Monday, July 19, 2010

this.numpages PDF Javascript

Most of us have probably already seen this spreading in the wild: malicious JavaScript embedded in PDF files uses the this.numPages trick to obfuscate its code. One such PDF was found exploiting known vulnerabilities in Adobe.

The trick reads the number of pages in the PDF document through the numPages property and uses that value as the key to decrypt the encrypted JavaScript. The JavaScript itself is encrypted with a simple XOR. As shown in the screenshot (in the red rectangular box), the script reads numPages and uses its output as the key for decrypting the encrypted JavaScript.
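For static triage, the key space of this scheme is small enough to search without opening the document. The following is an added example, not code from the sample or from this post: it assumes a single-byte XOR with the low 8 bits of the page count, and the function names and the harmless sample script are constructed for illustration.

```python
import string

# Tokens that are common in JavaScript source; used only to rank candidates.
JS_TOKENS = (b"function", b"var ", b"return", b"eval", b"unescape", b"this.")
PRINTABLE = set(string.printable.encode())


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the low 8 bits of the key (assumed scheme)."""
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def js_score(candidate: bytes) -> tuple:
    """Rank a candidate plaintext: JavaScript token hits first, then printable ratio."""
    hits = sum(candidate.count(tok) for tok in JS_TOKENS)
    printable = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    return (hits, printable)


def recover_key(blob: bytes, max_pages: int = 255):
    """Try each plausible page count as the key; return (key, plaintext) for the best."""
    best = max(range(1, max_pages + 1),
               key=lambda k: js_score(xor_decode(blob, k)))
    return best, xor_decode(blob, best)


# Constructed sample: harmless script text encoded with a page count of 7.
SAMPLE_PLAIN = (b'var msg = "page count was the key"; '
                b'function show() { return msg.length; }')
SAMPLE_BLOB = xor_decode(SAMPLE_PLAIN, 7)

if __name__ == "__main__":
    key, text = recover_key(SAMPLE_BLOB)
    print(f"recovered key (page count): {key}")
    print(text.decode("ascii"))
```

Comparing the recovered key with the page count declared in the PDF's page tree is a quick consistency check on the decoded result.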

I uploaded the PDF to Wepawet, but unfortunately it wasn't able to flag the malicious content. See you in another blog post, binaryhax0r.
