Today we take a look at a PDF exploit (MD5: 1cf1128b9190d7344c200e1e944d7abf).
First of all let’s open the pdf file with a text editor and dig into it:
As we can see from the object definition, we have a stream compressed with zlib:
We can write a small Python script that does the dirty work for us (decompressing the stream and making the code readable).
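As an added illustration (not the script from the original post), here is a minimal Python version of that helper: it locates every stream object in the file, reads the object dictionary, and inflates the stream when the dictionary declares the FlateDecode (zlib) filter. The PDF fragment embedded below is constructed for the example and carries a harmless JavaScript string, not the sample's payload; the regular expression is deliberately simple and assumes non-nested dictionaries.

```python
import re
import zlib

# Constructed sample: one FlateDecode stream object holding a benign string.
_PAYLOAD = b"app.alert('hello');"
_COMPRESSED = zlib.compress(_PAYLOAD)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"5 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _COMPRESSED
    + b"\nendstream\nendobj\n"
)

# "<num> <gen> obj << dict >> stream ... endstream"; assumes non-nested dictionaries.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)


def extract_streams(pdf_bytes):
    """Yield (object number, dictionary text, raw stream bytes) for each stream object."""
    for m in STREAM_RE.finditer(pdf_bytes):
        yield int(m.group(1)), m.group(3), m.group(4)


def inflate_stream(dictionary, raw):
    """Inflate the stream if its dictionary declares FlateDecode, else return it unchanged."""
    if b"FlateDecode" in dictionary:
        # decompressobj tolerates trailing junk and truncated data better than zlib.decompress
        return zlib.decompressobj().decompress(raw)
    return raw


def inflate_pdf_streams(pdf_bytes):
    """Map object number -> decoded stream bytes for every stream in the file."""
    return {num: inflate_stream(dic, raw) for num, dic, raw in extract_streams(pdf_bytes)}


if __name__ == "__main__":
    for num, content in inflate_pdf_streams(SAMPLE_PDF).items():
        print(f"object {num}: {content!r}")
```

Real samples often carry several filters chained in an array (for example /ASCIIHexDecode before /FlateDecode) or split the JavaScript across objects, so treat this as the first pass, not a complete parser.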
The following is our stream after decompression:
The script decodes this stream by globally replacing ‘z’ with ‘%’ (the call is replace(/z/g, ’%’)), then passes the result to unescape and finally to eval.
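The same decoding can be reproduced offline without ever running the script. The Python below is an added example (not code from the original post): it applies the z-to-% substitution and a Python equivalent of JavaScript's legacy unescape(), which expands both %XX and %uXXXX sequences, and it stops there instead of evaluating anything. The obfuscated string is constructed for the example and decodes to a harmless statement. Note that ‘z’ is not a hexadecimal digit, which is why the global replacement cannot collide with the encoded bytes.

```python
import re

# Constructed stand-in for the obfuscated layer: '%' escapes with every '%' turned into 'z'.
SAMPLE_OBFUSCATED = "zu0061zu0070z70z2ez61z6cz65z72z74z28z27z68z69z27z29z3b"

# %uXXXX (16-bit code unit) or %XX (single byte), as JavaScript's unescape() understands them
ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text):
    """Python equivalent of JavaScript's legacy unescape(): expand %XX and %uXXXX escapes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_layer(obfuscated):
    """Mimic replace(/z/g, '%') followed by unescape(); the eval step is intentionally omitted."""
    return js_unescape(obfuscated.replace("z", "%"))


if __name__ == "__main__":
    print(decode_layer(SAMPLE_OBFUSCATED))
```

Because eval is never called, the decoded JavaScript is just text you can read, grep for further decoding layers, or feed back into the same function if the next layer uses the same trick.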
Our decompressed and cleaned-up stream is:
At the beginning of the function, we have an anti-debug trick:
If we take a closer look at this function, we can notice that the key is built only from the digit characters that appear in the function's own source code. Here is a small Python script that extracts the key:
# data holds the decoded source text of the key-building function
key = ""
for i in range(0, len(data)):
    if data[i] >= '0' and data[i] <= '9':
        key += data[i]
Let’s look at the final functions (we just focus on the relevant parts).
First of all, the exploit targets an old version of Adobe Reader, as we can see in the following snippet:
Another interesting part is the function that handles the shellcode:
From the shellcode we can obtain the website it connects to in order to download the malware:
At the time of writing this website seems to be offline, so no further analysis can be done on the downloaded malware.
The exploit targets an old vulnerability, which is reported here.
Ok that’s all… see you next post 🙂