PDF Analysis using PDFStreamDumper


Posted on November 19, 2011 by darryl

PDFStreamDumper is a PDF analyzer developed by Sandsprite's David Zimmer. He has added quite a few useful functions that make this an all-in-one, go-to tool, as you'll soon see.

Here’s a spear-phish email that contains a malicious PDF file attachment:

2011-11-19_01.png

This PDF file is quite unusual. When you view a PDF in Notepad, you can normally see readable strings and the magic bytes at the beginning. In this case, the file has been altered:

2011-11-19_02.png

Using a hex editor, we can see the familiar attributes that make up a PDF file:

2011-11-19_03.png

When you open the PDF file using Adobe Acrobat Reader (versions below 9.4), it notices that the file is damaged and repairs it. While doing so, the program crashes, because it has just been compromised by the exploit, and the shellcode executes.

Let's open the PDF file using PDFStreamDumper and click on "Exploits_Scan" from the menu bar:

2011-11-19_04.png

In "Stream 25", we can see the JavaScript exploit:

2011-11-19_05.png

Down at the bottom of the stream, we can see a bunch of hex characters. This looks like shellcode to me. We can either save the decompressed stream to a text file by right-clicking on the object on the left:

2011-11-19_06.png

Or, we can select the hex code and press Ctrl-C. Let's do the latter, then click on "Load" from the main menu and on "Shellcode File".

2011-11-19_07.png

This brings up a new window. The main section is blank, so we paste the hex code there. We need to tell the program that this is hex, so we select the characters and then click on "Add % to HexString" under the "Manual_Escapes" menu.

2011-11-19_08.png

Since this is presumed to be shellcode, we can use the options under the "Shellcode_Analysis" menu. I tried to dump the shellcode using the top three options but it didn't work. Let's see if this is XOR-encrypted: select the hex characters, then choose "Xor_Bruteforcer":

Bingo! It is encrypted with the XOR key 0xF0. You can see the dropbox.com download-and-execute link:

2011-11-19_10.png

Checking that executable against VirusTotal shows that it's likely a banking Trojan.

2011-11-19_11.png

I've just scratched the surface of what this great tool can do. Be sure you check out PDFStreamDumper and his other malware analysis tools!

Source: http://www.kahusecurity.com/2011/pdf-analysis-using-pdfstreamdumper/
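The two manual steps from the post, escaping the copied hex ("Add % to HexString") and brute-forcing a single-byte XOR key, as an added Python example. This is not code from the post or from PDFStreamDumper, whose Xor_Bruteforcer internals are not described here; the sample bytes, the marker list and the scoring heuristic are my own constructions.

```python
import re
import string

# Constructed sample only: a readable stub XORed with 0xF0, standing in for the
# hex dump copied out of the PDF stream. It is NOT the shellcode from the post.
_PLAIN = b"\x90\x90\x90 stub: http://malware.example.invalid/update.exe \x00"
SAMPLE_HEX = "".join(f"{b ^ 0xF0:02x}" for b in _PLAIN)

# Strings an analyst wants to see surface once the right key is applied
# (assumed heuristic, not the tool's own list).
MARKERS = (b"http://", b"https://", b".exe", b"kernel32", b"urlmon")
_PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def parse_hex(text: str) -> bytes:
    """Accept raw hex ('4142') or %-escaped hex ('%41%42'); ignore whitespace."""
    digits = re.sub(r"[\s%]", "", text)
    if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
        raise ValueError("input is not an even, non-empty run of hex digits")
    return bytes.fromhex(digits)


def add_percent_escapes(text: str) -> str:
    """Same effect as 'Add % to HexString': one %XX escape per byte."""
    return "".join(f"%{b:02X}" for b in parse_hex(text))


def _score(buf: bytes) -> float:
    """Higher is better: printable-ASCII ratio plus a bonus per marker hit."""
    printable = sum(b in _PRINTABLE for b in buf) / len(buf)
    hits = sum(buf.count(m) for m in MARKERS)
    return printable + 2.0 * hits


def xor_bruteforce(data: bytes, top: int = 3):
    """Try all 256 single-byte keys; return [(score, key, decoded)], best first."""
    ranked = []
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        ranked.append((_score(decoded), key, decoded))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked[:top]


def recover_key(hex_text: str) -> int:
    """Best single-byte XOR key for a hex dump, raw or %-escaped."""
    return xor_bruteforce(parse_hex(hex_text), top=1)[0][1]


if __name__ == "__main__":
    escaped = add_percent_escapes(SAMPLE_HEX)
    for score, key, decoded in xor_bruteforce(parse_hex(escaped)):
        print(f"key=0x{key:02X} score={score:.2f} {decoded[:48]!r}")
```

The ranking surfaces the URL only for the correct key; on real samples, check the top few candidates rather than just the first, since multi-byte or rolling keys will not decode under any single byte.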
