Showing posts with label Samples.

Friday, April 1, 2011

Version 4 April 2011 - 11,355+ Malicious documents - archive for signature testing and research

NEWER collection is here http://contagiodump.blogspot.com/2013/03/16800-clean-and-11960-malicious-files.html

Here is a collection of malicious PDF, DOC, XLS, PPT and PPS files that can be used for testing your product signatures, en masse analysis, or as a malware aquarium starter kit.

Files are NOT password protected inside the archive, but a "=" has been appended to their extensions. Remove the "=" if you need to run them.

1) COLLECTION 1 - 251 files (up from 240; 70 MB) - Email attachments from targeted attacks
Contagio collection (many but not all are posted on Contagio). These are email attachments; 99% of them are from targeted or spear-phishing attacks. It includes COLLECTION 2 (0-day files). Sorted by CVE + date received. -- New

2) COLLECTION 2 - 10 files (up from 7; 3 MB) - Zero-day files
Collection of files that were original 0-day files, i.e. first received by Contagio or first posted online (see "PDF threats" on the Malware Tracker blog for the timeline). Sorted by CVE + date received. -- New

3) COLLECTION 3 (from Stephan Chenette) - 118 files (5 MB) - Web exploit PDF files

4) COLLECTION 4 (from Stephan Chenette) - 10,980 files (243 MB) - Web exploit PDF files (I think they all are PDF)
An awesome and huge collection of files (COLLECTIONS 3 and 4) kindly provided by Stephan the Great ;), creator of Fireshark, the web analysis tool. These files were collected online and mostly come from exploit packs and drive-by exploits. Sorted by SHA1 hash. -- New

5) COLLECTION 5 - Non-malicious PDF collection (from Stephan Chenette) - 6,052 clean files (1.4 GB), to make sure your product does not detect them as bad (there is no password on the zip with clean PDFs). -- New

6) COLLECTION 6 - http://contagiodump.blogspot.com/2011/03/request-for-samples.html - a few targeted attack samples there

P.S. If this was not enough and you want "MOAR", check out Links and resources for malware samples.

Download COLLECTION-1 | Download COLLECTION-2 | Download COLLECTION-3 | Download COLLECTION-4 | Download NON-MALICIOUS-COLLECTION-5

Password protected archives, email me if you need the password.

See what is included in each collection below:

Wednesday, August 11, 2010

Aug 3 CVE-2010-0188 PDF Asian Regionalism and US Policy

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors


UPDATE August 11, 2010: Many thanks to binjo (@binjo), xanda (@xanda), Matthew de Carteret (@lordparody) and Tyler M from Vicheck.ca for additional information and analysis of the attachment.


Download 126939c66f62baaa0784d4e7f5b4d973 Asian_Regionalism_and_US_Policy and all the files listed below as a password protected archive (please contact me for the password if you need it).

From: XXXXXXXX [mailto:XXXXXXXXXXX@yahoo.com]
Sent: Tuesday, August 03, 2010 8:18 AM
To: XXXXXXXXXXXX
Subject: Asian Regionalism and US Policy

Dear All,

Recently I read an excellent article.

Maybe you are interested in it.

FYI.

Best,
XXXXXX

File Asian_Regionalism_and_US_Policy.p received on 2010.08.05 05:00:51 (UTC)
http://www.virustotal.com/analisis/d4323260646038181015f91cc83fc310b9f4901bb2c187cc5580ff15ae798737-1280984451
Result: 7/41 (17.08%)
Antivirus     Version     Last Update     Result
Authentium    5.2.0.5    2010.08.05    JS/CVE-0188
BitDefender    7.2    2010.08.05    Exploit.PDF-JS.Gen
F-Prot    4.6.1.107    2010.08.05    JS/CVE-0188
F-Secure    9.0.15370.0    2010.08.05    Exploit.PDF-JS.Gen
GData    21    2010.08.05    Exploit.PDF-JS.Gen
Microsoft    1.6004    2010.08.04    Exploit:Win32/Pdfjsc.gen!B
nProtect    2010-08-04.01    2010.08.04    Exploit.PDF-JS.Gen
Additional information
File size: 168331 bytes
MD5...: 126939c66f62baaa0784d4e7f5b4d973

Headers
Received: from [173.244.197.210] by web120020.mail.ne1.yahoo.com via HTTP; Tue, 03 Aug 2010 05:17:59 PDT
X-Mailer: YahooMailClassic/11.2.4 YahooMailWebService/0.8.105.279950
Date: Tue, 3 Aug 2010 05:17:59 -0700
From: "XXXXXXXXXXX"
Subject: Asian Regionalism and US Policy
To: XXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1610185150-1280837879=:30394"

173.244.197.210 (Tor)
Hostname:    anonymizer2.torservers.net
ISP:    Hosting Services
Organization:    Hosting Services
Proxy:    Confirmed proxy server.
State/Region:    Utah
City:    Providence

