Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.

File: UnEncrypted.pdf
File size: 39229 bytes
File type: PDF document, version 1.7
MD5: 5e810b49f879007610f4156afb1a29c8
SHA1: e2ed10cb5b57a151ea09ebb154cec9eaf4540a3a
SHA256: 23cc600e193c0ae98472a0c17c018771b50503a6c437efdc4bfd8f9d0b17e4ce
SSDEEP: 768:q95QBBYXL9r0cuMW4jtOSW74nmRq8j99bsKpjaIZCp8:qbQBBYXL9RjjW7rRLj0d1p8
Reported: 2010-07-25 01:58:58
Detection engine: 195
Result: Embedded Flash Exploit CVE-2010-1297 pad.swf variant a
Confidence: 100
Scan hits: 8

Detected entities:

- Embedded Flash Exploit CVE-2010-1297 pad.swf variant a
- Embedded Flash may be suspicious
- Embedded Flash may be suspicious
- Embedded Flash may be suspicious
- Javascript obfuscation using eval [ FlateDecode ]
- Javascript obfuscation using String.fromCharCode [ FlateDecode ]
- Javascript obfuscation using String.fromCharCode [ FlateDecode ]
- PDF suspicious use Adobe Shockwave Flash in a PDF

Repository lookups (Repository / Status / More Info):

Repository: vicheck.ca
Status: Embedded Flash Exploit CVE-2010-1297 pad.swf variant a (Confidence: 100, Scan hits: 8)
More Info: Search type: block; Matching: full; Type: Embedded Flash Exploit CVE-2010-1297 pad.swf variant a

Repository: VirusTotal.com
Status: New/Nothing Found
More Info: none

Repository: ThreatExpert.com
Status: New/Nothing Found
More Info: none

Repository: Team-CYMRU.org
Status: New/Nothing Found
More Info: none


Shellcode Scan:

Shellcode not found.


Exploit Scan:

Exploit: block - Embedded Flash Exploit CVE-2010-1297 pad.swf variant a found @0.

Extracted 45103 bytes of Javascript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check the statically extracted executables at the bottom of this report: the dynamic sandbox analysis may not have successfully run the exploit, and the statically extracted files will have more information.

Dropped files (Dropped File / Size):

Dropped File: C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\UserCache.bin
MD5: cef4076cc28e2a24b6de6e161077d8fb
Size: 18180 bytes

Dropped File: C:\[Documents and Settings]\[Current User]\Local Settings\Application Data\Adobe\Color\ACECache10.lst
MD5: 5b3b4cc483a144422545a4cecef36390
Size: 1565 bytes

Dropped File: C:\[WINDOWS]\system32\d3d9caps.dat
MD5: 6984a899ab3d9d9523f5ae95df840e6f
Size: 664 bytes

Dropped File: C:\[WINDOWS]\system32\d3d8caps.dat
MD5: 6f0d65f9c2c368c013f005250a29f3f3
Size: 768 bytes

Dropped File: C:\[WINDOWS]\system32\d3d9caps.tmp
MD5: 127a5780d24aac4a7ddf762c19adbdab
Size: 664 bytes

Dropped File: C:\[Documents and Settings]\All Users\Application Data\Microsoft\Dr Watson\user.dmp
MD5: 42e6d392f4bb197ebe15885e7f95ad28
Size: 28161 bytes

Dropped File: C:\[Documents and Settings]\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
MD5: cb66d62bd13bf8a5fcf2d1d35c33fd90
Size: 63814 bytes


Registry Items Created:

HKEY_LOCAL_MACHINE\System\Acrobatviewercpp304
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Installer\Migrated
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AVGeneral
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\DiskCabs
HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0
HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0\Acrobat.com
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\cSettings
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\cSettings
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\AdobeViewer


Mutexes Created:

2AC1A572DB6944B0A65C38C4140AF2F45400655711C
Acrobat Instance Mutex
Global\AcrobatViewerIsRunning
DDrawWindowListMutex
__DDrawExclMode__
__DDrawCheckExclMode__


Domains or IPs: none

Outgoing Connections (Connection / Port / Method): none

Downloads (Method / Downloaded URL): none


PCAP Tcpdump:

PCAP Raw DNS Queries: none