Thursday, August 27, 2009

Complex Obfuscated JS code in PDF ** fhijafif.cn

Obfuscated JavaScript in PDF exploits is becoming more complex day by day, to the point where Wepawet (a free service for analysing JavaScript, Flash and PDF files) often fails to produce a result. The sample "hereEvenMore.pdf" is one example on which Wepawet was unable to extract any exploit or eval'd code.

Below is the JavaScript code found after applying the FlateDecode filter. It looks really messy, and it is hard to tell what algorithm is used to decode it.

However, after carefully reading through the JavaScript code, a replace function was found. It gave me the idea to replace the string "!@?" with an empty string, which produces the result below.

The screen below shows the UCS-2 encoded string, which can then be de-obfuscated.

The de-obfuscated code ends with a malicious link to "http://fhijafif.cn/fex/update.php?id=2".
The sample "load.exe" submitted to VirusTotal got only a minor detection rate of 4/41, and "hereEvenMore.pdf" only 8/38.
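As an added example (not the script from the sample and not part of the original post), the two steps above in Python: strip the "!@?" junk that the script's own replace() removes, then decode the %uXXXX UCS-2 escapes and pull out the URL. The sample string and the placeholder URL it decodes to are constructed; the %u escape form and the little-endian two-bytes-per-unit packing are assumptions about the sample's encoding, not something the post states.

```python
import re

# Constructed sample, NOT the script from hereEvenMore.pdf. The junk token
# "!@?" is spliced between and even inside %uXXXX escapes, and the escapes
# decode to a placeholder URL rather than the real one.
SAMPLE = ("%u7468!@?%u7074%u2f!@?3a%u652f%u6178!@?%u706d"
          "%u656c%u692e%u766e!@?%u6c61%u6469%u782f%u702e%u7068")

JUNK = "!@?"
UCS2_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
URL_RE = re.compile(r"https?://[\w.\-/?=&%]+")


def strip_junk(s, junk=JUNK):
    """Step 1: the same replace() the obfuscated script performs on itself.
    This must run before escape parsing, because junk inside an escape
    ("%u2f!@?3a") would otherwise hide that unit from the regex."""
    return s.replace(junk, "")


def decode_ucs2(s):
    """Step 2: decode %uXXXX units (the form JS unescape() accepts; assumed).
    If every unit is below 0x100 each unit is one character; otherwise each
    unit is treated as two packed bytes, low byte first, which is how
    shellcode-style strings are usually laid out."""
    units = [int(h, 16) for h in UCS2_ESCAPE.findall(s)]
    if not units:
        return ""
    if all(u < 0x100 for u in units):
        return "".join(chr(u) for u in units)
    raw = b"".join(bytes((u & 0xFF, u >> 8)) for u in units)
    return raw.decode("latin-1")


def deobfuscate(s):
    """Junk removal first, then escape decoding."""
    return decode_ucs2(strip_junk(s))


def extract_urls(text):
    """Pull any URLs out of the decoded string for blocklisting / IoC notes."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE)
    print("decoded:", decoded)
    print("urls:", extract_urls(decoded))
```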

fhijafif.cn = 195.88.191.46 (Blacklisted)

Domains sharing the same IP address:
