Extracting Javascript
To extract the JavaScript from the object, we first need to decompress the zlib-compressed stream; only then does the JavaScript make sense. pdf-parser.py was used to decompress the stream and extract the JavaScript code. The screenshots below show the pdf-parser output.

The next screenshot shows just the extracted JavaScript code, but again this code is obfuscated.

After beautifying the code, the output looks a little better, but it is still obfuscated, as shown in the screenshot below. The obfuscation is there to confuse analysts and to keep security devices from detecting the payload.

When you look at the JavaScript code above you will find that all the text in blue (delimited by /* and */) is a multi-line JavaScript comment. Removing it does not affect the code in any way; it is only there to confuse analysts. After deleting all the multi-line comments, the JavaScript makes sense, as shown in the screenshot below.

Now that we have the JavaScript, executing it with SpiderMonkey gives an error, as shown in the screenshot below. The reason is that the JavaScript tries to access "this.creator", which is an Adobe-specific object: the attacker has split the JavaScript across multiple objects (multi-stage), which is another technique used to confuse analysts. this.creator refers to the creator entry of the document (marked by the /Creator tag in the PDF). This /Creator tag usually contains a string identifying the application that created the PDF document.

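The three steps described above (inflate the FlateDecode stream, strip the /* ... */ filler, and supply this.creator from the /Creator entry before running the code in a standalone engine) as an added Python example; this is not code from the post and does not use pdf-parser.py, the minimal PDF is constructed for the example, and the function names are my own.

```python
import re
import zlib

# Constructed sample standing in for the real document in the post: one object
# carrying the Info dictionary with /Creator, one FlateDecode stream holding
# JavaScript padded with /* ... */ filler comments.
_JS = b"/*junk1*/var a = this.creator;/*\nmore junk\n*/var b = a.length;"
_DEFLATED = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Creator (ABCDEF) /Producer (x) >>\nendobj\n"
    + b"2 0 obj\n<< /Length " + str(len(_DEFLATED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
CREATOR_RE = re.compile(rb"/Creator\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_streams(pdf):
    """Map object number -> inflated body for every stream object found."""
    streams = {}
    for chunk in pdf.split(b"endobj"):  # naive split; a real parser uses xref offsets
        m = OBJ_RE.search(chunk)
        if not m:
            continue
        num, dictionary, body = int(m.group(1)), m.group(2), m.group(3)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # keep the raw bytes if the stream is damaged
        streams[num] = body
    return streams


def strip_block_comments(js):
    """Drop the /* ... */ filler; removing it cannot change what the code does."""
    return COMMENT_RE.sub("", js)


def creator_string(pdf):
    """Return the /Creator literal string, or None if the document has none."""
    m = CREATOR_RE.search(pdf)
    if not m:
        return None
    return re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")


def stub_this_creator(js, creator):
    """Prepend a this.creator definition so a standalone engine such as
    SpiderMonkey sees the value Acrobat would supply from the Info dictionary."""
    escaped = creator.replace("\\", "\\\\").replace('"', '\\"')
    return 'this.creator = "%s";\n%s' % (escaped, js)
```

Feeding the returned string to a standalone engine removes the "this.creator is undefined" error without needing Acrobat.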
Continued
Malicious PDF analysis Tutorial Part 1
Malicious PDF analysis Tutorial Part 2
Malicious PDF analysis Tutorial Part 3 Extracting Javascript
Malicious PDF analysis Tutorial Part 4
Part 5 Malicious PDF analysis Tutorial Shellcode analysis