Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.

File: Asian Regionalism and US Policy.pdf
File size: 168331 bytes
File type: PDF document, version 1.8
MD5: 126939c66f62baaa0784d4e7f5b4d973
SHA1: af5a9fb44e4de0805cab5aca45700fa923754573
SHA256: d4323260646038181015f91cc83fc310b9f4901bb2c187cc5580ff15ae798737
SSDEEP: 3072:bz/6U6+yd9fDTNoUAoy4hf8yiDpCkPzXuRG/QiZTdQ3vVKnNHlxY4vmI+:br6P+ydjoUHzX4plgLeQ3QNbFml
Reported: 2010-08-05 06:24:59
Detection engine: 198
Result: PDF Exploit metasploit version of TIFF overflow CVE-2010-0188
Confidence: 100
Scan hits: 9

Embedded Executable:

XOR encryption: Yes
Bitwise ROL cipher: Yes
Replacement cipher: No
Mathematical substitution cipher: No

Search type: pdfexploit
Matching: full
ROL shift: 1
Key Length: 256 bytes
Key Unique Sum: 32540
Key Location: @3840 bytes
Key Accuracy: 80.86%
Fuzzy Errors: 6
File XOR Offset: @0 bytes
XOR Key normalized hash: 424014462a0c1e59c211c686d7cb9392
XOR Key:


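The key-recovery fields above (ROL shift, key length, key location, key accuracy, fuzzy errors) describe a known-plaintext attack on a rolling XOR/ROL layer wrapped around an embedded PE. The following Python is an added example, not vicheck.ca's code, that reconstructs such a key from a constructed sample. It relies on two properties a scanner can count on: PE headers and section padding are mostly 0x00, so at each key position the most common (un-rotated) ciphertext byte is the key byte; and fixed strings such as the DOS stub and common import names select the right key length and ROL shift, give a fuzzy-error count, and patch any key byte the frequency pass got wrong. The payload, the 256-byte key and the encoding order (XOR first, then ROL) are assumptions made for the example.

```python
"""Recover the rolling XOR key and ROL shift of an XOR/ROL-obfuscated
embedded executable. The payload, key and encoding order (XOR first,
then ROL) are assumptions made for this example; nothing here is taken
from the scanned file."""
import random
from collections import Counter

DOS_STUB = b"This program cannot be run in DOS mode"
KNOWN_STRINGS = [DOS_STUB, b"KERNEL32", b"Advapi32.dll", b"LoadLibraryA",
                 b"GetProcAddress", b"ExitProcess"]


def rol8(b, s):
    s %= 8
    return ((b << s) | (b >> (8 - s))) & 0xFF


def ror8(b, s):
    s %= 8
    return ((b >> s) | (b << (8 - s))) & 0xFF


def encode(plain, key, shift):
    """Assumed obfuscation: XOR with the rolling key, then ROL each byte."""
    return bytes(rol8(p ^ key[i % len(key)], shift) for i, p in enumerate(plain))


def decode(data, key, shift):
    """Inverse of encode: ROR each byte, then XOR with the rolling key."""
    return bytes(ror8(c, shift) ^ key[i % len(key)] for i, c in enumerate(data))


def make_key(seed, length=256):
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(length))


def build_fake_pe(seed=1):
    """Constructed stand-in for an embedded PE (not a valid executable):
    MZ header, DOS stub, zeroed headers, import names, random code, padding."""
    rnd = random.Random(seed)
    blob = bytearray(b"MZ" + bytes(62))
    blob += DOS_STUB + b".\r\r\n$"
    blob += bytes(512 - len(blob)) + b"PE\0\0" + bytes(252)
    for name in KNOWN_STRINGS[1:]:
        blob += name + bytes(32 - len(name))
    blob += bytes(rnd.getrandbits(8) for _ in range(2048))   # code section
    blob += bytes(4096)                                        # section padding
    return bytes(blob)


def frequency_key(data, key_len, shift):
    """Key byte i = most common ror(c, shift) over ciphertext bytes i, i+L, ..."""
    key = bytearray(key_len)
    for i in range(key_len):
        counts = Counter(ror8(c, shift) for c in data[i::key_len])
        key[i] = counts.most_common(1)[0][0]
    return bytes(key)


def fuzzy_find(data, needle):
    """Alignment of needle with the fewest mismatched bytes: (offset, errors)."""
    best = (0, len(needle) + 1)
    for off in range(len(data) - len(needle) + 1):
        errors = sum(a != b for a, b in zip(data[off:off + len(needle)], needle))
        if errors < best[1]:
            best = (off, errors)
            if errors == 0:
                break
    return best


def recover(data, key_lengths=(1, 2, 4, 8, 16, 32, 64, 128, 256)):
    """Try every (key length, ROL shift); keep the candidate exposing the most
    known strings; then patch the key from the DOS stub's known plaintext."""
    best = None
    for length in key_lengths:
        for shift in range(8):
            key = frequency_key(data, length, shift)
            plain = decode(data, key, shift)
            hits = sum(s in plain for s in KNOWN_STRINGS)
            if best is None or hits > best["hits"]:
                best = {"key_len": length, "shift": shift, "key": key, "hits": hits}
    key, shift = bytearray(best["key"]), best["shift"]
    off, errors = fuzzy_find(decode(data, key, shift), DOS_STUB)
    for j, p in enumerate(DOS_STUB):            # known plaintext fixes key bytes
        key[(off + j) % len(key)] = ror8(data[off + j], shift) ^ p
    best.update(key=bytes(key), stub_offset=off, fuzzy_errors=errors)
    return best


if __name__ == "__main__":
    true_key = make_key(7)
    sample = encode(build_fake_pe(), true_key, 1)
    result = recover(sample)
    print("ROL shift: %d  key length: %d  key offset: @0"
          % (result["shift"], result["key_len"]))
    print("DOS stub @%d, fuzzy errors: %d"
          % (result["stub_offset"], result["fuzzy_errors"]))
    print("key recovered exactly:", result["key"] == true_key)
```

The zero-frequency pass alone is what produces a partial key (the report's "Key Accuracy") when a sled of 0x90 bytes or a large code section outnumbers the zero padding at some positions; the known-plaintext patch is what brings those positions back, and the mismatch count from the fuzzy match is the "Fuzzy Errors" figure. A wrong ROL shift does not simply fail: it yields the plaintext rotated by the difference in shifts, which is why the candidates must be scored on recognisable strings rather than on entropy.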
Detected entities:

PDF Exploit metasploit version of TIFF overflow CVE-2010-0188 [ FlateDecode | Base64Encoded ]

Shellcode NOP Sled [ FlateDecode | Base64Encoded ]
Embedded Executable: This program cannot be run in DOS mode [3658]
Embedded Executable: KERNEL32 [4912]
Embedded Executable: Advapi32.dll [4925]
Embedded Executable: LoadLibraryA [4963]
Embedded Executable: GetProcAddress [4979]
Embedded Executable: ExitProcess [5042]
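The entity list above is the result of undoing a filter chain (FlateDecode on the PDF stream, then a Base64 layer the attacker added inside it) and scanning the decoded bytes for a NOP sled and for strings every PE carries, reporting each at its offset. The Python below is an added example of that pipeline, not vicheck.ca's scanner. The PDF it builds is a constructed two-stream sample that contains no exploit, the stream regex only handles flat dictionaries with LF line ends, and NOP_SLED_MIN is an assumed threshold.

```python
"""Extract PDF stream objects, undo FlateDecode and a Base64 layer, and
scan the decoded bytes for NOP sleds and embedded-executable strings,
reporting each with its offset. The PDF built here is a constructed
sample (not the scanned file) and NOP_SLED_MIN is an assumed threshold."""
import base64
import re
import zlib

PE_MARKERS = [b"This program cannot be run in DOS mode", b"KERNEL32",
              b"Advapi32.dll", b"LoadLibraryA", b"GetProcAddress",
              b"ExitProcess"]
NOP_SLED_MIN = 32          # assumed: this many consecutive 0x90 bytes is a sled
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
# Flat dictionary, LF line ends; a real parser must also handle nested
# dictionaries, /Length, filter arrays, CRLF and object streams.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)


def iter_streams(pdf):
    """Yield (stream dictionary, raw stream bytes) for each stream object."""
    for m in STREAM_RE.finditer(pdf):
        yield m.group(1), m.group(2)


def decode_stream(dictionary, raw):
    """Return (decoded bytes, list of layers removed, in order)."""
    layers, data = [], raw
    if b"/FlateDecode" in dictionary:
        data = zlib.decompress(data)
        layers.append("FlateDecode")
    # Base64 is not a PDF filter, so probe the inflated data for it.
    compact = re.sub(rb"\s+", b"", data)
    if compact and len(compact) % 4 == 0 and BASE64_RE.match(compact):
        data = base64.b64decode(compact)
        layers.append("Base64Encoded")
    return data, layers


def scan_entities(data):
    """Report (name, offset, length) for NOP sleds and PE strings."""
    found = []
    for m in re.finditer(rb"\x90{%d,}" % NOP_SLED_MIN, data):
        found.append(("Shellcode NOP Sled", m.start(), m.end() - m.start()))
    for marker in PE_MARKERS:
        off = data.find(marker)
        if off != -1:
            found.append(("Embedded Executable: " + marker.decode(), off, len(marker)))
    return found


def analyze(pdf):
    """One record per stream: the layers removed and the entities found."""
    results = []
    for dictionary, raw in iter_streams(pdf):
        try:
            data, layers = decode_stream(dictionary, raw)
        except zlib.error:
            results.append({"layers": ["FlateDecode(failed)"], "entities": []})
            continue
        results.append({"layers": layers, "entities": scan_entities(data)})
    return results


def _stream_obj(num, body, flate=True):
    comp = zlib.compress(body) if flate else body
    filt = b" /Filter /FlateDecode" if flate else b""
    return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(comp), filt)
            + comp + b"\nendstream\nendobj\n")


def build_sample_pdf():
    """Constructed two-stream PDF: a base64+flate payload and a plain page."""
    payload = (b"\x90" * 64 + b"MZ" + bytes(62)
               + b"This program cannot be run in DOS mode" + bytes(100)
               + b"KERNEL32\0LoadLibraryA\0GetProcAddress\0ExitProcess\0")
    return (b"%PDF-1.8\n"
            + _stream_obj(1, base64.b64encode(payload))
            + _stream_obj(2, b"BT /F1 12 Tf (Hello) Tj ET")
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for i, rec in enumerate(analyze(build_sample_pdf()), 1):
        print("stream %d: [ %s ]" % (i, " | ".join(rec["layers"])))
        for name, off, length in rec["entities"]:
            print("  %s @%d (%d bytes)" % (name, off, length))
```

Offsets are reported relative to the fully decoded stream, which is how the bracketed numbers in the entity list should be read; the same strings at the same relative spacing (DOS stub, then KERNEL32 about 1.2 KB later) are what lets a static scanner classify a blob as a dropped PE even when the sandbox run never reaches the drop.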

Repository          Status                                                          More Info

vicheck.ca          PDF Exploit metasploit version of TIFF overflow CVE-2010-0188   Confidence: 100; Scan hits: 9
VirusTotal.com      New/Nothing Found                                               none
ThreatExpert.com    New/Nothing Found                                               none
Team-CYMRU.org      New/Nothing Found                                               none


Shellcode Scan:


Exploit Scan:

Exploit: pdfexploit - PDF Exploit metasploit version of TIFF overflow CVE-2010-0188 found @8366.

Extracted 25258 bytes of JavaScript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check the statically extracted executables at the bottom of this report: the dynamic sandbox analysis may not have successfully triggered the exploit, and the statically extracted files will carry more information.

Dropped File    Size

none


Registry Item Created

none


Mutex Created

none


Domains or IPs

none


Outgoing Connections    Port    Method

none


Method    Downloaded URL

none


PCAP Tcpdump:

PCAP Raw DNS Queries

none
