PDF Analysis using PDFStreamDumper
PDFStreamDumper is a PDF analyzer developed by Sandsprite’s David Zimmer. He has added quite a few useful functions to make this an all-in-one, go-to tool, as you’ll soon see.
Here’s a spear-phish email that contains a malicious PDF file attachment:
This PDF file is quite unusual. When you view a PDF in Notepad, you can normally see readable strings and the magic bytes at the beginning. In this case, the PDF file has been altered:
Using a hex editor, we can see the familiar attributes that make up a PDF file:
When you open the PDF file using Adobe Acrobat Reader < 9.4, it notices that the PDF file is damaged and then repairs it. As it does so, the program crashes: it has just been compromised by the exploit, and the shellcode executes.
Let's open the PDF file using PDFStreamDumper and click on "Exploits_Scan" from the menu bar:
Down at the bottom of the stream, we can see a bunch of hex characters. This looks like shellcode to me. We can either save the decompressed stream to a text file by right-clicking on the object in the left pane,
or we can select the hex code and press Ctrl-C on the keyboard. Let’s do the latter, then click on “Load” from the main menu and choose “Shellcode File”.
This brings up a new window. The main section is blank, so we paste the hex code there. We need to tell the program that this is hex, so we select the characters and then click on “Add % to HexString” under the “Manual_Escapes” menu.
Since this is presumed to be shellcode, we can use the options under the “Shellcode_Analysis” menu. I tried to dump the shellcode using the top three options, but it didn’t work. Let’s see if it is XOR-encrypted: select the hex characters, then choose “Xor_Bruteforcer”:
Bingo! It is encrypted with the XOR key 0xF0. You can see the dropbox.com download-and-execute link:
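The XOR brute-force step above, as an added Python example that is not part of PDFStreamDumper: it accepts the escaped hex string the tool works with, tries every single-byte key, and ranks the outputs by how much readable text and how many URL markers each exposes. The opcode-like bytes and the example.invalid URL are constructed here; only the key 0xF0 comes from the post.

```python
"""Single-byte XOR brute force over a suspected shellcode blob (added example).

Mimics what PDFStreamDumper's Xor_Bruteforcer does: decode the dumped hex,
try keys 0x00-0xFF and surface the keys whose output contains readable
strings, especially URL markers, which is how the download link shows up.
"""
import re

# Strings an analyst wants to see pop out of a decoded download-and-execute stub.
URL_MARKERS = (b"http://", b"https://", b".exe", b".dll")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # 4+ consecutive printable bytes


def hex_to_bytes(text: str) -> bytes:
    """Accept the forms seen in a dumped stream: '%E8%00', '\\xe8\\x00', '0xe8' or bare 'e800'."""
    cleaned = re.sub(r"%|\\x|0x|\s", "", text)
    return bytes.fromhex(cleaned)


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme the post's sample used)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Length of printable runs, plus a heavy bonus for each URL marker found."""
    readable = sum(len(run) for run in PRINTABLE_RUN.findall(candidate))
    markers = sum(candidate.count(m) for m in URL_MARKERS)
    return readable + 20 * markers


def xor_bruteforce(data: bytes, top: int = 3):
    """Return (key, score, printable_strings) for the top-scoring keys, best first."""
    results = []
    for key in range(256):
        cand = xor_single(data, key)
        results.append((key, score(cand), PRINTABLE_RUN.findall(cand)))
    results.sort(key=lambda r: r[1], reverse=True)
    return results[:top]


# Constructed sample: a few opcode-like bytes, a placeholder URL and a NUL,
# XOR-encoded with 0xF0 and rendered as the tool's "%XX%XX..." hex string.
_PLAINTEXT = b"\x90\x90\xeb\x05" + b"http://example.invalid/update.exe" + b"\x00"
SAMPLE_HEX = "".join(f"%{b ^ 0xF0:02X}" for b in _PLAINTEXT)


def analyze(hex_text: str = SAMPLE_HEX):
    """Decode the escaped hex and brute-force it; the real key should rank first."""
    return xor_bruteforce(hex_to_bytes(hex_text))


if __name__ == "__main__":
    for key, sc, strs in analyze():
        print(f"key 0x{key:02X} score {sc}: {[s.decode() for s in strs]}")
```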
Checking that executable against VirusTotal shows that it’s likely a banking Trojan.