I was still writing my analysis when AlienVault posted "CVE-2012-1535: Adobe Flash being exploited in the wild", and mine would have been pretty much a repeat of the same. I don't like repeating, so I will just post the samples and link to Jaime Blasco's article. As you can see from the ssdeep hashes, they are nearly identical in size, exploit, and payload. All Word documents were authored by "Mark" and have the same strings and indicators present as in the analyzed file.
CVE #
Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.
Download
919708b75b1087f863b6b49a71eb133d
MedalTop10.doc
3072:hHNqm9x2CAUTfK4TSwQ59LJWKMFjBKFyimr9VZf2y6:htqAcCAUDK4TVoxJXKjBKFyXr9VZS
------------------------------------------------------
c0c83fe9f21560c3be8dd13876c11098
page 1-2.doc
3072:hHNqm9x2CAUTaK4TSwQ59LJWKMFjBKFy+w1KIeLw:htqAcCAU2K4TVoxJXKjBKFy+vw
------------------------------------------------------
65090678746d74b4f32cc5977e2bad95
tickets.doc
3072:hHNqm9x2CAUTMKFThwQ59LJWKMFjBKFN4tBYVglzIeLw:htqAcCAUIKFTioxJXKjBKFN4tOVgzw
------------------------------------------------------
d512d9544907a3589eba64f196aec0d7
TYBRIN Project Review Report_Aug 12.doc
3072:hHNqm9x2CAUTkKAbTLwQ59LJWKMFjBKFyabQlzIeLw:htqAcCAUIKSTUoxJXKjBKFyabQzw
------------------------------------------------------
8b47310c168f22c72a263437f2d246d0
Message_from_PerInge.doc
3072:hHNqm9x2CAUT5KAbTLwQ59LJWKMFjBKFyabQlzIeLw:htqAcCAU1KSTUoxJXKjBKFyabQzw
------------------------------------------------------
ad3aa76dd54f6be847b927855be16c61
Running Mate.doc
3072:hHNqm9x2CAUTDKRTnwQ59LJWKMFjBKFaeoLzIeLw:htqAcCAUXKRTwoxJXKjBKFaeoNw
------------------------------------------------------
7e3770351aed43fd6c5cab8e06dc0300
iPhone 5 Battery.doc
3072:hHNqm9x2CAUTuKRTnwQ59LJWKMFjBKFS/JEVglzIeLw:htqAcCAUCKRTwoxJXKjBKFShEVgzw
------------------------------------------------------
Automatic scans
919708b75b1087f863b6b49a71eb133d
MedalTop10.doc
SHA256: 2904c0f9786253e4a7327e816cbbb173274f056d074ad8259f79af2216363333
SHA1: c0a8ce03dc262ddef0c8a74b4619f17ba164b9d7
MD5: 919708b75b1087f863b6b49a71eb133d
File size: 291.5 KB ( 298496 bytes )
File type: MS Word Document
Tags: cve-2012-1535 doc exploit
Detection ratio: 9 / 42
Analysis date: 2012-08-17 02:20:33 UTC ( 2 hours, 57 minutes ago )
AhnLab-V3 Dropper/Cve-2012-1535 20120816
Avast SWF:CVE-2012-1535 [Expl] 20120816
Commtouch MSWord/SWFDropper.A!Camelot 20120817
GData SWF:CVE-2012-1535 20120817
Kaspersky Exploit.SWF.Agent.gq 20120817
Microsoft Exploit:SWF/ShellCode.G 20120817
nProtect Exploit/W32.CVE-2012-1535.298496.B 20120816
Sophos Troj/SwfExp-BB 20120817
TrendMicro-HouseCall - 20120817
ViRobot SWF.A.EX-Agent.298496 20120816
c0c83fe9f21560c3be8dd13876c11098
page 1-2.doc
SHA256: 5332fec6d0dc326718152e8c17125ba44f1e4c2c0e8659fc671758501274d0f2
SHA1: f0280d29b42aefeb46555af39af651780001e749
MD5: c0c83fe9f21560c3be8dd13876c11098
File size: 291.5 KB ( 298496 bytes )
File name: page 1-2.doc
File type: MS Word Document
Tags: cve-2012-1535 doc exploit
Detection ratio: 14 / 42
Analysis date: 2012-08-16 14:21:44 UTC ( 14 hours, 58 minutes ago )
AhnLab-V3 Dropper/Cve-2012-1535 20120816
Avast SWF:CVE_2012_1535 [Expl] 20120816
BitDefender Exploit.Shellcode.AV 20120816
Commtouch MSWord/SWFDropper.A!Camelot 20120816
Emsisoft Exploit.SWF.Shellcode!IK 20120816
F-Secure Exploit.Shellcode.AV 20120816
Fortinet W32/Baddoc.B!tr 20120816
GData Exploit.Shellcode.AV 20120816
