Look at this: http://wepawet.iseclab.org/view.php?hash=f5f5edaa03c9a328734a20a71f91d842&t=1314478740&type=js
Detected here: http://urlquery.net/report.php?id=2080
http://www.virustotal.com/url-scan/report.html?id=f5f5edaa03c9a328734a20a71f91d842-1314470742
polonus
It is a pdf exploit. This PDF is generated by “Blackhole exploit kit”.
VirusTotal - 4229b.pdf
http://www.virustotal.com/file-scan/report.html?id=5c7a5910c52c40fe72ec2ccdc7cdb9a2171c23e3a9c244e50d0b4112d1ef7f91-1314479431
Report: 2011-08-27 22:46:15 (GMT 1)
Website: vorvwe.com
Domain Hash: fb5483674f5e0d81b485f959c2617bde
IP Address: 217.116.198.25
IP Hostname: -
IP Country: TR (Turkey)
AS Number: 49879
AS Name: HOSTHANE ISIK Bilgisayar Internet ve Yayincil…
Detections: 8 / 23 (35 %)
Status: DANGEROUS
http://amada.abuse.ch/?search=vorvwe.com
http://hosts-file.net/?s=vorvwe.com
http://www.malwaredomainlist.com/mdl.php?search=vorvwe.com
http://www.malwareblacklist.com/searchClearingHouse.php?search=vorvwe.com
Hi Pondus & Asyn,
Nice write-up on this embedded generic PDF exploit here: http://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/ (link author: feliam on PDF security blog)
Good, avast seems to detect this embedded variant now, see: http://www.virustotal.com/file-scan/report.html?id=43a1c87d38ab3e8b16bdef3ab676a059a48b63e5154cd11e9416ab40219c0258-1312667401
polonus