Here is another small trick that malicious PDFs use. The PDF contains
JavaScript code similar to the following:
// String fragments that are later joined into property names
var part1 = "pe";
var part2 = "Ty";
var part3 = "o";
var part4 = "get";
var part5 = "xOf";
// "tar"+"get" -> "target"; "z"+"o"+"o"+"m"+"Ty"+"pe" -> "zoomType",
// so fun1 starts out as event.target.zoomType (e.g. "FitWidth")
var fun1 = event["tar" + part4]["z" + part3 + part3 + "m" + part2 + part1];
// second character of the zoom type ("i") + "nde" + "xOf" -> "indexOf"
fun1 = fun1[1] + "nde" + part5;
var fun2 = "fromCharCode";
// base64 alphabet used by the decoder below
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
    "abcdefghijklmnopqrstuvwxyz" +
    "0123456789" +
    "+/=";
function decode(input) {
    ...
    // keyStr["indexOf"](...) is simply keyStr.indexOf(...)
    enc1 = keyStr[fun1](input.charAt(i++));
    ...
}
var code = decode("Q2!#$ %^&5a...#$ %^&o=!#$ %^&");
eval(code); // the decoded payload is executed here
This script sets up some variables that are used in a decoding
routine. As usual, the routine decodes a long string and the
result is then interpreted via eval().
The interesting part is how fun1 is computed. Undoing the simple
obfuscation shows that it is initialized to event.target.zoomType.
Now, event.target is a reference to the Doc object. The Doc object’s
property zoomType contains the current zoom type of the document. The
documentation lists 7 possible values:
- NoVary
- FitPage
- FitWidth
- FitHeight
- FitVisibleWidth
- Preferred
- ReflowWidth
Adobe Reader seems to return FitWidth by default.
The next step in the script extracts the second character from the zoom
type string (the letter i) and concatenates it with other strings to obtain
indexOf.
A long way to get an i…
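To see why this matters for analysis, here is an added example (not code from the original post or from Marco's blog) that emulates the only Acrobat-side input the script depends on, a Doc object with a zoomType property, resolves the obfuscated names without ever calling eval(), and then decodes a constructed sample with a plain base64 decoder written around the same keyStr[indexOf] lookup. The Doc stub, the constructed input, and the assumption that the junk separators such as "!#$ %^&" are simply stripped before lookup are all mine; the elided body of the original decode() is not reproduced. It also goes a step beyond the post by checking all seven documented zoom types: only the Fit* values have an i in second position, so a sandbox that stubs zoomType with anything else (or with an empty string) makes the decoder fail before the payload is ever exposed.

```javascript
// Added example: emulate the Acrobat inputs the sample needs and resolve
// its obfuscated names statically. Not the original malware's code.

// The seven zoomType values documented for the Doc object.
const ZOOM_TYPES = ["NoVary", "FitPage", "FitWidth", "FitHeight",
                    "FitVisibleWidth", "Preferred", "ReflowWidth"];

// Minimal stand-in for event.target (the Doc object) in an analysis sandbox.
// zoomType is the only property this sample reads. (Constructed stub.)
function makeEvent(zoomType) {
  return { target: { zoomType } };
}

// Reproduce the name construction exactly as the sample does, but return
// the resolved strings instead of using them.
function resolveNames(event) {
  const part1 = "pe", part2 = "Ty", part3 = "o", part4 = "get", part5 = "xOf";
  const prop = "z" + part3 + part3 + "m" + part2 + part1;   // "zoomType"
  const zoom = event["tar" + part4][prop];                   // event.target.zoomType
  const method = zoom[1] + "nde" + part5;                    // zoom[1] + "ndexOf"
  return { prop, zoom, method };
}

// Which documented zoom types actually yield a usable "indexOf"?
function viableZoomTypes() {
  return ZOOM_TYPES.filter(z => resolveNames(makeEvent(z)).method === "indexOf");
}

// Standard base64 decoding driven by the computed method name, the way the
// sample drives its decoder (Acrobat's JavaScript has no atob()).
const keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
               "abcdefghijklmnopqrstuvwxyz" +
               "0123456789" + "+/=";

function decodeWith(methodName, input) {
  const lookup = keyStr[methodName];
  if (typeof lookup !== "function") {
    // A wrong zoom type (e.g. "NoVary" -> "ondexOf") ends up here.
    throw new TypeError("keyStr." + methodName + " is not a function");
  }
  // Assumption for this example: anything outside the alphabet is junk.
  const clean = input.replace(/[^A-Za-z0-9+/=]/g, "");
  let out = "";
  let i = 0;
  while (i < clean.length) {
    const enc1 = lookup.call(keyStr, clean.charAt(i++));
    const enc2 = lookup.call(keyStr, clean.charAt(i++));
    const enc3 = lookup.call(keyStr, clean.charAt(i++));
    const enc4 = lookup.call(keyStr, clean.charAt(i++));
    const chr1 = (enc1 << 2) | (enc2 >> 4);
    const chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
    const chr3 = ((enc3 & 3) << 6) | enc4;
    out += String.fromCharCode(chr1);
    if (enc3 !== 64) out += String.fromCharCode(chr2); // 64 is the "=" pad
    if (enc4 !== 64) out += String.fromCharCode(chr3);
  }
  return out;
}

// Constructed input: base64 of "Hello" with the sample's style of junk inserted.
const SAMPLE_INPUT = "SGVs!#$ %^&bG8=";

// End-to-end run with the value Adobe Reader returns by default.
function decodeAsReader(input) {
  const names = resolveNames(makeEvent("FitWidth"));
  return decodeWith(names.method, input);
}
```

The value of running this before touching eval() is that the resolved names ("zoomType", "indexOf") and the decoded string can be logged and inspected, and the viableZoomTypes() check tells you which zoomType a sandbox must return for the sample to decode at all.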
Full story: Marco’s Blog
Posted on 29 January 2011. Tags: Malicious, Trick, zoomType