Another viral file available for download (pdf file)

Discussion in 'Anti-Virus' started by Virus Guy, Nov 10, 2011.

  1. Virus Guy

    This came in today (again as an e-mail link).

    http://www.fileden. com/files/2008/7/19/2010382/078F9.ZIP

    Password is "a" (no quotes).

    I uploaded it to VT a few hours ago (VT had never seen it before).
    Detection rate was 3/43 at that time. Current detection rate is 5/43.

    The link in the e-mail was this:

    hxxp://belferapp.home.pl/aligner-left.html

    The download URL for the actual pdf file was this:

    hxxp://bqredret.ru/content/1ddfp.php?f=16

    (warning - it's still working as of this writing)

    Not sure if this is a new or old PDF exploit. It looks to be perhaps
    not so much a PDF exploit as a javascript exploit.
     
    Virus Guy, Nov 10, 2011
    #1

  2. This is definitely one that Ant could sink his teeth into.

    I got past some of the obfuscation and could see exploits based upon Adobe versions with
    these JavaScript snippets...

    if((lv==9)||((sv==8)&&(lv<=8.12)))
    geticon()

    else if(lv==7.1)
    printf()

    else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17))
    util.printd()

    and

    this.media.newPlayer()


    I had problems with the section...
    if(e('1'))bjsg='%u8366%ufce4%u85fc%u75e4.....

    and getting...

    var payload=unescape(bjsg);
     
    David H. Lipman, Nov 11, 2011
    #2
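An added triage script, not code from this thread or from any of the posters, written from the analyst's side: it looks in a PDF for the markers discussed above (a JavaScript action, version-keyed Reader API calls, and a long %u-escaped blob handed to unescape), inflating FlateDecode streams so obfuscated script inside them is visible. The indicator names and the sample PDF are my own constructions, not vendor signatures or the file from the thread.

```python
import re
import zlib

# Indicator names and patterns are my own choices for this example, drawn from the
# behaviour described in the thread (version-keyed API calls, %u-escaped shellcode).
INDICATORS = {
    "unescape": rb"unescape\(",
    "u_escaped_blob": rb"(?:%u[0-9a-fA-F]{4}){8,}",
    "viewerVersion": rb"app\.viewerVersion",
    "util.printd": rb"util\.printd",
    "getIcon": rb"getIcon",
    "media.newPlayer": rb"media\.newPlayer",
    "printf": rb"\bprintf\(",
}

def _stream_bodies(pdf: bytes):
    """Yield each stream body as found and, where it inflates, its FlateDecode plaintext."""
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", pdf, re.S):
        body = m.group(1)
        yield body
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass  # not Flate-compressed (or damaged); keep the raw body only

def scan_pdf(pdf: bytes) -> dict:
    """Triage report: JS present, auto-run action present, indicator hits, largest %u blob."""
    parts = [pdf] + list(_stream_bodies(pdf))
    has_js = any(re.search(rb"/(JavaScript|JS)\b", p) for p in parts)
    auto_open = any(re.search(rb"/(OpenAction|AA)\b", p) for p in parts)
    hits = {name for p in parts for name, pat in INDICATORS.items() if re.search(pat, p)}
    # Each %uXXXX token unescapes to one 16-bit code unit, i.e. two bytes of payload.
    blob_bytes = max((len(run) // 6 * 2 for p in parts
                      for run in re.findall(INDICATORS["u_escaped_blob"], p)), default=0)
    return {"has_js": has_js, "auto_open": auto_open,
            "indicators": sorted(hits), "max_unescaped_bytes": blob_bytes}

def build_sample_pdf() -> bytes:
    """Constructed sample (not the file from the thread): a minimal PDF whose OpenAction
    runs JavaScript shaped like the quoted snippets, stored in a FlateDecode stream."""
    js = (b"var lv=app.viewerVersion;if(lv==7.1){printf()}else{util.printd()}"
          b"var bjsg='" + b"%u9090" * 10 + b"';var payload=unescape(bjsg);")
    comp = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
            b"2 0 obj<</S/JavaScript/JS 3 0 R>>endobj\n"
            b"3 0 obj<</Length " + str(len(comp)).encode() + b"/Filter/FlateDecode>>stream\n"
            + comp + b"\nendstream\nendobj\ntrailer<</Root 1 0 R>>\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

On a real sample the hits only say the file deserves a closer look in an isolated environment; a clean report does not clear it, since other filters and encodings are not handled here.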

  3. Virus Guy

    Heh.

    I did a search for the URL supplying the pdf file, and found only this:

    http://www3.malekal.com/pdf.txt

    Looks like a gold mine of links.
     
    Virus Guy, Nov 11, 2011
    #3
  4. Malekal_morte would know what it is about. Would you like me to ask him ?
     
    David H. Lipman, Nov 11, 2011
    #4
  5. Virus Guy

    You know the owner of that site?

    You might want to tell him that almost all the links on that page are
    dead.

    Except these:

    hxxp://rms.adobe.com/read/0600/win_/FRA/read0600win_FRAadbe070a.pdf

    (2 AV apps detect an exploit in that file)

    hxxp://home.vicnet.net.au/%7Elasc/calendar/2nd%20Qurter.pdf

    (no detection at all for that one)

    hxxp://yourbrowsermatters.org/docs/methodology.pdf

    (nor this one)
     
    Virus Guy, Nov 11, 2011
    #5
  6. I know Malekal, just not well.

    I'll drop him a message.
     
    David H. Lipman, Nov 11, 2011
    #6
