Author Topic: Malicious PDF  (Read 4871 times)


October 20, 2009, 03:31:14 pm


Hi All,

I've done some reversing on this PDF and it looks like it downloads something from hxxp:// / e=1 / e=2. Used pdftk to extract the JavaScript and Malzilla to analyze. My first analysis :D

Correct me if I am wrong here: are there actually three sets of Unicode strings? Is "\u0039" a Unicode representation? Please can you correct me... :)

Edit: Added the attachment

There are only 10 kinds of people in this world, those who understand binary and those who don't

October 20, 2009, 04:55:29 pm
Reply #1


Yes, there are 3 different Unicode-encoded strings, and they are all slightly different.

There are 3 exploits in the pdf, each with shellcode to go along with it:

Collab.collectEmailInfo exploit

downloads from Explorer 6.0|Windows XP&e=2

util.printf exploit

downloads from Explorer 6.0|Windows XP&e=1

Collab.getIcon exploit

downloads from
--/ Explorer 6.0|Windows XP&e=3

Good that you noticed the e=1, e=2, e=3 at the end of each exploit. It lets them keep track of which exploit downloads more frequently, for stat tracking.

October 20, 2009, 04:56:52 pm
Reply #2


\u is UCS-2.

PDFTK wouldn't deal with it here, but I uncompressed it with FileInsight, only to find Malzilla would only deal with the first half, not the second .... so;

Steven Burn
I.T. Mate / hpHosts /
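
As an added worked example (not code from any of the posters above; the PDF, URLs and shellcode bytes in it are constructed), here is a small Python script that does by hand what pdftk and Malzilla were used for in this thread: inflate the FlateDecode streams, resolve the \uXXXX escapes (each is one UTF-16 code unit, so \u0039 is simply the character "9"), name which of the three Acrobat APIs the decoded JavaScript calls, pull out the e=N tracking id, and unpack the %uXXXX shellcode the way unescape() does. The CVE numbers are the public assignments for those three exploits; the hostname example.invalid, the spray variable and the API arguments are placeholders.

```python
"""Decode \\uXXXX-escaped JavaScript carved out of a malicious PDF, name the
Acrobat API each blob abuses, pull the e=N tracking id and recover the
%u-encoded shellcode.  Added illustration for the thread, not any poster's
code; the PDF, URLs and shellcode bytes below are constructed."""
import re
import struct
import zlib

# Acrobat JavaScript APIs named in the thread, with each exploit's public CVE.
KNOWN_APIS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
}

UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")
TRACKING_ID = re.compile(r"[?&]e=(\d+)")
UNESCAPE_CALL = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
STREAM_HDR = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # skip "5 0 R" refs

def decode_js_unicode(text: str) -> str:
    """Resolve \\uXXXX (one UTF-16 code unit) the way the JS engine does when it
    evaluates the literal: "\\u0039" is just "9"."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def unescape_shellcode(percent_u: str) -> bytes:
    """Emulate unescape("%uXXXX..."): each %uXXXX is a 16-bit code unit that
    lands in memory little-endian, so %u9090 -> 90 90 and %u1234 -> 34 12."""
    return b"".join(struct.pack("<H", int(h, 16)) for h in PERCENT_U.findall(percent_u))

def classify(decoded_js: str) -> dict:
    """Abused API, its CVE, the e=N id and the shellcode for one decoded snippet."""
    api = next((name for name in KNOWN_APIS if name in decoded_js), None)
    track = TRACKING_ID.search(decoded_js)
    shellcode = b"".join(unescape_shellcode(s) for s in UNESCAPE_CALL.findall(decoded_js))
    return {
        "api": api,
        "cve": KNOWN_APIS.get(api),
        "tracking_id": int(track.group(1)) if track else None,
        "shellcode": shellcode,
    }

def js_from_pdf(pdf: bytes) -> list:
    """Walk the streams, inflate FlateDecode ones, keep those that look like escaped
    JS.  Minimal on purpose: real samples also use /JS literals, /Names trees, other filters."""
    found, pos = [], 0
    while True:
        m = STREAM_HDR.search(pdf, pos)
        if not m:
            return found
        dictionary, start = m.group(1), m.end()
        length = DIRECT_LENGTH.search(dictionary)
        end = start + int(length.group(1)) if length else pdf.index(b"endstream", start)
        body = pdf[start:end]
        if b"/FlateDecode" in dictionary:
            body = zlib.decompress(body)
        text = body.decode("latin-1")
        if "\\u" in text or "unescape(" in text:
            found.append(text)
        pos = end

def analyse_pdf(pdf: bytes) -> list:
    """One classification dict per JavaScript stream, in file order."""
    return [classify(decode_js_unicode(js)) for js in js_from_pdf(pdf)]

# --- constructed sample, not a real document ---------------------------------
def _escape(src: str) -> str:
    """Wrap plain JS in the eval("\\uXXXX...") form the sample used."""
    return 'eval("' + "".join(f"\\u{ord(c):04x}" for c in src) + '")'

def build_sample_pdf() -> bytes:
    """Three Flate-compressed JS streams, one per exploit; the host, the
    shellcode bytes and the API arguments are placeholders."""
    snippets = [
        'var sc = unescape("%u9090%u9090%ue8fc");'
        'var u = "http://example.invalid/x.php?v=Explorer 6.0|Windows XP&e=2";'
        'Collab.collectEmailInfo({subj: "", msg: spray});',
        'var sc = unescape("%u9090%u5858");'
        'var u = "http://example.invalid/x.php?v=Explorer 6.0|Windows XP&e=1";'
        'util.printf("%45000f", 0);',
        'var sc = unescape("%u9090%u4141");'
        'var u = "http://example.invalid/x.php?v=Explorer 6.0|Windows XP&e=3";'
        'Collab.getIcon(spray);',
    ]
    objs = []
    for i, js in enumerate(snippets, start=1):
        body = zlib.compress(_escape(js).encode("latin-1"))
        objs.append(b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n"
                    % (i, len(body)) + body + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + b"".join(objs) + b"%%EOF\n"

if __name__ == "__main__":
    for r in analyse_pdf(build_sample_pdf()):
        print(f"{str(r['api']):<25} {r['cve']}  e={r['tracking_id']}  "
              f"shellcode={r['shellcode'].hex()}")
```

Run it as-is to see one row per exploit with its tracking id and unpacked shellcode bytes. Before pointing analyse_pdf() at a real sample, add the carriers this minimal stream walker skips (/JS string literals, /Names trees, filters other than FlateDecode); the decode and classify steps do not change.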