Author Topic: Decode PDF /ASCIIHexDecode encoding  (Read 17166 times)


September 29, 2009, 08:32:03 pm

SysAdMini

I have found a couple of pdf files in the last few days which can't be decoded by the usual tools.
Wepawet fails, and manual analysis doesn't work because pdftk and Malzilla's inflater are unable to uncompress those files.

An example of such a file is
Code:
ispiritatus.cn/lider/sploit/pdf.pdf
which is part of an exploit kit.

The reason why all these tools fail is the encryption method "/ASCIIHexDecode".
This encoding method is probably unsupported.

But there is a solution - Didier Stevens' pdf-parser.py

run:
pdf-parser.py -f -w pdf.pdf > uncompressed.txt

Extract the js code from the output and analyze it with Malzilla or Wepawet.

Result:
http://wepawet.cs.ucsb.edu/view.php?hash=5f066d2b88dfe8a595be849737a5ab11&type=js
Ruining the bad guy's day

September 30, 2009, 01:15:06 am
Reply #1

RS-232

Haven't been in need of using it myself yet, but then again, I have no reason to doubt it will get the trick done:
http://security-labs.org/origami/

Articles/papers etc...
http://esec.fr.sogeti.com/blog/
http://security-labs.org/fred/
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

September 30, 2009, 07:09:32 pm
Reply #2

SysAdMini

Thanks for the hint. Origami looks interesting.
When I look at the examples

http://esec.fr.sogeti.com/blog/index.php?2009/06/19/66-creating-streams-in-pdf-with-origami

I guess bad guys use it too.  ;)

Same technique as in my example pdf.

/Filter [/ASCIIHexDecode /FlateDecode]

So probably the encoding filter ASCIIHexDecode is not the problem for pdftk, but the combination of more than one filter.

September 30, 2009, 09:17:57 pm
Reply #3

SysAdMini

Didier Stevens sent me an explanation why most tools fail decoding, but his pdf-parser.py doesn't.

According to the PDF standard, ASCIIHexDecode is hex code terminated by a ">" character.
But in these PDFs, it's not terminated by the ">" character. He came across this obfuscation technique before,
and that's why pdf-parser.py supports it ;)
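A decoder for the filter chain this thread keeps running into, [/ASCIIHexDecode /FlateDecode], added here as an example; it is not code from pdf-parser.py, Origami or any other tool named above. The behaviour Didier Stevens describes in the reply just above (hex data with no ">" end-of-data marker, which a strict decoder rejects and a lenient one accepts) is the `require_eod` switch, the filter-array parsing covers the combination of filters suspected in reply #2, and the sample stream is constructed inline rather than taken from any real PDF.

```python
import re
import zlib

# Constructed sample stream: zlib-compressed text (FlateDecode) wrapped in
# ASCII hex (ASCIIHexDecode). Harmless text, not a real malicious stream.
PLAINTEXT = b"app.alert('constructed sample, not malware');"
FLATE_BODY = zlib.compress(PLAINTEXT)
HEX_BODY_TERMINATED = FLATE_BODY.hex().encode("ascii") + b">"
# The variant the thread describes: the '>' EOD marker is simply missing.
HEX_BODY_UNTERMINATED = FLATE_BODY.hex().encode("ascii")
SAMPLE_DICT = b"<< /Length 6220 /Filter [\n /ASCIIHexDecode /FlateDecode] >>"


def ascii_hex_decode(data: bytes, require_eod: bool = False) -> bytes:
    """Decode an /ASCIIHexDecode stream body.

    PDF 32000-1 7.4.2: whitespace is ignored, '>' marks end of data, and an
    odd trailing digit is read as if followed by '0'. A strict decoder
    (require_eod=True) refuses data without '>', which is why several tools
    in the thread fail; the default here is the lenient behaviour.
    """
    eod = data.find(b">")
    if eod == -1:
        if require_eod:
            raise ValueError("ASCIIHexDecode: missing '>' EOD marker")
        body = data
    else:
        body = data[:eod]
    hexdigits = re.sub(rb"\s+", b"", body)
    if re.search(rb"[^0-9A-Fa-f]", hexdigits):
        raise ValueError("ASCIIHexDecode: non-hex character in stream")
    if len(hexdigits) % 2:
        hexdigits += b"0"
    return bytes.fromhex(hexdigits.decode("ascii"))


def flate_decode(data: bytes) -> bytes:
    """/FlateDecode is zlib (RFC 1950); decompressobj tolerates trailing junk."""
    d = zlib.decompressobj()
    return d.decompress(data) + d.flush()


def parse_filters(stream_dict: bytes) -> list:
    """Return the filter names from a stream dictionary, in application order.

    Handles both the single-name form (/Filter /FlateDecode) and the array
    form (/Filter [/ASCIIHexDecode /FlateDecode]).
    """
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", stream_dict)
    if not m:
        return []
    return re.findall(rb"/\w+", m.group(1))


def apply_filter_chain(raw: bytes, filters: list, strict: bool = False) -> bytes:
    """Apply each filter in the order the /Filter array lists them."""
    out = raw
    for name in filters:
        if name == b"/ASCIIHexDecode":
            out = ascii_hex_decode(out, require_eod=strict)
        elif name == b"/FlateDecode":
            out = flate_decode(out)
        else:
            raise ValueError("unsupported filter %r" % name)
    return out


def decode_stream(stream_dict: bytes, raw: bytes, strict: bool = False) -> bytes:
    """Parse the dictionary, then run the raw stream body through its filters."""
    return apply_filter_chain(raw, parse_filters(stream_dict), strict=strict)


if __name__ == "__main__":
    print(decode_stream(SAMPLE_DICT, HEX_BODY_TERMINATED))
    print(decode_stream(SAMPLE_DICT, HEX_BODY_UNTERMINATED))       # lenient: works
    try:
        decode_stream(SAMPLE_DICT, HEX_BODY_UNTERMINATED, strict=True)
    except ValueError as e:
        print("strict decoder:", e)                               # what pdftk-style tools hit
```

Running it shows both variants decoding in lenient mode and the unterminated one failing in strict mode, which is the difference the thread observes between pdf-parser.py and the other tools.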


October 29, 2009, 10:06:07 pm
Reply #5

al

Hi all, this is my first post.

This is the first time I have tried to analyze a malicious pdf (similar to the previous post). The pdf.pdf is attached. The "stream section" seems to be encoded with /ASCIIHexDecode /FlateDecode. I tried pdf-parser.py (latest version) but it doesn't work:

 <<
   /Length 6220
   /Filter [
   /ASCIIHexDecode /FlateDecode]
 >>

ASCIIHexDecode decompress failed

Wepawet, on the other hand, works well (http://wepawet.cs.ucsb.edu/view.php?hash=3569fd0e6cf79a6771a8e2295b152fd4&type=js), but I would like to study it manually.

Any tips?

Thank you very much,
AL

/EDIT by SysAdmini

Attachment removed

October 29, 2009, 10:43:02 pm
Reply #6

SysAdMini


Quote from: al
Wepawet, on the other hand, works well (http://wepawet.cs.ucsb.edu/view.php?hash=3569fd0e6cf79a6771a8e2295b152fd4&type=js), but I would like to study it manually.

Any tips?


Quick description:

-run pdf-parser.py -f pdf.pdf > pdf.txt
-now you find obfuscated js in pdf.txt starting with "app[" and ending with ", 100);'
-copy this block into Malzilla's misc decoder tab
-replace \\x by %, then click "Decode Hex"
-now you have the decoded javascript code, it contains 2 different exploits
-copy one of the shellcode blocks %uEBE9%u0001%u5600...%u3F70%u3D72%u0000 into clipboard
-mark everything in misc decoder tab and paste clipboard content into misc decoder tab
-click on "UCS2 to Hex"
-copy all
-go to "Shellcode analyzer", right click, "Paste as Hex"
-now you can see the payload urls
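The two decoding steps from the walkthrough above, done in Python instead of Malzilla's buttons, added here as an example (this is not Malzilla's or pdf-parser.py's code). The "replace \\x by %, Decode Hex" step is `unescape_js_hex`, the "UCS2 to Hex" step is `unescape_to_bytes`, and `find_urls` stands in for reading the result in the shellcode analyzer. Both input strings are constructed here around harmless text so the output is readable; they are not the thread's malware.

```python
import re

# Constructed samples, not the thread's PDF: the same escape forms the
# walkthrough describes, wrapping plain text so the results are readable.
JS_ESCAPED = r"\x61\x70\x70\x5b\x22\x61\x6c\x65\x72\x74\x22\x5d\x28\x31\x29"  # app["alert"](1)
UCS2_ESCAPED = ("%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c%u692e"
                "%u766e%u6c61%u6469%u782f%u0000")   # "http://example.invalid/x" + two NUL bytes


def unescape_js_hex(s: str) -> str:
    """Undo \\xNN escapes in JavaScript source text.

    Equivalent to the manual 'replace \\x by %, then Decode Hex' step.
    """
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def unescape_to_bytes(s: str) -> bytes:
    """Turn a JavaScript unescape()-style string into the raw bytes it encodes.

    %uXXXX is one 16-bit code unit stored little-endian (so %uEBE9 becomes
    the bytes E9 EB), %XX is a single byte, and anything else is copied as
    Latin-1. This is what Malzilla's 'UCS2 to Hex' produces.
    """
    out = bytearray()
    pos = 0
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", s):
        out += s[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def find_urls(data: bytes) -> list:
    """Pull http(s) URLs out of decoded bytes (the 'payload urls' step)."""
    return [u.decode("ascii") for u in re.findall(rb"https?://[\x21-\x7e]+", data)]


def analyze(js_escaped: str, ucs2_escaped: str) -> dict:
    """Run both decoding steps and report what an analyst would look at."""
    js = unescape_js_hex(js_escaped)
    raw = unescape_to_bytes(ucs2_escaped)
    return {"js": js, "raw_len": len(raw), "urls": find_urls(raw)}


if __name__ == "__main__":
    result = analyze(JS_ESCAPED, UCS2_ESCAPED)
    print("decoded js :", result["js"])
    print("raw bytes  :", result["raw_len"])
    print("urls       :", result["urls"])
```

The little-endian detail in `unescape_to_bytes` is the one that matters: %uXXXX escapes are UTF-16 code units, so each four hex digits yield two bytes in swapped order, which is why pasting the decoded text straight into a hex view without the UCS2 conversion gives byte-swapped garbage.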

October 29, 2009, 10:53:30 pm
Reply #7

al

Thank you very very much for this moment.

Is it a problem if I can't see the start "app["?

# grep "app\[" pdf.txt
#

mmh.. according to me pdf-parser.py doesn't work for this file... :(

Thank you

October 29, 2009, 11:02:14 pm
Reply #8

SysAdMini

Quote from: al
Thank you very very much for this moment.

Is it a problem if I can't see the start "app["?

# grep "app\[" pdf.txt
#

mmh.. according to me pdf-parser.py doesn't work for this file... :(

Thank you

I guess you are running an outdated version of pdf-parser.
Another member had the same problem a few days ago.

http://www.malwaredomainlist.com/forums/index.php?topic=3473.0