=============
Test on WinXP SP2 with Adobe 8 and 9.3.0

Created files
%tmp%\1.dat
File: 1.dat
Size: 168331
MD5: 126939C66F62BAAA0784D4E7F5B4D973 (same as the PDF itself)
%tmp%\A9R3302.tmp
File: A9R3302.tmp
Size: 358
MD5: AD395DBE5B8E5005CF87EC6B0958AB09
%tmp%\jackjon.exe
File: jackjon.exe
Size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E (the MD5 of an empty file; the dropper wrote nothing into it)

Thursday, July 29, 2010

Jul 29 CVE-2010-0188 PDF Defense New Thinks


CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors



Download 5e0e5951ca4626a891344e38e0085d58 Defense_Attache.pdf as a password protected archive (please contact me for the password if you need it).

From: Gillian Medina [mailto:gillianmedina@hotmail.com]
Sent: Thursday, July 29, 2010 4:31 AM
To: randolph.strong@us.army.mil
Subject: Defense New Thinks

Defense New Thinks 


File Defense_Attache.pdf received on 2010.08.02 03:25:36 (UTC)
http://www.virustotal.com/analisis/c6a606ebb758ed5f7e552019d656dab7cda723617819f583ceef797cfc9cfbf5-1280719536
Result: 11/42 (26.2%)
Antivirus     Version     Last Update     Result
Antiy-AVL    2.0.3.7    2010.08.02    Exploit/Win32.Pidief
Avast    4.8.1351.0    2010.08.02    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.08.02    PDF:CVE-2010-0188
DrWeb    5.0.2.03300    2010.08.02    Exploit.PDF.1046
eTrust-Vet    36.1.7753    2010.07.31    PDF/CVE-2010-0188!exploit
GData    21    2010.08.02    PDF:CVE-2010-0188
Ikarus    T3.1.1.84.0    2010.08.02    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.08.02    Exploit.Win32.Pidief.dci
McAfee-GW-Edition    2010.1    2010.08.01    Heuristic.BehavesLike.PDF.Suspicious.L
NOD32    5331    2010.08.01    a variant of PDF/CVE-2010-0188
Sophos    4.56.0    2010.08.02    Troj/PDFJs-II
Additional information
File size: 73708 bytes
MD5...: 5e0e5951ca4626a891344e38e0085d58


Headers
Received: from SNT133-W12 ([65.55.90.71]) by snt0-omc2-s32.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Thu, 29 Jul 2010 01:31:18 -0700
Message-ID:
Return-Path: gillianmedina@hotmail.com
Content-Type: multipart/mixed;
    boundary="_e55064e7-b368-4f85-ab6f-7c8fd62fce86_"
X-Originating-IP: [113.225.75.65]
From: Gillian Medina
To:
Subject: Defense New Thinks
Date: Thu, 29 Jul 2010 01:31:18 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Jul 2010 08:31:18.0425 (UTC) FILETIME=[6A87E890:01CB2EF8]

Hostname:    113.225.75.65
ISP:    China Unicom Liaoning province network
Organization:    China Unicom Liaoning province network
Type:    Broadband
Assignment:    Static IP
State/Region:    Liaoning
City:    Shenyang

This IP is on many blacklists http://www.robtex.com/ip/113.225.75.65.html#blacklists


Wednesday, July 7, 2010

Jul 7 CVE-2010-0188 PDF Britain intelligence service started analysis of the spy radio

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors

The message attachment name says "Britain intelligence service started analysis of the spy radio". Then the body says "internal info".
While it can lure in a few readers, I'd say it is a very inane attempt to get into the targeted attack business. In general, I have not seen any high-quality (zero-day, low-detection) or well-designed targeted messages that clearly originated in Russia (not to say they don't exist). If you did see any convincing targeted attacks that were, or looked like they were, from Russia and are as good as these, please let me know. I have a few more editorial comments regarding espionage in general and targeted attacks in particular, but I should probably leave them out and let you have fun with the attachment. Let me know if you find anything extra interesting inside (M).


Download bfa67a03fd7d88b9b7ebeb5cae3cd95a as a password protected archive (please contact me for the password if you need it).




-----Original Message-----
From: usadog@mail.ru [mailto:usadog@mail.ru]
Sent: Wednesday, July 07, 2010 5:56 AM
To: aa@minprom.gov.ru
Subject: Britan razvedka mi5 vstupila v rassledovanie racci shpiona

vnutr.infa.


