Sunday, 1 March 2015

[EN] Analyzing Malicious PDF

Reading Contagio Blog I found few examples of malicious PDF files.

Today we will check one of them. :)

During PDF analysis many times we will use peepdf and Malzilla.
Also this time, those tool will help us to understand what's going on with
our PDF file.

Let's run peepdf on this file. As we can see there is some JavaScript object.
Let's examine this by "object 7" command:

Now we will save this object in 1.txt on C: drive:

Let's grab JS code from our txt file, and check if we can decode it in Malzilla:

First decoded eval() shows us some encoded payload...

Second one is just:


Ok, let's back to our first decoded eval(), that one with payload. Let see
more code (in Notepad++ ). Maybe we will understand how this exploit works
just by reading the code? ;)

And yes :D because in the code we can find even comments;]

So, yes, it looks like a heap spray sploit for Adobe Acrobat Reader < 9.

If you want to learn more, how to protect your self against this kind of vulnerabilities,
check also this or this page

If you will find some weird PDF file in your mailbox, and you don't know how to check
if it's safe to open - let me check it and send it via email (with password 'infected').

Of course you can send me other filetypes as well - MS Office/EXE/DLL/.NET...
You name it.

Thanks ;)

No comments:

Post a Comment

What do You think...?