Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.

File: 2020.pdf
File size: 237302 bytes
File type: PDF document, version 1.5
MD5: 497bd7eb4be6ae9b68c624e3fb594502
SHA1: 16dd80c746bb0c90d24f2f4a11a451835f28dd50
SHA256: 000c6d021e9678184f059dd1dfacf75558bdd3f62e259e789836005efbf0e6b1
SSDEEP: 6144:/jaRLgFJHChAU2S1pHojam97jwlvjaRLgW:/jaRLgFlKgIlvjaRLgW
Reported: 2010-07-04 17:38:32
Detection engine: 195
Result: Embedded Flash Exploit CVE-2010-1297 variant f
Confidence: 100
Scan hits: 9

Detected entities:

Embedded Flash Exploit CVE-2010-1297 variant f
PDF Exploit call to media.newPlayer CVE-2009-4324 [ FlateDecode ]
PDF Exploit suspicious use of util.printd CVE-2008-2992 [ FlateDecode ]
PDF Javascript heap spray shellcode [ FlateDecode | FlateDecode ]
Embedded Flash may be suspicious
Javascript obfuscation using app.setTimeOut to run code [ FlateDecode ]
Javascript obfuscation using eval [ FlateDecode | FlateDecode ]
Javascript obfuscation using String.replace [ FlateDecode ]
PDF obfuscation of filter names

Repository / Status / More Info

vicheck.ca
Status: Embedded Flash Exploit CVE-2010-1297 variant f (Confidence: 100, Scan hits: 9)
More Info: Search type: block; Matching: full; Type: Embedded Flash Exploit CVE-2010-1297 variant f

VirusTotal.com
Status: New/Nothing Found
More Info: none

ThreatExpert.com
Status: New/Nothing Found
More Info: none

Team-CYMRU.org
Status: New/Nothing Found
More Info: none


Shellcode Scan:

Shellcode not found.


Exploit Scan:

Exploit: block - Embedded Flash Exploit CVE-2010-1297 variant f found @0.

Extracted 12114 bytes of Javascript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check statically extracted executables at the bottom of this report as the dynamic sandbox analysis may not have successfully run the exploit and the statically extracted files will have more information.

Dropped File (MD5) / Size

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\UserCache.bin
  MD5: cef4076cc28e2a24b6de6e161077d8fb, 18180 bytes
C:\[Documents and Settings]\[Current User]\Local Settings\Application Data\Adobe\Color\ACECache10.lst
  MD5: 2275a5c77834fcb230cb3e0287d26455, 1565 bytes
C:\[WINDOWS]\system32\d3d9caps.dat
  MD5: 7f502ca49835b25e30da9d9a74891e04, 664 bytes
C:\[WINDOWS]\system32\d3d8caps.dat
  MD5: 8e38a41275a0b254ab67e77273fcd19b, 768 bytes
C:\[WINDOWS]\system32\d3d9caps.tmp
  MD5: 6a6f4685b8689b4c94716fdebcadc571, 664 bytes
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\Updater.exe
  MD5: 0500e94d9d37c0f9373b70082712cabc, 32768 bytes
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\2020國防科技產業策略論壇邀請函.pdf
  MD5: daf9ed21a237effbd7663f3c625966bb, 129696 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: cd67627e3ac2209f8662b954c095f072, 512 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents
  MD5: 129418a1bf871ee64b32c4bac4eb9ac3, 3072 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: a3f066243ecde0a7db60e999440d0882, 512 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: a010bf23b13b4ab41da851651a0c137e, 512 bytes


Registry Item Created

HKEY_LOCAL_MACHINE\System\Acrobatviewercpp304
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Installer\Migrated
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AVGeneral
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\DiskCabs
HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0
HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0\Acrobat.com
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\cSettings
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\cSettings
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\AdobeViewer
HKEY_LOCAL_MACHINE\System\Acrobatviewercpp304
HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY


Mutex Created

2AC1A572DB6944B0A65C38C4140AF2F472c0655711C
Acrobat Instance Mutex
Global\AcrobatViewerIsRunning
DDrawWindowListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
RasPbFile
2AC1A572DB6944B0A65C38C4140AF2F45940655711C
Acrobat Instance Mutex
Global\AcrobatViewerIsRunning


Domains or IPs

tkx.no-xorg.tk
tkx.no-xorg.tk
wpad
196.37.75.39


Outgoing Connections / Port / Method

none


Method / Downloaded URL

none


PCAP Tcpdump:

PCAP Raw DNS Queries

873hgf7xx60.com
tkx.no-xorg.tk