File Britan_razvedka_mi5_vstupila_v_ra received on 2010.07.07 17:10:19 (UTC)
http://www.virustotal.com/analisis/d788e52e6999e1a162d04ebc9d211f1c1d6ca41636a97709b058d44ba2f70829-1278522619
Result: 15/41 (36.59%)
Antivirus     Version     Last Update     Result
AntiVir     8.2.4.10     2010.07.07     EXP/Pidief.529300
Authentium     5.2.0.5     2010.07.07     JS/Pdfka.AD
Avast     4.8.1351.0     2010.07.07     PDF:CVE-2010-0188
Avast5     5.0.332.0     2010.07.07     PDF:CVE-2010-0188
BitDefender     7.2     2010.07.07     Exploit.TIFF.Gen
eTrust-Vet     36.1.7690     2010.07.07     PDF/Pidief.RV
F-Prot     4.6.1.107     2010.07.07     JS/Pdfka.AD
F-Secure     9.0.15370.0     2010.07.07     Exploit.TIFF.Gen
McAfee     5.400.0.1158     2010.07.07     Exploit-PDF.q.gen!stream
McAfee-GW-Edition     2010.1     2010.07.05     Heuristic.BehavesLike.PDF.Suspicious.O
PCTools     7.0.3.5     2010.07.07     Trojan.Pidief
Sophos     4.54.0     2010.07.07     Troj/PDFJs-II
Symantec     20101.1.0.89     2010.07.07     Trojan.Pidief.I
VirusBuster     5.0.27.0     2010.07.06     Exploit.JS.Pdfka.T
Additional information
File size: 531530 bytes
MD5   : bfa67a03fd7d88b9b7ebeb5cae3cd95a

Tuesday, July 6, 2010

Jul 6 CVE-2010-1297 PDF EPA's Water Sampling Report from spoofed OCSPP@epa.gov


Download 719cf2bab291da52e495b86929b7ea7d and 0733c4e2122cdfcfdd4699a3cbdc8b40 as a password protected archive (contact me if you need the password).



From: Office of Chemical Safety and Pollution Prevention, EPA [mailto:OCSPP@epa.gov]
Sent: Tuesday, July 06, 2010 5:31 AM
To: XXXXXXXXXXXXX
Subject: EPA's Water Sampling Report
Importance: High

EPA surface water samples collected June 17 - 26, 2010 along the Gulf Coast did not reveal elevated levels of chemicals found in oil.

Surface water results collected May 21 through June 24, 2010 along the coast of Louisiana were measured for two of the chemicals associated with dispersants (2-Butoxyethanol and 2-Ethylhexyl Alcohol).
Why is EPA sampling and monitoring the water?

EPA’s water sampling process includes the collection of the sample, laboratory analyses and data verification (which ensures high quality data). These steps take about 7 days to complete before the data can be posted on EPA’s website. As such, the data EPA posts is not representative of current conditions but rather is a snapshot in time for a given location. We continue to take water samples and will post data as soon as it becomes available.
My water tastes or smells different.  What should I do?

You can contact the Joint Information Center, or JIC, located in the heart of the response effort. The JIC is a coordination center for federal, state and local responding agencies. You may call the JIC at 985-902-5231.


File water_update_part2.pdf received on 2010.07.07 11:39:21 (UTC)
http://www.virustotal.com/analisis/8f60aa88853eec6e0ffce6ea2a8916a597ff105b6e4a087454b2a9bfa82ef4c8-1278502761
Result: 14/41 (34.15%)
Antivirus     Version     Last Update     Result
AntiVir    8.2.4.10    2010.07.07    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.07.07    Exploit/SWF.CVE-2010-1297
Avast    4.8.1351.0    2010.07.06    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.06    JS:Pdfka-AIX
eTrust-Vet    36.1.7690    2010.07.07    SWF/CVE-2010-1297.A!exploit
F-Secure    9.0.15370.0    2010.07.07    Exploit.PDF-Name.Gen
GData    21    2010.07.07    Exploit.PDF-Name.Gen
Kaspersky    7.0.0.125    2010.07.07    Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition    2010.1    2010.07.05    Heuristic.BehavesLike.PDF.Suspicious.O
nProtect    2010-07-07.01    2010.07.07    Exploit.PDF-Name.Gen
PCTools    7.0.3.5    2010.07.07    Trojan.Pidief
Sophos    4.54.0    2010.07.07    Mal/PDFEx-D
Symantec    20101.1.0.89    2010.07.07    Trojan.Pidief.J
Additional information
File size: 427577 bytes
MD5...: 719cf2bab291da52e495b86929b7ea7d

