• Malicious PDF analysis

    by
    m0nna
    Published on 09-11-2011 08:00 PM
    1 Comment Comments
    Part 5

    Shellcode analysis

    Now its time to analyze the shellcode to know its capabilities, the below screeshot shows the extracted shellcode



    Uploaded with ImageShack.us

    the shellcode was converted to exe for further analysis, the below screenshot shows the conversion, the converted exe is called converted_shellcode.exe



    Uploaded with ImageShack.us

    looks at the strings and opening the convered exe in a debugger/hexeditor, you can say that the shellcode is used as a downloader, in the below screenshots you can also see referecnes to a malicious website (grinchalina8.com), the google search on that website shows that this site is malicious and also you can see references to api calls which is used by downloader and also reference to an exe (pdfupd.exe).
    In this case the “LoadLibraryA” api call is used to load urlmon.dll, then uses the api call “UrlDownloadToFileA” to download the exe file “pdfupd.exe” and then it uses “WinExec” api call to execute the downloaded executable.



    Uploaded with ImageShack.us



    Uploaded with ImageShack.us



    Uploaded with ImageShack.us

    With this i complete my analysis, i hope this will help beginners like me understand the analysis of malicious pdf document. :-)

    Malicious PDF analysis Tutorial Part 1
    Malicious PDF analysis Tutorial Part 2
    Malicious PDF analysis Tutorial Part 3 Extracting Javascript
    Malicious PDF analysis Tutorial Part 4
    Part 5 Malicious PDF analysis Tutorial Shellcode analysis
    This article was originally published in forum thread: Malicious PDF analysis started by m0nna View original post
    Comments 1 Comment
    1. fb1h2s's Avatar
      fb1h2s - 09-12-2011, 12:34 AM


      Looks like you were dealing with a phoenix kit.

  • G4H Twitter

  • Latest Posts

    amolnaik4

    Research Resources for MS SharePoint

    This page contains research notes on Microsoft’s SharePoint MOSS and WSS.

    Link:
    https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29

    amolnaik4 Today, 12:25 PM Go to last post
    b0nd

    Lolz, with the title "About Admin" I thought...

    Lolz, with the title "About Admin" I thought Admins of garage have been exposed ;)

    @hazard74, there is always a proper "way" to ask - you need to discover that. It's not that Pentesters don't have...

    b0nd Today, 09:10 AM Go to last post
    hazard74

    Ok, Anant Shrivastava. Im Sorry :)

    Ok, Anant Shrivastava.

    Im Sorry :)

    hazard74 Yesterday, 06:19 PM Go to last post
    Anant Shrivastava

    not exactly this format but a simmilar kind of a...

    not exactly this format but a simmilar kind of a format i have seen as part of malware. This url format was used to get the commands from the remote server. there was a whole bunch of domain names in...

    Anant Shrivastava Yesterday, 05:30 PM Go to last post
    Immaturedevil

    Hi Neo, Thanks for your comment. I have...

    Hi Neo,

    Thanks for your comment. I have already done that... but no success..as these URLs are not recognized by search engines as such. getting some info if anyone has come across with URLs in...

    Immaturedevil Yesterday, 05:21 PM Go to last post