PDF is the de-facto standard for exchanging documents online. That popularity has also attracted cyber criminals, who use it to spread malware to unsuspecting users, and the ability to generate malicious PDF files that distribute malware has been built into many exploit kits. Because users are less cautious about opening PDF files, the malicious PDF has become a quite successful attack vector. The network traffic captured in lala.pcap is typical of a malicious PDF attack: an unsuspecting user opens a compromised web page, which redirects the user’s browser to the URL of a malicious PDF file. As the browser’s PDF plug-in opens the PDF, an unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user’s machine.
Q1: How many URL path(s) are involved in this incident?
Ans: 6
Detail: Opening the file in Wireshark and applying the filter “http.request.full_uri” gives us 6 unique URLs (the 5th and 7th requests are duplicates).
Q2: What is the URL which contains the JS code?
Ans: http://blog.honeynet.org.my/forensic_challenge/
Detail: The file “index.html” contains the JavaScript code, and it resides under the path above.
Q3: What is the URL hidden in the JS code?
Ans: http://blog.honeynet.org.my/forensic_challenge/getpdf.php
Detail: Debug the JavaScript inside index.html by placing a breakpoint at “GaDemee(ZeJexn);”, which is actually an eval() call, and read the contents it evaluates.
Q4: What is the MD5 hash of the PDF file contained in the packet?
Ans: 659cf4c6baa87b082227540047538c2a
Detail: Export the packet bytes for the file and compute the MD5 hash with any tool of choice.
Q5: How many object(s) are contained inside the PDF file?
Ans: 19
Detail: You can get this by running pdfid on the file.
Q6: How many filtering schemes are used for the object streams?
Ans: 4
Detail: These can be found with “pdf-parser.py -s filter <pdf filepath/name>”.
Q7: What is the number of the ‘object stream’ that might contain malicious JS code?
Ans: 5
Detail: Opening the PDF file in PDFStreamDumper shows that object 5 contains obfuscated JavaScript.
Q8: Analyzing the PDF file. What ‘object-streams’ contain the JS code responsible for executing the shellcodes? The JS code is divided into two streams. Format: two numbers separated with ‘,’. Put the numbers in ascending order
Ans: 7,9
Detail: As seen in the screenshot for question 7, the JavaScript in object 5 calls app.doc.syncAnnotScan() and app.doc.getAnnots() to pull data from annotation references. To find those references we can run “pdf-parser -s annot <pdf filepath/name>”, which shows object 6 referencing object 7 and object 8 referencing object 9; both objects 7 and 9 contain obfuscated data.
Q9: The JS code responsible for executing the exploit contains shellcodes that drop malicious executable files. What is the full path of malicious executable files after being dropped by the malware on the victim machine?
Ans: c:\WINDOWS\system32\a.exe
Detail: In question 7 we saw that the JavaScript inside object 5 takes the data from objects 7 and 9 and performs a replace operation on certain characters. We can do this manually by copying the data from objects 7 and 9 into a plain text file and using the text editor’s find-and-replace to remove those characters, which leaves us with hex.
Converting the hex to ASCII yields four different exploit codes containing shellcodes.
All that remains is to copy the shellcode data, save it in a text file, and scan that file with scdbg: “scdbg -f <filename.txt>”.
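The manual deobfuscation steps above (strip the replaced characters, decode the hex, lift out the shellcode for scdbg) as a small script. This is an added example, not code from the original write-up; the filler characters, the sample exploit string and the %u encoding are constructed assumptions, since the write-up does not reproduce the actual contents of objects 7 and 9.

```python
"""Q9 helper: undo the JS replace() obfuscation on the data pulled from
objects 7 and 9, decode the resulting hex to text, then pull %uXXXX-encoded
shellcode out of the recovered exploit code as raw bytes for an emulator
such as scdbg. Added example, not code from the original write-up. The
filler characters, sample exploit string and %u encoding are constructed
assumptions; the write-up does not reproduce the real object contents."""
import re
import struct


def strip_filler(blob: str, filler: str) -> str:
    """Mimic the JS .replace() step: drop every filler character."""
    return "".join(ch for ch in blob if ch not in filler)


def hex_to_text(hexstr: str) -> str:
    """Decode a clean hex string to text (latin-1 keeps every byte value)."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
        raise ValueError("leftover non-hex data; filler set is incomplete")
    return bytes.fromhex(hexstr).decode("latin-1")


def recover_js(blob: str, filler: str) -> str:
    """Full Q9 pipeline for one object stream: strip fillers, then unhex."""
    return hex_to_text(strip_filler(blob, filler))


def extract_shellcode(js: str) -> bytes:
    """Return the longest %uXXXX run in the recovered JS as raw bytes.
    Each %uXXXX is one little-endian 16-bit unit, as JS unescape() yields."""
    runs = re.findall(r"(?:%u[0-9a-fA-F]{4})+", js)
    if not runs:
        return b""
    units = re.findall(r"%u([0-9a-fA-F]{4})", max(runs, key=len))
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


# Constructed sample standing in for the data in objects 7 and 9: a short
# exploit-style string, hex encoded, with '@' and '#' fillers interleaved.
FILLERS = "@#"
SAMPLE_JS = 'var sc = unescape("%u9090%u9090%uc931%ue8db"); sc.length;'
_hexed = SAMPLE_JS.encode("latin-1").hex()
OBFUSCATED = "#" + "@".join(_hexed[i:i + 2] for i in range(0, len(_hexed), 2)) + "#"

if __name__ == "__main__":
    js = recover_js(OBFUSCATED, FILLERS)
    sc = extract_shellcode(js)
    print(js)
    print(sc.hex())  # write sc to a file and pass that file to scdbg -f
```

If hex_to_text raises, the filler set passed to strip_filler does not yet cover every character the original replace() removed; compare against the replace() calls in object 5 and extend it.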
Q10: The PDF file contains another exploit related to CVE-2010-0188. What is the URL of the malicious executable that the shellcode associated with this exploit drop?
Ans: http://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe
Detail: As shown in the previous answer, the shellcode downloads the executable from this URL and saves it as a.exe.
Q11: How many CVEs are included in the PDF file?
Ans: 5
Detail: There are 5 CVEs in total: 1 used by the JavaScript in object 5 and 4 inside objects 7 and 9.