File water_update_part1.pdf received on 2010.07.06 12:56:30 (UTC)
http://www.virustotal.com/analisis/1cffccaf528a882f781fb179a32356bfb176d683059c89faf81d7a51687330e0-1278420990
Result: 14/41 (34.15%)
Antivirus     Version     Last Update     Result
AntiVir     8.2.4.2     2010.07.06     EXP/CVE-2010-1297
Antiy-AVL     2.0.3.7     2010.07.06     Exploit/SWF.CVE-2010-1297
Avast     4.8.1351.0     2010.07.06     JS:Pdfka-AIX
Avast5     5.0.332.0     2010.07.06     JS:Pdfka-AIX
BitDefender     7.2     2010.07.06     Exploit.PDF-Name.Gen
eTrust-Vet     36.1.7688     2010.07.06     SWF/CVE-2010-1297.A!exploit
F-Secure     9.0.15370.0     2010.07.06     Exploit.PDF-Name.Gen
GData     21     2010.07.06     Exploit.PDF-Name.Gen
Kaspersky     7.0.0.125     2010.07.06     Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition     2010.1     2010.07.05     Heuristic.BehavesLike.PDF.Suspicious.O
nProtect     2010-07-06.01     2010.07.06     Exploit.PDF-Name.Gen
PCTools     7.0.3.5     2010.07.06     Trojan.Pidief
Sophos     4.54.0     2010.07.06     Mal/PDFEx-D
Symantec     20101.1.0.89     2010.07.06     Trojan.Pidief.J
Additional information
File size: 531280 bytes
MD5   : 0733c4e2122cdfcfdd4699a3cbdc8b40


Headers
Received: from pacificteaze.com (HELO ESMTP) (68.122.214.114)
  by XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Received: from SRV001([10.1.0.25]) by SMTPSRV (AIMC 2.9.5.7)with SMTP id tm393855644;
From: "Office of Chemical Safety and Pollution Prevention, EPA"
To: XXXXXXXXXXXXXXXXXXXX
Subject: EPA's Water Sampling Report
Sender: "Office of Chemical Safety and Pollution Prevention, EPA"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="= Multipart Boundary 0706100230"
Date: Tue, 6 Jul 2010 02:30:59 -0700
X-Priority: 2
Priority: urgent
X-MSMail-Priority: High
Message-ID: <20100706093059109.2D45410B3A2B4742@server1>
X-Scanned: By Symantec Anti-Virus Scan Engine
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

68.122.214.114
Hostname:    pacificteaze.com
ISP:    SBC Internet Services
Organization:    Pacific Teaze
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
 Country:    United States
State/Region:    California
City:    Chatsworth

Thursday, July 1, 2010

July 01 CVE-2009-4324 PDF draft document from ly203972@gmail.com


Download d3c23ff3f116f0f80cb8d3e0e1496d93 ATT58351.pdf as a password protected archive (contact me if you need the password).
From: 楊千惠 [mailto:ly203972@gmail.com]
Sent: Thursday, July 01, 2010 10:57 PM
Subject: 輸入文件初稿,請參考!

提供輸入文件議題之粗淺資料,請大家參考指教。加油! 

From: Yang Qianhui [mailto:ly203972@gmail.com]
Sent: Thursday, July 01, 2010 10:57 PM
Subject: draft document..
 
Issue of providing superficial information on the input file, please refer to teach. Come on!


File ATT58351.pdf received on 2010.07.04 03:26:21 (UTC)
http://www.virustotal.com/analisis/310f2caa515f58c48b355a3813b48512201d419495f8410e97c8c9e8512da0a1-1278213981
Result: 12/41 (29.27%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.03    Exploit.JS.Pdfka!IK
AntiVir    8.2.4.2    2010.07.02    EXP/Pidief.244965
BitDefender    7.2    2010.07.04    Exploit.PDF-JS.Gen
CAT-QuickHeal    11.00    2010.06.30    Exploit.PDF.FlateDecode
DrWeb    5.0.2.03300    2010.07.04    Exploit.PDF.687
F-Prot    4.6.1.107    2010.07.03    JS/ShellCode.X.gen
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-JS.Gen
GData    21    2010.07.04    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.84.0    2010.07.03    Exploit.JS.Pdfka
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.JS.BufferOverflow.A
Norman    6.05.10    2010.07.03    JS/Shellcode.FL
nProtect    2010-07-03.02    2010.07.03    Exploit.PDF-JS.Gen
Additional information
File size: 272098 bytes
MD5...: d3c23ff3f116f0f80cb8d3e0e1496d93 



Vicheck result
PDF Exploit call to media.newPlayer CVE-2009-4324 
https://www.vicheck.ca/malware.php?hash=d3c23ff3f116f0f80cb8d3e0e1496d93 

Jul 01 CVE-2009-4324 results of press conference from chwenwen@ntu.edu.tw



Download 949265ee1d3e587152a23311a85b3be9 ATT49937.pdf as a password protected archive (contact me if you need the password).

-----Original Message-----
From: chwenwen@ntu.edu.tw [mailto:chwenwen@ntu.edu.tw]
Sent: Thursday, July 01, 2010 10:15 AM
To: XXXXXXXXXXXXXXX
Cc: XXXXXXXXXXXXXXXXXXXX
Subject: 第五次江陳會談成果記者會本會賴主委講話稿

各位專家學者,您好:
  謹寄送第五次江陳會談成果記者會本會賴主委講話稿,請參考,謝謝。
陸委會聯絡處敬上
                                              99.07.01


From: chwenwen@ntu.edu.tw [mailto: chwenwen@ntu.edu.tw]
Sent: Thursday, July 01, 2010 10:15 AM
To: XXXXXXXXXXXXXXXXXXXX
Cc: XXXXXXXXXXXXXX
Subject: results of the fifth meeting press conference Jiang Chen Lai-chairman of the Council speeches

The experts and scholars, Hello:
  Would like to send the results of the fifth meeting press conference Jiang Chen Lai-chairman of the Council speeches, see, thank you.
Sincerely, MAC Liaison
                                              99.07.01

File ATT49937.pdf received on 2010.07.04 04:20:55 (UTC)
http://www.virustotal.com/analisis/cd4deed862ab102e7fbccc85ee87b09fbb3e6374b51b99f97c904abd4b590f01-1278217255
Result: 9/41 (21.96%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.03    Trojan.SWF.HeapSpray!IK
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-gen
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-gen
BitDefender    7.2    2010.07.04    Trojan.SWF.HeapSpray.C
F-Prot    4.6.1.107    2010.07.03    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.07.03    Trojan.SWF.HeapSpray.C
GData    21    2010.07.04    Trojan.SWF.HeapSpray.C
Ikarus    T3.1.1.84.0    2010.07.03    Trojan.SWF.HeapSpray
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
Additional information
File size: 270909 bytes
MD5...: 949265ee1d3e587152a23311a85b3be9

Vicheck.ca results
PDF Exploit call to media.newPlayer CVE-2009-4324
https://www.vicheck.ca/md5query.php?hash=949265ee1d3e587152a23311a85b3be9


Headers

Received: from wmail1.cc.ntu.edu.tw (HELO wmail1.cc.ntu.edu.tw) (140.112.2.161)
  by XXXXXXXXXXXXXXXXXXXXXX
Received: from localhost (localhost [127.0.0.1])
    by wmail1.cc.ntu.edu.tw (Postfix) with ESMTP id 5D3F135E83D;
    Thu,  1 Jul 2010 22:15:01 +0800 (CST)
Received: from 218.94.121.180 ([218.94.121.180]) by wmail1.cc.ntu.edu.tw
 (Horde Framework) with HTTP; Thu, 01 Jul 2010 22:15:01 +0800
Message-ID: <20100701221501.13862298y1rjpnmt@wmail1.cc.ntu.edu.tw>
Date: Thu, 1 Jul 2010 22:15:01 +0800
Disposition-Notification-To: chwenwen@ntu.edu.tw
From: chwenwen@ntu.edu.tw
To: XXXXXXXXXXXXX
CC: XXXXXXXXXXXXXXX
Subject: =?big5?b?ssSkraa4pr+zr7d8vc2mqKpHsE+qzLd8pbu3fL/gpUSpZcG/uNy9Wg==?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_1ziwulawet45"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.5)
 
218.94.121.180
Hostname:    218.94.121.180
ISP:    Data Communication Division
Organization:    CHINANET jiangsu province network
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
Country:    China
State/Region:    Beijing
City:    Beijing 

Jul 01 CVE-2010-0188 PDF phone calls from imxjih@limousinehire.za.net

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors


Download PhoneCalls.pdf a38a70821c62be2996ac1c28575f2fd2 as a password protected archive (please contact me for the password if you need it).


-----Original Message-----
From: james [mailto:imxjih@limousinehire.za.net]
Sent: Thursday, July 01, 2010 6:18 PM
To: XXXXXXXXXXXXXXX
Cc: XXXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXXXXX
Subject: phone calls

Hey man..

Remember all those long distance phone calls we made.
Well I got my telephone bill and WOW.
Please help me and look at the bill see which calls where yours ok..


File PhoneCalls.pdf received on 2010.07.04 03:49:02 (UTC)
http://www.virustotal.com/analisis/61c1eb84397b0f4459e73b6e91ef2fc768d14967ea1a7ef5bf712464d7ce0869-1278215342
Result: 18/41 (43.91%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.03    Exploit.Win32.Pidief!IK
AntiVir    8.2.4.2    2010.07.02    EXP/Pidief.haa
Avast    4.8.1351.0    2010.07.03    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.07.03    PDF:CVE-2010-0188
BitDefender    7.2    2010.07.04    Exploit.TIFF.Gen
eTrust-Vet    36.1.7684    2010.07.03    PDF/CVE-2010-0188!exploit
F-Secure    9.0.15370.0    2010.07.03    Exploit.TIFF.Gen
GData    21    2010.07.04    Exploit.TIFF.Gen
Ikarus    T3.1.1.84.0    2010.07.03    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.07.04    Exploit.Win32.Pidief.dci
McAfee    5.400.0.1158    2010.07.04    Exploit-PDF.pp!stream
McAfee-GW-Edition    2010.1    2010.07.02    Exploit-PDF.pp!stream
Microsoft    1.5902    2010.07.03    Exploit:Win32/Pdfjsc.gen!B
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Sophos    4.54.0    2010.07.03    Troj/PDFJs-II
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.I
TrendMicro    9.120.0.1004    2010.07.04    TROJ_PDFJSC.AR
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PDFJSC.AR
Additional information
File size: 2616 bytes
MD5...: a38a70821c62be2996ac1c28575f2fd2

