Then, after 3 days, Adobe confirmed the bug and released an advisory.
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2
My analysis of crsenvironscan.xls
There is no vulnerability in MS Office; the vulnerability is in the embedded SWF, as described below.
1) There is an embedded SWF (target file name f:\sm.swf).
This SWF performs a heap spray and then loads a second SWF.
view source code
It allocates memory, fills it with a NOP slide (14141414), and then loads the second SWF.
2) second.swf contains the bug.
The file was possibly created using a fuzzer from
It looks like there are bugs when Flash Player attempts to parse the SWF file:
Unknown opcode 152. Unknown opcode 84.
(A detailed analysis will be provided soon.)
This is EmbeddedExec shellcode, not encrypted.
The shellcode searches for the exe between the marker
cmp dword ptr [eax], 47422E43h ; cmp dword ptr [eax+4], 19890604h
(hex bytes "432e424704068919") and the marker
cmp dword ptr [eax], 4B635546h ; cmp dword ptr [eax+4], 19820424h
(hex bytes "4655634b24048219").
If you look at these values this way:
As for me, that looks like some string and a date:
C.GB 1989/06/04 - it may mean 1989-06-04 Tiananmen, Beijing, China
FucK 1982/04/24 - ?
If you have any ideas, post in comments
The encryption of the exe is interesting.
The first 4 bytes of the exe header are written by the shellcode;
then the encrypted data is decrypted using this algorithm,
where eax is the size of the exe:
xor [ebx], al
inc ebx
dec eax
inc ebx
dec eax
cmp eax, 0
This is the first time I have seen such encryption in exploits found in the wild.
This is used to bypass scanners that search for the exe header.
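As an added example (not code from the original post), here is a small Python decoder that applies the scheme above to a constructed sample: it locates the two marker dwords, runs the listed XOR loop over the bytes between them, and restores the header. Assumptions are labelled in the code: the loop is read literally from the six instructions (every second byte is XORed with the low byte of the remaining count), the restored header bytes are taken to be the standard "MZ" stub start, and the header is written after decryption.

```python
import struct
from typing import Optional

# Marker dwords from the shellcode's cmp instructions, as little-endian bytes.
START_MARKER = b"C.GB" + struct.pack("<I", 0x19890604)   # 43 2e 42 47 04 06 89 19
END_MARKER = b"FucK" + struct.pack("<I", 0x19820424)     # 46 55 63 4b 24 04 82 19

# Assumed: the 4 header bytes the shellcode writes back (a typical MZ stub start).
MZ_HEAD = b"MZ\x90\x00"


def xor_loop(buf: bytes) -> bytes:
    """Literal reading of: xor [ebx],al / inc ebx / dec eax / inc ebx / dec eax / cmp eax,0.

    eax starts as the size, ebx at the buffer start. Only every second byte is
    touched, and the key for each is the low byte of the remaining count, so the
    transform is symmetric: the same call encrypts and decrypts.
    """
    out = bytearray(buf)
    eax, ebx = len(out), 0
    while eax > 0:            # guard: with an odd size eax would step past 0
        out[ebx] ^= eax & 0xFF
        ebx += 1
        eax -= 1
        ebx += 1
        eax -= 1
    return bytes(out)


def extract_payload(blob: bytes) -> Optional[bytes]:
    """Find the exe between the markers, decrypt it and restore the header."""
    start = blob.find(START_MARKER)
    if start < 0:
        return None
    body_start = start + len(START_MARKER)
    end = blob.find(END_MARKER, body_start)
    if end < 0:
        return None
    body = xor_loop(blob[body_start:end])
    return MZ_HEAD + body[4:]   # assumed: header written after the XOR pass


# Constructed sample: a fake exe, stored with its header zeroed and XOR-applied.
FAKE_EXE = MZ_HEAD + b"This program cannot be run in DOS mode." + bytes(range(64))
STORED = b"\x00" * 4 + xor_loop(FAKE_EXE)[4:]
SAMPLE_BLOB = b"junk" + START_MARKER + STORED + END_MARKER + b"tail"

if __name__ == "__main__":
    print(extract_payload(SAMPLE_BLOB) == FAKE_EXE)   # True
```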
Size: 46,048 bytes
Download payload file a.exe
Password: infected. VirusTotal: 0/43
Information from PEiD: InstallShield AFW [CAB SFX]
Sample download link
Password: infected
Other samples you can get from Mila Parkour's site: