Tuesday, February 26, 2013

Yara Scanning added to command line tools

We've pushed out updates to PDFExaminer and Cryptam command line versions tonight that include Yara scanning capability, unlike running the standard Yara tool, using our Yara plugin in PDFExaminer and Cryptam allow you to look deeper inside document files.

PDFExaminer CLI - Yara Related Features

  • Run Yara signatures against decoded streams such as FlateDecode, AsciiHex85, CCITTFaxDecode, and many more.
  • Run Yara signatures against decrypted streams of RC4/AES encrypted PDFs
  • Run Yara signatures against decrypted parameter strings.

Cryptam CLI - Yara Related Features

  • Run Yara signatures against all the subfiles of OpenXML format documents such as docx, xlsx, pptx.
  • Run Yara signatures against decoded RTF datastreams
  • Run Yara signatures against automatically decrypted embedded executables and dropped clean documents.
Automate your triage of incoming targeted APT attacks.  Scan a malware RTF file, extract the executables, and identify the implant or intrusion set TTP with your own Yara signatures all in one step.

More Yara integration to follow on our web-based version too. More info on Yara here.

Thursday, February 21, 2013

Using PDFExaminer to analyse Mandiant_APT2_Report.pdf

Here's a quick walkthrough on using PDFExaminer to triage the Mandiant_APT2_Report.pdf file reported by @9bplus on his blog.

We've added a new feature to specify the user password for these types of encrypted documents to our command line version of the PDFExaminer:

$ php pdfex.php  -p "hello" Mandiant_APT2_Report.pdf summary key key_length
summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

First - the flash file stands our pretty quickly:
$ md5 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-*
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-21351c1165e65d2ec10ef60eb1d54fd6.stream) = 21351c1165e65d2ec10ef60eb1d54fd6
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-254b68d890b500bbe54902f5bf24cf32.stream) = 254b68d890b500bbe54902f5bf24cf32
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-b1f31dc205e46ae6fbdb5ee10c1ce7a6.flash) = b1f31dc205e46ae6fbdb5ee10c1ce7a6

The compressed Flash file with MD5 254b68d890b500bbe54902f5bf24cf32 was previously submitted to Virustotal:

SHA256: f9202a5cd9007c62a212a33809815fddd498c78f8ea667415a9cacbc7aed313c
File name: s.txt
Detection ratio: 12 / 42
Analysis date: 2012-08-21 09:22:42 UTC ( 6 months ago )

Now that the PDF is decrypted, we can keep working through it. Object 64 is a whopping 315K, that one we'll run through Cryptam since in seems to be an encrypted exe:

$ php cryptam.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream summary has_exe key
summary=94: string.This program cannot be run in DOS mode
27750: string.GetCommandLineA
27936: string.GetProcAddress
28544: string.EnterCriticalSection
27690: string.CloseHandle
27676: string.CreateFileA
27734: string.KERNEL32
20995: string.ExitProcess

There we can see a one byte XOR=0x12 exe is encoded in Object 64. The MZ header is incomplete, so the exe is not automatically extracted. We run the Cryptam multi tool to do this:

php cryptam_multi.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream -xor 12

A quick strings shows a few interesting things:
AVG Firewall Asks for Confirmation

And a google search leads to the Contagio blog:
and the same domain as @9bplus found - itsec[.]eicp[.]net. These attackers previously targeted MacOS and PCs with themes related to Tibet independance.

That's all for now. 

Wednesday, February 13, 2013

New PDF Zero Day

We are currently investigating a new Adobe Zero Day which does bypass the Sandbox protections of Reader 11.0.1 as reported by FireEye. We anticipate a patch to be released very quickly.

We recommend avoiding opening any PDF received by email or from a website until Adobe releases more information.

PDFExaminer does detect the zero day PDF as suspicious due to the use of JavaScript obfuscation techniques used such as eval.