Headers
Received: from 201-34-210-6.gnace703.dsl.brasiltelecom.net.br (HELO 201-34-210-6.gnace703.dsl.brasiltelecom.net.br) (201.34.210.6)
  by XXXXXXXXXXXXXXXXXXXXXXXXXXX
Date: Thu, 1 Jul 2010 19:17:31 -0300
Message-ID: <000e01cb196b$32fcbb50$00426d68@uryqmxukq>
From: james
To:
CC: XXXXXXXXXXXX
Subject: phone calls
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------4016D0ETO0O036L"

Hostname:    201-34-210-6.gnace703.dsl.brasiltelecom.net.br
ISP:    Brasil Telecom S/A - Filial Distrito Federal
Organization:    Brasil Telecom S/A - Filial Distrito Federal
Type:    Broadband
Assignment:    Dynamic IP
Country:    Brazil
State/Region:    Goias

Wednesday, June 30, 2010

Jun 30 CVE-2010-1297 PDF 2020 National Defense Industrial Strategy Forum from techdm@csistdup.org.tw


Download 497bd7eb4be6ae9b68c624e3fb594502 2020.pdf as a password protected archive (contact me if you need the password).

File 2020.pdf received on 2010.07.04 05:20:15 (UTC)
http://www.virustotal.com/analisis/000c6d021e9678184f059dd1dfacf75558bdd3f62e259e789836005efbf0e6b1-1278220815
Result: 14/41 (34.15%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.03    Exploit.SWF.CVE-2010-1297!IK
AntiVir    8.2.4.2    2010.07.02    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.07.02    Exploit/SWF.CVE-2010-1297
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-Name.Gen
eTrust-Vet    36.1.7684    2010.07.03    SWF/CVE-2010-1297.A!exploit
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-Name.Gen
GData    21    2010.07.04    Exploit.PDF-Name.Gen
Ikarus    T3.1.1.84.0    2010.07.03    Exploit.SWF.CVE-2010-1297
Kaspersky    7.0.0.125    2010.07.04    Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
nProtect    2010-07-04.01    2010.07.04    Exploit.PDF-Name.Gen
Sophos    4.54.0    2010.07.04    Mal/PDFEx-D
Additional information
File size: 237302 bytes
MD5...: 497bd7eb4be6ae9b68c624e3fb594502


Headers
Received: from mta-101.dothome.co.kr (HELO mta-101.dothome.co.kr) (211.239.118.134)
  by XXXXXXXXXXXXXXXXX
X-AuthUser: aks@a-one.co.kr
Received: from techdm ([218.234.32.224]:4032)
    by mta-101.dothome.co.kr with [XMail 1.22 PassKorea090507 ESMTP Server]
     ...
    Wed, 30 Jun 2010 23:21:06 +0900
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@techdm212af2ce2>
From: "???K??"
To: XXXXXXXXXXXXXXX
Subject: =?big5?B?MjAyMLDqqL6s7KfesqO3frWmsqS9177CrKGwyg==?=
Date: Wed, 30 Jun 2010 22:07:21 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000B_01CB18A0.9EBCFA10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579


218.234.32.224
Hostname:    218.234.32.224
ISP:    Hanaro Telecom Co.
Organization:    ARO INFORMATION TECH
Type:    Broadband
Assignment:    Static IP
Country:    Korea, Republic of
State/Region:    Soul-t'ukpyolsi
City:    Seocho


From: 李沛怡 [mailto:techdm@csistdup.org.tw]
Sent: Wednesday, June 30, 2010 10:07 AM
To: XXXXXXXXXXXX
Subject: 2020 National Defense Technology Industry Strategy Forum event

The Chungshan Institute of Science and Technology (CSIST) plans to hold the "2020 National Defense Technology Industry Strategy Forum" at 09:30 AM on July 29 of ROC year 99 (2010), Thursday, in Building W48 of the institute's Longyuan Research Park. Alliance members and people from all sectors are welcome to sign up.

