Sunday, May 6, 2012

May 3 - CVE-2012-0779 World Uyghur Congress Invitation.doc

There are already quite a few samples of this recently patched exploit in the wild, including those targeting USA companies. This particular sample is targeting the Uyghur Congress, which is "an international organization aspiring to represent .. exiled Uyghur (Turkish ethnic group) people both inside and outside of the Xinjiang Autonomous Region of the People's Republic of China." ~ Wikipedia. The text of the email cannot be translated with online translators, but judging by the content of the attachment, it is meant to look like an invitation for the World Uyghur Assembly.

More often than not, interesting samples come at the wrong time, when I cannot analyze them for various reasons, such as being busy with something else. I was planning to look at it this weekend but it did not happen, so here it is: CVE-2012-0779. Analyze it, write signatures, add detection to your filters. If you post an analysis, please send me your link and I will add it. I will just post a few details about the file.

CVE Information

Adobe Flash Player before and 11.x before on Windows, Mac OS X, and Linux; before on Android 2.x and 3.x; and before on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.

File Information

File: WUC Invitation Letter Guests.doc
Size: 121872
MD5:  1750A38A44151493B675538A1AC2070B


Download 1750A38A44151493B675538A1AC2070B (email me if you need the password)
Download dropped file 6fe1634dce1d095d6b8a06757b5b6041 - thanks to Steven K

Also see here - thanks to C0d3inj3ct

Action Script

Original Message

Subject: List of the people from Norway to be invited to the gathering
Date: Fri, 27 Apr 2012 11:46:02 +0800

Yesterday Xanim told me to meet with Dolqun about our inviting Arne and his wife from the Norwegian Rafto Foundation to the congress to be held in Japan, and that Dolqun should immediately send them an invitation letter. Today I met Dolqun about this. Dolqun says, "a copy of the invitation letter has been sent to Zubeyre, and besides, since Xanim has to sign the invitation anyway, it is better that it be sent from America." So I have sent you their names. (You should already have them, but just in case.)

Therese Jebsen
Executive Director of the Rafto Foundation
Phone:  +47 55 21 09 31
Mobile: +47 41 51 13 90
E-mail: therese.jebsen(a)

Arne Liljedahl Lynngård

Former chairman of the Rafto Foundation (currently a member)

Phone: 55 24 42 02

Mobile: 95 15 22 90

Created Files

Clean decoy
Javascript to download

SWF, compressed

When you uncompress it, you get
File: essais~.swf
Size: 9162
MD5:  76700F862A0C241B8F4B754F76957BDA
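A compressed SWF (the "CWS" container) is an 8-byte header followed by a zlib stream of the uncompressed "FWS" body. As an added example, not code from the original post, the Python below inflates a CWS into the equivalent FWS and cross-checks the declared length against what the stream actually yields; it runs on a constructed minimal SWF, not on the sample.

```python
import struct
import zlib

def build_cws(version, body):
    """Construct a compressed SWF around an arbitrary body (constructed test data only).
    Header: signature (3 bytes), version (1 byte), uncompressed file length (uint32 LE)."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)

def declared_length(data):
    """Uncompressed file length as stated in the SWF header."""
    return struct.unpack("<I", data[4:8])[0]

def decompress_swf(data):
    """Return (version, fws_bytes). A FWS passes through unchanged; a CWS is inflated.
    Raises ValueError when the signature is unknown or the header's declared length
    disagrees with the inflated size (truncation or tampering)."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature, version = data[:3], data[3]
    if signature == b"FWS":
        return version, data
    if signature != b"CWS":
        raise ValueError("not a SWF, signature %r" % signature)
    body = zlib.decompress(data[8:])  # everything after the 8-byte header is one zlib stream
    if 8 + len(body) != declared_length(data):
        raise ValueError("header declares %d bytes but stream inflates to %d"
                         % (declared_length(data), 8 + len(body)))
    # The FWS keeps the same version and length fields; only the signature changes.
    return version, b"FWS" + data[3:8] + body

def is_well_formed_swf(data):
    """True when the container parses and its length field is consistent."""
    try:
        decompress_swf(data)
        return True
    except (ValueError, zlib.error):
        return False

# Constructed sample: a version 9 container (several in-the-wild samples were v9) with a dummy body.
SAMPLE_BODY = bytes(range(32))
SAMPLE_CWS = build_cws(9, SAMPLE_BODY)
```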

Ascii Strings:
_&Operated by DoSWF:  <<DoSWF - Flash Encryption
Dropped file (I don't have this one)
MD5: 6FE1634DCE1D095D6B8A06757B5B6041 
Application Data\Macromedia\Flash Player\#SharedObjects\temp.exe
Application Data\Macromedia\Flash Player\#SharedObjects\Flash_ActiveX.exe
Application Data\conime.exe

Someone sent a partial SWF analysis; I added his SWF and the decompiled Flash file to the main download zip above.

The included zip contains the second stage swf that is embedded in the main one, and a copy of the decompiled script from it. The script originally had all the functions and variables set to unicode strings, which have been renamed for readability. The parameters passed into the top level swf from the doc file:

info is the compressed host name, infosize is a variable used to configure the shellcode and probably the offset in the parent doc file of the embedded exe.

Complete script contained in the doc file below.


File: embedded.swf  Virustotal
Size: 6246
MD5:  847A9CFF5328F85015293BAD2F164F10


GET /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 HTTP/1.1
Accept: */*
User-Agent: contype

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 7993
Accept-Ranges: bytes
Content-Disposition: filename="essais.swf";
Last-Modified: Wed, 25 Apr 2012 15:42:37 GMT
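The info value in the request above starts with 78 9c, the usual zlib header, which fits the submitter's note that it carries the compressed host name. As an added example, not code from the original post, the Python below extracts both parameters from the captured request line and decodes them; reading infosize as a little-endian DWORD is my assumption, chosen because the result then falls inside the 121872-byte document.

```python
import struct
import zlib
from urllib.parse import parse_qs, urlsplit

# Request line exactly as captured in the post.
REQUEST_LINE = ("GET /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338"
                "&infosize=00FC0000 HTTP/1.1")

def parse_request_params(request_line):
    """Return the query parameters of an HTTP request line as a name -> value dict."""
    _method, target, _version = request_line.split(" ", 2)
    return {name: values[0] for name, values in parse_qs(urlsplit(target).query).items()}

def decode_info(info_hex):
    """info is hex text of a complete zlib stream (78 9c header, Adler-32 trailer).
    zlib.decompress verifies the trailer, so a corrupted value raises zlib.error."""
    raw = bytes.fromhex(info_hex)
    if raw[:1] != b"\x78":
        raise ValueError("info does not start with a zlib header")
    return zlib.decompress(raw).decode("ascii")

def decode_infosize(infosize_hex):
    """Assumption: infosize is a 4-byte value written byte by byte in memory order
    (little-endian), so 00FC0000 is 0x0000FC00 rather than 0x00FC0000."""
    return struct.unpack("<I", bytes.fromhex(infosize_hex))[0]

def analyze(request_line, doc_size):
    """Decode both parameters and sanity-check infosize against the carrier document size."""
    params = parse_request_params(request_line)
    host = decode_info(params["info"])
    size = decode_infosize(params["infosize"])
    return {
        "host": host,                      # decodes to a host:port string
        "infosize": size,
        "infosize_within_doc": size < doc_size,
    }

if __name__ == "__main__":
    print(analyze(REQUEST_LINE, 121872))
```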

Automatic scans

SWF - Virustotal

SHA256:     064c0e1b9157bfcaca62c2f06abd4b51aa289c1b1678c2688b1d7f36cc1335a8
SHA1:     4380b5336fa03554cbc5542a7460f7cc70adc8bb
MD5:     1750a38a44151493b675538a1ac2070b
File size:     119.0 KB ( 121872 bytes )
File name:     WUC Invitation Letter Guests.doc
File type:     MS Word Document
Detection ratio:     6 / 42
Analysis date:     2012-05-07 02:08:31 UTC
BitDefender     Exploit.ScriptBridge.Gen     20120507
F-Secure     Exploit.ScriptBridge.Gen     20120507
GData     Exploit.ScriptBridge.Gen     20120507
Ikarus     Exploit.ScriptBridge     20120507
nProtect     Exploit.ScriptBridge.Gen     20120506


  1. Oh, Mila, I just know you're the first to post this 0779.
    NICE JOB!

  2. It seems there's no password to the ZIP?

  3. Dropped file (I don't have this one) MD5: 6FE1634DCE1D095D6B8A06757B5B6041 // got it, drop me a mail other than gmail, which doesn't allow archive attachments, if you want it ;)

    1. Steven K, can you please send the password to ''

  4. Search for the network pattern "/upload/exp.swf" in Google. It will bring you to a few examples of the compressed SWF files on jsunpack.

    One instance:

    Even though the malicious site on which this SWF file was hosted is down, you can still download the samples from jsunpack site.

    On a side note, a few of the compressed SWF files are of version 9 and others of version 14.

  5. From the RDF MetaData of the decompressed SWF File:

    Encrypted by DoSWF

  6. Does anyone know how to decrypt the DoSWF encryption of the decompressed swf file? Been looking for a tool, but no luck..

  7. Hello man, do you have the action script code? Please post it on the blog.

  8. How was the embedded flash found? Since it is an encrypted flash file, how was the shellcode even seen as part of the code? Was it taken out of memory when the flash file was loaded? What flash tools were used to extract the action script code in the pastebin link?