Malware Domain List

Malware Related => Malware Analysis => Topic started by: binary on October 20, 2009, 03:31:14 pm

Title: Malicious PDF
Post by: binary on October 20, 2009, 03:31:14 pm
Hi All,

I've done some reversing on this PDF and it looks like it downloads something from hxxp://boomroot.ru/svy/load.php?a=a&st=InternetExplorer6.0%7CWindowsXP&e=3 / e=1 / e=2. I used pdftk to extract the JavaScript and Malzilla to analyze it. My first analysis :D.

Correct me if I am wrong here: there are actually three sets of Unicode strings? Is "\u0039" a Unicode representation? Please can you correct me... :)

Edit: Added the attachment

Thanks
Binary
Title: Re: Malicious PDF
Post by: h4h4h4h4 on October 20, 2009, 04:55:29 pm
Yes, there are 3 different Unicode-encoded strings, and they are all slightly different.

There are 3 exploits in the pdf, each with shellcode to go along with it:

Collab.collectEmailInfo exploit

downloads from
--boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=2

util.printf exploit

downloads from
--boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=1


Collab.getIcon exploit

downloads from
--boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=3


Good that you noticed the e=1, e=2, e=3 at the end of each exploit. It lets them keep track of which exploit downloads more frequently and do stat tracking.
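As an added example that is not part of the thread: a small Python triage script for the JavaScript pulled out of such a PDF. It finds the \uXXXX-encoded strings binary asked about, decodes each run the way it ends up in memory (every unit becomes two bytes, low byte first), hashes each blob so the three payloads can be told apart, and pulls out the download URL carried inside the decoded shellcode. The sample JavaScript, the malware.invalid host and all function names are constructed for this example; the script handles any number of encoded runs, not just three.

```python
r"""Triage helper for JavaScript pulled out of a PDF (for example with pdftk):
find \uXXXX-encoded strings, decode each to bytes, hash the blob and pull
out any URL the decoded shellcode carries."""
import hashlib
import re
from typing import List, Tuple

# A run of \uXXXX units is one encoded string; each unit is a 16-bit code unit.
_RUN = re.compile(r'(?:\\u[0-9a-fA-F]{4}){2,}')
_UNIT = re.compile(r'\\u([0-9a-fA-F]{2})([0-9a-fA-F]{2})')
_URL = re.compile(rb'https?://[\x21-\x7e]+')


def decode_run(run: str) -> bytes:
    r"""Decode a run of \uXXXX escapes the way the shellcode ends up in memory:
    each unit becomes two bytes, low byte first (x86 little-endian)."""
    out = bytearray()
    for hi, lo in _UNIT.findall(run):
        out += bytes([int(lo, 16), int(hi, 16)])
    return bytes(out)


def extract_blobs(js: str) -> List[Tuple[str, bytes, str]]:
    """Return (sha256, decoded bytes, embedded URL or '') per encoded run."""
    blobs = []
    for m in _RUN.finditer(js):
        data = decode_run(m.group(0))
        url = _URL.search(data)
        blobs.append((hashlib.sha256(data).hexdigest(), data,
                      url.group(0).decode() if url else ''))
    return blobs


def _js_escape(data: bytes) -> str:
    r"""Encode bytes as \uXXXX units; used only to build the sample below."""
    data += b'\x00' * (len(data) % 2)          # pad to a whole code unit
    return ''.join('\\u%02x%02x' % (data[i + 1], data[i])
                   for i in range(0, len(data), 2))


# Constructed sample (not the real file): three strings, one per exploit,
# each with a different e= value as in the thread, on a placeholder host.
SAMPLE_JS = '\n'.join(
    'var s%d = "%s";' % (n, _js_escape(
        b'\x90' * 8 + b'http://malware.invalid/load.php?e=%d' % n))
    for n in (2, 1, 3))

if __name__ == '__main__':
    for digest, data, url in extract_blobs(SAMPLE_JS):
        print(digest[:16], len(data), 'bytes', url or '(no URL found)')
```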
Title: Re: Malicious PDF
Post by: MysteryFCM on October 20, 2009, 04:56:52 pm
\u is UCS-2.

PDFTK wouldn't deal with it here, but I uncompressed it with FileInsight, only to find Malzilla would only deal with the first half, not the second.... so:

http://wepawet.cs.ucsb.edu/view.php?hash=ba0378b8e8e61ca6864767b0ce51336b&type=js