Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.

File: Letter of Intent For Dalai Lama's China-Tibet Dialogue.pdf
File size: 405615 bytes
File type: PDF document, version 1.7
MD5: aba6f3c89f3cdcd6dc294e2b1c503d28
SHA1: dc338c0153acbe8c32e8d2b314764b4715d4b083
SHA256: a0d496bdc21d9c308a6fbe63df66c2d236b83cd43161732b36cdaf6397d94416
SSDEEP: 6144:yEK3B+4AKEm/WuNXh5tP74jyX1vXFq+vx8ghckxyrIwPMgZEMflnFJ:yEvFm/Wuh1kjyJFR8gKkxyrIWjZEMZ
Reported: 2009-09-06 03:09:32
Detection engine: 195
Result: Embedded Flash Exploit CVE-2010-1297 kp.swf variant b
Confidence: 100
Scan hits: 15

Embedded Executable:

XOR encryption: Yes
Bitwise ROL cipher: No
Replacement cipher: No
Mathematical substitution cipher: No

Search type: block
Matching: full
Key Length: 256 bytes
Key Unique Sum: 32640
Key Location: @49152 bytes
Key Accuracy: 100.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
XOR Key normalized hash: 9b7e14df2ffe3c32566f3fff8481c6f2
XOR Key:


Detected entities:

Embedded Flash Exploit CVE-2010-1297 kp.swf variant b

Embedded Flash may be suspicious
Embedded Flash may be suspicious
Javascript obfuscation using eval [ FlateDecode | FlateDecode ]
Javascript obfuscation using String.replace [ FlateDecode ]
Embedded Executable: This program cannot be run in DOS mode [2230]
Embedded Executable: ExitProcess [27167]
Embedded Executable: user32.dll [29664]
Embedded Executable: GetModuleHandleA [30682]
Embedded Executable: KERNEL32 [30700]
Embedded Executable: GetCommandLineA [30734]
Embedded Executable: CloseHandle [30796]
Embedded Executable: GetProcAddress [30824]
Embedded Executable: CreateFileA [31236]
Embedded Executable: LoadLibraryA [31250]

Repository        Status                                                 More Info

vicheck.ca        Embedded Flash Exploit CVE-2010-1297 kp.swf variant b  Confidence: 100, Scan hits: 15
VirusTotal.com    New/Nothing Found                                      none
ThreatExpert.com  New/Nothing Found                                      none
Team-CYMRU.org    New/Nothing Found                                      none


Shellcode Scan:

Shellcode not found.


Exploit Scan:

Exploit: block - Embedded Flash Exploit CVE-2010-1297 kp.swf variant b found @0.

Extracted 5738 bytes of Javascript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check the statically extracted executables at the bottom of this report: the dynamic sandbox analysis may not have successfully run the exploit, so the statically extracted files will have more information.

Dropped File (path, MD5, size)

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: b61987a3273755aae3b8ce2befd48d2b  Size: 512 bytes

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: e2d560ed64cc26610824985cbbcd8380  Size: 2576 bytes

C:\[WINDOWS]\system32\d3d9caps.tmp
  MD5: 003df0c7ea0661106f4ca9fa45e4ae86  Size: 664 bytes

C:\[WINDOWS]\system32\d3d8caps.dat
  MD5: 5e80cd7b126a4d79e6583e1ce726bdfd  Size: 768 bytes

C:\[WINDOWS]\system32\d3d9caps.dat
  MD5: 5db75802369f6065b904494f85419fa4  Size: 664 bytes

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: 64cafedefa88aa2120cb9b8fd2d5959d  Size: 512 bytes

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: 9c4417748c85f63fe0a6a6de8e5e76cb  Size: 512 bytes

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  MD5: 3497155e49a898fd66a910fb14214b5b  Size: 512 bytes

C:\[Documents and Settings]\[Current User]\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
  MD5: 4545ba0d47ef4605920e9d690473cb9d  Size: 7979 bytes

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst
  MD5: d0a4f4770cfe6f223488378c30f0ecf3  Size: 508 bytes

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\UserCache.bin
  MD5: 86570e970ecc097425b4218aa79e9d72  Size: 18180 bytes

C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\ArmUI.ini
  MD5: cb77e48b92c9053ee810ce4fd9a5513b  Size: 142194 bytes


Registry Item Created

HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0\Acrobat.com

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\cSettings

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\cSettings

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch

HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication

HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib

HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY

HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\AdobeViewer

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AdobeViewer

HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\DiskCabs

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AVGeneral

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Installer\Migrated

HKEY_LOCAL_MACHINE\System\Acrobatviewercpp304


Mutex Created

__DDrawCheckExclMode__

__DDrawExclMode__

DDrawWindowListMutex

Global\AcrobatViewerIsRunning

Acrobat Instance Mutex

2AC1A572DB6944B0A65C38C4140AF2F44fc0655711C


Domains or IPs

none


Outgoing Connections / Port / Method

none


Method / Downloaded URL

none


PCAP Tcpdump:

PCAP Raw DNS Queries

clkmfd001.ws

li1i16b0.com
