Author Topic: Decode PDF /ASCIIHexDecode encoding  (Read 13855 times)

0 Members and 1 Guest are viewing this topic.

September 29, 2009, 08:32:03 pm
Read 13855 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
I have found a couple of pdf files in the last days which can't be decoded by the usual tools.
Wepawet fails, manual analysis doesn't work because pdftk and Malzilla's inflater are unable to uncompress those files.

An example of such a file is
Code: [Select]
ispiritatus.cn/lider/sploit/pdf.pdfwhich is part of an exploit kit.

The reason why all these tools fail is the encryption method "/ASCIIHexDecode".
This encoding method is probably unsupported.

But there is a solution - Didier Stevens' pdf-parser.py

run:
pdf-parser.py -f -w pdf.pdf > uncompressed.txt

Extract the js code from the output analyze it by Malzilla or Wepawet.

Result:
http://wepawet.cs.ucsb.edu/view.php?hash=5f066d2b88dfe8a595be849737a5ab11&type=js
Ruining the bad guy's day

September 30, 2009, 01:15:06 am
Reply #1

RS-232

  • Special Access
  • Sr. Member

  • Offline
  • *

  • 165
Haven't been in the need of using it myself yet,but then again,I have no reason to doubt it will get the trick done:
http://security-labs.org/origami/

Articles/papers etc...
http://esec.fr.sogeti.com/blog/
http://security-labs.org/fred/
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

September 30, 2009, 07:09:32 pm
Reply #2

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Thanks for the hint. Origami looks interesting.
When I look at the examples

http://esec.fr.sogeti.com/blog/index.php?2009/06/19/66-creating-streams-in-pdf-with-origami

I guess bad guys use it too.  ;)

Same technique like my example pdf.

/Filter [/ASCIIHexDecode /FlateDecode]

So probably the encoding filter ASCIIHexDecode is not the problem for pdftk, but the combination of more than one filter.
Ruining the bad guy's day

September 30, 2009, 09:17:57 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Didier Stevens sent me an explanation why most tools fail decoding, but his pdf-parser.py doesn't.

According to the PDF standard, ASCIIHexDecode is hex code terminated by a ">" character.
But in these PDFs, it's not terminated by the ">" character. He came across this obfuscation technique before,
and that's why pdf-parser.py supports it   ;)
Ruining the bad guy's day


October 29, 2009, 10:06:07 pm
Reply #5

al

  • Newbie

  • Offline
  • *

  • 2
Hi at all, this my first post.

First time that I try to analyze a malicious pdf (similar at the previous post). In attach the pdf.pdf. The "stream section" seems encoded with /ASCIIHexDecode /FlateDecode. I tried to pdf-parsey.py (last version) but doesn't works fine:

 <<
   /Length 6220
   /Filter [
   /ASCIIHexDecode /FlateDecode]
 >>

ASCIIHexDecode decompress failed

Instead Wepawet works good (http://wepawet.cs.ucsb.edu/view.php?hash=3569fd0e6cf79a6771a8e2295b152fd4&type=js), but I would like study it manually.

Any tips?

Thank you very much,
AL

/EDIT by SysAdmini

Attachment removed

October 29, 2009, 10:43:02 pm
Reply #6

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335

Instead Wepawet works good (http://wepawet.cs.ucsb.edu/view.php?hash=3569fd0e6cf79a6771a8e2295b152fd4&type=js), but I would like study it manually.

Any tips?


Quick description:

-run pdf-parser.py -f  pdf.pdf > pdf.txt
-now you find obfuscated js in pdf.txt starting with "app[" and ending with ", 100);'
-copy this block into Malzilla's misc decoder tab
-replace \\x by %, then click "Decode Hex"
-now you have the decoded javascript code, it contains 2 different exploits
-copy one of the shellcode blocks  %uEBE9%u0001%u5600...%u3F70%u3D72%u0000 into clipboard
-mark everything in misc decoder tab and paste clipboard content into misc decoder tab
-click on "UCS2  to Hex"
-copy all
-goto "Shellcode analyzer" , right click, "Paste as Hex"
-now you can see the payload urls
Ruining the bad guy's day

October 29, 2009, 10:53:30 pm
Reply #7

al

  • Newbie

  • Offline
  • *

  • 2
Thank you very very much for this moment.

Is it a problem if I can't see the start "app["?

# grep "app\[" pdf.txt
#

mmh.. according to me pdf-parser.py doesn't works for this file... :(

Thank you

October 29, 2009, 11:02:14 pm
Reply #8

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Thank you very very much for this moment.

Is it a problem if I can't see the start "app["?

# grep "app\[" pdf.txt
#

mmh.. according to me pdf-parser.py doesn't works for this file... :(

Thank you

I guess you are running an outdated version of pdf-parser.
Another member had the same problem a few days ago.

http://www.malwaredomainlist.com/forums/index.php?topic=3473.0
Ruining the bad guy's day