Monday, August 30, 2010

encrypted pdf part 2 - with the online pdf examiner and object dissector

A couple of posts ago I talked about do-it-yourself AESV2 PDF decryption; now it's time to get into the analysis of the PDF JavaScript payload. The free online PDF Examiner 1.0 is very helpful for handling the parsing of the PDF and locating the objects that contain weird obfuscated JavaScript (you can use our PDF analysis tool here).

After uploading the PDF at, we get the following page which highlights that object 47 generation 0 has some javascript obfuscation going on:

In the left column, objects that have something bad detected in them show up as red, objects with streams of any sort of content show up as green, and the smaller xref and document info objects are grey and of minimal value in finding the exploits. As you can see below, when you click on the suspected bad object we are presented with a hex view which clearly shows we've found a JavaScript block (remember this would normally have been tricky to track down with other PDF parsers, as this object is also AESV2 128-bit encrypted).

Now keeping with the on-the-go quick analysis we've designed these online tools for - you can click the View Obj Raw to see the decoded object's content for an easy copy-paste:

The JavaScript object isn't super pretty to look at:

JavaScript in exploits is usually pretty messy, so we can copy-paste the above code over to which has a great online tool to clean up that messy JS code.

Now here's where we can see there's all sorts of messy obfuscated code using some mathematical tricks to evade decoding. However, notice the eval in the last line of the code? We can save a lot of time by simply changing the eval to document.write and let the attacker's code work against them:

Then, over on our PC, we can create a simple HTML file containing the modified JavaScript and open it in our favorite browser:

Opening this in a web browser reveals the de-obfuscated JavaScript:

And over to the JavaScript beautifier again:

We can clearly see the potpourri of exploits we've been presented with: -> is CVE-2009-4324
util.printd("DAbRSENUPTBrlwPSTcwaybxlFnvNzcMRwJvG", new Date()) -> is CVE-2008-2992
Collab.collectEmailInfo -> CVE-2007-5659
app.doc.Collab.getIcon -> CVE-2009-0927
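The eval-to-document.write substitution above, carried one step further as an added example (this is not code from the post or from the PDF Examiner tool): a small Node.js harness that rewrites every eval( call into a capture function, runs the outer layer, and repeats on whatever that layer handed to eval until no eval call remains. Nested packers unwrap that way without the final payload ever being executed, and the last layer is then matched against the API names listed above to produce the CVE mapping. The two-layer sample payload, the helper names and the marker table are constructed for this example; the call for CVE-2009-4324 is not shown in the post, so it is left out of the table rather than guessed.

```javascript
// Added example: layered eval-capture unpacker for obfuscated PDF JavaScript.
// Same idea as swapping eval() for document.write(), but each eval() call is
// rewritten to a capture function so the next layer lands in an array instead
// of being written into a browser page. Everything below is constructed.

// --- Constructed sample payload (inert: the final layer is never executed) ---
const FINAL = "var sc = unescape('%u9090%u9090'); util.printd('DATE', new Date()); Collab.collectEmailInfo();";
// Layer 2 stores the final payload in a variable and evals it.
const LAYER2 = 'var p = "' + FINAL + '"; eval(p);';
// Layer 1 hides layer 2 as a list of char codes, a common packer trick.
const LAYER1 = 'eval(String.fromCharCode(' +
  Array.from(LAYER2, c => c.charCodeAt(0)).join(',') + '));';

// Rewrite every eval( call site into a call to our capture function.
function patchEval(code) {
  return code.replace(/\beval\s*\(/g, '__capture(');
}

// Run one layer with eval captured; returns the strings it tried to eval.
function captureLayer(code) {
  const captured = [];
  // new Function keeps the layer's own variables local to this call.
  new Function('__capture', patchEval(code))(s => captured.push(String(s)));
  return captured;
}

// Peel layers until a layer contains no eval( at all; that layer is returned
// unexecuted as the final payload. maxLayers guards against a decoy that
// keeps producing eval layers forever.
function unpackLayers(code, maxLayers = 10) {
  const layers = [code];
  for (let i = 0; i < maxLayers; i++) {
    const current = layers[layers.length - 1];
    if (!/\beval\s*\(/.test(current)) break;
    const next = captureLayer(current);
    if (next.length === 0) break;
    layers.push(next.join('\n'));
  }
  return layers;
}

// API names the post maps to CVEs (constructed table from the post's list).
const MARKERS = [
  ['util.printd', 'CVE-2008-2992'],
  ['Collab.collectEmailInfo', 'CVE-2007-5659'],
  ['Collab.getIcon', 'CVE-2009-0927'],
];

// Report which known exploit APIs the de-obfuscated layer references.
function matchMarkers(code) {
  return MARKERS.filter(([name]) => code.includes(name)).map(([, cve]) => cve);
}

// Demo: unpack the constructed sample and report what the last layer contains.
const layers = unpackLayers(LAYER1);
layers.forEach((l, i) => console.log('layer ' + i + ': ' + l.slice(0, 80)));
console.log('CVE indicators:', matchMarkers(layers[layers.length - 1]));
```

To use it on a real object, replace LAYER1 with the raw JavaScript text copied from the View Obj Raw page. The outer layers do still execute in Node, so run the harness on an isolated analysis VM exactly as you would the browser trick; the gain over document.write is that the unwrapping is repeatable, stops before the last layer, and the captured layers can be saved for the beautifier and for signature matching.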

The de-obfuscation also revealed the shellcode. We're not going to get into that here, but will remind everyone that we have an online nasm viewer (with our own annotations) over at which also lets you supply an XOR key to try unpacking the shellcode yourself.

That's all for now :)
