Friday, October 14, 2011

analyzing e1730268df98c7877d16beda98839694.pdf


md5 - e1730268df98c7877d16beda98839694



1. Strings
PDF version 1.3, xref table indicates 8 objects.


2. Running pdf.py
View the output here (https://gist.github.com/2c5c59d98143f06f071b).
Object 3 contains a JavaScript tag. Objects 5 and 7 are similar, as follows.
obj 5 0: 
tag Length = 54                                   (TAGVAL)
tag Filter                                        (TAGVAL)
tag FlateDecode                                   (ENDTAG)

obj 7 0: 
tag Length = 586                                  (TAGVAL)
tag Filter                                        (TAGVAL)
tag FlateDecode                                   (ENDTAG)
However, pdf.py only detects JavaScript inside object 7.


3. Analyzing the javascript dump
It seems to be a typical heap overflow. The shellcode obtained is here (https://gist.github.com/a2b4eb46c5c568b919a0).


4. Analyzing shellcode
Using diStorm and some regex with Python, I get this (https://gist.github.com/c826e5fa89029f114b98).
0x00000000 (02) 2bc9                 SUB ECX, ECX
0x00000002 (02) b11f                 MOV CL, 0x1f
0x00000004 (05) bd0c36c59b           MOV EBP, 0x9bc5360c
0x00000009 (02) dbc5                 FCMOVNB ST0, ST5
0x0000000b (04) d97424f4             FNSTENV [ESP-0xc]
0x0000000f (01) 5a                   POP EDX
0x00000010 (03) 83eafc               SUB EDX, -0x4
0x00000013 (03) 316a0b               XOR [EDX+0xb], EBP
0x00000016 (03) 036a07               ADD EBP, [EDX+0x7]
OK, so the decryption is going to change the instruction "ADD EBP, [EDX+0x7]". So I'll just run the whole thing in libemu and check its output.
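As an added illustration (not the author's code, nor anything from the linked gists), here is a Python model of the decoder loop the listing shows: CL is set to 0x1f dwords, EBP holds the XOR key, each dword is XORed in place and the key is then updated by an ADD from a displacement off EDX. It assumes, following the common additive-feedback pattern, that the ADD reads the dword that was just decoded; the listing only shows the displacement before the first XOR rewrites it, so that is an assumption rather than something the post confirms, and the payload bytes are constructed.

```python
import struct

# Values read from the decoder stub in the listing above:
#   MOV EBP, 0x9bc5360c        -> initial XOR key
#   SUB ECX, ECX; MOV CL, 0x1f -> 31 dwords are processed by the loop
KEY = 0x9BC5360C
COUNT = 0x1F
MASK = 0xFFFFFFFF


def decode(encoded: bytes, key: int = KEY, count: int = COUNT) -> bytes:
    """Emulate the loop: XOR [EDX+..], EBP ; ADD EBP, [EDX+..] ; EDX += 4.
    Assumption: the ADD reads the dword that was just decoded, so the key
    depends on all earlier plaintext (additive feedback)."""
    buf = bytearray(encoded)
    for i in range(min(count, len(buf) // 4)):
        off = 4 * i
        plain = struct.unpack_from("<I", buf, off)[0] ^ key
        struct.pack_into("<I", buf, off, plain)   # decode in place, like the stub
        key = (key + plain) & MASK                # ADD EBP, [EDX+..] (assumed target)
    return bytes(buf)


def encode(plain: bytes, key: int = KEY) -> bytes:
    """Inverse of decode(); used only to build the constructed sample below."""
    if len(plain) % 4:
        raise ValueError("payload must be a whole number of dwords")
    out = bytearray()
    for off in range(0, len(plain), 4):
        word = struct.unpack_from("<I", plain, off)[0]
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK
    return bytes(out)


# Constructed stand-in payload (31 dwords); these are not bytes from the PDF.
SAMPLE_PLAIN = (b"CONSTRUCTED SAMPLE, NOT THE REAL SHELLCODE. " * 3)[:4 * COUNT]
SAMPLE_ENCODED = encode(SAMPLE_PLAIN)


def recover_sample() -> bytes:
    """Run the emulated loop over the constructed ciphertext."""
    return decode(SAMPLE_ENCODED)


if __name__ == "__main__":
    # The first XOR also rewrites the tail of the stub itself, so a static
    # disassembler only sees ciphertext past the ADD; the loop has to be run
    # (or emulated, as libemu does) before the real payload is visible.
    print(recover_sample())
```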


There seem to be calls to WinExec to execute "calc.exe" and to ExitProcess. However, it seems that there is some tampering with LdrData - to hide imported DLLs? #TODO
