Author Topic: Need help with Flash in PDF file (attachment included)  (Read 5028 times)


October 29, 2009, 10:25:48 pm
Hey guys, I'm stumped. I can do fine with decoding JavaScript in a PDF, obfuscated JavaScript, filterdecode/flatedecode inside a PDF, but my knowledge of Flash is very limited.

I sent this file to Wepawet, which doesn't give me any clues. I used swftools to convert from PDF to SWF, then resubmitted the .swf to Wepawet, and no help.

I used SWFdecompiler, swfdump.exe, nemo 440. I think maybe the closest I got to figuring this out was doing a swfdump and getting hex dumps of the Flash parts, but it seems XOR'd. I tried using the usual strings (http, exe, dll, etc.) and I am stumped. I'm not sure what to do. This file is 5/40 on VirusTotal.

The common name is "Trojan.SWF.HeapSpray.B", which confirms the Flash. I noticed several sections of the document repeated over and over, so that might possibly be the heap spray part?

password is "infected"
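The string search described in the post above, run under every possible one-byte XOR key, as an added example that is not part of the original post or the attached file. It assumes a single-byte key, which the thread does not confirm; the function names, the sample bytes and the key 0x5A are constructed for illustration.

```python
from collections import defaultdict

# Strings the post mentions looking for; the leading dots are added here to cut noise.
MARKERS = (b"http", b".exe", b".dll")

def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo a single-byte XOR (assumed encoding; the thread does not confirm it)."""
    return bytes(b ^ key for b in blob)

def scan_single_byte_xor(blob: bytes, markers=MARKERS):
    """Try every non-zero one-byte key and report (key, offset, marker) hits."""
    hits = []
    for key in range(1, 256):
        decoded = xor_decode(blob, key)
        for marker in markers:
            offset = decoded.find(marker)
            while offset != -1:
                hits.append((key, offset, marker))
                offset = decoded.find(marker, offset + 1)
    return hits

def rank_keys(hits):
    """Order candidate keys by how many distinct markers each one reveals."""
    seen = defaultdict(set)
    for key, _offset, marker in hits:
        seen[key].add(marker)
    return sorted(((k, len(m)) for k, m in seen.items()),
                  key=lambda kv: (-kv[1], kv[0]))

# Constructed sample, not taken from the attached file: filler bytes around a
# URL-like string, all XORed with the made-up key 0x5A.
_PLAIN = bytes(range(16)) + b"http://example.invalid/a.exe" + bytes(range(16))
SAMPLE = xor_decode(_PLAIN, 0x5A)

if __name__ == "__main__":
    hits = scan_single_byte_xor(SAMPLE)
    for key, count in rank_keys(hits):
        print(f"key 0x{key:02x}: {count} distinct marker(s)")
    for key, offset, marker in hits:
        context = xor_decode(SAMPLE, key)[offset:offset + 32]
        print(f"  0x{key:02x} @ {offset}: {marker!r} -> {context!r}")
```

A key that reveals several distinct markers is a far stronger candidate than one that produces a single four-byte match, which can occur by chance in a large dump.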

October 29, 2009, 11:23:26 pm
Reply #1

