I'm looking into some malware we got via a phish attempt. I've used several tools to look into the PDF (peepdf, pdf-parser). I've found that the pdf has an OpenAction to run javascript. I've tracked down the javascript (fairly well, it bounces around everywhere inside the file). It seems the sample eventually calls: this.exportDataObject({cName:"badfile.mdoc", nLaunch:2});
Seems to me this PDF drops an mdoc file (Macro enabled word file) and then asks the user to open it.
I think the mdoc file is stored in object 14. However, when I pull out object 14 and create a file from it it seems corrupted.
The PDF also has several large javascript sections, I've attached them. One of these functions is an encode / decode function. I'm wondering if the decode function needs to run against the mdoc in some way prior to it being written? It is odd though as I don't see the decode (or encode) functions actually being called anywhere (am I missing it?), so perhaps it is just abandoned code?
I'm also attaching a copy of the malware, please understand the attached PDF is malware. I understand I can attach it here so long as I'm clear that it contains badness.
Can anyone give me some tips on how to get the mdoc file extracted so that I can further my analysis?
PS. this is my first analysis so hopefully I'm not WAY off base...
Thanks for any help/tips!
Attachments
functions from pdf
(5.71 KiB) Downloaded 23 times
notes during analysis
(709 Bytes) Downloaded 20 times
Malware Sample!
(60.84 KiB) Downloaded 27 times
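The most common reason a stream "pulled out" of a PDF object looks corrupted is that it was copied raw: an /EmbeddedFile stream is almost always stored behind a /Filter chain (FlateDecode, sometimes wrapped in ASCIIHexDecode or ASCII85Decode), and the bytes only become the real file after every filter in that chain has been applied in order (pdf-parser's --filter option does this same decoding). The script below is an added example written for this thread, not code from the poster or from peepdf/pdf-parser: it builds a small constructed PDF-like byte string (not the attached sample) with an /OpenAction that runs JavaScript and two embedded-file streams, then parses objects, follows /OpenAction to the /JS string, pulls the cName out of the exportDataObject call, and decodes each embedded stream by its /Length and /Filter chain. All function names and the sample bytes are assumptions made for the example.

```python
import base64
import binascii
import re
import zlib

# Constructed stand-in for an embedded document body (not the real sample).
FAKE_MDOC = b"PK\x03\x04 constructed stand-in for a macro-enabled document body"


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF: a Catalog whose /OpenAction runs JavaScript, plus two
    /EmbeddedFile streams: object 14 is FlateDecode only, object 15 is ASCIIHexDecode
    wrapped around FlateDecode (filters must be undone in the order listed)."""
    flate = zlib.compress(FAKE_MDOC)
    hex_flate = binascii.hexlify(zlib.compress(FAKE_MDOC)) + b">"  # '>' is the hex EOD marker
    js = b'this.exportDataObject({cName:"badfile.mdoc", nLaunch:2});'
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /S /JavaScript /JS (" + js + b") >>\nendobj\n"
        b"14 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(flate)).encode() + b" >>\nstream\n" + flate + b"\nendstream\nendobj\n"
        b"15 0 obj\n<< /Type /EmbeddedFile /Filter [/ASCIIHexDecode /FlateDecode] /Length "
        + str(len(hex_flate)).encode() + b" >>\nstream\n" + hex_flate + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length only; an indirect "/Length 5 0 R" is skipped (fallback to endstream).
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
FILTER_RE = re.compile(rb"/(FlateDecode|ASCIIHexDecode|ASCII85Decode)\b")
OPENACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")
JS_DIRECT_RE = re.compile(rb"/JS\s*\((.*)\)\s*>>", re.S)
JS_INDIRECT_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
EXPORT_RE = re.compile(rb'exportDataObject\s*\(\s*\{[^}]*?cName\s*:\s*"([^"]+)"')


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (dictionary bytes, raw stream bytes or None).
    The stream is sliced by /Length so binary data containing newlines survives."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        start = STREAM_START_RE.search(body)
        if not start:
            objects[num] = (body.strip(), None)
            continue
        dict_part = body[:start.start()]
        length = LENGTH_RE.search(dict_part)
        if length:
            raw = body[start.end():start.end() + int(length.group(1))]
        else:  # no usable /Length: fall back to the endstream keyword
            raw = body[start.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        objects[num] = (dict_part.strip(), raw)
    return objects


def decode_stream(dict_part: bytes, raw: bytes) -> bytes:
    """Undo the /Filter chain in the order the dictionary lists it. A stream copied
    out without this step is exactly what shows up as a 'corrupted' file."""
    data = raw
    for name in FILTER_RE.findall(dict_part):
        if name == b"FlateDecode":
            data = zlib.decompress(data)
        elif name == b"ASCIIHexDecode":
            hexdata = re.sub(rb"\s", b"", data.split(b">", 1)[0])
            if len(hexdata) % 2:  # PDF allows an odd final digit, read as if followed by 0
                hexdata += b"0"
            data = binascii.unhexlify(hexdata)
        elif name == b"ASCII85Decode":
            text = re.sub(rb"\s", b"", data)
            data = base64.a85decode(text[:-2] if text.endswith(b"~>") else text)
    return data


def find_open_action_js(objects: dict):
    """Follow /Catalog -> /OpenAction -> /JS and return the script bytes, or None."""
    for dict_part, _ in objects.values():
        if b"/Type /Catalog" not in dict_part:
            continue
        ref = OPENACTION_RE.search(dict_part)
        if not ref or int(ref.group(1)) not in objects:
            return None
        action_dict, _ = objects[int(ref.group(1))]
        direct = JS_DIRECT_RE.search(action_dict)
        if direct:
            return direct.group(1)
        indirect = JS_INDIRECT_RE.search(action_dict)  # /JS may point at a stream object
        if indirect and int(indirect.group(1)) in objects:
            js_dict, js_stream = objects[int(indirect.group(1))]
            return decode_stream(js_dict, js_stream) if js_stream is not None else js_dict
    return None


def js_export_targets(js: bytes) -> list:
    """cName values handed to exportDataObject: the embedded file names to look for."""
    return EXPORT_RE.findall(js)


def extract_embedded_files(objects: dict) -> dict:
    """Decode every /Type /EmbeddedFile stream, keyed by object number."""
    return {num: decode_stream(d, raw) for num, (d, raw) in objects.items()
            if raw is not None and re.search(rb"/Type\s*/EmbeddedFile\b", d)}


if __name__ == "__main__":
    objs = parse_objects(build_sample_pdf())
    js = find_open_action_js(objs)
    print("OpenAction JS:", js, "-> exports", js_export_targets(js))
    for num, data in extract_embedded_files(objs).items():
        print(f"object {num}: raw {len(objs[num][1])} bytes -> decoded {len(data)} bytes, "
              f"starts with {data[:4]!r}")
```

Run on the constructed sample it reports the exportDataObject call, the cName it exports, and shows that object 14's raw bytes differ from the decoded file while the decoded output of objects 14 and 15 is identical. The same pattern applies when analysing a real file in a sandbox: confirm the cName in the JavaScript against the /F or /UF name in the file specification, locate the /EmbeddedFile stream it points to, apply the stream's own /Filter chain, and only then judge whether the output is a valid document. A JavaScript-level encode/decode routine would only matter if the script feeds the embedded data through it before exporting, which is not what exportDataObject does; it hands the stream to the reader as stored.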