Saturday, September 26, 2009

Against PDF Exploit /ASCIIHexDecode /FlateDecode

PDF exploit files whose malicious JavaScript is hidden behind the /ASCII85Decode and /FlateDecode stream filters are common nowadays, because the filters keep the code out of reach of naive string scanning. Recently, however, samples that use the /ASCIIHexDecode filter for the same purpose have been gaining popularity. Note that these are encoding filters, not encryption: anything that applies the filter chain listed in the stream's /Filter entry gets the original script back.

The /ASCIIHexDecode filter


The stream is dumped and its filters undone with Didier Stevens' pdf-parser.py, and the resulting JavaScript is pasted into Malzilla's Decoder. The code looks like the figure below.

The eval() result ends up looking like the figure below.


After the %u-escaped string is converted with the UCS2 decoder, the shellcode turns out to download three malware files under different names.
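The steps above can be done without either tool. The following is an added example, not the author's script and not code from pdf-parser.py or Malzilla: it implements the /ASCIIHexDecode, /ASCII85Decode and /FlateDecode filters, applies them in the order the stream's /Filter array lists them, converts the unescape("%uXXXX...") string back into little-endian shellcode bytes, and looks for download paths in the result. The PDF it runs on is constructed inside the block for demonstration (a NOP sled plus two of the paths from this post, escaped, deflated and hex encoded); the regular expressions and the assumption that the shellcode carries its URLs in the clear are simplifications and not something the post states about the real sample.

```python
import re
import zlib
import base64


def ascii_hex_decode(data: bytes) -> bytes:
    """PDF /ASCIIHexDecode filter: hex digit pairs, whitespace ignored,
    '>' marks end of data, an odd trailing digit is read as if followed by 0."""
    end = data.find(b'>')
    if end != -1:
        data = data[:end]
    digits = re.sub(rb'\s+', b'', data)
    if len(digits) % 2:
        digits += b'0'
    return bytes.fromhex(digits.decode('ascii'))


def ascii85_decode(data: bytes) -> bytes:
    """PDF /ASCII85Decode filter: optional '<~' prefix, '~>' end marker,
    'z' shorthand for four zero bytes (base64.a85decode handles the rest)."""
    data = re.sub(rb'\s+', b'', data)
    if data.startswith(b'<~'):
        data = data[2:]
    end = data.find(b'~>')
    if end != -1:
        data = data[:end]
    return base64.a85decode(data)


# Filters are undone in the order the /Filter array names them.
FILTERS = {
    b'/ASCIIHexDecode': ascii_hex_decode,
    b'/ASCII85Decode': ascii85_decode,
    b'/FlateDecode': zlib.decompress,
}

# Flat stream dictionary plus body; nested << >> dictionaries need a real
# parser such as pdf-parser.py. The lookahead keeps one match per object.
STREAM_RE = re.compile(
    rb'<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream', re.S)
FILTER_RE = re.compile(rb'/Filter\s*(?:\[(?P<arr>[^\]]*)\]|(?P<one>/\w+))')
# Simplification: host/path strings stored in the clear inside the shellcode.
URL_RE = re.compile(rb'[A-Za-z0-9.-]+\.[a-z]{2,}/[\w./-]+')


def filter_chain(stream_dict: bytes) -> list:
    """Return the filter names from a /Filter entry (array or single name)."""
    m = FILTER_RE.search(stream_dict)
    if not m:
        return []
    names = m.group('arr') if m.group('arr') is not None else m.group('one')
    return re.findall(rb'/\w+', names)


def decode_stream(filters, raw: bytes) -> bytes:
    for name in filters:
        raw = FILTERS[name](raw)
    return raw


def decode_ucs2_shellcode(js: bytes) -> bytes:
    """unescape('%uXXXX') yields UTF-16LE code units, so each %u word is
    two shellcode bytes in little-endian order."""
    words = re.findall(rb'%u([0-9A-Fa-f]{4})', js)
    return b''.join(int(w, 16).to_bytes(2, 'little') for w in words)


def extract_download_urls(pdf: bytes) -> list:
    """Decode every stream, recover the %u shellcode, list its URL strings."""
    urls = []
    for m in STREAM_RE.finditer(pdf):
        js = decode_stream(filter_chain(m.group('dict')), m.group('body'))
        urls.extend(URL_RE.findall(decode_ucs2_shellcode(js)))
    return urls


def build_sample_pdf() -> bytes:
    """Constructed sample, not the file from the post: NOP sled plus two of
    the post's download paths, %u-escaped, deflated, hex encoded, wrapped
    in a single stream object with the filter chain the post describes."""
    payload = (b'\x90' * 4
               + b'trombocit.com/fr2/bksv3.exe\x00'
               + b'trombocit.com/fr2/cmrv3.exe\x00')
    words = [int.from_bytes(payload[i:i + 2], 'little')
             for i in range(0, len(payload), 2)]
    js = b'var sc = unescape("' + b''.join(b'%%u%04x' % w for w in words) + b'");\n'
    hexed = zlib.compress(js).hex().encode('ascii')
    body = b'\n'.join(hexed[i:i + 64] for i in range(0, len(hexed), 64)) + b'>'
    return (b'%PDF-1.4\n1 0 obj\n<< /Length ' + str(len(body)).encode()
            + b' /Filter [ /ASCIIHexDecode /FlateDecode ] >>\nstream\n'
            + body + b'\nendstream\nendobj\n')


if __name__ == '__main__':
    for url in extract_download_urls(build_sample_pdf()):
        print(url.decode())
```

Real shellcode rarely stores its download URL as a plain string (it is usually XOR'ed or built on the stack), so when the string search comes back empty the next step is to run the decoded bytes in an emulator or debugger rather than to trust that there is no downloader in them.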

URLs the shellcode downloads the malicious files from:
trombocit.com/fr2/bksv3.exe
trombocit.com/fr2/ahkmpswy3.exe
trombocit.com/fr2/cmrv3.exe
trombocit.com = 211.95.78.119

Other domains resolving to the same IP address:

abbcp.cn
bobunium.com
byblegum.biz
hubbabybba.biz
netvisao.biz
poppka.net
ppp3ppp.biz
soft-nintend.biz
trombocit.com

