Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.



File: helpc.pdf
File size: 38686 bytes
File type: PDF document, version 1.7
MD5: 306d7e608a52121aa4508e9901e4072e
SHA1: 05dea96f68eeb7daf962a4a918f883f3f51e74ee
SHA256: c6e63bc1aa53660114bf12685608bbc0e4c1487f9e8871c1cbbc002b682bcdef
SSDEEP: 768:NwKIUo6wJAfc1nNzFfNsdRXVRf58C70SbyFGiVj/jxpUScEZWqe:9IUj01DfKx7fmCvyvVncwWqe
Reported: 2010-07-23 23:36:11
Detection engine: 195
Result: Embedded Flash Exploit CVE-2010-1297 pad.swf variant a
Confidence: 100
Scan hits: 5

Detected entities:

Embedded Flash Exploit CVE-2010-1297 pad.swf variant a

Embedded Flash may be suspicious
Javascript obfuscation using eval [ PDF Standard Encryption | FlateDecode ]
Javascript obfuscation using String.fromCharCode [ PDF Standard Encryption | FlateDecode ]
Javascript obfuscation using String.fromCharCode [ PDF Standard Encryption | FlateDecode ]

Repository / Status / More Info

vicheck.ca

Embedded Flash Exploit CVE-2010-1297 pad.swf variant a
Confidence: 100
Scan hits: 5

Search type: block
Matching: full
Type: Embedded Flash Exploit CVE-2010-1297 pad.swf variant a
Cipher Key:

VirusTotal.com

New/Nothing Found

none

ThreatExpert.com

New/Nothing Found

none

Team-CYMRU.org

New/Nothing Found

none


Shellcode Scan:

Shellcode not found.


Exploit Scan:

Exploit: genexploit - Embedded Flash may be suspicious found @2569.

Extracted 45103 bytes of Javascript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check the statically extracted executables at the bottom of this report: the dynamic sandbox analysis may not have successfully run the exploit, and the statically extracted files will have more information.

Dropped File / MD5 / Size

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\UserCache.bin
MD5: cef4076cc28e2a24b6de6e161077d8fb
Size: 18180 bytes

C:\[Documents and Settings]\[Current User]\Local Settings\Application Data\Adobe\Color\ACECache10.lst
MD5: c3c17b7bccab4dfc1fa35c09475df720
Size: 1565 bytes

C:\[WINDOWS]\system32\d3d9caps.dat
MD5: 6984a899ab3d9d9523f5ae95df840e6f
Size: 664 bytes

C:\[WINDOWS]\system32\d3d8caps.dat
MD5: c2f6aeeaf0f2aa12a196cc41c5e95b1f
Size: 768 bytes

C:\[WINDOWS]\system32\d3d9caps.tmp
MD5: 127a5780d24aac4a7ddf762c19adbdab
Size: 664 bytes

C:\[Documents and Settings]\All Users\Application Data\Microsoft\Dr Watson\user.dmp
MD5: 25ba90cd04116e15bb781bb4012ad0ce
Size: 28607 bytes

C:\[Documents and Settings]\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
MD5: e22e5cb4221aa7076627d480c21be73b
Size: 64194 bytes


Registry Item Created

HKEY_LOCAL_MACHINE\System\Acrobatviewercpp304

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Installer\Migrated

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AVGeneral

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\DiskCabs

HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0

HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0\Acrobat.com

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\cSettings

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\cSettings

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch

HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication

HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib

HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\AdobeViewer


Mutex Created

2AC1A572DB6944B0A65C38C4140AF2F44200655711C

Acrobat Instance Mutex

Global\AcrobatViewerIsRunning

DDrawWindowListMutex

__DDrawExclMode__

__DDrawCheckExclMode__


Domains or IPs

none


Outgoing Connections / Port / Method

none


Method / Downloaded URL

none


PCAP Tcpdump:

PCAP Raw DNS Queries

none


