A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #23700  by dlimanov
 Wed Aug 27, 2014 10:57 pm
Got the attached PDF as a phish. All online sandboxes report it as benign. Checked streams and objects with PDF parser and PEEPDF and noticed a flat decode filter in Object 1. After decoding that object, file grows to 90Mb with two IMAGE sections and couple of interesting JavaScript sections. Network guys are saying that target machine that executed the phish PDF immediately tried to download a payload from hxxp://stat-bdm.com/res/123.exe (now dead), which got blocked.
I am having hard time making sense of the deobfuscated JavaScript from Object 1 (there appears to be nothing interesting anywhere else), and don't see any reference to the URL above. I tried running the PDF locally with CaptureBat and few other real-time analysis tools, but again there was no sign of any downloader activity.
Does anyone have any ideas how to decipher the JavaScript below?
Thanks in advance!
Attachments
pw: infected
(48.32 KiB) Downloaded 51 times
Extracted JS from Object1
(3.39 KiB) Downloaded 50 times
Last edited by Xylitol on Wed Aug 27, 2014 11:39 pm, edited 1 time in total. Reason: password protected the .PDF
 #24187  by sysopfb
 Thu Oct 23, 2014 1:46 am
The one I deobfuscated was two parts. So you have that huge image file which is part of the CVE (CVE-2013-2729 if I remember right) and then I had two separate javascript sections using two XFA nodes. The XFA nodes hold the data that the js works on so you have to manipulate the js a bit if you want to get the shellcode out of it. Ultimately all I got was some shellcode that called for the download of the payload, the only thing interesting about it was that the shellcode was flagged by our yara rules as Cridex shellcode. If you want I can post my notes on it when I get to the lab in the morning.
 #24225  by sysopfb
 Sun Oct 26, 2014 1:19 pm
Here's a zip of all my notes and the pdf I worked with. The full shellcode is in there as well if you turn it into an exe and strings it you'll see the url of the follow on download which if I remember correctly was Dyre at the time.
Password is the usual
Attachments
normal pass
(110.29 KiB) Downloaded 46 times