Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.

File: exploit.pdf
File size: 116039 bytes
File type: PDF document, version 1.6
MD5: ee81327f15db183f83815754fbfad5dd
SHA1: 4c87590143b18ef1684a45f93a55467470bf4620
SHA256: e0b1e369f9fde0b8bfa85b0a45697636ee1154cb51879d85b1241cf8304dcb75
SSDEEP: 1536:gkbvjjW7rRLj0HdNmb2G0/qZt67Ua2Bkw8WFbaR87S7bhwvu:hbrjCrRLoL/8t6AapwhFOR87oh6u
Reported: 2010-07-12 09:48:45
Detection engine: 196
Result: Embedded Flash Exploit CVE-2010-1297 variant g
Confidence: 100
Scan hits: 12

Embedded Executable:

XOR encryption: Yes
Bitwise ROL cipher: No
Replacement cipher: Yes
Mathematical substitution cipher: No

Search type: block
Matching: full
Key Length: 256 bytes
Key Unique Sum: 3888
Key Location: @60672 bytes
Key Accuracy: 0.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
XOR Key normalized hash:
XOR Key:
Cipher Key:


Detected entities:

Embedded Flash Exploit CVE-2010-1297 variant g

Embedded Flash may be suspicious
Javascript obfuscation using eval [ FlateDecode | FlateDecode ]
PDF suspicious use Adobe Shockwave Flash in a PDF
Embedded Executable: LoadLibraryA [81298]
Embedded Executable: GetProcAddress [81314]
Embedded Executable: GetModuleHandleA [81332]
Embedded Executable: CloseHandle [81352]
Embedded Executable: CreateFileA [81378]
Embedded Executable: ExitProcess [82074]
Embedded Executable: GetMessageA [82406]
Embedded Executable: RegOpenKeyExA [82630]
Embedded Executable: RegOpenKeyExA [82630] show hexdump

Repository | Status | More Info

vicheck.ca | Embedded Flash Exploit CVE-2010-1297 variant g | Confidence: 100, Scan hits: 12
VirusTotal.com | New/Nothing Found | none
ThreatExpert.com | New/Nothing Found | none
Team-CYMRU.org | New/Nothing Found | none


Shellcode Scan:

Shellcode not found.


Exploit Scan:

Exploit: block - Embedded Flash Exploit CVE-2010-1297 variant g found @0.

Extracted 9494 bytes of Javascript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check statically extracted executables at the bottom of this report as the dynamic sandbox analysis may not have successfully run the exploit and the statically extracted files will have more information.

Dropped File | MD5 | Size

C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\UserCache.bin | cef4076cc28e2a24b6de6e161077d8fb | 18180 bytes
C:\[Documents and Settings]\[Current User]\Local Settings\Application Data\Adobe\Color\ACECache10.lst | 3d61e6d4ea0eda586d0b9882ee37ab2d | 1565 bytes
C:\[WINDOWS]\system32\d3d9caps.dat | 18e0c27b66e11fa9546fb1d2b6ab117b | 664 bytes
C:\[WINDOWS]\system32\d3d8caps.dat | ee63072079299a31f2e751dceefc0585 | 768 bytes
C:\[WINDOWS]\system32\d3d9caps.tmp | 5e5aaf47d0a1b1b1daf9301b714c64bc | 664 bytes
c:\a.exe | 23876a91a7510e5c39e39670f5b9343d | 72560 bytes
c:\a.pdf | 36710aef65cf5b4ccae81b2842821dbd | 1243 bytes
C:\[WINDOWS]\system32\srvlic.dll | e94e4e5023c51a7a37a02a3db5802944 | 20480 bytes
C:\[WINDOWS]\fxsst.dll | da0ce7a6c134d45e63c61c301ba13c25 | 40960 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal | 0dc6a9031ac82abc157607807f163cce | 512 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents | 129418a1bf871ee64b32c4bac4eb9ac3 | 3072 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal | ee1e6872f501a225bfd1e880df75c1f9 | 512 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal | 4c75a19bdf8adc23138b66348812d97c | 512 bytes
C:\[Documents and Settings]\[Current User]\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst | 047420dfc6b9cc1c103ce430dacd80ec | 7979 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst | ec109485c84bcdb38546d60934110d7c | 31877 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst | e7fd9c62ff1acbe2a49fa5150ca28553 | 508 bytes
C:\[Documents and Settings]\[Current User]\Application Data\Adobe\Acrobat\9.0\UserCache.bin | 67b479424e2a2bc6dcedb6ff1aca98ea | 18180 bytes
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\ArmUI.ini | cb77e48b92c9053ee810ce4fd9a5513b | 142194 bytes


Registry Item Created

HKEY_LOCAL_MACHINE\System\Acrobatviewercpp304

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Installer\Migrated

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\AVGeneral

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\DiskCabs

HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0

HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\9.0\Acrobat.com

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\cSettings

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\cSettings

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch

HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication

HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib

HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\AdobeViewer

HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY


Mutex Created

Acrobat Instance Mutex

Global\AcrobatViewerIsRunning

DDrawWindowListMutex

__DDrawExclMode__

__DDrawCheckExclMode__

Acrobat Instance Mutex

Global\AcrobatViewerIsRunning


Domains or IPs

none


Outgoing Connections | Port | Method

none


Method | Downloaded URL

none


PCAP Tcpdump:

PCAP Raw DNS Queries

none



Related Files

File | File type | Report

File: Invitation.rar
MD5: 3026984137716828cf8f55b10bb00698
SHA1: 8dd9c7f0bb15a2302e4141bc4664dd3109b1d98a
SHA256: 43a54cbc68df3ab9fd16945937b55b29741a9f2dc990e43a0afbfd7320b19441
SSDeep: 1536:/Q+BCFafBfeLJoLOa80xmGLMqVUp7SWPLbsr5KWdRr2LRr0ejR:/Q3FIeLJoOax0pvLjWdRshjR
File type: RAR archive data, v1d, os
Report: Virus Report (file format archive)

