SHA256: dd41efa629c7f7f876362c5ca6d570be6b83728a2ce8ecbef65bdb89cb402b0f
File name: Moh2010_dec.swf
Detection ratio: 3 / 34
Analysis date: 2012-09-16 08:47:13 UTC ( 6 years, 7 months ago )
Antivirus Result Update
Avast SWF:Dropper [Heur] 20120916
GData SWF:Dropper 20120916
Microsoft Exploit:SWF/CVE-2010-2884.B 20120916
AntiVir 20120915
Antiy-AVL 20120911
AVG 20120915
BitDefender 20120916
ByteHero 20120910
CAT-QuickHeal 20120915
ClamAV 20120916
Commtouch 20120915
Comodo 20120916
Emsisoft 20120916
eSafe 20120914
ESET-NOD32 20120915
F-Prot 20120915
Fortinet 20120830
Ikarus 20120916
Jiangmin 20120916
K7AntiVirus 20120915
Kaspersky 20120916
McAfee-GW-Edition 20120915
Norman 20120915
Panda 20120915
Rising 20120914
Sophos AV 20120916
SUPERAntiSpyware 20120911
TheHacker 20120915
TotalDefense 20120914
TrendMicro 20120916
TrendMicro-HouseCall 20120916
VIPRE 20120916
ViRobot 20120915
VirusBuster 20120915
The file being studied is a SWF file! SWF files deliver vector graphics, text, video, and sound over the Internet.
Commonly abused SWF properties
The studied SWF file makes use of ActionScript3. Some exploits targeting the ActionScript Virtual Machine have been found in the past. ActionScript has also been used to force unwanted redirections and other badness. Note that many legitimate Flash files may also use it to implement rich content and animations.
Opens or replaces a window in the application that contains the Flash Player container with the contents of a given URL using the navigateToURL ActionScript function.
Contains ActionScript code to request and retrieve content from Internet URLs.
The studied SWF file makes use of the loadBytes ActionScript3 functionality, commonly used to load other files and arbitrary code at runtime.
The studied SWF file contains noticeably long strings of hex characters. This commonly reveals encoding of malicious code in hex format, which will then be transformed into binary via the hexToBin function.
The studied SWF file contains noticeably long base64 streams. This commonly reveals encoding of malicious code in base64 format, which will then be transformed into binary. It could also just be encoded images.
The studied SWF file performs environment identification.
The flash file uses methods of the ExternalInterface class to communicate with the external host of the Flash plugin, such as the web browser.
The flash file seems to embed JavaScript code. In combination with the ExternalInterface class usage, this code might be trying to modify the DOM of the parent URL embedding the file.
The flash file seems to be performing some sort of HTML iframe injection or makes use of iframes.
SWF Properties
SWF version: 9
Frame size: 0.0x0.0 px
Frame count: 1
Duration: 0.083 seconds
File attributes: ActionScript3
Unrecognized SWF tags: 0
Total SWF tags: 3
ActionScript 3 Packages
flash.display
flash.events
flash.external
flash.net
flash.system
flash.text
flash.utils
Suspicious strings
ExifTool file metadata
MIMEType: application/x-shockwave-flash
ImageSize: 0x0
FileType: SWF
Megapixels: 0.0
FrameRate: 12
FlashVersion: 9
FileTypeExtension: swf
Compressed: False
ImageWidth: 0
Duration: 0.08 s
FlashAttributes: ActionScript3
FrameCount: 1
ImageHeight: 0
File identification
MD5 e7ced808b16692f57229a2e21c476be8
SHA1 1ef8911390b4b724191d10fc30120d7532998f1e
SHA256 dd41efa629c7f7f876362c5ca6d570be6b83728a2ce8ecbef65bdb89cb402b0f
ssdeep 192:iJ4Z6XtFDC6Cy12jiy/tQ0RgAfBOEm3OnlT3gngOrYOBYrD1A57+hbMyiMQwApKl:iJ86XtFDEiol8Ej49YOc6IbYckfXvm
File size 13.8 KB ( 14123 bytes )
File type Flash
Magic literal Macromedia Flash data, version 9
TrID Macromedia Flash Player Movie (100.0%)
Tags ext-interface flash cve-2012-4969 exploit capabilities long-hex iframe cve-2010-2884 loadbytes
VirusTotal metadata
First submission 2012-09-16 08:47:13 UTC ( 6 years, 7 months ago )
Last submission 2013-11-15 17:23:17 UTC ( 5 years, 5 months ago )
File names Moh2010_dec.swf
Decoded SWF.exe
E7CED808B16692F57229A2E21C476BE8
1mNiYksQ5.vbs
E7CED808B16692F57229A2E21C476BE8.dat
Decoded Moh2012_decoded.sw
aa
dec.swf
Decoded SWF