After a bit of playing with pdf-parser.py, I think it is CVE-2009-4324. Maybe something else; you are welcome to check :) I thought it was CVE-2009-1862 at first, just based on how some antivirus providers detected it, but I was wrong. Wepawet did not detect it as malicious, the same situation Bojan had; see "Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324".
I also first got the same error
I think the screenshot below shows that it is CVE-2009-4324
The message was titled [研討會]2010 Being Global and Local研討會 (研討會: seminar/conference)
The message date was Mon, 4 Jan 2010 15:57:28 +0800
The message identifier was
Virustotal
http://www.virustotal.com/analisis/6341588926166ce800a238d1a669d27f45ec6b193f8f620c169c54c4e1fa3ca3-1262718161
File Being_Global_and_Local_Conference received on 2010.01.05 19:02:41 (UTC)
Result: 7/41 (17.07%)
Antivirus Version Last Update Result
BitDefender 7.2 2010.01.05 Exploit.PDF-JS.Gen
F-Secure 9.0.15370.0 2010.01.05 Exploit.PDF-JS.Gen
GData 19 2010.01.05 Exploit.PDF-JS.Gen
Kaspersky 7.0.0.125 2010.01.05 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.01.05 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5302 2010.01.05 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.01.05 Exploit.PDF-JS.Gen.C02
Additional information
File size: 222161 bytes
MD5 : 08b89c0b7949b1d2017356b1bbb75f6a
Wepawet
http://wepawet.iseclab.org/view.php?hash=08b89c0b7949b1d2017356b1bbb75f6a&type=js
File Being Global and Local_Conference Agenda.pdf
MD5 08b89c0b7949b1d2017356b1bbb75f6a
Analysis Started 2010-01-05 11:21:59
Report Generated 2010-01-05 11:22:32
Jsand 1.03.02 benign :(
PDF contents
Payload
desktop.exe
Registry entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{11CDF7EC-651B-76AA-AD69-4005FE080DE8}\stubpath" (created) :
New entry was set to
Process iexplore.exe
Number of running instances during logon time changed: 1 instead of 0
Process desktop.exe
Process detected for the first time (2 instances)
Anubis test
http://anubis.iseclab.org/?action=result&task_id=191c487ec1f466e04017de7fcf8b3167c&format=html
Analysis Reason: desktop.exe wrote to the virtual memory of this process
Filename: Explorer.EXE
MD5: 12896823fb95bfb3dc9b46bcaedc9923
SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size: 1033728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE
DNS Queries:

| Name | Query Type | Query Result | Successful | Protocol |
|---|---|---|---|---|
| chipone.1dumb.com | DNS_TYPE_A | 0.0.0.0 | 1 | |
| chiptwo.myFTP.info | DNS_TYPE_A | 0.0.0.0 | 1 | |
| dtone.3d-game.com | DNS_TYPE_A | 64.156.29.35 | 1 | |
Unknown TCP Traffic:
from ANUBIS:1038 to 64.156.29.35:443
State: Normal establishment and termination - Transferred outbound Bytes: 65 - Transferred inbound Bytes: 0
Data sent:
3d00 0000 91e3 1c11 82bd cab6 9241 f6b8 =............A..
33df b1a6 5914 3f01 d09c 3303 032c e943 3...Y.?...3..,.C
1580 1f9c 2dfe 808b 1182 de4d 0187 6a10 ....-......M..j.
TCP Connection Attempts:
from ANUBIS:1038 to 64.156.29.35:443
ThreatExpert
http://www.threatexpert.com/report.aspx?md5=1fc67927ab4588cc21f71bda010cbd4a
Headers
Received: from microsoft72cc5 (60-248-102-9.HINET-IP.hinet.net [60.248.102.9])
by msr18.hinet.net (8.9.3/8.9.3) with ESMTP id PAA02138;
Mon, 4 Jan 2010 15:57:37 +0800 (CST)
Message-ID:
From: =?big5?B?pXikaqxGqna+x6h0?=
To:
Subject: =?big5?B?W6zjsFG3fF0yMDEwIEJlaW5nIEdsb2JhbCBhbmQgTG9jYWys47BRt3w=?=
Date: Mon, 4 Jan 2010 15:57:28 +0800
Hostname: 60-248-102-9.hinet-ip.hinet.net
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: Jia Teng System Co., Ltd.
Country: Taiwan
City: Taipei