Author Topic: Malicious PDF  (Read 3685 times)


October 20, 2009, 03:31:14 pm

binary

Hi All,

I've done some reversing on this PDF and it looks like it downloads something from hxxp://boomroot.ru/svy/load.php?a=a&st=InternetExplorer6.0%7CWindowsXP&e=3 / e=1 / e=2. I used pdftk to extract the JavaScript and Malzilla to analyze it. My first analysis :D .

Correct me if I am wrong here, but there are actually three sets of unicode strings? Is "\u0039" a unicode representation? Please can you correct me... :)

Edit: Added the attachment

Thanks
Binary
There are only 10 kinds of people in this world, those who understand binary and those who don't

October 20, 2009, 04:55:29 pm
Reply #1

h4h4h4h4

Yes, there are 3 different unicode-encoded strings, and they are all slightly different.

There are 3 exploits in the pdf, each with shellcode to go along with it:

Collab.collectEmailInfo exploit

downloads from
--boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=2

util.printf exploit

downloads from
--boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=1


Collab.getIcon exploit

downloads from
--/boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=3


Good that you noticed the e=1, e=2, e=3 at the end of each exploit. It lets them keep track of which exploit downloads more frequently, and do stat tracking.

October 20, 2009, 04:56:52 pm
Reply #2

MysteryFCM

\u is UCS-2.

PDFTK wouldn't deal with it here, but I uncompressed it with FileInsight, only to find that Malzilla would only deal with the first half, not the second... so:

http://wepawet.cs.ucsb.edu/view.php?hash=ba0378b8e8e61ca6864767b0ce51336b&type=js
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
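The decoding step the two replies describe (the escaped strings are UCS-2 units, and each of the three exploit branches carries its own download URL with an e= counter), as an added example that is not code from the thread or from any of the tools named in it. The JavaScript sample is constructed here to resemble what pdftk would hand back: it contains only a short 0x90 run followed by the thread's download URL (with the st= parameter dropped for brevity), encoded as \uXXXX units, plus the three Acrobat API names so the scanner has something to flag; no exploit arguments are included. The helper names are my own.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample standing in for JavaScript pulled out of a PDF with pdftk.
# It is NOT the script from the thread: the \uXXXX run encodes only a download
# URL behind a short 0x90 run, and the three Acrobat API names are present so
# the scanner has something to flag. No exploit arguments are included.
SAMPLE_JS = r"""
var sc = unescape("\u9090\u9090\u9090\u9090\u7468\u7074\u2f3a\u622f\u6f6f\u726d\u6f6f\u2e74\u7572\u732f\u7976\u6c2f\u616f\u2e64\u6870\u3f70\u3d61\u2661\u3d65\u0032");
if (app.viewerVersion < 8) { Collab.collectEmailInfo(sc); }
else if (app.viewerVersion < 9) { util.printf(sc); }
else { Collab.getIcon(sc); }
"""

# The three entry points named in Reply #1.
SUSPICIOUS_APIS = ("Collab.collectEmailInfo", "util.printf", "Collab.getIcon")

# One escape = one 16-bit unit. Both the "\u" and "%u" (unescape) spellings occur.
ESCAPE_RE = re.compile(r"(?:\\u|%u)([0-9a-fA-F]{4})")
ESCAPE_RUN_RE = re.compile(r"(?:(?:\\u|%u)[0-9a-fA-F]{4}){4,}")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def decode_ucs2_le(escaped: str) -> bytes:
    """Return the bytes a run of \\uXXXX escapes occupies in memory.

    Each unit is laid out little-endian (UCS-2 / UTF-16LE), which is why the
    text "ht" shows up in the script as \\u7468 rather than \\u6874.
    """
    return b"".join(int(h, 16).to_bytes(2, "little") for h in ESCAPE_RE.findall(escaped))


def find_escape_runs(js: str) -> List[str]:
    """Maximal runs of four or more consecutive escapes (shorter runs are usually plain text)."""
    return [m.group(0) for m in ESCAPE_RUN_RE.finditer(js)]


def exploit_tag(url: str) -> Optional[str]:
    """The e= value the kit appends so it can count which exploit fetched the payload."""
    return parse_qs(urlparse(url).query).get("e", [None])[0]


def triage(js: str) -> Dict[str, object]:
    """Summarise what a script reaches for: suspicious APIs, embedded URLs, 0x90 runs."""
    runs = find_escape_runs(js)
    decoded = [decode_ucs2_le(r) for r in runs]
    apis = [a for a in SUSPICIOUS_APIS if re.search(re.escape(a) + r"\s*\(", js)]
    urls = [u.decode("ascii") for d in decoded for u in URL_RE.findall(d)]
    nop_runs = [len(m.group(0)) for d in decoded for m in re.finditer(rb"\x90+", d)]
    return {
        "escape_runs": len(runs),
        "apis": apis,
        "urls": urls,
        "exploit_tags": [exploit_tag(u) for u in urls],
        "longest_nop_run": max(nop_runs, default=0),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

Running the script prints one line per finding; on the constructed sample it reports a single escape run, all three API names, the decoded URL and its e=2 tag, and an 8-byte 0x90 run. Because the decoder treats each escape as a little-endian 16-bit unit, it works unchanged on the %uXXXX form that unescape() takes, which is the other spelling these kits use.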