PDF analysis - By a newbie

Ask your beginner questions here.
BitTwist127
Posts: 3
Joined: Wed May 31, 2017 1:26 pm

PDF analysis - By a newbie

Post by BitTwist127 » Thu Jun 01, 2017 1:52 pm

I'm looking into some malware we got via a phishing attempt. I've used several tools to look into the PDF (peepdf, pdf-parser). I've found that the PDF has an OpenAction to run JavaScript. I've tracked down the JavaScript (fairly well; it bounces around everywhere inside the file). It seems the sample eventually calls: this.exportDataObject({cName:"badfile.mdoc", nLaunch:2});

It seems to me this PDF drops an mdoc file (macro-enabled Word file) and then asks the user to open it.

I think the mdoc file is stored in object 14. However, when I pull out object 14 and create a file from it, it seems corrupted.

The PDF also has several large JavaScript sections; I've attached them. One of these functions is an encode/decode function. I'm wondering if the decode function needs to run against the mdoc in some way prior to it being written? It is odd, though, as I don't see the decode (or encode) functions actually being called anywhere (am I missing it?), so perhaps it is just abandoned code?

I'm also attaching a copy of the malware, please understand the attached PDF is malware. I understand I can attach it here so long as I'm clear that it contains badness.

Can anyone give me some tips on how to get the mdoc file extracted so that I can further my analysis?

PS: this is my first analysis, so hopefully I'm not WAY off base...


Thanks for any help/tips!
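The symptom described in the post above (object 14 written to disk "seems corrupted") is usually what you get when a stream's raw bytes are dumped without applying its /Filter chain, or when the stream is cut at the wrong place instead of at /Length. The script below is an added example, not code from this thread or from peepdf, pdf-parser or origami: it builds a small, benign PDF in memory with the same shape as the one discussed (a /Catalog whose /OpenAction runs a JavaScript stream that calls exportDataObject, and a /Type /EmbeddedFile stream stored with a two-step filter chain), then parses it with a minimal object scanner that honours /Length and decodes the filters. The file name badfile.docm, the sample script and the payload bytes are constructed stand-ins; only the standard library is used, and indirect /Length values, object streams and encryption are deliberately out of scope.

```python
import binascii
import re
import zlib

# Constructed stand-ins (hypothetical names). A real .docm is an OOXML zip, hence the PK header.
SAMPLE_JS = b'this.exportDataObject({cName:"badfile.docm", nLaunch:2});'
SAMPLE_DOCM = b"PK\x03\x04" + b"constructed stand-in for badfile.docm " * 8

def build_sample_pdf(payload: bytes, js: bytes) -> bytes:
    """/Catalog -> /OpenAction -> JavaScript stream; payload stored as /EmbeddedFile, hex over Flate.
    No xref table is written: the parser below scans for objects instead of trusting one."""
    js_stream = zlib.compress(js)
    ef_stream = binascii.hexlify(zlib.compress(payload)) + b">"   # '>' is the ASCIIHex EOD marker
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R "
        b"/Names << /EmbeddedFiles << /Names [(badfile.docm) 5 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_stream) + js_stream + b"\nendstream",
        b"<< /Type /Filespec /F (badfile.docm) /EF << /F 6 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n"
        % len(ef_stream) + ef_stream + b"\nendstream",
    ]
    return b"%PDF-1.7\n" + b"".join(
        b"%d 0 obj\n" % n + body + b"\nendobj\n" for n, body in enumerate(bodies, 1))

OBJ_HEADER = re.compile(rb"(\d+)\s+\d+\s+obj\b")
DICT_TOKEN = re.compile(rb"<<|>>")
STREAM_START = re.compile(rb"\s*stream\r?\n")
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # ignores indirect '/Length N 0 R'

def dict_end(data: bytes, start: int) -> int:
    """Index just past the '>>' that closes the (possibly nested) dictionary opening at `start`."""
    depth = 0
    for m in DICT_TOKEN.finditer(data, start):
        depth += 1 if m.group() == b"<<" else -1
        if depth == 0:
            return m.end()
    raise ValueError("unterminated dictionary")

def parse_objects(pdf: bytes) -> dict:
    """Object number -> (dictionary bytes, raw stream bytes or None). Reads exactly /Length bytes
    after 'stream' rather than guessing where 'endstream' begins; indirect /Length is skipped."""
    objs = {}
    for m in OBJ_HEADER.finditer(pdf):
        num, dm = int(m.group(1)), re.compile(rb"\s*<<").match(pdf, m.end())
        if dm is None:                       # bare number/array object: nothing to extract
            objs[num] = (b"", None)
            continue
        start = dm.end() - 2
        end = dict_end(pdf, start)
        dictionary, raw = pdf[start:end], None
        sm, lm = STREAM_START.match(pdf, end), DIRECT_LENGTH.search(dictionary)
        if sm and lm:
            raw = pdf[sm.end():sm.end() + int(lm.group(1))]
        objs[num] = (dictionary, raw)
    return objs

def stream_filters(dictionary: bytes) -> list:
    """Filter names in application order, from '/Filter /Name' or '/Filter [/A /B]'."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary)
    return re.findall(rb"/(\w+)", m.group(1)) if m else []

def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Apply the /Filter chain; writing `raw` to disk without this is the 'corrupted file' symptom."""
    data = raw
    for f in stream_filters(dictionary):
        if f == b"FlateDecode":
            data = zlib.decompress(data)
        elif f == b"ASCIIHexDecode":
            data = binascii.unhexlify(re.sub(rb"[\s>]", b"", data))
        else:
            raise NotImplementedError(f"filter {f.decode()} not handled in this example")
    return data

def ref(dictionary: bytes, key: bytes):
    """Object number in '/key N G R', or None if the key is absent or holds a direct value."""
    m = re.search(rb"/" + key + rb"\s+(\d+)\s+\d+\s+R", dictionary)
    return int(m.group(1)) if m else None

def open_action_javascript(objs: dict):
    """Follow /Catalog -> /OpenAction -> /JS (a stream here) and return the decoded script."""
    for d, _ in objs.values():
        if re.search(rb"/Type\s*/Catalog\b", d):
            action = objs.get(ref(d, b"OpenAction"))
            if action and re.search(rb"/S\s*/JavaScript\b", action[0]):
                js = objs.get(ref(action[0], b"JS"))
                if js and js[1] is not None:
                    return decode_stream(*js)
    return None

def embedded_files(objs: dict) -> dict:
    """{object number: (raw bytes, decoded bytes)} for every /Type /EmbeddedFile stream."""
    return {n: (raw, decode_stream(d, raw)) for n, (d, raw) in objs.items()
            if raw is not None and re.search(rb"/Type\s*/EmbeddedFile\b", d)}

if __name__ == "__main__":
    objs = parse_objects(build_sample_pdf(SAMPLE_DOCM, SAMPLE_JS))
    print("OpenAction JS:", open_action_javascript(objs))
    for n, (raw, dec) in embedded_files(objs).items():
        print(f"obj {n}: raw starts {raw[:8]!r} (not PK), decoded starts {dec[:4]!r}, {len(dec)} bytes")
```

Running it shows the two views of the same object: the raw stream is hex text that no tool will open as a Word file, while the decoded bytes start with the PK signature a .docm carries. With a real sample, the equivalent step in pdf-parser is to dump the object with the filter applied (`pdf-parser.py -o 14 -f -d out.bin`), then check the output for the PK header before handing it to oledump; if the size still looks short, compare the declared /Length with the distance to endstream, since a wrong or indirect /Length is the other common cause of a truncated extract.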

futex
Posts: 6
Joined: Tue Dec 17, 2013 12:06 pm

Re: PDF analysis - By a newbie

Post by futex » Thu Jun 01, 2017 3:55 pm

You can extract all the streams with the pdfextract command-line tool from origami.
As you say, inside there is a Word file with a macro; the macro is launched when the file is opened in Word and tries to download malware from:

hxxp://oliverkuo.com.au/fgJds2U
hxxp://minnessotaswordfishh.com/af/fgJds2U
hxxp://elateplaza.com/fgJds2U

The sample is here: https://www.virustotal.com/en/file/d5bd ... /analysis/

It seems to be ransomware.

BitTwist127
Posts: 3
Joined: Wed May 31, 2017 1:26 pm

Re: PDF analysis - By a newbie

Post by BitTwist127 » Thu Jun 01, 2017 6:07 pm

This is great, thank you very much. Do you mind sharing what you used to open the docm file? Was it an analysis tool, or did you just open it in MS Word? (I tried oletools but it failed for me.)

EDIT:
I got oledump to open it... looks good, thanks for the pointers.

Antelox
Posts: 241
Joined: Sun Mar 21, 2010 10:38 pm
Contact:

Re: PDF analysis - By a newbie

Post by Antelox » Mon Jun 05, 2017 8:26 am

You can use just peepdf to extract the docm from the PDF. Check the following blog post to see how to do it:
By the way, the binary downloaded by the docm is Jaff ransomware.

BR,

Antelox

BitTwist127
Posts: 3
Joined: Wed May 31, 2017 1:26 pm

Re: PDF analysis - By a newbie

Post by BitTwist127 » Mon Jun 05, 2017 1:01 pm

Nice blog, different C&C than the one I have. Also, I tried that very command with peepdf and I don't get a complete file; if I compare the file size with the one I get from the other tool, it is several KB smaller. The sample I uploaded above also has obfuscation on writing the stream. Thanks for the feedback though, I'll take another look at exporting with peepdf, as it would be nice to be able to use a single tool.
