Malware Domain List
Malware Related => Malware Analysis => Topic started by: binary on October 21, 2009, 01:32:49 pm
-
Hi Guys
Was running through a malicious PDF and found a stream that I believe was FlateDecode'd. Please can you indicate how to decode them? I've already run that malicious PDF against wepawet and it reported it as malicious (Adobe util.printf overflow: stack-based buffer overflow in Adobe Acrobat and Reader via a crafted format string argument in util.printf).
Edit: Attached the sample stream that I was able to fetch from the malicious pdf file.
Thanks
Binary
-
I need the complete PDF to look at it.
Have you already tried the usual tools for decoding?
www.accesspdf.com/pdftk/
pdftk mydoc.pdf output mydoc.txt uncompress
http://blog.didierstevens.com/programs/pdf-tools/
pdf-parser.py -f mydoc.pdf
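For anyone who wants to see what those tools do under the hood, here is an added example (written for this thread, not code from pdftk or from Didier Stevens' pdf-parser.py): a minimal Python triage script that locates `stream ... endstream` objects, inflates the ones whose dictionary names `/FlateDecode`, and greps the result for the kind of JavaScript indicators wepawet flagged (util.printf, unescape'd %u shellcode) plus embedded URLs. The sample PDF it builds, the `example.invalid` URL and the JavaScript inside it are all constructed for the demonstration; nothing here is the attachment from this thread.

```python
import re
import zlib

# Constructed sample input (not the thread's attachment): JavaScript of the
# shape a util.printf exploit uses, to be wrapped in a FlateDecode'd stream.
JS_PAYLOAD = (b"var url = 'http://example.invalid/load.php?a=1';\n"
              b"var s = unescape('%u9090%u9090');\n"
              b"util.printf('%45000f', s);\n")


def build_sample_pdf(payload: bytes) -> bytes:
    """Wrap `payload` in a tiny PDF skeleton: catalog -> OpenAction -> JS stream."""
    comp = zlib.compress(payload)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp
            + b"\nendstream\nendobj\n%%EOF\n")


# Match "N G obj << dict >> stream ... endstream". The tempered (?!>>) stops the
# dictionary match at its own ">>" so it cannot run on into a later object.
# Nested dictionaries inside a stream dict are not handled; fine for triage.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL)


def inflate(raw: bytes):
    """Inflate a FlateDecode stream.

    decompressobj() returns whatever it managed to decode even when the tail is
    truncated or followed by junk, both common in malicious PDFs. A stream that
    is not zlib data at all (bad header) yields None instead of an exception.
    """
    d = zlib.decompressobj()
    try:
        return d.decompress(raw) + d.flush()
    except zlib.error:
        return None


def extract_streams(pdf: bytes):
    """Return every stream object, inflating those whose dict names /FlateDecode.

    The body is delimited by the 'endstream' keyword rather than by /Length,
    because a wrong /Length is a cheap trick to derail tools that trust it.
    """
    found = []
    for m in STREAM_RE.finditer(pdf):
        num, gen, dct, raw = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        decoded = inflate(raw) if b"/FlateDecode" in dct else raw
        found.append({"obj": num, "gen": gen, "dict": dct.strip(),
                      "raw": raw, "decoded": decoded})
    return found


# Strings worth a second look in decoded JavaScript (a small, non-exhaustive list).
INDICATORS = [b"util.printf", b"unescape", b"%u", b"eval(", b"String.fromCharCode"]
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")


def find_indicators(decoded: bytes):
    """Names of the indicator strings present in the decoded stream."""
    return [i.decode() for i in INDICATORS if i in (decoded or b"")]


def find_urls(decoded: bytes):
    """URLs embedded in the decoded stream (the download site in this thread
    was found this way, inside the shellcode)."""
    return [u.decode("ascii", "replace") for u in URL_RE.findall(decoded or b"")]


if __name__ == "__main__":
    sample = build_sample_pdf(JS_PAYLOAD)
    for s in extract_streams(sample):
        print(f"obj {s['obj']} {s['gen']}: {s['dict'].decode(errors='replace')}")
        print("  indicators:", find_indicators(s["decoded"]))
        print("  urls:", find_urls(s["decoded"]))
```

To run it against a real sample, replace `sample` with `open("malicious.pdf", "rb").read()`; the regex and the keyword list are deliberately simple, so treat a hit as a pointer to the object you should then dump with pdf-parser.py, not as a verdict.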
-
Just a note, pdftk doesn't seem to work on Vista :( (I used FileInsight instead.)
-
Here it goes....
password - infected
-
> Just a note, pdftk doesn't seem to work on Vista :( (I used FileInsight instead.)
pdftk works on Vista. Believe me. ;)
-
> Here it goes....
> password - infected
pdftk failed to decode the stream. pdf-parser.py works.
The URL in the shellcode is:
http://vk-mastersoft.cn/load.php?a=a&st=Internet&e=2
-
> Just a note, pdftk doesn't seem to work on Vista :( (I used FileInsight instead.)
> pdftk works on Vista. Believe me. ;)
It always seems to fail for me lately?
-
Thanks for your replies, guys.
I'm still not able to decode the stream. Please can you advise which switches you used to decode this stuff with pdf-parser.py?
-
> Thanks for your replies, guys.
> I'm still not able to decode the stream. Please can you advise which switches you used to decode this stuff with pdf-parser.py?
Don't you read my messages? ;)
http://www.malwaredomainlist.com/forums/index.php?topic=3473.msg12744#msg12744
-
I did exactly the same but it didn't work :S
pdf-parser -f malicious.pf > out.txt
Attached is the output
-
> I did exactly the same but it didn't work :S
> pdf-parser -f malicious.pf > out.txt
> Attached is the output
Hmm, that's strange. It should look like my output.
-
Would it be possible to attach your version of pdf-parser?
Thanks
-
> Would it be possible to attach your version of pdf-parser?
Sent by PM. What Python version do you use? When I started pdf-parser on Python v3.0, I got some errors,
so I have installed Python v2.6.
-
I use a cygwin version - Python 2.5.2
-
> Just a note, pdftk doesn't seem to work on Vista :( (I used FileInsight instead.)
> pdftk works on Vista. Believe me. ;)
Forgot to mention, I found out why: I was using an outdated version.