Thursday, February 21, 2013

Using PDFExaminer to analyse Mandiant_APT2_Report.pdf

Here's a quick walkthrough on using PDFExaminer to triage the Mandiant_APT2_Report.pdf file reported by @9bplus on his blog.

We've added a new feature to specify the user password for these types of encrypted documents to our command line version of the PDFExaminer:

$ php pdfex.php  -p "hello" Mandiant_APT2_Report.pdf summary key key_length
summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

First - the flash file stands our pretty quickly:
$ md5 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-*
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/ = 21351c1165e65d2ec10ef60eb1d54fd6
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/ = 254b68d890b500bbe54902f5bf24cf32
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-b1f31dc205e46ae6fbdb5ee10c1ce7a6.flash) = b1f31dc205e46ae6fbdb5ee10c1ce7a6

The compressed Flash file with MD5 254b68d890b500bbe54902f5bf24cf32 was previously submitted to Virustotal:

SHA256: f9202a5cd9007c62a212a33809815fddd498c78f8ea667415a9cacbc7aed313c
File name: s.txt
Detection ratio: 12 / 42
Analysis date: 2012-08-21 09:22:42 UTC ( 6 months ago )

Now that the PDF is decrypted, we can keep working through it. Object 64 is a whopping 315K, that one we'll run through Cryptam since in seems to be an encrypted exe:

$ php cryptam.php 14a6e24977ff6e7e8a8661aadfa1a1f3/ summary has_exe key
summary=94: string.This program cannot be run in DOS mode
27750: string.GetCommandLineA
27936: string.GetProcAddress
28544: string.EnterCriticalSection
27690: string.CloseHandle
27676: string.CreateFileA
27734: string.KERNEL32
20995: string.ExitProcess

There we can see a one byte XOR=0x12 exe is encoded in Object 64. The MZ header is incomplete, so the exe is not automatically extracted. We run the Cryptam multi tool to do this:

php cryptam_multi.php 14a6e24977ff6e7e8a8661aadfa1a1f3/ -xor 12

A quick strings shows a few interesting things:
AVG Firewall Asks for Confirmation

And a google search leads to the Contagio blog:
and the same domain as @9bplus found - itsec[.]eicp[.]net. These attackers previously targeted MacOS and PCs with themes related to Tibet independance.

That's all for now. 

No comments:

Post a Comment