
PDF + maldoc1 = maldoc2, (Wed, Aug 26th)

2015-08-27 10:40

I received another example of a PDF file that contains a malicious MS Office document. Sample (MD5 0c044fd59cc6ccc28a48937bc69cc0c4).

This time I want to focus on the analysis of such a sample.

First we run pdfid to identify the sample.

It contains JavaScript and an embedded file. Let

Remark that the JavaScript is not obfuscated this time. It's simple, just two lines: these 2 statements export the embedded file to a temporary folder, and then launch it (provided the user clicks OK on the warnings).
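To show what the pdfid step and the JavaScript inspection above look like in a triage script, here is an added example that is not Didier's code and not part of the original diary. It counts the same PDF name keywords pdfid reports (resolving #xx name escapes such as /J#61vaScript so that keyword obfuscation does not hide them), pulls literal-string JavaScript out of /JS (...) entries, and flags the JavaScript-plus-embedded-file pattern described in the diary. The sample PDF bytes, the file name doc.docm and the exportDataObject call inside them are constructed for the example and are not the sample from the diary.

```python
import re
from collections import Counter

# Name keywords pdfid reports that matter for this kind of sample
SUSPICIOUS_KEYWORDS = (
    b"/JavaScript", b"/JS", b"/EmbeddedFile", b"/Launch", b"/OpenAction", b"/AA",
)

NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample (not the diary's sample): a catalog with an OpenAction that
# runs an inline JavaScript string (keyword hex-escaped), plus one embedded file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (this.exportDataObject({cName: 'doc.docm', nLaunch: 2});) >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nABCD\nendstream endobj\n"
    b"4 0 obj << /Names [(doc.docm) 3 0 R] >> endobj\n"
    b"%%EOF\n"
)


def normalize_name(name: bytes) -> bytes:
    """Resolve PDF name hex escapes: /J#61vaScript -> /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def count_keywords(data: bytes) -> Counter:
    """Count occurrences of the suspicious name keywords, like pdfid does."""
    counts = Counter()
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in SUSPICIOUS_KEYWORDS:
            counts[name.decode()] += 1
    return counts


def extract_inline_js(data: bytes) -> list:
    """Return the JavaScript held in literal strings after /JS, honouring
    balanced parentheses and backslash escapes as PDF literal strings allow."""
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", data):
        i = start = m.end()
        depth = 1
        while i < len(data) and depth:
            c = data[i:i + 1]
            if c == b"\\":          # escaped character: skip it
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i   # drop the closing paren if we saw one
        scripts.append(data[start:end].decode("latin-1"))
    return scripts


def triage(data: bytes) -> dict:
    """Summarise the indicators an analyst checks before opening the embedded file."""
    counts = count_keywords(data)
    scripts = extract_inline_js(data)
    findings = {
        "has_javascript": counts["/JavaScript"] + counts["/JS"] > 0,
        "has_embedded_file": counts["/EmbeddedFile"] > 0,
        "auto_runs": counts["/OpenAction"] + counts["/AA"] > 0,
        # exportDataObject is the Acrobat JavaScript API call that writes an
        # embedded file to disk; its presence is the signal, not proof of malice
        "exports_embedded_file": any("exportDataObject" in s for s in scripts),
        "inline_scripts": scripts,
        "counts": dict(counts),
    }
    findings["dropper_pattern"] = (
        findings["has_javascript"]
        and findings["has_embedded_file"]
        and findings["exports_embedded_file"]
    )
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

Run against a real file by reading it in binary mode and passing the bytes to triage(); the keyword counts only tell you what to look at next, so the embedded file itself still goes through a separate document analysis step, as the diary does.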

So let

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Source: https://isc.sans.edu/diary.html?storyid=20079&rss
