{
	"id": "4de4d1d9-e132-4e84-9084-501326dc9283",
	"created_at": "2026-04-06T00:14:42.658153Z",
	"updated_at": "2026-04-10T13:11:50.483688Z",
	"deleted_at": null,
	"sha1_hash": "456904561d006cc6615f14b992b6811d9fd2cebd",
	"title": "Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135215,
	"plain_text": "Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI)\r\nArchived: 2026-04-05 13:41:54 UTC\r\n\r\nJared Myers from CyberESI posted a fantastic, detailed analysis of a Taidoor trojan variant he called Trojan.Matryoshka, because it is just a container/carrier for another malicious file, \"Trojan.Einstein\". See his write-ups on Trojan.Matryoshka and Trojan.Einstein. The trojan arrived in a malicious RTF attachment exploiting CVE-2010-3333, sent from a spoofed address at the National Chengchi University (NCCU) of Taiwan. The actual sending host was a server, IBM111, which is used by a particular group of attackers and is seen quite frequently. This sample was donated by a reader, but I have a lot of IBM111-produced attachments if you are after them.\r\n\r\nCommon Vulnerabilities and Exposures (CVE) number\r\nCVE-2010-3333\r\nStack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka \"RTF Stack Buffer Overflow Vulnerability\".\r\nMicrosoft fixed this bug in security bulletin MS10-087 (November 2010), so this late-September 2011 sample was aimed at recipients whose Office installations were roughly ten months behind on patches.\r\n\r\nGeneral File Information\r\nFile Name: 過程論的觀點分析六方會談 審查意見.doc\r\nFile Size: 61455 bytes\r\nMD5: 8406c1ae494add6e4f0e78b476fb4db0\r\n\r\nMessage + Headers\r\nFrom: 戰略學刊 [mailto:95273503@nccu.edu.tw]\r\nSent: Wednesday, September 28, 2011 5:22 AM\r\nSubject: 稿件\r\n如附檔，請收悉。\r\n\r\nTranslation:\r\nFrom: Strategy Journal [mailto:95273503@nccu.edu.tw]\r\nSent: Wednesday, September 28, 2011 5:22 AM\r\nSubject: Manuscript\r\nPlease see the attached file and acknowledge receipt.\r\nAttachment: 過程論的觀點分析六方會談 審查意見.doc (Review comments on an analysis of the Six-Party Talks from a process-theory perspective)\r\n\r\nReceived: from IBM111 (60-249-219-82.HINET-IP.hinet.net [60.249.219.82])\r\n xxxxxxxxxxxxxx; Wed, 28 Sep 2011 17:22:14 +0800 (CST)\r\nDate: Wed, 28 Sep 2011 17:21:43 +0800\r\nFrom: =?big5?B?vtSypL7HpVo=?= \u003c95273503@nccu.edu.tw\u003e\r\nSubject: =?big5?B?vVql8w==?=\r\nxxxxxxxxxxxxxxxxxxxxx\r\nMessage-id: \u003c051c01cc7dc0$15472a40$c900a8c0@IBM111\u003e\r\nMIME-version: 1.0\r\nX-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180\r\nX-Mailer: Microsoft Outlook Express 6.00.2900.2180\r\nContent-type: multipart/mixed; boundary=\"Boundary_(ID_6HJcv7WYiwyCKpqySxUA2g)\"\r\nX-Priority: 3\r\nX-MSMail-priority: Normal\r\n\r\nThe Received: hop and the Message-ID host both name IBM111, and the X-Mailer shows the message was composed in Outlook Express 6 on that machine; nothing in the headers ties it to an nccu.edu.tw mail server, so the From: address is spoofed.\r\n\r\nSender\r\nIP: 60.249.219.82\r\nReverse DNS: 60-249-219-82.HINET-IP.hinet.net\r\nRegistrant: Da Shi Yung Co., Ltd, Tainan County, Taiwan\r\n\r\nAutomated Scans\r\n\r\ndoc\r\nhttp://www.virustotal.com/file-scan/report.html?id=ca3744ae693409b2f8addd3de99c1ccae0bc8c709678ea357898bd02e8fb362a-1317347501\r\nSubmission date: 2011-09-30 01:51:41 (UTC)\r\nVendor               Version        Updated      Detection\r\nAntiVir              7.11.15.74     2011.09.29   EXP/CVE-2010-3333\r\nAntiy-AVL            2.0.3.7        2011.09.29   Exploit/MSWord.CVE-2010-3333\r\nAvast                