Download 028ebdeea729a8c18ca1406ff102088d U.S. Assiatance to North Korea.pdf (Password protected archive. Please contact me if you need the password)
From: Mark Manyin [mailto:mark.manyin@gmail.com]
Sent: Friday, October 02, 2009 10:22 AM
Subject: Fwd: U.S. Assiatance to North Korea
Dear Colleagues,
I was able to secure permission to forward you the attached report on U.S. Assiatance to North Korea. We intentionally kept it short report, in hopes that it would increase its readership.
Please share with your colleagues. Also, please share their comments, observations and questions.
Best,
Mark Manyin
Specialist in Asian Affairs
Congressional Research Service
7-7653
The message sender was mark.manyin@gmail.com
The message originating IP was 209.85.222.117
The message recipients were xxx@xxx.xxx
The message was titled Fwd: U.S. Assiatance to North Korea
The message date was Fri, 2 Oct 2009 22:22:06 +0800
The message identifier was <1aa371b60910020722l10e85dd1v7b8fb8b4f05514bc@mail.gmail.com>
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12 build 6412
Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.
Scan started at Fri Oct 2 14:40:46 2009
Database version: 2009-10-02_07
attach/5965436_3X_PM5_EMS_MA-PDF__U.S.=20Assiatance=20to=20North=20Korea.pdf: Infected: Exploit.Win32.Pidief.bvw [AVP]
Scan ended at Fri Oct 2 14:40:46 2009
2 files scanned
1 file infected
Virustotal scan
December 11, 2009
https://www.virustotal.com/gui/file/c32927c1a9825e52ff2577995e9e963ff5128edf6fc6d4c6ed256baff1494c6e
File 5bfed5b2e91e3266570013e6afe1e3285c4c846d received on 2009.11.08 14:51:11 (UTC)
Current status: finished
Result: 11/40 (27.50%)
a-squared 4.5.0.41 2009.11.08 Exploit.Win32.Pidief!IK
Antiy-AVL 2.0.3.7 2009.11.05 Exploit/Win32.Pidief
Avast 4.8.1351.0 2009.11.08 PDF:CVE-2009-0658
BitDefender 7.2 2009.11.08 Exploit.PDF-JBIG2Decode.Gen
ClamAV 0.94.1 2009.11.08 Exploit.PDF-528
F-Secure 9.0.15370.0 2009.11.04 Exploit.PDF-JBIG2Decode.Gen
GData 19 2009.11.08 PDF:CVE-2009-0658
Ikarus T3.1.1.74.0 2009.11.08 Exploit.Win32.Pidief
Kaspersky 7.0.0.125 2009.11.08 Exploit.Win32.Pidief.bvw
McAfee-GW-Edition 6.8.5 2009.11.08 Heuristic.BehavesLike.PDF.Suspicious.Z
Sophos 4.47.0 2009.11.08 Troj/PDFEx-CB
Additional information
File size: 213183 bytes
MD5 : 028ebdeea729a8c18ca1406ff102088d
SHA1 : 5bfed5b2e91e3266570013e6afe1e3285c4c846d
SHA256: c32927c1a9825e52ff2577995e9e963ff5128edf6fc6d4c6ed256baff1494c6e
TrID : File type identification
Adobe Portable Document Format (100.0%)
Update December 17, 2009 - rescan
https://www.virustotal.com/gui/file/c32927c1a9825e52ff2577995e9e963ff5128edf6fc6d4c6ed256baff1494c6e
U.S._Assiatance_to_North_Korea.pd received on 2009.12.17 03:55:38 (UTC)
a-squared 4.5.0.43 2009.12.17 Exploit.Win32.Pidief!IK
AhnLab-V3 5.0.0.2 2009.12.17 PDF/Exploit-JBIG2
Antiy-AVL 2.0.3.7 2009.12.17 Exploit/Win32.Pidief
Avast 4.8.1351.0 2009.12.17 PDF:CVE-2009-0658
BitDefender 7.2 2009.12.17 Exploit.PDF-JBIG2Decode.Gen
ClamAV 0.94.1 2009.12.17 Exploit.PDF-528
eSafe 7.0.17.0 2009.12.16 PDF exploit CVE-2009-0658
F-Secure 9.0.15370.0 2009.12.17 Exploit.PDF-JBIG2Decode.Gen
GData 19 2009.12.17 PDF:CVE-2009-0658
Ikarus T3.1.1.78.0 2009.12.17 Exploit.Win32.Pidief
Kaspersky 7.0.0.125 2009.12.17 Exploit.Win32.Pidief.bvw
McAfee-GW-Edition 6.8.5 2009.12.17 Heuristic.BehavesLike.PDF.Suspicious.Z
Additional information
File size: 213183 bytes
MD5...: 028ebdeea729a8c18ca1406ff102088d
SHA1..: 5bfed5b2e91e3266570013e6afe1e3285c4c846d
SHA256: c32927c1a9825e52ff2577995e9e963ff5128edf6fc6d4c6ed256baff1494c6e
ssdeep: 1536:R0UcAfDbhnNkiUqFmZb77YSxmq35tO/ZKDg5n7q1y65R0UcAfDGyhnNi:lrbhnWiPIb77XxB35tO/ADPnr7hn0
Wepawet rescan
Sample Overview
File U.S. Assiatance to North Korea.pdf
MD5 028ebdeea729a8c18ca1406ff102088d
Analysis Started 2009-12-16 20:13:40
Report Generated 2009-12-16 20:13:44
Jsand version 1.03.02
Detection results
Detector Result
Jsand 1.03.02 malicious
Exploits
Name Description Reference
JBIG2 Vulnerability Vulnerability in the processing of JBIG2 streams embedded in PDF files SA33901
https://s3.amazonaws.com/contagio.deependresearch.org/read/SA33901_CVE-2009-0658_secunia.com_pdf_SA33901_BA.pdf