Hi everyone!

In attached zip:

swf.swf - original swf file
swf-unpacked.swf - unpacked swf file (zlib)
BinaryData.as, Main.as - results of Sothink SWF Decompiler
data.bin - binary results of XOR in ActionScript

From that point I can't find shellcode and the URL, from where executable is downloading.

Please help! Thanks!

in this case, Flasm (http://www.nowrap.de/flasm.html) might be more useful than SWF Decompiler

Thanks, but I've used it and it outputs:



so, the problem is not in decompiling swf file.
The problem is to analyze binary data, that AS3 puts in memory (loadBytes)
and to find shellcode there!

binarydata.as shold decrypted again to SWF. tomorrow will see

ps. data.bin is invalid unicode

ok, did it. finally we have little different SWF, which we discussed before here in forum.

here are run_able shellcodes. but internet-address not responds with Malware.
Bad!?

Hi!,

i would like to know if you have any information about the vulnerability this swf is trying to exploit (CVE perhaps).

Thanks in advanced!.

can you provide me the link to the previous discussion thread?.

NO-NO-NO! previous discussion thread is strictly secure ~=)
btw, THAT "Marcos", no said even single "thanks" ?! whu_ze_fu!?

ok, so can you tell me if this is a known and public vulnerability or a 0-day?, do you have any information, link to adv, cve?.

NO-NO-NO! << you not guess joke.
http://www.woodmann.com/forum/showthread.php?t=12399

hahaha ok!, thanks!!!