Malware Hash Query

This utility queries our own database, VirusTotal.com, ThreatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports.


File: Agenda.PDF
File size: 969401 bytes
File type: PDF document, version 1.7
MD5: fb2523d17b3fa3b19a914bf23a61827c
SHA1: 56f5860791d10a21a0dec632cabd2ca69997b6e0
SHA256: 5d312ec870b42302798324e88e49ff82ab607ca93bbf1300335d03c6bd71c7b3
SSDEEP: 12288:3jvrEdKTXq66ZOqWCD/LdDB1LbWDFhg1hfqXT0IakRo6AX0WP1HZ81DKvm9PeV/5:3jDEyXUZXD1/MDICgEAEWhLm92nvh
Reported: 2010-06-22 06:20:56
Detection engine: 195
Result: Embedded Flash Exploit CVE-2010-1297 variant e
Confidence: 100
Scan hits: 19

Embedded Executable:

XOR encryption: Yes
Bitwise ROL cipher: No
Replacement cipher: No
Mathematical substitution cipher: No

Search type: block
Matching: full
Key Length: 1 bytes
Key Unique Sum: 133
Key Location: @0 bytes
Key Accuracy: 100.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
XOR Key normalized hash: 3ef815416f775098fe977004015c6193
XOR Key:


Detected entities:

Embedded Flash Exploit CVE-2010-1297 variant e

PDF Javascript heap spray shellcode [ FlateDecode ]
Embedded Flash may be suspicious
Embedded Flash may be suspicious [ FlateDecode ]
PDF obfuscation of filter names
Embedded Executable: This program cannot be run in DOS mode [39246]
Embedded Executable: user32.dll [69048]
Embedded Executable: CreateProcessA [69492]
Embedded Executable: GetEnvironmentVariableA [69530]
Embedded Executable: CloseHandle [69578]
Embedded Executable: GetProcAddress [69638]
Embedded Executable: GetModuleHandleA [69656]
Embedded Executable: CreateFileA [69700]
Embedded Executable: KERNEL32 [69736]
Embedded Executable: GetCommandLineA [69780]
Embedded Executable: ExitProcess [69812]
Embedded Executable: LoadLibraryA [70220]
Embedded Executable: EnterCriticalSection [187700]
Embedded Executable: GetMessageA [195392]

Repository          Status                                            More Info

vicheck.ca          Embedded Flash Exploit CVE-2010-1297 variant e    Confidence: 100; Scan hits: 19
VirusTotal.com      New/Nothing Found                                 none
ThreatExpert.com    New/Nothing Found                                 none
Team-CYMRU.org      New/Nothing Found                                 none


Shellcode Scan:

Shellcode not found.


Exploit Scan:

Exploit: block - Embedded Flash Exploit CVE-2010-1297 variant e found @0.

Extracted 4685 bytes of Javascript code or XFA block.

JavaScript available on request.

Sandbox report:

Remember to check the statically extracted executables at the bottom of this report, as the dynamic sandbox analysis may not have successfully run the exploit and the statically extracted files will have more information.

Dropped File        Size

none


Registry Item Created

none


Mutex Created

none


Domains or IPs

none


Outgoing Connections        Port        Method

none


Method        Downloaded URL

none


PCAP Tcpdump:

PCAP Raw DNS Queries

none
