CWSandbox

Malicious PDFs Analysis Continued

Monday, January 12. 2009

After my initial posting about the possibility to analyze PDF files with CWSandbox we received a few more such samples. In all cases the PDF file exploits a vulnerability in Acrobat Reader once the file is opened. With the help of CWSandbox it is possible to observe this exploit and also the actions of the malware after the compromise (e.g., downloading of additional malware from another server). Please find below three additional examples of such reports:

https://cwsandbox.org/?page=report&analysisid=879663&password=vqtgp

https://cwsandbox.org/?page=report&analysisid=878305&password=utxuc

https://cwsandbox.org/?page=report&analysisid=878393&password=pmviw

If you happen to have more malicious PDFs, please submit them at cwsandbox.org :-)

Posted by Thorsten Holz in CWSandbox, malware at 13:18 | Comment (1) | Trackbacks (0)

About

This weblog deals with IT-security related stuff and honeypots / honeynets in particular. In addition, the main focus is on malware and bots / botnets.

The blog is maintained by Thorsten Holz (Twitter: @thorstenholz). I work as an assistant professor at Ruhr-University Bochum and am also affiliated with the International Secure Systems Lab. I am one of the founders of the German Honeynet Project and obtained a doctorate from the Laboratory for Dependable Distributed Systems (University of Mannheim) in May 2009. You can reach me at thorsten.holz [at] gmail.com

Together with Niels Provos, I wrote a book on honeypots:

Calendar