The ASCII85Decode filter looks like this in the stream dictionary and the start of the stream:
<< /Length 5982 /Filter [/ASCII85Decode /FlateDecode] >>
stream
Gb"/+99SDH%D7Q/TEY@k_Vp\<]U4Zh0FON1!g"N*;Qm*44Pob*U:Nun&r8b-anMFbIfJ0;J,emXs%Mss ;SK>ZLF\)Xr/Oj9p%`l^Vs")f>]HS&s7s5!r&rsc5Q>ZJha?K)a728>d=(9Tqt%9:T"i[Z`YE"Dch"a]
To decode the ASCII85Decode-encoded stream, I am using the "pdf-parser.py" Python script contributed by Didier Stevens. The latest "pdf-parser.py" supports the ASCII85Decode and ASCIIHexDecode filters.
Besides that, the JavaScript Decode function of the Malzilla hunting tool was used to de-obfuscate the JavaScript extracted with "pdf-parser.py".
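As an added example (my own code, not Didier Stevens' pdf-parser.py and not the bytes of this sample), here is a decoder for the PDF form of ASCII85 that runs the [/ASCII85Decode /FlateDecode] chain shown above; the stream it decodes is constructed inline, and the filter names and helper functions are assumptions for this illustration.

```python
import base64
import zlib

def _group_to_bytes(digits, nbytes):
    """Fold five base-85 digits into a 32-bit word; keep its first nbytes."""
    value = 0
    for d in digits:
        value = value * 85 + d
    if value > 0xFFFFFFFF:
        raise ValueError("ASCII85 group exceeds 32 bits")
    return value.to_bytes(4, "big")[:nbytes]

def ascii85_decode(data: bytes) -> bytes:
    """Decode a PDF /ASCII85Decode body: no '<~' prefix, '~>' marks the end,
    whitespace is ignored and a lone 'z' stands for four zero bytes."""
    eod = data.find(b"~>")
    if eod != -1:
        data = data[:eod]
    data = b"".join(data.split())  # PDF allows whitespace anywhere in the body
    out, group = bytearray(), []
    for ch in data:
        if ch == ord("z") and not group:
            out += b"\x00\x00\x00\x00"
            continue
        if not 33 <= ch <= 117:  # only '!' .. 'u' are valid digits
            raise ValueError(f"invalid ASCII85 byte {ch:#x}")
        group.append(ch - 33)
        if len(group) == 5:
            out += _group_to_bytes(group, 4)
            group = []
    if group:  # final partial group: pad with 'u' (84), keep len-1 bytes
        if len(group) == 1:
            raise ValueError("truncated ASCII85 group")
        out += _group_to_bytes(group + [84] * (5 - len(group)), len(group) - 1)
    return bytes(out)

# Assumed filter table: the two filters named in the stream dictionary above
FILTERS = {"/ASCII85Decode": ascii85_decode, "/FlateDecode": zlib.decompress}

def decode_stream(body: bytes, filters) -> bytes:
    """Apply a PDF /Filter array in order, e.g. [/ASCII85Decode /FlateDecode]."""
    for name in filters:
        body = FILTERS[name](body)
    return body

def constructed_sample():
    """Constructed stand-in for the post's stream (not the real malicious bytes)."""
    plain = b"/JS (app.alert('constructed sample'))\n" * 8
    return base64.a85encode(zlib.compress(plain)) + b"~>", plain
```

Python's own base64.a85decode(adobe=True) insists on a leading '<~', which PDF streams do not carry, so the hand-written decoder above is what you need for stream bodies.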
This crafted malicious PDF file combines several Adobe Acrobat/Reader vulnerabilities; which one is triggered depends on the installed Adobe version:
- Adobe Collab overflow
- Adobe util.printf overflow
- Adobe getIcon
After decoding with a UCS-2 decoder, the shellcode inside the PDF file turned out to download three malware samples from the Internet. However, none of the three files could be downloaded, because the server returned Error 404:
http://geroyvoin.cn/1/cfhnps3.exe
http://geroyvoin.cn/1/ortx3.exe
http://geroyvoin.cn/1/dqy3.exe
This malicious PDF (md5 = e9a51c87186fe86ffe411d9c64c565a7) was submitted to VirusTotal and received only minor detection from the security vendors (7/41 = 17.07%).
geroyvoin.cn IP address: 213.163.84.28
Other domains were sharing the same IP address.