift boxes from January 1 to February 28, 2010.
2. For free gift-box packaging, pay attention to quality, hygiene, safety and ease of inspection; fill in and submit one copy in the format of Attachment 1 (each with one 4x6 colour photograph, with the barcode and product name noted on the back) and mail it to this Department before December 15, 2009 so that the announcement can be processed; late submissions will not be accepted.
3. Where the gift box contains a single item that is already contracted, the barcode and selling price remain unchanged; a gift box that combines several single items must carry a set barcode, its selling price must be the bulk price and it must be marked "not sold separately". Fill in the gift-box contents and specifications in full, following the sample (Attachment 2); otherwise the application will not be processed.
4. Inspection, ordering, allocation and payment for all gift-boxed goods follow the current regulations.
For details, log on to the General Welfare Service, Ministry of National Defense: http://www.gwsm.gov.tw/