This post is to be continued...
According to Villy (thanks, Villy :)) the file contains two
embedded PDFs: a small one with JavaScript exploiting CVE-2009-4324 and one
larger, clean file. There is also an XORed exe between those two files.
It is a very nice package.
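To triage a container laid out the way Villy describes it (small exploit PDF, XORed executable, larger clean PDF), the following is an added example and not Villy's tooling or any code from this post: it carves every %PDF- ... %%EOF span out of a blob, then brute-forces a single-byte XOR key over the bytes left between the carved PDFs, accepting a hit only when the decoded MZ header's e_lfanew points at a PE\0\0 signature. The sample bytes are constructed inline; the single-byte key, the fake PE layout and the assumption that the executable sits in the gap between the two PDFs are mine, since the post gives no key, offsets or file layout.

```python
import re

# --- Constructed sample (not the real Invitation_to_Mike_Castle_Event.pdf) ---
# Layout mirrors what the post describes: small PDF, XORed PE, larger clean PDF.
# A single-byte key is an assumption; the post does not say how the exe is XORed.
XOR_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _fake_pdf(body: bytes) -> bytes:
    return b"%PDF-1.4\n" + body + b"\n%%EOF\n"


def _fake_pe() -> bytes:
    # Minimal MZ/PE skeleton: 64-byte DOS header with e_lfanew at 0x3C,
    # a DOS stub, then the "PE\0\0" signature at 0x80.
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\x00")
    return bytes(hdr) + stub + b"PE\x00\x00" + b"\x00" * 32


# Placeholder JS, not the exploit script from the sample.
EXPLOIT_PDF = _fake_pdf(b"1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj")
CLEAN_PDF = _fake_pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" * 40)
SAMPLE = EXPLOIT_PDF + xor_bytes(_fake_pe(), XOR_KEY) + CLEAN_PDF

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_EOF = b"%%EOF"


def carve_pdfs(data: bytes) -> list:
    """(start, end) span for every %PDF- header, ending at the last %%EOF before
    the next header (a PDF with incremental updates carries several %%EOF)."""
    starts = [m.start() for m in PDF_HEADER.finditer(data)]
    spans = []
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(data)
        eof = data.rfind(PDF_EOF, start, limit)
        end = limit if eof < 0 else eof + len(PDF_EOF)
        while end < limit and data[end:end + 1] in (b"\r", b"\n"):
            end += 1  # keep the EOL that belongs to %%EOF inside the span
        spans.append((start, end))
    return spans


def gaps_between(spans: list, total: int) -> list:
    """Byte ranges covered by no carved PDF: where a hidden payload would sit."""
    gaps, prev = [], 0
    for start, end in spans:
        if start > prev:
            gaps.append((prev, start))
        prev = end
    if prev < total:
        gaps.append((prev, total))
    return gaps


def find_xor_pe(blob: bytes):
    """Brute-force a single-byte XOR key. A hit needs decoded 'MZ' AND an
    e_lfanew that lands on 'PE\\0\\0', so a stray 2-byte match is rejected.
    Returns (key, offset_in_blob, decoded_bytes) or None."""
    for key in range(256):
        sig = xor_bytes(b"MZ", key)
        pos = blob.find(sig)
        while pos != -1:
            hdr = xor_bytes(blob[pos:pos + 0x40], key)
            if len(hdr) == 0x40:
                e_lfanew = int.from_bytes(hdr[0x3C:0x40], "little")
                pe_sig = xor_bytes(blob[pos + e_lfanew:pos + e_lfanew + 4], key)
                if e_lfanew >= 0x40 and pe_sig == b"PE\x00\x00":
                    return key, pos, xor_bytes(blob[pos:], key)
            pos = blob.find(sig, pos + 1)
    return None


def triage(data: bytes) -> dict:
    """Carve embedded PDFs, then hunt the gaps between them for an XORed PE."""
    spans = carve_pdfs(data)
    result = {"pdfs": spans, "pe": None}
    for g0, g1 in gaps_between(spans, len(data)):
        hit = find_xor_pe(data[g0:g1])
        if hit:
            key, off, pe = hit
            result["pe"] = {"key": key, "offset": g0 + off, "size": len(pe), "data": pe}
            break
    return result


if __name__ == "__main__":
    r = triage(SAMPLE)
    for i, (s, e) in enumerate(r["pdfs"], 1):
        print(f"pdf {i}: offset {s} size {e - s}")
    if r["pe"]:
        print(f"XORed PE at {r['pe']['offset']}, key 0x{r['pe']['key']:02x}, size {r['pe']['size']}")
```

On a real container the outer wrapper's own %PDF- header is carved as a span too, so look at every span rather than assuming the first one is the lure. The %%EOF heuristic is only a boundary guess: XORed bytes can by chance contain a "%PDF-" or "%%EOF" string, so sanity-check each carved span (does it parse, does the size look right) before trusting the gap boundaries, and if no single-byte key produces a valid PE header, the packer is using something other than a one-byte XOR.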
From:[Redacted] [mailto:[Redacted]@gmail.com]
Sent: 2010-02-10 10:08 AM
Subject: Rep. Mike Castle
Attached is an invitation for a February 15 reception honoring Rep. Mike Castle (R-De) in his candidacy for the U.S. Senate. I hope you will be able to join us.
Although his expected Democrat opponent has dropped out of the race, the New Castle County Executive has already announced his intention to seek the Democratic nomination. Hence, Mike's political situation is strong, but the Democrats are expected to make a full scale contest out of this race.
Presuming your support, Mike will make a great contribution in the Senate for Delaware and the Country.
Please send your response to me at: [Redacted]@gmail.com
All best,
[Redacted]
[Redacted]
[Redacted]@ssd.com
Direct: +1.[Redacted]
Fax: +1.[Redacted]
Mobile: +[Redacted]
Squire Sanders Public Advocacy, LLC
a wholly owned non-law firm affiliate of
Squire, Sanders & Dempsey L.L.P.
Suite 500
1201 Pennsylvania Avenue, N.W.
Washington, D.C. 20004
sspa.ssd.com
Squire Sanders|Legal Counsel Worldwide
32 Offices in 15 Countries
Cincinnati • Cleveland • Columbus • Houston • Los Angeles • Miami • New York • Palo Alto • Phoenix • San Francisco • Tallahassee • Tampa • Tysons Corner • Washington DC • West Palm Beach | Bogotá+ • Buenos Aires+ • Caracas • La Paz+ • Lima+ • Panamá+ • Rio de Janeiro • Santiago+ • Santo Domingo • São Paulo | Bratislava • Brussels • Bucharest+ • Budapest • Dublin+ • Frankfurt • Kyiv • London • Moscow • Prague • Riyadh+ • Warsaw | Beijing • Hong Kong • Shanghai • Tokyo
+Independent Network Firm
NOTICE: This email message and all attachments transmitted with it are intended solely for the use of the addressees and may contain legally privileged, protected or confidential information. If you have received this message in error, please notify the sender immediately by email reply and please delete this message from your computer and destroy any copies.
IRS Circular 230 Notice: To comply with U.S. Treasury regulations, we advise you that any U.S. federal tax advice included in this communication is not intended or written to be used, and cannot be used, to avoid any U.S. federal tax penalties or to promote, market, or recommend to another party any transaction or matter.
Original PDF
http://www.virustotal.com/analisis/70f43ed12ff8c48156f5d1ad9e09f12ecbcff77f64bbc8a2f58566e3e9f3c06f-1265828519
File Invitation_to_Mike_Castle_Event.p received on 2010.02.10 19:01:59 (UTC)
Result: 1/41 (2.44%)
Sophos 4.50.0 2010.02.10: Mal/PDFEx-D
File size: 325206 bytes
MD5: 7775e7ade13d73919e8dca4695ae7d0a
The first unpacked PDF, 1.pdf, with CVE-2009-4324
http://www.virustotal.com/analisis/e83a2b658f404731e314a8646e258d17a383ac474564c3d5f6ccd36ad2a93c3d-1266008863
Result: 5/41 (12.2%)
Avast 4.8.1351.0 2010.02.12: JS:Pdfka-gen
BitDefender 7.2 2010.02.12: Exploit.PDF-JS.Gen
GData 19 2010.02.12: Exploit.PDF-JS.Gen
nProtect 2009.1.8.0 2010.02.12: Exploit.PDF-JS.Gen.C02
Sunbelt 5671 2010.02.11: Exploit.PDF-JS.Gen (v)
File size: 7221 bytes
MD5: caf3ff27a9688097cf13906c117513ef
1.pdf shellcode (again by Villy)