Friday, October 30, 2009

Another Malicious PDF

Sooner now I was laying my hands on another malicious PDF file. Below is a sample of the JAVASCRIPT that was extracted from the PDF file.

I feed the extracted JAVASCRIPT on to MALZILLA and off we go to analyze it. This particular PDF had 5 sects of JAVASCRIPT embedded into it. But mainly the first set of JAVASCRIPT is all that we are going to look into. Taking look at the JAVASCRIPT it looked like there was a function that was written to replace certain parts of variable.

var lookEtcTheory = isDeAs.replace(/[\\?@\\!#\\$]/g, \'\');

There was also an EVAL function that we happily convert to document.write(), coz we are happy to have the output printed on to the MALZILLA window, do not want them to be executed or you can also quickly use MALZILLA to override EVAL function like this.

I also noticed that on the whole there was a particular variable that was wrapped with \'. We quickly replace them with ' (apostrophe).

In addition to replacing the above we also have to replace rn with "" (nothing) and retur with return.
After all these we RUN the script that will return us the data (after all replacings). We take a closer look at the returned data and we find that it has three distinct sects of unicode data. Sample unicode data from MALZILLA.

Copy the unicode data and put them on the MISC DECODERS section of MALZILLA and convert them to hex by clicking UCS2 to HEX button. Doing so will generate HEX data. Save the HEX data to the file by clicking HEX TO FILE. Analyze the saved HEX file using STRINGS and it will give you the URL from where the malware is downloaded from and additional data such as imported functions.

Download the decoded extracted JAVASCRIPT here -

Download the readable JAVASCRIPT here -

Hope that helps someone :)

No comments:

Post a Comment