Extract javascript from pdf file

[SysAdMini]

I've received the question

"How can I extract the javascript from a pdf exploit ?"

several times.

Here is my answer :


download pdftk from http://www.accesspdf.com/pdftk/.

run this from commandline : pdftk yourexploit.pdf output wanteveryoulike.pdf uncompress

The uncompressed pdf is a plain text file and you can copy and paste the javascript code
to your favorite javascript decoder, for example Malzilla.

 

[bobby]

Some more info about the JavaScripts in PDF:
Sometimes the JavaScripts contains shellcode that does not do runtime decoding of its own code, but sometimes the shellcode is not so easy to decode.

I have explained here how to decode the first kind of shellcode:
http://www.malwaredomainlist.com/forums/index.php?topic=2139.0

If you do not get any plain text link after doing UCS2 decoding, then you have a shellcode that will decode itself at runtime.
In that case use the second part of my instructions to save the shellcode to a file.
After that use your favorite debugger to debug the shellcode in order to get the URL.

I'm collecting info on how to make an emulated environment to run these shellcodes, so that we can have some automated decoder for all kind of shellcodes.
There is some working applications for Linux for such tasks, and I'll try to get them working on Windows.
If I get them working, I'll let you know.

[m1573r]

bobby today all shellcodes are simply ripped from milw0rm
or elder stuff. All malware, which i have found uses the same code,
maybe VXers are too lasy to write something new 

[bobby]

@m1573r
Yes and no. Last week I've got shellcode (JS inside PDF) which I do not recognize at all. It does not looks like any encoder from milw0rm. So, there is still someone who does code some riddles for us to solve.

[SysAdMini]

This is a video which demonstrates how to analyze shellcode of malicious pdf files.

http://www.honeynor.no/2008/08/24/analysing-malicious-pdf-documents-and-shellcode/

[bobby]

I've just finished a tool to extract and decompress all the compressed streams from a PDF file.
Please, give it a shoot and tell me if it works with the samples you have:
http://sourceforge.net/project/showfiles.php?group_id=203466

[SysAdMini]

Thanks Bobby,

it works. I found one file which gives an error, but the javascript part was extracted.
So it doesn't matter.

Code: [Select]

hxxp://v2count.net/in/1/output.pdf


stream 1 and 3 have zero size length.

Code: [Select]

Inflater v1.0 by bobby

Numbers in brackets are the beginning and the end adresses of streams

Found stream nr.1 ( $04EF, $04FB)
Inflated stream nr.1

Found stream nr.2 ( $058F, $097E)
Inflated stream nr.2

Found stream nr.3 ( $0A4C, $0A98)
Failed to inflate stream nr.3

Done

[bobby]

The two problematic streams can't be decompressed by some other tools too, so I think it something out of standard zlib compression.
First stream is just a couple of bytes long... strange one.

[bobby]

A serious bug is found in PDF_streams_inflater.
Please immediately delete it from your HDD and download the bugfix version from the same link.
If the files are still not updated on the sourceforge mirrors, please wait until they do.
The filestamps (dates) should be from today.

[bobby]

Linux version of PDF_streams_inflater

Please report bugs if you find some.

[DiFor]

Sorry, but I can not download PDF_streams_inflater not from one server sourceforge, could you upload it somewhere where more, thanks.

[bobby]

Hi,

here it is

[DiFor]

big thx to you. your soft super

[SysAdMini]

Today I've found a pdf file which pdftk was unable to decode.

Code: [Select]

hxxp://suttds.com/spun/pdf.phpBobby's inflater did the job.

[sgres]

Hi,

there is a pdf referenced by www.milw0rm.com, I couldn't extract the javascript! can anyone help me with this issue?

here is the link:

Code: [Select]

http://milw0rm.com/sploits/2009-crashy_the_clown.pdf
Please, be careful! the pdf installs tronjan on your machine.

Thanks

sgres  

MysteryFCM: Embedded URL in BBCode tags