PDF malware adopts another obfuscation trick in attempt to avoid detection

[SysAdMini]

http://nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/

Filters are used by PDFs to compress or store data to either make the file smaller (Flate, CCITTFax) or allow it to be read as text (ASCIIHex).

By combining the filters in weird ways the malware author hopes to bypass detection by malware scanners and deliver a malicious payload to the victim.

example
http://wepawet.cs.ucsb.edu/view.php?hash=e44cc8b05cbca3500848285095704f8b&type=js

[adityasawant28]

Hello,

Please check : hxxp://file.allitebooks.com/20160104/JavaScript%20Concurrency.pdf

Size: 1714620 bytes
MD5: 1a2348c186c8b5c8b4a07a08d70e4957
Sha1: 73565f3a46c44487c11ea701783e8c150b73ba27
Sha256: f86b701f25823b9be8916974b01c1e141d7d801e3fb96f416803e13ed4bb9104
ssdeep: 24576:95xT7fEtdDA4LcQBS8M7hP/SVTEMDfbZIogpWBK+Pkuys0792:9v8nDnYKS8MZKV3DfmoWWBRkO0p2
Type: PDF document, version 1.6.

Detection: Malware [12]

Summary:
632.0@491775: suspicious.obfuscation using charCodeAt
632.0@491775: suspicious.obfuscation using String.fromCharCode
831.0@710564: suspicious.obfuscation using eval

Used malwaretracker.com for analysis, not sure if they give trusted information. Manually checked the file, obj 2038 looks suspicious.

Thanks,
Aditya

[dlipman]

You uploaded this file, twice, early this AM in another location.  I subsequently examined it.

It's a PDF on JavaScript Concurrency.  It is not a malicious PDF nor even suspicious.

Virus Total Report

[adityasawant28]

Hello,

There is a possibility that the person who created this file is using a different obfuscation technique which bypasses most of the anti virus softwares and is not detected by online file examining tools.

If these technique is added to the database of Virus Total then they will show this file as malicious.

Just a thought. :-)

Thanks,
Aditya

[dlipman]

is using a different obfuscation technique

On what ?

There is no content that would need to be obfuscated.

If you can not indicate what is or would need to be obfuscated then the conjecture is FUD.  In other words...
If one is to speculate that there may be a case of "a different obfuscation technique" then one must show show what the content is that would be the object of that obfuscation.