This time we will check 2 PDFs (because I decided it would be more fun than posting about just one ;)). Besides that, those 2 files use different methods for delivering the payload, so we will check all of them.
To do:
1. find the malicious file
2. find the JS, if there is any (or another object possibly used for the attack)
3. decode it, to get as much info as possible
4. if not finished, go back to step 2
Both files to analyse can be found on Contagio's Blog, mentioned before (1).
First case:
Let's check which object(s) contain JS:
PDF> object 7 > C:\1.txt
...will save it to a file. Open this file in your favourite editor and beautify the code a little bit:
Ok, so now we get the idea...
Now we know how this code is obfuscated. Let's prepare a "decoder" :)
Ok, good, the printable version should now contain the decoded string. Checking:
Hm... almost good, but almost is not enough ;) We need to rewrite this for() loop.
Better! Now we need to unescape() the code in a safe way. Change eval() to document.write() again:
And now we can see that this is (again commented ;)) exploit code for Adobe Acrobat.
Beautify again:
Good. Now, after a few minutes, we get the original exploit:
That's all for case one. :)
Second case:
A new sample from Contagio's Blog, and again, as the "first stage of checking", we will use peepdf.py to analyse it:
Ok, now we can see some object(s) also containing JS code. Let's check this JS code:
In object 13 we will find more JS, so we need to extract it to a TXT file again, to beautify or analyse it later. Let's do it (PDF> object 13 > c:\yourFile.txt). Below is the screenshot of this action:
We can see that this code needs to be sanitized, so we will do it in Malzilla (the Unicode decoder under "Misc decoders"):
Malzilla again in action:
After decoding the rest in Burp's Decoder, we can find the real content of this exploit:
Searching online for resources like that, we can easily find proof-of-concept code, here or here for example.
With those 2 cases explained, you should now be able to check whether your spam contains some "interesting" PDF files ;)
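Both cases above come down to the same three moves: pull the script out of a /JS object, inflate its stream, and decode the unescape()'d strings without ever letting eval() run (the "safe way" from case one, and what Malzilla's Unicode decoder did for the %u strings in case two). The script below is an added example, not the post's own tooling and not peepdf or Malzilla. It builds a constructed sample PDF at run time (a fake NOP-sled marker plus a harmless alert, not a real exploit) so it runs offline; the regex-based object parser, the unescape() reimplementation and the eval/NOP-sled heuristics are my assumptions about the common case, not a complete PDF parser.

```python
"""Static triage of JavaScript embedded in a PDF (added example, not the post's
own tooling).  Locates /JS objects, inflates FlateDecode streams and decodes
unescape("...") literals statically, so nothing from the sample is executed."""
from __future__ import annotations

import re
import zlib

# --- PDF side: objects and streams ------------------------------------------
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")          # /JS 8 0 R
JS_HEX_RE = re.compile(rb"/JS\s*<([0-9A-Fa-f\s]+)>")        # /JS <6576616c...>
JS_LIT_RE = re.compile(rb"/JS\s*\((.*)\)", re.DOTALL)       # /JS (app.alert(1))


def parse_objects(pdf: bytes) -> dict[int, bytes]:
    """Map object number -> body for every 'N 0 obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def stream_data(body: bytes) -> bytes | None:
    """Raw stream of one object, inflated if the dictionary says /FlateDecode."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body else data


def extract_javascript(pdf: bytes) -> dict[int, bytes]:
    """Return {object number: script bytes} for every /JS entry (the manual
    'PDF> object N > file.txt' step from the post, done for all objects)."""
    objs = parse_objects(pdf)
    scripts: dict[int, bytes] = {}
    for num, body in objs.items():
        if b"/JS" not in body:
            continue
        if (m := JS_REF_RE.search(body)):           # indirect: script is a stream
            target = int(m.group(1))
            data = stream_data(objs.get(target, b""))
            if data is not None:
                scripts[target] = data
        elif (m := JS_HEX_RE.search(body)):         # hex string (whitespace ok)
            scripts[num] = bytes.fromhex(m.group(1).decode())
        elif (m := JS_LIT_RE.search(body)):         # plain literal string
            scripts[num] = m.group(1)
    return scripts


# --- JavaScript side: decode without executing -------------------------------
UNESCAPE_CALL_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
SINK_RE = re.compile(r"\b(eval|document\.write|app\.setTimeOut)\s*\(")


def js_unescape(s: str) -> str:
    """Pure-Python unescape(): %XX -> char XX, %uXXXX -> UTF-16 code unit XXXX."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decoded_strings(script: str) -> list[str]:
    """Statically decode every unescape("...") literal found in the script."""
    return [js_unescape(m.group(1)) for m in UNESCAPE_CALL_RE.finditer(script)]


def find_sinks(script: str) -> list[str]:
    """Code-execution sinks worth eyeballing before any 'beautify' step."""
    return sorted(set(SINK_RE.findall(script)))


def looks_like_nop_sled(decoded: str, min_units: int = 4) -> bool:
    """Heuristic: a run of %u9090 units (x86 NOPs) usually marks shellcode."""
    return "\u9090" * min_units in decoded


def triage(pdf: bytes) -> dict:
    """Per-object report: sinks, decoded strings, NOP-sled flag, auto-run flag."""
    report: dict = {"auto_run": b"/OpenAction" in pdf, "objects": {}}
    for num, raw in extract_javascript(pdf).items():
        script = raw.decode("latin-1")      # byte-preserving view of the script
        dec = decoded_strings(script)
        report["objects"][num] = {
            "sinks": find_sinks(script),
            "decoded": dec,
            "nop_sled": any(looks_like_nop_sled(d) for d in dec),
        }
    return report


# --- Constructed sample (assumed layout, NOT a real malicious file) -----------
SAMPLE_JS = (
    'var sc = unescape("%u9090%u9090%u9090%u9090%uCCCC");\n'  # fake sled + int3
    'var s = unescape("%61%6C%65%72%74");\n'                  # decodes to "alert"
    'eval(s + "(1)");\n'
)


def build_sample_pdf(js: str = SAMPLE_JS) -> bytes:
    """Minimal PDF whose /OpenAction runs a FlateDecode'd script (object 8)."""
    stream = zlib.compress(js.encode("latin-1"))
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /OpenAction 7 0 R >>\nendobj\n"
        b"7 0 obj\n<< /S /JavaScript /JS 8 0 R >>\nendobj\n"
        b"8 0 obj\n<< /Length " + str(len(stream)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(build_sample_pdf()))
```

Running it prints a report with auto_run set, object 8 flagged for an eval() sink, the second decoded string reading "alert", and the NOP-sled heuristic firing on the %u9090 run. To use it on a real sample, pass the file's bytes to triage(); objects whose streams use filters other than FlateDecode, or whose /JS string sits inside an object stream, are outside what this small parser handles and are exactly the cases where peepdf's object view is still needed.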
(* Remember ;)
if you can't check it, you can always send it to me: zipped with password 'infected'.)
Cheers ;)
o/