Author Topic: Please help  (Read 2723 times)


July 07, 2010, 06:28:20 am

kristofer_nolen

Please could someone help me with what is happening here with this malicious PDF?

http://jsunpack.jeek.org/dec/go?report=1ad3f9ed9f22dd732fd6798a8f3f86b7a0098b22

regards,
kris

July 07, 2010, 07:53:01 am
Reply #1

parody

At first glance the PDF has an embedded Flash file in it. I grabbed the sample from the download link on the jsunpack site and parsed the input_upload file with pdf-parser.

Code:
<</T#79p#65/#45mb#65d#64ed#46i#6c#65/Len#67#74#68 26774>>
stream
CWSxy|T7}Y0Yb

Code:
}
util.printd("jbBFAXmYeqFJUPOXePHkjhAybWoldsgWfmBw", new Date());
util.printd("noCXCPHRXLpZKyNpKJJWxBkvpjKLYwpMfmCG", new Date());
try{eval("thi"+"s.m"+"ed"+"ia"+".n"+"ew"+"Pl"+"ay"+"er(n"+"ull)");}
catch(e) {}
util.printd(sc2, new Date());
}

A few exploits are used in this sample too. Lots of potential extra data in "PDF Comment" lines.

I'll update if I spot more details.
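The two fragments quoted above show the two obfuscation tricks an analyst has to undo before a tool like pdf-parser tells the whole story: the dictionary names are hex-escaped (`/T#79p#65` is just `/Type` written with `#xx` escapes, which is legal PDF syntax and defeats a naive grep for `/EmbeddedFile` or `/JavaScript`), and the script hides the call it makes by building the string for `eval` from short concatenated literals. The following Python is an added example, not code from the thread or from any of the tools mentioned in it; the sample dictionary and JavaScript line are copied from the post, and the watch-list of "active content" names is my own choice (it mirrors what pdfid-style triage looks for, but is not that tool's list).

```python
import re

# Sample data copied from the forum post above (a dictionary with hex-escaped
# names and one line of the obfuscated JavaScript); these are fragments, not a
# complete PDF.
SAMPLE_DICT = "<</T#79p#65/#45mb#65d#64ed#46i#6c#65/Len#67#74#68 26774>>"
SAMPLE_JS = 'try{eval("thi"+"s.m"+"ed"+"ia"+".n"+"ew"+"Pl"+"ay"+"er(n"+"ull)");}'

# Names that indicate active or embedded content worth a closer look.
# This watch-list is an assumption for the example, not a tool's official list.
SUSPICIOUS_NAMES = {
    "JS", "JavaScript", "OpenAction", "AA", "EmbeddedFile",
    "RichMedia", "Launch", "AcroForm",
}

# PDF names end at whitespace or at a delimiter character: ( ) < > [ ] { } / %
NAME_RE = re.compile(r"/([^\s()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(r"#([0-9A-Fa-f]{2})")
# Two adjacent double-quoted literals joined by '+', e.g. "thi"+"s.m"
CONCAT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
EVAL_RE = re.compile(r'eval\(\s*"((?:[^"\\]|\\.)*)"\s*\)')


def decode_pdf_name(name):
    """Replace every #xx hex escape in a PDF name with the byte it encodes."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), name)


def extract_names(dictionary):
    """Return the decoded names found in a PDF dictionary string, in order."""
    return [decode_pdf_name(n) for n in NAME_RE.findall(dictionary)]


def flag_suspicious(dictionary):
    """Return the subset of decoded names that are on the watch-list."""
    return set(extract_names(dictionary)) & SUSPICIOUS_NAMES


def fold_string_concatenation(js):
    """Statically join runs of "a"+"b"+... literals into a single literal.

    Loops until nothing changes, so arbitrarily long chains are folded.
    Only adjacent literal pairs are merged; variables are left untouched.
    """
    previous = None
    while previous != js:
        previous = js
        js = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def eval_string_arguments(js):
    """Return the literal strings handed to eval() once concatenation is folded."""
    return EVAL_RE.findall(fold_string_concatenation(js))


def triage(dictionary, js):
    """Combine both checks into one small report for the analyst."""
    return {
        "names": extract_names(dictionary),
        "suspicious": sorted(flag_suspicious(dictionary)),
        "eval_targets": eval_string_arguments(js),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DICT, SAMPLE_JS)
    print("decoded names :", report["names"])
    print("watch-list hit:", report["suspicious"])
    print("eval() builds :", report["eval_targets"])
```

Running it on the quoted fragments decodes the dictionary to `/Type /EmbeddedFile /Length`, flags `EmbeddedFile`, and folds the concatenation to reveal that the `eval` executes `this.media.newPlayer(null)`, which is the call the string-splitting was hiding. The same approach applies to any object pdf-parser dumps from the file; for real samples, run it over each dictionary rather than relying on a single grep, since an author can mix escaped and unescaped spellings of the same name.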

July 07, 2010, 10:13:57 am
Reply #2

kristofer_nolen

Hi parody,

Thanks for your immediate reply. I was able to see all the contents which you have mentioned. I too used the pdf-parser tool; however, I was not able to view any malicious URL.

Please could you explain SpiderMonkey to me :). I am a newbie to vulnerabilities, and it would be great if you could explain how to use SpiderMonkey to extract the shellcode and where to download it.

I am running on Windows XP.

Thanks in advance
Kris


July 07, 2010, 10:42:31 am
Reply #3

parody

I'd recommend building a Linux guest VM using a raw install like Ubuntu or Red Hat, or using a prebuilt image like BackTrack, and installing a couple of tools on it like pdf-parser, which everyone knows and loves ;P I'd also suggest origami and pdfminer; also install the jsunpack package. jsunpack uses the SpiderMonkey package to analyze the JavaScript. You can also use Malzilla for decoding JavaScript.

I would advise not doing too much PDF activity on a Windows host, to prevent unintentional infection.

Didier Stevens did a blog post with a modified SpiderMonkey and includes links and instructions on getting it to work for analyzing the JavaScript from websites or PDFs.

http://blog.didierstevens.com/programs/spidermonkey/