Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.

File: Agenda_For_Summit.pdf
File size: 969405 bytes
File type: PDF document, version 1.7
MD5: 2beab5cfd84c929938f396e927c62e1c
SHA1: 0f4d87411a1e358a6593543e79640de5083ddda2
SHA256: 21599e80cfebac0068c761cef1ee070281c076a52c1a1213b834649d8e54abda
SSDEEP: 12288:3jvrEPHp6ZOEaUWCD/LdDB1LbWDFhg1hfqXT0IakRo6AX0WP1HZ81DKvm9PeV/3N:3jDOHIZxauD1/MDICgEAEWhLm92nv1
Reported: 2010-06-24 16:42:08
Detection engine: 195
Result: Embedded Flash Exploit CVE-2010-1297 variant e
Confidence: 100
Scan hits: 19

Embedded Executable:

XOR encryption: Yes
Bitwise ROL cipher: No
Replacement cipher: No
Mathematical substitution cipher: No

Search type: block
Matching: full
Key Length: 1 bytes
Key Unique Sum: 133
Key Location: @0 bytes
Key Accuracy: 100.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
XOR Key normalized hash: 3ef815416f775098fe977004015c6193
XOR Key:


Detected entities:

Embedded Flash Exploit CVE-2010-1297 variant e

PDF Javascript heap spray shellcode [ FlateDecode ]
Embedded Flash may be suspicious
Embedded Flash may be suspicious [ FlateDecode ]
PDF obfuscation of filter names
Embedded Executable: This program cannot be run in DOS mode [39246]
Embedded Executable: user32.dll [69048]
Embedded Executable: CreateProcessA [69492]
Embedded Executable: GetEnvironmentVariableA [69530]
Embedded Executable: CloseHandle [69578]
Embedded Executable: GetProcAddress [69638]
Embedded Executable: GetModuleHandleA [69656]
Embedded Executable: CreateFileA [69700]
Embedded Executable: KERNEL32 [69736]
Embedded Executable: GetCommandLineA [69780]
Embedded Executable: ExitProcess [69812]
Embedded Executable: LoadLibraryA [70220]
Embedded Executable: EnterCriticalSection [149849]
Embedded Executable: GetMessageA [157541]

Repository        Status                                          More Info

vicheck.ca        Embedded Flash Exploit CVE-2010-1297 variant e  Confidence: 100; Scan hits: 19
VirusTotal.com    New/Nothing Found                               none
ThreatExpert.com  New/Nothing Found                               none
Team-CYMRU.org    New/Nothing Found                               none


Shellcode Scan:

Shellcode not found.


Exploit Scan:

Exploit: block - Embedded Flash Exploit CVE-2010-1297 variant e found @0.

Extracted 4685 bytes of Javascript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check the statically extracted executables at the bottom of this report: the dynamic sandbox analysis may not have successfully run the exploit, and the statically extracted files will have more information.

Dropped Files (path, MD5, size)

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\UserCache.bin
MD5: cef4076cc28e2a24b6de6e161077d8fb
Size: 18180 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Local Settings\Application Data\Adobe\Color\ACECache10.lst
MD5: 7f6883c2b85fcc28cca19e4a122260cf
Size: 1565 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
MD5: 66fd09201e3d4e2c4452358f037c66db
Size: 512 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents
MD5: 129418a1bf871ee64b32c4bac4eb9ac3
Size: 3072 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
MD5: 9fb3a0d748913091b358af8753313799
Size: 2576 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
MD5: 5ca866394f44619b81590319ff9e9e8c
Size: 512 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
MD5: 272227c0bf71a78b0eef8f9a59df7567
Size: 512 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
MD5: 6b1833a12c6a4c27b3a46a6297424394
Size: 512 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
MD5: c73cb94808e1e6598ef53b4093172938
Size: 512 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\ArmUI.ini
MD5: cb77e48b92c9053ee810ce4fd9a5513b
Size: 142194 bytes


Registry Item Created

HKEY_LOCAL_MACHINE\System\Acrobatviewercpp304

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Installer\Migrated

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AVGeneral

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\DiskCabs

HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0

HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY

HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\AdobeViewer


Mutex Created

2AC1A572DB6944B0A65C38C4140AF2F46200655711C

Acrobat Instance Mutex

Global\AcrobatViewerIsRunning

2AC1A572DB6944B0A65C38C4140AF2F462001C4C948

2AC1A572DB6944B0A65C38C4140AF2F462001C4C660

2AC1A572DB6944B0A65C38C4140AF2F462001C4C6C4

2AC1A572DB6944B0A65C38C4140AF2F462001C4C784

2AC1A572DB6944B0A65C38C4140AF2F462001C4C908

2AC1A572DB6944B0A65C38C4140AF2F462001C4CAA8

2AC1A572DB6944B0A65C38C4140AF2F462001C4CA20

2AC1A572DB6944B0A65C38C4140AF2F462001C4C8D4

2AC1A572DB6944B0A65C38C4140AF2F462001C4C69C

2AC1A572DB6944B0A65C38C4140AF2F462001C4C688


Domains or IPs

none


Outgoing Connections / Port / Method

none


Method / Downloaded URL

none


PCAP Tcpdump:

PCAP Raw DNS Queries

none