Ikarus Exploit.SWF.Shellcode 20120816
Kaspersky Exploit.SWF.Agent.gq 20120816
Microsoft Exploit:SWF/ShellCode.G 20120816
nProtect Exploit/W32.CVE-2012-1535.298496.C 20120816
Sophos Troj/SwfExp-BB 20120816
Symantec Trojan.Mdropper 20120816
65090678746d74b4f32cc5977e2bad95
tickets.doc
SHA256: b88996c2b43400a3ddbaa7f28889f06e85f088e6213ed45fb08b1ada835eb563
SHA1: 8e455149a77006b2ddf2150451a24bc841bae434
MD5: 65090678746d74b4f32cc5977e2bad95
File size: 291.5 KB ( 298496 bytes )
File type: MS Word Document
Detection ratio: 8 / 42
Analysis date: 2012-08-17 05:24:51 UTC ( 0 minutes ago )
AhnLab-V3 Dropper/Cve-2012-1535 20120816
Avast SWF:CVE-2012-1535 [Expl] 20120816
Commtouch MSWord/SWFDropper.A!Camelot 20120817
GData SWF:CVE-2012-1535 20120817
Kaspersky Exploit.SWF.Agent.gq 20120817
Microsoft Exploit:SWF/ShellCode.G 20120817
Sophos Troj/SwfExp-BB 20120817
Symantec Trojan.Mdropper 20120817
d512d9544907a3589eba64f196aec0d7
TYBRIN Project Review Report_Aug 12.doc
SHA256: 9ebbafd859ccdd87bebf9562d4d15eef05ddc5f939e77e03d2e40591328558da
SHA1: 893b8ddafc1f127f189a439bef5f1e9f46caaeda
MD5: d512d9544907a3589eba64f196aec0d7
File size: 291.5 KB ( 298496 bytes )
File name: TYBRIN Project Review Report_Aug 12.cod
File type: MS Word Document
Detection ratio: 0 / 42
Analysis date: 2012-08-13 23:20:32 UTC ( 3 days, 6 hours ago )
8b47310c168f22c72a263437f2d246d0
Message_from_PerInge.doc
SHA256: d5ad0a664731e1dee43c493c92bf8db2bd6831cf0bd15f89b65e0bbb4a72b35b
SHA1: f58d019756ba41b117f070c8acb9addba6b119fc
MD5: 8b47310c168f22c72a263437f2d246d0
File size: 291.5 KB ( 298496 bytes )
File name: Message_from_PerInge.doc
File type: MS Word Document
Detection ratio: 0 / 39
Analysis date: 2012-08-13 12:36:18 UTC ( 3 days, 16 hours ago )
ad3aa76dd54f6be847b927855be16c61
Running Mate.doc
n/a
7e3770351aed43fd6c5cab8e06dc0300
iPhone 5 Battery.doc
SHA256: 742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3
SHA1: b4562ef0cd54234374ff9d24e0d1b01c1db5e873
MD5: 7e3770351aed43fd6c5cab8e06dc0300
File size: 291.5 KB ( 298496 bytes )
File name: file-4380428_
File type: MS Word Document
Tags: cve-2012-1535 doc exploit
Detection ratio: 15 / 42
Analysis date: 2012-08-17 02:10:07 UTC ( 3 hours, 21 minutes ago )
AhnLab-V3 Dropper/Cve-2012-1535 20120816
Avast SWF:CVE-2012-1535 [Expl] 20120816
Commtouch MSWord/SWFDropper.A!Camelot 20120817
Emsisoft Exploit.SWF.Shellcode!IK 20120817
ESET-NOD32 SWF/Exploit.CVE-2012-1535.A 20120816
F-Prot CVE2012153 20120817
GData SWF:CVE-2012-1535 20120817
Ikarus Exploit.SWF.Shellcode 20120817
Kaspersky Exploit.SWF.Agent.gq 20120817
Microsoft Exploit:SWF/ShellCode.G 20120817
nProtect Exploit/W32.CVE-2012-1535.298496 20120816
Sophos Troj/SwfExp-BB 20120817
Symantec Trojan.Mdropper 20120817
TrendMicro TROJ_MDROP.EVL 20120817
TrendMicro-HouseCall - 20120817
ViRobot DOC.S.CVE-2012-1535.298496 20120816
Mila,
Something went wrong with VT as Sophos detects all 7 files. Thanks for these samples :)
pob
Good job, some vendors detect it as shellcode, some identified the CVE no.
Hello Mila
Thanks for the blog.
Do you have an HTML PoC, SWF PoC or ActionScript?
Yesterday Adobe released APSB12-18, which addressed CVE-2012-1535. As noted in the Adobe bulletin, the vulnerability has been actively exploited in the wild, though primarily in targeted attacks wrapped in Microsoft Word documents.
What's the password for the archive?
Email me. Address is in the profile.