{"id":5516,"date":"2010-11-18T14:25:51","date_gmt":"2010-11-18T13:25:51","guid":{"rendered":"http:\/\/www.corelan.be:8800\/?p=5516"},"modified":"2010-11-18T14:25:51","modified_gmt":"2010-11-18T13:25:51","slug":"malicious-pdf-analysis-from-price-zip-to-flashplayer-exe","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2010\/11\/18\/malicious-pdf-analysis-from-price-zip-to-flashplayer-exe\/","title":{"rendered":"Malicious pdf analysis : from price.zip to flashplayer.exe"},"content":{"rendered":"

Introduction<\/h3>\n

This morning, my generic attachment filter<\/a> for MS Exchange reported about 100 emails that have been put in quarantine because they contained a small zip file :<\/p>\n

\"image\"<\/a><\/p>\n

Email header :<\/p>\n

Received: from hosting1.i-excom.net ([87.106.13.96])  \n   18 Nov 2010 10:23:47 +0100\nReceived: (qmail 558 invoked from network);\n   18 Nov 2010 10:22:46 +0100\nReceived: from 41-135-4-212.dsl.mweb.co.za (HELO 192.168.2.3) (41.135.4.212) \n         by hosting1.i-excom.net with<\/span> SMTP;\n   18 Nov 2010 10:22:43 +0100\nReceived: from [10.10.0.11] by 192.168.2.3 id ib1m4s-000JkE-00;\n   Thu, 18 Nov2010 11:49:01 +0200\nMessage-ID: <009601cb8704$ef9f3b00$0b000a0a@192.168.2.3>\nFrom: <pichi5@ozu.es>\nTo: <xxxxxxxxxxxxxxxx>\nSubject: Re: lista de precios!\nDate<\/span>: Thu, 18 Nov 2010 11:49:01 +0200\nMIME-Version: 1.0\nContent-Type: multipart\/mixed;\n   boundary="----------B21C218F271B9A77<\/span>"\nReturn-Path: pichi5@ozu.es<\/pre>\n
When looking inside the zip file, I found a small pdf file\u2026  I immediately figured this file was up to no good, so it was time to get my hands dirty \ud83d\ude42<\/p>\n
This morning, VirusTotal reports that the pdf file is clean (0\/43)\u2026  But that doesn't mean anything, does it.<\/p>\n
When running the same analysis again (4 hours later), only 2 vendors seem to be catching it : PCTools and Symantec :<\/p>\n
\"image\"<\/a><\/p>\n
What follows are some short notes about the malicious pdf analysis :<\/p>\n
Analysing the pdf file<\/h3>\n
First, I ran pdfid.py and pdf-parser.py<\/a> against the pdf file. <\/p>\n
pdfif.py shows that the file contains javascript :<\/p>\n
root@bt:\/pentest\/pdf# .\/pdfid.py price.pdf\nPDFiD 0.0.11 price.pdf\n PDF Header: %PDF-1.3\n obj                    3\n endobj                 3\n stream                 0\n endstream              0\n xref                   1\n trailer                1\n startxref              1\n \/Page                  0\n \/Encrypt               0\n \/ObjStm                0\n \/JS                    1\n \/JavaScript            2\n \/AA                    0\n \/OpenAction            0\n \/AcroForm              0\n \/JBIG2Decode           0\n \/RichMedia             0\n \/Launch                0\n \/Colors > 2^24         0<\/pre>\n
Both "strings" and "pdf-parser.py" indicate that there are 2 "interesting" objects :<\/p>\n
object 1 0 : contains javascript code<\/h4>\n
\"image\"<\/a><\/p>\n
object 3 0 : contains a big array (\/Producer tag)<\/h4>\n
\"image\"<\/a><\/p>\n
At first sight, I would expect that the the javascript code will use the array one way or another to reproduce payload & execute it\u2026 Let's figure out how it's been done :<\/p>\n
De-obfuscating & Re-assembling the original payload<\/h3>\n
The javascript code was slightly obfuscated and will<\/p>\n