Wednesday, December 2, 2009

Dec.2 PDF attack. Re-Remarks of President Barack Obama from Wed, 2 Dec 2009 22:22:04

Download the infected PDF (password-protected archive; you have to contact me for the password)

The message sender was

The message originating IP was
The message recipients were

The message was titled Re-Remarks of President Barack Obama
The message date was Wed, 2 Dec 2009 22:22:04 +0800
The message identifier was
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12  build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Wed Dec  2 14:23:01 2009 Database version: 2009-12-02_15

attach/7815385_4X_AR_PA3__Remarks=20of=20President=20Barack=20Obama.pdf: Infected: Exploit.JS.Pdfka.amp [AVP]

Scan ended at Wed Dec  2 14:23:01 2009
3 files scanned
1 file infected

Apparently, sent to a listserv member.

From: Tomkins Damien []
Sent: 2009-12-02 09:22
Cc: many addresses [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]; [Removed]

Subject: Re-Remarks of President Barack Obama
*****The attachment password is "damien"
Remarks of President Barack Obama.rar contains a PDF file with the same name

File Remarks_of_President_Barack_Obama received on 2009.12.08 15:41:57 (UTC)
Result: 8/41 (19.52%)
Antivirus      Version        Last Update   Result
a-squared                     2009.12.08    Exploit.JS.Pdfka!IK
Authentium                    2009.12.02    PDF/Pidief.O
ClamAV         0.94.1         2009.12.08    Exploit.PDF-2089
eSafe                         2009.12.08    PDF.Exploit.4
F-Secure       9.0.15370.0    2009.12.07    Exploit.PDF-JS.Gen
Ikarus         T3.            2009.12.08    Exploit.JS.Pdfka
Kaspersky                     2009.12.08    Exploit.JS.Pdfka.amp
Sunbelt        3.2.1858.2     2009.12.08    Exploit.PDF-JS.Gen (v)

Additional information
File size: 148263 bytes
MD5...: b89fa058250ab69b2d15dbcc4332d320
SHA1..: 5506c024feedd17a5e10f37c1b0144b5d3081413
SHA256: d83237a5196a6f98f9c58868324ab13c19919e94f9ab9f83d1756d5c86622f58
ssdeep: 768:ZVsDIcaLjJgtPoSfiDfWR5tPjcu2bwANqkix4cHVsg:TKaLlgtPZfiD4G7bw

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set

Wepawet analysis shows a different attachment name; apparently they just renamed it.

Talking Points on PRC AF 60th Anniversary.pdf
Analysis Started: 2009-11-24 06:42:14
Report Generated: 2009-11-24 06:42:38
Jsand version: 1.03.02

Detection results

Adobe Collab overflow: Multiple Adobe Reader and Acrobat buffer overflows
Adobe getIcon: Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object
