Monday, 2 March 2015

[EN] Analysing malicious PDF - part 2

This time we will check two PDFs (because I decided it would be more fun than posting about just one ;)). Besides that, these two files use different methods for delivering the payload, so we will look at all of them.



To do:
1. find malicious file
2. find JS if there is any (or another object possibly used for the attack)
3. decode it - to get as much info as possible.
4. if not finished - go to step 2.

You will find both files to analyse on Contagio's Blog, mentioned before (1).

First case:






Let's check the object(s) containing JS:

PDF> object 7 > C:\1.txt 

...will save it to a file. Open this file in your favourite editor and beautify the code a little:


Ok, so now we get the idea...


Now we know how this code is obfuscated. Let's prepare a "decoder" :)





Ok good, the printable version should now contain the decoded string. Checking:


hm... Almost good, but almost isn't enough ;) We need to rewrite this for() loop.

Better! Now we need to unescape() the code in a safe way. Change eval() to document.write() again:





And now we can see that this is (again commented ;) ) code with an exploit for Adobe Acrobat.

Beautify again:





Good. After a few minutes we can get the original exploit:



That's all for case one. :)


Second case:

A new sample from Contagio's Blog, and again, as the "first stage of checking", we will use peepdf.py to analyse it:





Ok, now we can see some object(s) also containing JS code. Let's check this JS code:




In object 13 we will find more JS, so we need to extract it to a TXT file again to beautify or analyse it later. Let's do it (PDF> object 13 > c:\yourFile.txt). Below is the screen from this action:




We can see that this code needs to be sanitised, so we will do it in Malzilla (Unicode decoder in "Misc decoders"):




Malzilla again in action:



After decoding the rest in Burp's Decoder, we can find the real content of this exploit:




Checking online for resources like that, we can easily find proof of concept code, here or here for example.

After these two cases, you should now be able to check whether your spam contains some "interesting" PDF files ;)

(* Remember ;)
if you can't check it, you can always send it to me: zipped with password 'infected'.)


Cheers ;)

o/