1. Purpose of the forum:
CSIST plans to hold the "2020 National Defense Technology Industry Strategy Forum" at Longyuan Research Park on July 29 of ROC year 99 (2010). The theme is "Integrating industrial and academic technology capacity to promote the defense technology industry", with the sub-topics (1) linking with neighboring science parks to develop military-civilian technology, (2) converting defense technology to create industrial value, and (3) bringing in private-sector resources to build self-reliant national defense.
The event will be chaired by Executive Secretary Wan Chi-chao of the Executive Yuan's Science and Technology Advisory Group, with the heads of the Industrial Development Bureau, the Department of Industrial Technology, the Small and Medium Enterprise Administration and the Armaments Bureau as co-chairs, to hear the valuable opinions of Defense Technology Industry Alliance members (industry and academia) on the future release of defense technology capacity and on opportunities to take part in defense R&D. The aim is to reach a consensus on an industry-academia-research strategy direction through this event, complete a report on the 2020 strategy for developing our national defense technology industry, and provide it to the government agencies in charge of industry (Ministry of Economic Affairs) and of defense decision-making (Ministry of National Defense) as a reference for promoting the defense industry and dual-use (military-civilian) technology policy.

2. Date and venue
1. Date: July 29 of ROC year 99 (2010), Thursday
2. Time: 09:30 AM to 15:30 PM
3. Venue: 1st floor, Building W48, Longyuan Research Park (International Conference Hall)

3. How to register
1. Fax: 03-4117119
2. E-mail: techdm@csistdup.org.tw

4. Registration deadline: July 15 of ROC year 99 (2010)

5. Contact: Ms. Li Pei-yi, tel. 03-4712201 ext. 32982

Monday, June 28, 2010

Jun 28 CVE-2010-1297 Global Economic Policies and Prospects from xxx.crisisgroup.org


Download 6932d141916cd95e3acaa3952c7596e4 Global.pdf as a password protected archive (contact me if you need the password).


-----Original Message-----
From: Daniel Pinkston [mailto:XXXXXXXXXXXXXX]
Sent: Monday, June 28, 2010 12:49 PM
To: sitrep@crisisgroup.org
Subject: Global Economic Policies and Prospects

The attachment is quite useful for you.

Sincerely

Daniel A. Pinkston, Ph.D.
North East Asia Deputy Project Director
ph: +XXXXXXXXXXX
Mobile: XXXXXXXXXXXX

File Global.pdf received on 2010.07.04 03:03:52 (UTC)
http://www.virustotal.com/analisis/ab8a06d95935b07ad241c17d2c0bd2855e0ee77b24611805cd95fd4871052311-1278212632
Result: 16/41 (39.03%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.03    Exploit.SWF.CVE-2010-1297!IK
AntiVir    8.2.4.2    2010.07.02    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.07.02    Exploit/SWF.CVE-2010-1297
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-Name.Gen
eTrust-Vet    36.1.7684    2010.07.03    SWF/CVE-2010-1297.A!exploit
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-Name.Gen
GData    21    2010.07.04    Exploit.PDF-Name.Gen
Ikarus    T3.1.1.84.0    2010.07.03    Exploit.SWF.CVE-2010-1297
Kaspersky    7.0.0.125    2010.07.04    Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
nProtect    2010-07-03.02    2010.07.03    Exploit.PDF-Name.Gen
Sophos    4.54.0    2010.07.03    Mal/PDFEx-D
TrendMicro    9.120.0.1004    2010.07.03    TROJ_PDFSWF.C
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PDFSWF.C
Additional information
File size: 492149 bytes
MD5...: 6932d141916cd95e3acaa3952c7596e4

Headers
Received: from mail.crisisweb.org (HELO mail.crisisweb.org) (217.64.242.146)
  by XXXXXXXXXXXXXXXXXXXXXXXXXXX
Received: from apaitpdc.apaitonline.org ([12.11.239.25]) by mail.crisisweb.org with Microsoft SMTPSVC(6.0.3790.4675);
     Mon, 28 Jun 2010 18:49:32 +0200
Received: from 127.0.0.1 ([127.0.0.1]) by apaitpdc.apaitonline.org with Microsoft SMTPSVC(6.0.3790.4675);
     Mon, 28 Jun 2010 09:49:13 -0700
To: ""
From: "Daniel Pinkston"
Subject: Global Economic Policies and Prospects
X-Mailer: Ghost Mail 5.1 http://ay.home.ml.org/
X-Priority: 3 (Normal)
Return-Path: XXXXXXXXXXXXXXXXXXXXXXXXX
Message-ID:
X-OriginalArrivalTime: 28 Jun 2010 16:49:13.0640 (UTC) FILETIME=[D6BDB280:01CB16E1]
Date: Mon, 28 Jun 2010 09:49:13 -0700
X-TM-AS-Product-Ver: SMEX-8.6.0.1168-6.000.1038-17472.004
X-TM-AS-Result: No--11.273500-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
MIME-Version: 1.0
X-ConvertedToMime: 1


12.11.239.25
Hostname:    apaitpdc.apaitonline.org
ISP:    AT&T WorldNet Services
Organization:    ACC-ASIAN PACIFIC AIDS INTERVENT
Proxy:    None detected
Type:    Corporate
Assignment:    Static IP
Services:    Web Server (1 or more domains)
Geolocation Information
State/Region:    California
City:    Los Angeles


Sunday, June 27, 2010

Jun 27 CVE-2009-0927 PDF Discussion on cross-strait maritime cooperation

CVE-2009-0927 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.

