Using PDFExaminer to analyse Mandiant_APT2_Report.pdf

Here’s a quick walkthrough on using PDFExaminer to triage the Mandiant_APT2_Report.pdf file reported by @9bplus on his blog.

We’ve added a new feature to specify the user password for these types of encrypted documents to our command line version of the PDFExaminer:

$ php pdfex.php -p "hello" Mandiant_APT2_Report.pdf summary key key_length
summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
key=1cb6525c0c
key_length=40
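To make the key and key_length values above concrete, here is an added Python example (not PDFExaminer's code) of what the -p option has to do behind the scenes: the standard security handler turns the user password into the file key, checks it against the /U entry, and then derives the per-object key used to decrypt a stream such as object 50. It assumes revision 2 of the standard security handler (40-bit RC4, consistent with key_length=40 above; the report's actual revision is not shown). The /O, /P, /ID and /U values are constructed for the example and are not taken from Mandiant_APT2_Report.pdf.

```python
import hashlib
import struct

# Fixed padding string from the PDF spec (Algorithm 2, step a).
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A"
)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def compute_key(user_password: str, o_entry: bytes, p_value: int, id0: bytes, n: int = 5) -> bytes:
    """Algorithm 2, revision 2: MD5 over the padded password, /O, /P (as an
    unsigned little-endian 32-bit int) and the first /ID string, truncated
    to n bytes (n = 5 for a 40-bit key)."""
    padded = (user_password.encode("latin-1") + PAD)[:32]
    h = hashlib.md5()
    h.update(padded)
    h.update(o_entry)
    h.update(struct.pack("<I", p_value & 0xFFFFFFFF))
    h.update(id0)
    return h.digest()[:n]

def compute_u_r2(key: bytes) -> bytes:
    """Algorithm 4 (revision 2): /U is PAD encrypted with the file key."""
    return rc4(key, PAD)

def authenticate_user_password(user_password, o_entry, p_value, id0, u_entry):
    """Algorithm 6: recompute /U from the candidate password and compare.
    Returns the file key on success, None otherwise."""
    key = compute_key(user_password, o_entry, p_value, id0)
    return key if compute_u_r2(key) == u_entry else None

def object_key(file_key: bytes, obj_num: int, gen_num: int) -> bytes:
    """Algorithm 1: per-object key = MD5(file key + low 3 bytes of the object
    number + low 2 bytes of the generation), truncated to min(n + 5, 16)."""
    h = hashlib.md5(file_key + struct.pack("<I", obj_num)[:3] + struct.pack("<H", gen_num))
    return h.digest()[: min(len(file_key) + 5, 16)]

def crypt_stream(file_key: bytes, obj_num: int, gen_num: int, data: bytes) -> bytes:
    """Decrypt (or encrypt; RC4 is symmetric) one object's stream data."""
    return rc4(object_key(file_key, obj_num, gen_num), data)

# Constructed sample /Encrypt values (not those of Mandiant_APT2_Report.pdf).
SAMPLE_O = bytes(range(0x20, 0x40))                           # /O: 32 bytes, normally derived from the owner password
SAMPLE_P = -3904                                              # /P permission flags
SAMPLE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")  # first element of the trailer /ID array
SAMPLE_U = compute_u_r2(compute_key("hello", SAMPLE_O, SAMPLE_P, SAMPLE_ID))  # /U as a writer would store it

if __name__ == "__main__":
    key = authenticate_user_password("hello", SAMPLE_O, SAMPLE_P, SAMPLE_ID, SAMPLE_U)
    print("key=%s key_length=%d" % (key.hex(), len(key) * 8))
    print("wrong password ->", authenticate_user_password("wrong", SAMPLE_O, SAMPLE_P, SAMPLE_ID, SAMPLE_U))
    # Round-trip a constructed stream for object 50, generation 0.
    blob = crypt_stream(key, 50, 0, b"CWS constructed flash bytes")
    print(crypt_stream(key, 50, 0, blob))
```

The point to take from this when triaging: a 40-bit file key is only as strong as the password, and the /U check gives a fast yes/no for a candidate password, so the same routine doubles as a password-guessing oracle for documents whose password you do not already have. Once the file key is known, every stream in the file can be decrypted independently with its own object key, which is why the PDFExaminer output above can report on objects 29, 38, 50 and so on individually.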

First, the Flash file stands out pretty quickly:
$ md5 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-*
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-21351c1165e65d2ec10ef60eb1d54fd6.stream) = 21351c1165e65d2ec10ef60eb1d54fd6
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-254b68d890b500bbe54902f5bf24cf32.stream) = 254b68d890b500bbe54902f5bf24cf32
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-b1f31dc205e46ae6fbdb5ee10c1ce7a6.flash) = b1f31dc205e46ae6fbdb5ee10c1ce7a6

The compressed Flash file with MD5 254b68d890b500bbe54902f5bf24cf32 was previously submitted to VirusTotal:

SHA256: f9202a5cd9007c62a212a33809815fddd498c78f8ea667415a9cacbc7aed313c
File name: s.txt
Detection ratio: 12 / 42
Analysis date: 2012-08-21 09:22:42 UTC ( 6 months ago )

 Exploit:SWF/CVE-2011-0611

Now that the PDF is decrypted, we can keep working through it. Object 64 is a whopping 315K; we'll run that one through Cryptam, since it seems to be an encrypted exe:

$ php cryptam.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream summary has_exe key
summary=94: string.This program cannot be run in DOS mode
27750: string.GetCommandLineA
27936: string.GetProcAddress
28544: string.EnterCriticalSection
27690: string.CloseHandle
27676: string.CreateFileA
27734: string.KERNEL32
20995: string.ExitProcess
has_exe=1
key=12

There we can see that an exe encoded with a one-byte XOR key of 0x12 is embedded in Object 64. The MZ header is incomplete, so the exe is not automatically extracted. We run the Cryptam multi tool to do this, passing the key explicitly:

$ php cryptam_multi.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream -xor 12
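The key=12 line above comes from string matching, not from the MZ header. The following added Python example (not Cryptam's code) reproduces that approach in a general form: it tries every single-byte XOR key, scores each by how many well-known PE strings it exposes, and then checks the MZ and PE signatures separately, so a stream whose DOS header has been damaged is still recovered. The encoded input is a constructed stand-in for Object 64, not the real stream.

```python
import re

# Known-plaintext markers present in nearly every Win32 PE. Cryptam's
# summary above matched strings of exactly this kind.
MARKERS = [
    b"This program cannot be run in DOS mode",
    b"KERNEL32",
    b"GetProcAddress",
    b"GetCommandLineA",
    b"ExitProcess",
]

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def find_xor_key(data: bytes):
    """Try all 256 single-byte keys and return (key, hits) for the key that
    exposes the most marker strings; hits maps marker -> list of offsets.
    Nothing here depends on the MZ header being intact."""
    best_key, best_hits = None, {}
    for key in range(256):
        decoded = xor_bytes(data, key)
        hits = {}
        for marker in MARKERS:
            offsets = [m.start() for m in re.finditer(re.escape(marker), decoded)]
            if offsets:
                hits[marker.decode()] = offsets
        if len(hits) > len(best_hits):
            best_key, best_hits = key, hits
    return best_key, best_hits

def check_pe_headers(decoded: bytes) -> dict:
    """Report whether the decoded buffer carries the MZ signature and a PE
    signature at e_lfanew (offset 0x3C). A damaged MZ header with an intact
    PE header is exactly the case where automatic carving fails."""
    has_mz = decoded[:2] == b"MZ"
    e_lfanew = int.from_bytes(decoded[0x3C:0x40], "little") if len(decoded) >= 0x40 else 0
    has_pe = 0 < e_lfanew < len(decoded) - 4 and decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return {"has_mz": has_mz, "e_lfanew": e_lfanew, "has_pe": has_pe}

def build_sample() -> bytes:
    """Constructed 1 KiB stand-in for Object 64: a PE-like layout whose
    first two bytes ('MZ') have been destroyed, XOR-encoded with 0x12."""
    plain = bytearray(1024)
    plain[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE header at 0x80
    plain[0x80:0x84] = b"PE\x00\x00"
    layout = {0x4E: MARKERS[0],          # DOS stub text at its usual offset
              0x200: b"KERNEL32",
              0x220: b"GetProcAddress",
              0x240: b"GetCommandLineA",
              0x260: b"ExitProcess"}
    for offset, s in layout.items():
        plain[offset:offset + len(s)] = s
    return xor_bytes(bytes(plain), 0x12)

ENCODED_STREAM = build_sample()

if __name__ == "__main__":
    key, hits = find_xor_key(ENCODED_STREAM)
    print(f"key=0x{key:02x}")
    for marker, offsets in hits.items():
        print(f"  {offsets[0]}: string.{marker}")
    print(check_pe_headers(xor_bytes(ENCODED_STREAM, key)))
```

Scoring by marker count rather than stopping at the first hit matters on real samples: a single short string such as KERNEL32 can appear by chance under a wrong key, while the 38-byte DOS stub text plus several API names almost never will. Once the key is confirmed, the header check tells you whether the carved file will load as-is or needs its MZ header repaired first.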

A quick run of strings over the decoded exe shows a few interesting things:
AVG Firewall Asks for Confirmation
0x1A7B4C9F

And a Google search leads to the Contagio blog:
Win32/Trojan.Agent.AXMO
and to the same domain @9bplus found, itsec[.]eicp[.]net. These attackers previously targeted MacOS and PCs with themes related to Tibetan independence.

That’s all for now. 
