Got the attached PDF as a phish. All online sandboxes report it as benign. Checked streams and objects with PDF parser and PEEPDF and noticed a flat decode filter in Object 1. After decoding that object, file grows to 90Mb with two IMAGE sections and couple of interesting JavaScript sections. Network guys are saying that target machine that executed the phish PDF immediately tried to download a payload from hxxp://stat-bdm.com/res/123.exe (now dead), which got blocked.
I am having hard time making sense of the deobfuscated JavaScript from Object 1 (there appears to be nothing interesting anywhere else), and don't see any reference to the URL above. I tried running the PDF locally with CaptureBat and few other real-time analysis tools, but again there was no sign of any downloader activity.
Does anyone have any ideas how to decipher the JavaScript below?
Thanks in advance!
I am having hard time making sense of the deobfuscated JavaScript from Object 1 (there appears to be nothing interesting anywhere else), and don't see any reference to the URL above. I tried running the PDF locally with CaptureBat and few other real-time analysis tools, but again there was no sign of any downloader activity.
Does anyone have any ideas how to decipher the JavaScript below?
Thanks in advance!
Attachments
pw: infected
(48.32 KiB) Downloaded 51 times
(48.32 KiB) Downloaded 51 times
Extracted JS from Object1
(3.39 KiB) Downloaded 50 times
(3.39 KiB) Downloaded 50 times
Last edited by Xylitol on Wed Aug 27, 2014 11:39 pm, edited 1 time in total.
Reason: password protected the .PDF