6.0.1289.0     2011.09.30   RTF:CVE-2010-3333 [Expl]\r\nAVG                  10.0.0.1190    2011.09.30   Suspicion: unknown virus\r\nBitDefender          7.2            2011.09.30   Exploit.RTF.Gen\r\nClamAV               0.97.0.0       2011.09.30   PUA.RFT.EmbeddedOLE\r\nCommtouch            5.3.2.6        2011.09.30   CVE-2010-3333!Camelot\r\nDrWeb                5.0.2.03300    2011.09.30   Exploit.Rtf.based\r\nF-Secure             9.0.16440.0    2011.09.30   Exploit.RTF.Gen\r\nFortinet             4.3.370.0      2011.09.30   Data/CVE20103333.A!exploit\r\nGData                22             2011.09.30   Exploit.RTF.Gen\r\nKaspersky            9.0.0.837      2011.09.30   Exploit.MSWord.CVE-2010-3333.r\r\nMicrosoft            1.7702         2011.09.29   Exploit:Win32/CVE-2010-3333\r\nnProtect             2011-09-29.01  2011.09.29   Exploit.RTF.Gen\r\nPCTools              8.0.0.5        2011.09.30   HeurEngine.MaliciousExploit\r\nSophos               4.69.0         2011.09.30   Troj/RTFDrp-C\r\nSymantec             20111.2.0.82   2011.09.30   Bloodhound.Exploit.366\r\nTrendMicro           9.500.0.1008   2011.09.29   Possible_ARTIEF\r\nTrendMicro-HouseCall 9.500.0.1008   2011.09.30   Possible_ARTIEF\r\nVIPRE                10616          2011.09.30   Exploit.RTF.CVE-2010-3333 (v)\r\nMD5: 8406c1ae494add6e4f0e78b476fb4db0\r\n\r\nPayload\r\nFile name: payload.exe\r\nSubmission date: 2011-10-06 12:39:32 (UTC)\r\nResult: 17/42 (40.5%); the rows below are the 17 detecting engines plus eTrust-Vet, which returned no detection (-).\r\nhttp://www.virustotal.com/file-scan/report.html?id=53d03f3db44d40de762ca445b85011a93e6b549788c5713862e42eed173eefa3-1317904772\r\nVendor               Version        Updated      Detection\r\nAhnLab-V3            2011.10.05.00  2011.10.05   Backdoor/Win32.CSon\r\nAntiVir              7.11.15.137    2011.10.06   TR/Hijacker.Gen\r\nAVG                  10.0.0.1190    2011.10.06   BackDoor.Generic14.AJZQ\r\nBitDefender          7.2            2011.10.06   Trojan.CryptRedol.Gen.3\r\nDrWeb                5.0.2.03300    2011.10.06   Trojan.Taidoor\r\nEmsisoft             5.1.0.11       2011.10.06   Backdoor.Win32.Simbot!IK\r\neTrust-Vet           36.1.8602      2011.10.06   -\r\nF-Secure             9.0.16440.0    2011.10.06   Trojan.CryptRedol.Gen.3\r\nGData                22             2011.10.06   Trojan.CryptRedol.Gen.3\r\nIkarus               T3.1.1.107.0   2011.10.06   Backdoor.Win32.Simbot\r\nKaspersky            9.0.0.837      2011.10.06   HEUR:Trojan.Win32.Generic\r\nMicrosoft            1.7702         2011.10.06   Backdoor:Win32/Simbot.gen\r\nNOD32                6521           2011.10.06   a variant of Win32/Injector.JQA\r\nnProtect             2011-10-06.01  2011.10.06   Trojan.CryptRedol.Gen.3\r\nPanda                10.0.3.5       2011.10.05   Suspicious file\r\nRising               23.77.04.01    2011.09.30   Suspicious\r\nSymantec             20111.2.0.82   2011.10.06   Suspicious.Cloud.5\r\nVBA32                3.12.16.4      2011.10.06   TrojanDownloader.Rubinurd.f\r\nMD5: d24a5c27628327da1cea545be2f99756\r\n\r\nSource: http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html"
	],
	"report_names": [
		"sep-28-cve-2010-3333-manuscript-with.html"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/456904561d006cc6615f14b992b6811d9fd2cebd.pdf",
		"text": "https://archive.orkl.eu/456904561d006cc6615f14b992b6811d9fd2cebd.txt",
		"img": "https://archive.orkl.eu/456904561d006cc6615f14b992b6811d9fd2cebd.jpg"
	}
}