The message sender was damien.tomkins@gmail.com
The message originating IP was 209.85.222.112
The message recipients were ouruser@ourdomain.xxx
The message was titled Re-Remarks of President Barack Obama
The message date was Wed, 2 Dec 2009 22:22:04 +0800
The message identifier was
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12 build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.
Scan started at Wed Dec 2 14:23:01 2009 Database version: 2009-12-02_15
attach/7815385_4X_AR_PA3__Remarks=20of=20President=20Barack=20Obama.pdf: Infected: Exploit.JS.Pdfka.amp [AVP]
Scan ended at Wed Dec 2 14:23:01 2009
3 files scanned
1 file infected
Apparently sent to a listserv member.
From: Tomkins Damien [mailto:damien.tomkins@gmail.com]
Sent: 2009-12-02 09:22
To: areger@uhrp.org
Cc: many addresses [Removed]@nbr.org; [Removed]@mac.com; [Removed]@aol.com; [Removed]@gmail.com; [Removed]@gmail.com; @afpc.org; [Removed]@emergingmarketsgroup.com; [Removed]@frb.gov; [Removed]@hotmail.com; [Removed]@mail.doc.gov; [Removed]@mail.house.gov; [Removed]@mail.house.gov; [Removed]@practicalsmallprojects.com; cohlandt@rand.org; [Removed]@rand.org; [Removed]@state.gov; [Removed]@yahoo.com; [Removed]@georgetown.edu; [Removed]@american.edu
Subject: Re-Remarks of President Barack Obama
http://www.virustotal.com/analisis/d83237a5196a6f98f9c58868324ab13c19919e94f9ab9f83d1756d5c86622f58-1260286917
*****The attachment password is "damien"
Remarks of President Barack Obama.rar contains a PDF file of the same name.
File Remarks_of_President_Barack_Obama received on 2009.12.08 15:41:57 (UTC)
Result: 8/41 (19.52%)
Antivirus | Version | Last Update | Result |
---|---|---|---|
a-squared | 4.5.0.43 | 2009.12.08 | Exploit.JS.Pdfka!IK |
Authentium | 5.2.0.5 | 2009.12.02 | PDF/Pidief.O |
ClamAV | 0.94.1 | 2009.12.08 | Exploit.PDF-2089 |
eSafe | 7.0.17.0 | 2009.12.08 | PDF.Exploit.4 |
F-Secure | 9.0.15370.0 | 2009.12.07 | Exploit.PDF-JS.Gen |
Ikarus | T3.1.1.74.0 | 2009.12.08 | Exploit.JS.Pdfka |
Kaspersky | 7.0.0.125 | 2009.12.08 | Exploit.JS.Pdfka.amp |
Sunbelt | 3.2.1858.2 | 2009.12.08 | Exploit.PDF-JS.Gen (v) |
Additional information
File size: 148263 bytes
MD5...: b89fa058250ab69b2d15dbcc4332d320
SHA1..: 5506c024feedd17a5e10f37c1b0144b5d3081413
SHA256: d83237a5196a6f98f9c58868324ab13c19919e94f9ab9f83d1756d5c86622f58
ssdeep: 768:ZVsDIcaLjJgtPoSfiDfWR5tPjcu2bwANqkix4cHVsg:TKaLlgtPZfiD4G7bw4pWt
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
The Wepawet analysis shows a different attachment name for the same MD5; apparently the senders just renamed the file.
http://wepawet.iseclab.org/view.php?hash=b89fa058250ab69b2d15dbcc4332d320&type=js
Field | Value |
---|---|
File | Talking Points on PRC AF 60th Anniversary.pdf |
MD5 | b89fa058250ab69b2d15dbcc4332d320 |
Analysis Started | 2009-11-24 06:42:14 |
Report Generated | 2009-11-24 06:42:38 |
Jsand version | 1.03.02 |
Detection results
Detector | Result |
---|---|
Jsand 1.03.02 | malicious |

Exploit | Description | Reference |
---|---|---|
Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659 |
Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |