Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on August 27, 2008, 07:03:31 pm

Title: Extract javascript from pdf file
Post by: SysAdMini on August 27, 2008, 07:03:31 pm
I've received the question

"How can I extract the javascript from a pdf exploit ?"

several times.

Here is my answer:


Download pdftk from http://www.accesspdf.com/pdftk/.

Run this from the command line: pdftk yourexploit.pdf output whateveryoulike.pdf uncompress

The uncompressed pdf is a plain text file and you can copy and paste the javascript code
to your favorite javascript decoder, for example Malzilla.

 
Title: Re: Extract javascript from pdf file
Post by: bobby on August 27, 2008, 09:03:33 pm
Some more info about the JavaScript in PDFs:
Sometimes the JavaScript contains shellcode that does not do runtime decoding of its own code, but sometimes the shellcode is not so easy to decode.

I have explained here how to decode the first kind of shellcode:
http://www.malwaredomainlist.com/forums/index.php?topic=2139.0

If you do not get any plain text link after doing UCS2 decoding, then you have a shellcode that will decode itself at runtime.
In that case use the second part of my instructions to save the shellcode to a file.
After that use your favorite debugger to debug the shellcode in order to get the URL.

I'm collecting info on how to make an emulated environment to run these shellcodes, so that we can have some automated decoder for all kinds of shellcodes.
There are some working applications for Linux for such tasks, and I'll try to get them working on Windows.
If I get them working, I'll let you know.
Title: Re: Extract javascript from pdf file
Post by: m1573r on August 28, 2008, 06:18:16 am
bobby, today all shellcodes are simply ripped from milw0rm
or older stuff. All malware which I have found uses the same code;
maybe VXers are too lazy to write something new  :)
Title: Re: Extract javascript from pdf file
Post by: bobby on August 28, 2008, 03:00:58 pm
@m1573r
Yes and no. Last week I got shellcode (JS inside PDF) which I do not recognize at all. It does not look like any encoder from milw0rm. So, there is still someone who does code some riddles for us to solve.
Title: Re: Extract javascript from pdf file
Post by: SysAdMini on September 21, 2008, 05:38:28 pm
This is a video which demonstrates how to analyze shellcode of malicious pdf files.

http://www.honeynor.no/2008/08/24/analysing-malicious-pdf-documents-and-shellcode/
Title: Re: Extract javascript from pdf file
Post by: bobby on September 24, 2008, 10:45:21 pm
I've just finished a tool to extract and decompress all the compressed streams from a PDF file.
Please give it a shot and tell me if it works with the samples you have:
http://sourceforge.net/project/showfiles.php?group_id=203466
Title: Re: Extract javascript from pdf file
Post by: SysAdMini on September 25, 2008, 07:50:32 am
Thanks Bobby,

it works. I found one file which gives an error, but the javascript part was extracted.
So it doesn't matter.

Code:
hxxp://v2count.net/in/1/output.pdf


Streams 1 and 3 have zero length.

Code:
Inflater v1.0 by bobby

Numbers in brackets are the beginning and the end adresses of streams

Found stream nr.1 ( $04EF, $04FB)
Inflated stream nr.1

Found stream nr.2 ( $058F, $097E)
Inflated stream nr.2

Found stream nr.3 ( $0A4C, $0A98)
Failed to inflate stream nr.3

Done
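
The uncompress step from the first post and bobby's inflater both come down to the same operation: locate every stream ... endstream pair, inflate it with zlib and report the streams that refuse. Below is an added Python example of that, not bobby's tool or pdftk; the sample PDF it carries is constructed (a harmless app.alert body) with two deliberately broken streams so the failure path seen in the output above is visible, and the /JS reference is followed to pull the script out.

```python
import re
import zlib

# Constructed sample PDF (not a real exploit): object 3 is a FlateDecode stream with a harmless
# /JS body; objects 4 (not zlib data) and 5 (empty) mirror the two streams the inflater failed on.
_JS = b"app.alert('constructed sample - nothing malicious here');"
_DEFLATED = zlib.compress(_JS)
_OBJ3 = (b"3 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_DEFLATED)
         + _DEFLATED + b"\nendstream\nendobj\n")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
    + _OBJ3 +
    b"4 0 obj << /Length 4 >>\nstream\n\xff\xfe\x00\x01\nendstream\nendobj\n"
    b"5 0 obj << /Length 0 /Filter /FlateDecode >>\nstream\n\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\b(.*?)endobj", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")

def inflate(raw):
    """Inflate one stream body; None when it is empty, truncated or not zlib data at all."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(raw)
    except zlib.error:              # bad zlib header or corrupt deflate data
        return None
    return out if d.eof else None   # no end-of-stream marker: empty or cut short

def inflate_streams(pdf):
    """(start, end, inflated-or-None) for every stream; offsets index into the file."""
    return [(m.start(1), m.end(1), inflate(m.group(1))) for m in STREAM_RE.finditer(pdf)]

def report(pdf):
    """Report lines in the style of the Inflater output quoted above."""
    lines = []
    for nr, (start, end, data) in enumerate(inflate_streams(pdf), 1):
        lines.append("Found stream nr.%d ( $%04X, $%04X)" % (nr, start, end))
        lines.append(("Inflated" if data is not None else "Failed to inflate") + " stream nr.%d" % nr)
    return lines

def extract_javascript(pdf):
    """Follow each /JS N 0 R reference to object N and return its inflated script text."""
    streams = {int(m.group(1)): inflate(s.group(1)) for m in OBJ_RE.finditer(pdf)
               for s in [STREAM_RE.search(m.group(2))] if s}
    return [streams[int(r.group(1))].decode("latin-1") for r in JS_REF_RE.finditer(pdf)
            if streams.get(int(r.group(1))) is not None]
```

Run report(SAMPLE_PDF) and extract_javascript(SAMPLE_PDF) on a file of your own by reading it in binary mode; a production parser should honour each stream's /Length instead of searching for endstream, and other filters (/ASCIIHexDecode, /LZWDecode) and object streams are out of scope here.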

Title: Re: Extract javascript from pdf file
Post by: bobby on September 25, 2008, 10:36:08 am
The two problematic streams can't be decompressed by some other tools either, so I think it is something other than standard zlib compression.
The first stream is just a couple of bytes long... strange one.
Title: Re: Extract javascript from pdf file
Post by: bobby on November 18, 2008, 05:07:31 pm
A serious bug has been found in PDF_streams_inflater.
Please immediately delete it from your HDD and download the bugfixed version from the same link.
If the files are still not updated on the sourceforge mirrors, please wait until they are.
The file stamps (dates) should be from today.
Title: Re: Extract javascript from pdf file
Post by: bobby on November 22, 2008, 07:35:15 pm
Linux version of PDF_streams_inflater

Please report bugs if you find some.
Title: Re: Extract javascript from pdf file
Post by: DiFor on January 18, 2009, 11:08:55 am
Sorry, but I cannot download PDF_streams_inflater from any sourceforge server; could you upload it somewhere else? Thanks.
Title: Re: Extract javascript from pdf file
Post by: bobby on January 18, 2009, 11:20:38 am
Hi,

here it is
Title: Re: Extract javascript from pdf file
Post by: DiFor on January 18, 2009, 08:53:33 pm
Big thanks to you. Your software is super ;)
Title: Re: Extract javascript from pdf file
Post by: SysAdMini on January 19, 2009, 05:02:39 pm
Today I've found a pdf file which pdftk was unable to decode.

Code:
hxxp://suttds.com/spun/pdf.php

Bobby's inflater did the job. :)
Title: Re: Extract javascript from pdf file
Post by: sgres on July 14, 2009, 09:33:01 am
Hi,

there is a pdf referenced by www.milw0rm.com and I couldn't extract the javascript! Can anyone help me with this issue?

here is the link:

Code:
http://milw0rm.com/sploits/2009-crashy_the_clown.pdf
Please be careful! The pdf installs a trojan on your machine.

Thanks

sgres  

MysteryFCM: Embedded URL in BBCode tags
Title: Re: Extract javascript from pdf file
Post by: MysteryFCM on July 14, 2009, 01:15:04 pm
The JS is in plain text in the PDF, so just needs a little cleanup, no de-obfuscating. It also doesn't actually install anything. Just seems to be a PoC for a stack overflow (checking on this confirms it).
Title: Re: Extract javascript from pdf file
Post by: sgres on July 15, 2009, 09:25:12 am
Hi,

Thanks for the reply. :)
 
The problem is that the javascript is encoded in brackets '[' and I don't know how to convert them to plain text.

Another question I have is how can I decode UCS2 to binary or hex? And how can I encode my shellcode in UCS2?

Thanks

sgres
Title: Re: Extract javascript from pdf file
Post by: SysAdMini on July 15, 2009, 04:57:05 pm
Another question I have is how can I decode UCS2 to binary or hex?

Malzilla (http://malzilla.sourceforge.net/)
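
The UCS2 decoding that Malzilla performs here, and that bobby's "plain text link after UCS2 decoding" test above relies on, is the inverse of JavaScript's unescape() on %uXXXX strings: each token is a 16-bit code unit stored little-endian, so the byte order has to be swapped. Added Python example, not Malzilla's code; the %u string is constructed and decodes to one filler word plus a placeholder URL.

```python
import re

# Constructed %uXXXX string of the kind unescape() is fed in PDF exploits: one padding word
# followed by a placeholder URL. Each %u token is a UTF-16 code unit stored little-endian,
# so %u7468 is the bytes 68 74, i.e. "ht".
SAMPLE_UCS2 = "%u9090%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c%u632e%u6d6f%u002f"

def ucs2_unescape(text):
    """Decode %uXXXX (and plain %XX) escapes into the raw bytes they stand for."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", text):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")   # low byte first
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

def printable_strings(data, min_len=4):
    """Runs of printable ASCII in the decoded bytes, like the strings tool: a plain-text URL
    shows up here, while a self-decoding stub yields nothing useful until it is executed."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
```

If printable_strings() returns no URL, you are in the case bobby describes: the shellcode decodes itself at runtime and has to be saved to a file and stepped through in a debugger or emulator.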
Title: Re: Extract javascript from pdf file
Post by: MysteryFCM on July 15, 2009, 05:54:03 pm
And how can I encode my shellcode in UCS2?

We aren't here to help malware authors... we're here to stop them.