This time we will check two PDFs (because I decided it would be more fun than posting about just one ;)). Besides that, these two files use different methods for delivering the payload, so we will check both of them.
1. Find the malicious file.
2. Find the JS, if there is any (or any other object possibly used for the attack).
3. Decode it, to get as much information as possible.
4. If not finished, go to step 2.
Both files to analyse can be found on Contagio's Blog, mentioned before (1).
Let's check the object(s) containing JS:
PDF> object 7 > C:\1.txt
...will save it to a file. Open this file in your favourite editor and beautify the code a little:
Ok, so now we get the idea...
Now we know how this code is obfuscated. Let's prepare a "decoder" :)
Ok good, the printable version should now contain the decoded string. Checking:
hm... Almost good, but almost is not enough ;) We need to rewrite this for() loop.
And now we can see that this is (again commented ;) ) code with an exploit for Adobe Acrobat.
Good. Now, after a few minutes, we can get the original exploit:
That's all for case one. :)
A new sample from Contagio's Blog, and again, as a "first stage of checking",
we will use peepdf.py to analyse it:
Ok, now we can see some object(s) also containing JS code. Let's check this JS code:
In object 13 we will find more JS, so we need to extract it to a TXT file again, to beautify or analyse it later. Let's do it (PDF> object 13 > c:\yourFile.txt). Below is the screen from this action:
We can see that this code needs to be sanitized, so we will do it in Malzilla (the unicode decoder in "Misc decoders"):
Malzilla again in action:
After decoding the rest in Burp's Decoder, we can find the real content of this exploit:
Searching online for resources like this, we can easily find proof-of-concept code, here or here for example.
After these two cases are explained, you should now be able to check whether your spam contains some "interesting" PDF files ;)
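The two manual steps repeated in both cases (pull the /JS objects out of the PDF, then run the %u-escaped strings through a unicode decoder as Malzilla does) can be scripted for quick triage. This is an added example, not code from the post or from peepdf; the PDF bytes are a constructed, inert sample, and the JS extraction is a greedy-regex heuristic, not a full PDF parser.

```python
import re
from typing import Dict

# Constructed, inert sample (not from the post): object 7 is the /OpenAction target and
# carries /JS whose payload string is %u-escaped, the pattern the post feeds to Malzilla.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 7 0 R >> endobj\n"
    b'7 0 obj << /S /JavaScript /JS (var s = unescape("%u6548%u6c6c%u206f%u4450%u2146");) >> endobj\n'
    b"9 0 obj << /Length 5 >> stream\nhello\nendstream endobj\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
# Heuristic: inside one object body, take everything from "/JS (" to the last ")".
JS_RE = re.compile(rb"/JS\s*\((.*)\)", re.S)
ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
QUOTED_ESC_RE = re.compile(r'"((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)"')

def find_js_objects(pdf: bytes) -> Dict[int, str]:
    """Map object number -> JS source for every object carrying /JS or /JavaScript."""
    found = {}
    for num, body in OBJ_RE.findall(pdf):
        if b"/JS" in body or b"/JavaScript" in body:
            m = JS_RE.search(body)
            if m:
                found[int(num)] = m.group(1).decode("latin-1")
    return found

def decode_unescape(s: str) -> bytes:
    """Decode %uXXXX (UTF-16 code unit, emitted little-endian as unescape() stores it) and %XX."""
    out = bytearray()
    for m in ESC_RE.finditer(s):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

def triage(pdf: bytes) -> Dict[int, dict]:
    """For each JS object, list the quoted escape-encoded strings and their decoded bytes."""
    report = {}
    for num, js in find_js_objects(pdf).items():
        blobs = QUOTED_ESC_RE.findall(js)
        report[num] = {"js": js, "decoded": [decode_unescape(b) for b in blobs]}
    return report

if __name__ == "__main__":
    for num, info in triage(SAMPLE_PDF).items():
        print(f"object {num}: {info['js'][:60]!r} -> decoded {info['decoded']}")
```

The decoded bytes are what you would then hand to a disassembler or a string scan; on a real sample expect several decode rounds, as with the for() loop rewrite in case one.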
(* Remember ;)
if you can't check it, you can always send it to me: zipped with password 'infected'.)