Malware Domain List

Malware Related => Malware Analysis => Topic started by: binary on October 21, 2009, 01:32:49 pm

Title: FlateDecode
Post by: binary on October 21, 2009, 01:32:49 pm
Hi Guys

Was running through a malicious PDF and found a stream that I believe was FlateDecode'd. Please can you indicate how to decode them? I've already run that malicious pdf against wepawet and it was reported as malicious (Adobe util.printf overflow: stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf).

Edit: Attached the sample stream that I was able to fetch from the malicious pdf file.

Thanks

Binary
Title: Re: FlateDecode
Post by: SysAdMini on October 21, 2009, 05:06:15 pm
I need the complete pdf to look at it.

Have you already tried the usual tools for decoding ?

www.accesspdf.com/pdftk/
pdftk mydoc.pdf output mydoc.txt uncompress


http://blog.didierstevens.com/programs/pdf-tools/
pdf-parser.py -f mydoc.pdf
Title: Re: FlateDecode
Post by: MysteryFCM on October 22, 2009, 12:49:14 am
Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)
Title: Re: FlateDecode
Post by: binary on October 22, 2009, 06:23:15 am
Here it goes....

password - infected
Title: Re: FlateDecode
Post by: SysAdMini on October 22, 2009, 07:19:07 am
> Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)

pdftk works on Vista. Believe me.  ;)
Title: Re: FlateDecode
Post by: SysAdMini on October 22, 2009, 07:21:46 am
> Here it goes....
>
> password - infected

pdftk failed to decode the stream. pdf-parser.py works.

url in shellcode is
http://vk-mastersoft.cn/load.php?a=a&st=Internet&e=2
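To see what is happening when one decoder fails on a stream and another one succeeds, here is an added Python example (not from this thread, and not code from pdf-parser.py or pdftk) that pulls FlateDecode streams out of a PDF and inflates them leniently, keeping whatever bytes were recovered before a truncation or corruption. The sample PDF, its stream contents and the truncation are constructed here for the demonstration.

```python
import re
import zlib

# Matches a stream object whose dictionary names /FlateDecode. Simplified: nested
# << >> dictionaries and filter arrays are ignored; enough for the constructed file.
FLATE_STREAM = re.compile(
    rb"<<(?P<dict>[^>]*?/Filter\s*/FlateDecode[^>]*?)>>\s*stream\r?\n"
    rb"(?P<body>.*?)\nendstream",
    re.DOTALL,
)

def inflate_lenient(data: bytes, chunk: int = 64):
    """Inflate a FlateDecode body and return (output, complete).

    zlib.decompress() raises on a truncated or corrupted stream and yields nothing,
    which is one way a strict decoder ends up "failing" on a malformed sample.
    Feeding a decompressobj in chunks keeps every byte decoded before the bad spot,
    and .eof tells us whether the stream was actually whole."""
    inflater = zlib.decompressobj()
    out = b""
    for i in range(0, len(data), chunk):
        try:
            out += inflater.decompress(data[i:i + chunk])
        except zlib.error:  # corrupt data: keep what was recovered so far
            return out, False
    return out, inflater.eof

def extract_flate_streams(pdf: bytes):
    """Return [(stream dictionary, decoded bytes, complete), ...] for a PDF."""
    results = []
    for m in FLATE_STREAM.finditer(pdf):
        decoded, complete = inflate_lenient(m.group("body"))
        results.append((m.group("dict").strip(), decoded, complete))
    return results

# --- constructed sample PDF (not the sample from the thread) ---------------------
def _stream_obj(num: int, body: bytes) -> bytes:
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n"
            % (num, len(body)) + body + b"\nendstream\nendobj\n")

CONTENT = b"BT /F1 12 Tf 72 720 Td (decoded stream) Tj ET"  # placeholder page content
GOOD = zlib.compress(CONTENT)
TRUNCATED = GOOD[:-12]  # tail cut off, adler32 trailer included: a strict inflate fails
SAMPLE_PDF = b"%PDF-1.4\n" + _stream_obj(4, GOOD) + _stream_obj(5, TRUNCATED) + b"%%EOF\n"

if __name__ == "__main__":
    for dictionary, data, complete in extract_flate_streams(SAMPLE_PDF):
        print(dictionary.decode(), "->", "complete" if complete else "PARTIAL", data)
```

A stream reported as PARTIAL is still worth reading: in a malicious file the decoded bytes are where the obfuscated JavaScript sits, and a deliberately broken trailer is a cheap way to make strict tools give up.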
Title: Re: FlateDecode
Post by: MysteryFCM on October 22, 2009, 07:34:06 am
> > Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)
>
> pdftk works on Vista. Believe me.  ;)

It always seems to fail for me lately?
Title: Re: FlateDecode
Post by: binary on October 22, 2009, 08:08:57 am
Thanks for your replies guys,

I'm still not able to decode the stream. Please can you advise what switches you used to decode this stuff with pdf-parser.py?
Title: Re: FlateDecode
Post by: SysAdMini on October 22, 2009, 09:08:21 am
> Thanks for your replies guys,
>
> I'm still not able to decode the stream. Please can you advise what switches you used to decode this stuff with pdf-parser.py?

Don't you read my messages ?  ;)

http://www.malwaredomainlist.com/forums/index.php?topic=3473.msg12744#msg12744
Title: Re: FlateDecode
Post by: binary on October 22, 2009, 09:39:24 am
I did exactly the same but it didn't work :S

pdf-parser -f malicious.pf > out.txt

Attached is the output
Title: Re: FlateDecode
Post by: SysAdMini on October 22, 2009, 09:47:14 am
> I did exactly the same but it didn't work :S
>
> pdf-parser -f malicious.pf > out.txt
>
> Attached is the output

Hmm, that's strange. It should look like my output.
Title: Re: FlateDecode
Post by: binary on October 22, 2009, 09:49:18 am
Would it be possible to attach your version of pdf-parser?

Thanks
Title: Re: FlateDecode
Post by: SysAdMini on October 22, 2009, 10:03:08 am
> Would it be possible to attach your version of pdf-parser?

Sent by PM. What python version do you use? When I started pdf-parser on python v3.0, I got some errors,
so I have installed python v2.6.
Title: Re: FlateDecode
Post by: binary on October 22, 2009, 10:19:36 am
I use a cygwin version - Python 2.5.2
Title: Re: FlateDecode
Post by: MysteryFCM on October 26, 2009, 09:16:08 am
> > Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)
>
> pdftk works on Vista. Believe me.  ;)

forgot to mention, I found out why .... I was using an outdated version.