Download 6e14c7a424c2eef7f37810ff65650837 ATT27173.pdf as a password protected archive (contact me if you need the password).



File ATT27173.pdf received on 2010.07.04 05:42:18 (UTC)
http://www.virustotal.com/analisis/6ed5186f31852eb5533670ae0d08737940148fe8587bdc44c5474426d92362c7-1278222138
Result: 11/41 (26.83%)
Antivirus     Version     Last Update     Result
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-JS.Gen
eSafe    7.0.17.0    2010.06.30    Win32.Pidief.D
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-JS.Gen
GData    21    2010.07.04    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.cnj
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.JS.BufferOverflow.D
nProtect    2010-07-04.01    2010.07.04    Exploit.PDF-JS.Gen
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.D
Additional information
File size: 132181 bytes
MD5...: 6e14c7a424c2eef7f37810ff65650837


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=6e14c7a424c2eef7f37810ff65650837&type=js

Adobe getIcon: Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object (CVE-2009-0927)

From: 傅慰孤 [mailto:guanpen@gio.gov.tw]
Sent: Sunday, June 27, 2010 9:23 PM
To: achengster@gmail.com
Subject: 兩岸海上合作芻議

釐清當前兩岸合作的理由、方式、目的、地點與自我檢討。
-----------------------------------------------------------------
中華孫子兵法研究學會
會長傅慰孤

Terrible machine translation :)
From: 傅慰孤 [mailto: guanpen@gio.gov.tw]
Sent: Sunday, June 27, 2010 9:23 PM
To: achengster@gmail.com
Subject: Discussion on cross-strait maritime cooperation

Clarify the reasons for the current cross-strait cooperation, methods, purpose, location and self-examination.

-----------------------------------------------------------------
Research Institute of Chinese Art of War
Fu Wei-ku, president of


Thursday, June 24, 2010

Jun 17 Win XP (SP2, SP3) 0-Day - CVE-2010-1885 Samples and analysis links

Image from Trendlabs malware blog


Download the CVE-2010-1885 files listed below as a password protected archive (contact me if you need the password).


File 62f4daf19da62595609d6a0c0089fcac received on 2010.06.24 04:16:26 (UTC)
Result: 28/41 (68.29%)
Antivirus     Version     Last Update     Result
a-squared     5.0.0.30     2010.06.24     Exploit.Win32.CVE-2010-1885!IK
AhnLab-V3     2010.06.24.00     2010.06.24     Exploit/Cve-2010-1885
AntiVir     8.2.4.2     2010.06.23     EXP/CVE-2010-1885
Avast     4.8.1351.0     2010.06.23     HTML:CVE-2010-1885-A
Avast5     5.0.332.0     2010.06.23     HTML:CVE-2010-1885-A
AVG     9.0.0.836     2010.06.23     Generic2_c.AMOL
BitDefender     7.2     2010.06.24     Exploit.CVE-2010-1885.A
CAT-QuickHeal     10.00     2010.06.23     HCP/CVE-2010-1885
Comodo     5198     2010.06.23     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.06.24     Exploit.Hcp
eSafe     7.0.17.0     2010.06.23     Win32.Exploit.HelpOv
eTrust-Vet     36.1.7663     2010.06.24     HTML/HCP.A
F-Secure     9.0.15370.0     2010.06.24     Exploit.CVE-2010-1885.A
GData     21     2010.06.24     Exploit.CVE-2010-1885.A
Ikarus     T3.1.1.84.0     2010.06.24     Exploit.Win32.CVE-2010-1885
Kaspersky     7.0.0.125     2010.06.24     Exploit.HTML.CVE-2010-1885.a
McAfee     5.400.0.1158     2010.06.24     Exploit-HelpOverflow
McAfee-GW-Edition     2010.1     2010.06.23     Exploit-HelpOverflow
Microsoft     1.5902     2010.06.23     Exploit:Win32/CVE-2010-1885.A
NOD32     5223     2010.06.23     HTML/Exploit.CVE-2010-1885
nProtect     2010-06-23.02     2010.06.23     Exploit.CVE-2010-1885.A
PCTools     7.0.3.5     2010.06.24     Exploit.CVE_2010_1885
Sophos     4.54.0     2010.06.24     Mal/HcpExpl-A
Sunbelt     6498     2010.06.24     Exploit.HTML.HCP.a (v)
Symantec     20101.1.0.89     2010.06.24     Bloodhound.Exploit.337
TrendMicro     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
TrendMicro-HouseCall     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
ViRobot     2010.6.21.3896     2010.06.24     JS.S.Exploit.1938
Additional information
File size: 1938 bytes
MD5   : 62f4daf19da62595609d6a0c0089fcac