{
	"id": "86afc908-6828-455a-aef3-6a8139b1db67",
	"created_at": "2026-04-06T00:11:22.179219Z",
	"updated_at": "2026-04-10T13:11:23.72559Z",
	"deleted_at": null,
	"sha1_hash": "f24cf5248eb9ac9fadca9fa479ed39c84c937541",
	"title": "Analyzing CVE-2011-4369 – Part One",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37442,
	"plain_text": "Analyzing CVE-2011-4369 – Part One\r\nBy admin\r\nArchived: 2026-04-05 14:37:10 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20150310155151/http://blog.9bplus.com:80/analyzing-cve-2011-4369-part-one/\r\nAdobe pulled a fast one a couple of days ago when they pushed out their most recent patch. In doing so they addressed CVE-2011-2462, but also mentioned another vulnerability that exploited the PRC format (also related to U3D). This additional vulnerability was not one I had come across until a few days ago, and below is my initial analysis of the PDF structure and a barebones dynamic analysis.\r\nhttps://www.pdfxray.com/interact/e6db130bb8768a5f65e7e52aa235e66e/\r\nStructure Breakdown\r\nThis PDF does not make use of any encryption or advanced capabilities, but does have an interesting structure. The document itself consists of 17 pages, which is a key fact to note because it is later used by the JavaScript. These pages are defined in object 1, with pages 8-11 being those that reference the PRC streams.\r\nLocated within the last object (64) is the JavaScript triggered to run when the document is opened (the JS is the contents of the first page), which will be analyzed later. Located throughout the document are several objects containing a stream that defines PRC content.\r\nThe first file dropped on to the system is “AcroRd32Info.cab”, which is then expanded using “C:\\WINDOWS\\system32\\expand.exe”, which writes “acrord32info.exe”. VirusTotal identifies this file as a generic dropper, but does not provide any malware family.\r\nhttp://www.virustotal.com/file-scan/report.html?id=c6a182f410b4cda0665cd792f0…\r\nAfter writing to “C:\\WINDOWS\\system32\\wbem\\Logs\\wbemprox.log”, another file is written to “C:\\WINDOWS\\msapps\\netmgr.exe”. VirusTotal identifies this file as an injector, but again, does not provide any malware family. Before the main process is terminated, a registry value is set so that “netmgr.exe” runs when the system starts.\r\nhttp://www.virustotal.com/file-scan/report.html?id=be14d781b85125a60747249646…\r\nRunning “netmgr.exe” manually creates a process and executes svchost.exe, which waits for a few seconds and then terminates. Within “netmgr.exe” are references to “http://1.9.32.11/bunny/test.php?rec=nvista”, but it is unclear what role, if any, this site plays. Part two will include more analysis of the binary files dropped by the PDF.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20150310155151/http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/"
	],
	"report_names": [
		"analyzing-cve-2011-4369-part-one"
	],
	"threat_actors": [],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f24cf5248eb9ac9fadca9fa479ed39c84c937541.pdf",
		"text": "https://archive.orkl.eu/f24cf5248eb9ac9fadca9fa479ed39c84c937541.txt",
		"img": "https://archive.orkl.eu/f24cf5248eb9ac9fadca9fa479ed39c84c937541.jpg"
	}
}