Another viral file available for download (pdf file)

Discussion in 'Anti-Virus' started by Virus Guy, Nov 10, 2011.

  1. Virus Guy

    This came in today (again as an e-mail link).

    http://www.fileden. com/files/2008/7/19/2010382/078F9.ZIP

    Password is "a" (no quotes).

    I uploaded it to VT a few hours ago (VT had never seen it before).
    Detection rate was 3/43 at that time. Current detection rate is 5/43.

    The link in the e-mail was this:


    The download URL for the actual pdf file was this:


    (warning - it's still working as of this writing)

    Not sure if this is a new or old PDF exploit. It looks to be perhaps
    not so much a PDF exploit as a javascript exploit.
    Virus Guy, Nov 10, 2011

  2. This is definitely one that Ant could sink his teeth into.

    I got past some of the obfuscation and could see exploits based upon Adobe versions with
    these JavaScript snippets...


    else if(lv==7.1)

    else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17))


    I had problems with the section...

    and getting...

    var payload=unescape(bjsg);
    David H. Lipman, Nov 11, 2011

  3. Virus Guy


    I did a search for the URL supplying the pdf file, and found only this:

    Looks like a gold mine of links.
    Virus Guy, Nov 11, 2011
  4. Malekal_morte would know what it is about. Would you like me to ask him ?
    David H. Lipman, Nov 11, 2011
  5. Virus Guy

    You know the owner of that site?

    You might want to tell him that almost all the links on that page are

    Except these:


    (2 AV apps detect an exploit in that file)


    (no detection at all for that one)


    (nor this one)
    Virus Guy, Nov 11, 2011
  6. I know Malekal, just not well.

    I'll drop him a message.
    David H. Lipman, Nov 11, 2011