Here’s a quick walkthrough on using PDFExaminer to triage the Mandiant_APT2_Report.pdf file reported by @9bplus on his blog.
We’ve added a new feature to the command line version of PDFExaminer to specify the user password for these types of encrypted documents:
$ php pdfex.php -p "hello" Mandiant_APT2_Report.pdf summary key key_length
summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
key=1cb6525c0c
key_length=40
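The summary output above follows a simple per-finding format: object number, generation, byte offset, a category token, then a free-text message, with key/key_length lines as metadata. When triaging many documents it helps to parse that into records and rank objects by how many suspicious findings they carry (Object 50 shows up three times here). The following is an added example, not part of PDFExaminer itself; the format it assumes is inferred from the output shown in this post, and the sample input is a copy of those lines.

```python
"""Parse PDFExaminer-style summary output and rank objects for triage."""
import re
from collections import defaultdict

# One finding line: "<obj>.<gen>@<offset>: <category>[:] <message>"
# The first line carries a "summary=" prefix before the first finding.
FINDING_RE = re.compile(r"^(?:summary=)?(\d+)\.(\d+)@(\d+):\s+(\S+?):?\s+(.*)$")

# Sample input: the summary lines from the post, used here as a constructed test input.
SAMPLE_OUTPUT = """summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
key=1cb6525c0c
key_length=40
"""


def parse_summary(text: str) -> dict:
    """Split tool output into a list of finding records plus key=value metadata."""
    findings, meta = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if m:
            obj, gen, off, cat, msg = m.groups()
            findings.append({
                "obj": int(obj), "gen": int(gen), "offset": int(off),
                "category": cat, "message": msg,
            })
        elif "=" in line:
            # Trailing lines such as "key=..." and "key_length=..." are metadata.
            k, v = line.split("=", 1)
            meta[k] = v
    return {"findings": findings, "meta": meta}


def rank_objects(findings: list) -> list:
    """Return (obj, {count, categories}) pairs, busiest object first."""
    per_obj = defaultdict(lambda: {"count": 0, "categories": set()})
    for f in findings:
        per_obj[f["obj"]]["count"] += 1
        per_obj[f["obj"]]["categories"].add(f["category"])
    return sorted(per_obj.items(), key=lambda kv: (-kv[1]["count"], kv[0]))


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_OUTPUT)
    print("decryption key:", parsed["meta"].get("key"), "bits:", parsed["meta"].get("key_length"))
    for obj, info in rank_objects(parsed["findings"]):
        print(f"obj {obj}: {info['count']} finding(s) {sorted(info['categories'])}")
```

Objects that combine embedded Flash with JavaScript, or that carry several findings at once, are the ones worth pulling out and hashing first, which is exactly what the rest of the walkthrough does with Object 50.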
First – the flash file stands out pretty quickly:
$ md5 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-*
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-21351c1165e65d2ec10ef60eb1d54fd6.stream) = 21351c1165e65d2ec10ef60eb1d54fd6
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-254b68d890b500bbe54902f5bf24cf32.stream) = 254b68d890b500bbe54902f5bf24cf32
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-b1f31dc205e46ae6fbdb5ee10c1ce7a6.flash) = b1f31dc205e46ae6fbdb5ee10c1ce7a6
The compressed Flash file with MD5 254b68d890b500bbe54902f5bf24cf32 was previously submitted to Virustotal:
SHA256: f9202a5cd9007c62a212a33809815fddd498c78f8ea667415a9cacbc7aed313c
File name: s.txt
Detection ratio: 12 / 42
Analysis date: 2012-08-21 09:22:42 UTC ( 6 months ago )
Exploit:SWF/CVE-2011-0611
Now that the PDF is decrypted, we can keep working through it. Object 64 is a whopping 315K; that one we’ll run through Cryptam since it seems to be an encrypted exe:
$ php cryptam.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream summary has_exe key
summary=94: string.This program cannot be run in DOS mode
27750: string.GetCommandLineA
27936: string.GetProcAddress
28544: string.EnterCriticalSection
27690: string.CloseHandle
27676: string.CreateFileA
27734: string.KERNEL32
20995: string.ExitProcess
has_exe=1
key=12
There we can see that an exe encoded with a one-byte XOR key of 0x12 is embedded in Object 64. The MZ header is incomplete, so the exe is not automatically extracted. We run the Cryptam multi tool to do this:
$ php cryptam_multi.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream -xor 12
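The key recovery Cryptam reports above rests on a known-plaintext trick: nearly every Windows executable contains the DOS stub string "This program cannot be run in DOS mode", so for a one-byte XOR there are only 256 candidate encodings of that string to look for, and finding one gives the key without needing an intact MZ header at offset 0. The script below is an added example, not Cryptam's own code; it operates on a constructed stand-in stream (a PE-like blob with a damaged MZ signature, XOR-encoded with 0x12) rather than on the real Object 64, and the helper names are mine.

```python
"""Recover a one-byte XOR key from a stream suspected to hold an encoded PE."""
import re
from typing import Optional

# Known plaintext present in the DOS stub of almost every PE file.
DOS_STUB = b"This program cannot be run in DOS mode"
# Import names a decoded PE commonly exposes (the post's Cryptam output lists these).
PE_MARKERS = [b"KERNEL32", b"GetProcAddress", b"ExitProcess", b"CreateFileA", b"CloseHandle"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same one-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes) -> Optional[int]:
    """Try all 256 one-byte keys; return the one whose decoding exposes the DOS stub.

    Searching for the *encoded* form of the stub means the stream is never
    decoded 256 times, and it does not rely on 'MZ' at offset 0, which the post
    notes is missing from Object 64.
    """
    for key in range(256):
        if xor_bytes(DOS_STUB, key) in data:
            return key
    return None


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Minimal 'strings'-like scan for runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decode_and_report(data: bytes) -> dict:
    """Recover the key, decode the stream, and summarise what the result looks like."""
    key = find_xor_key(data)
    if key is None:
        return {"key": None, "has_exe": False, "mz_intact": False, "markers": [], "decoded": b""}
    plain = xor_bytes(data, key)
    return {
        "key": key,
        "has_exe": DOS_STUB in plain,
        "mz_intact": plain[:2] == b"MZ",          # False here: header is damaged
        "markers": [m.decode() for m in PE_MARKERS if m in plain],
        "decoded": plain,
    }


def build_constructed_sample(key: int = 0x12) -> bytes:
    """Constructed test input (not the real Object 64 stream): a PE-like blob
    whose MZ signature has been zeroed, then XOR-encoded with `key`."""
    plain = (
        b"\x00\x00"                 # damaged MZ signature, as in the post's stream
        + b"\x90" * 62              # placeholder for the rest of the DOS header
        + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # classic stub code
        + DOS_STUB + b".\r\r\n$"
        + b"\x00" * 16
        + b"PE\x00\x00" + b"\x00" * 32
        + b"KERNEL32.dll\x00GetProcAddress\x00ExitProcess\x00CreateFileA\x00CloseHandle\x00"
    )
    return xor_bytes(plain, key)


if __name__ == "__main__":
    report = decode_and_report(build_constructed_sample(0x12))
    print(f"key=0x{report['key']:02x} has_exe={report['has_exe']} mz_intact={report['mz_intact']}")
    for s in extract_strings(report["decoded"]):
        print("  ", s)
```

Because the header is damaged, the decoded buffer still needs manual repair (restoring "MZ" and checking that the e_lfanew pointer lands on "PE\0\0") before a PE parser will accept it, which is why the post falls back to the multi tool rather than relying on automatic extraction.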
A quick run of strings shows a few interesting things:
AVG Firewall Asks for Confirmation
0x1A7B4C9F
And a google search leads to the Contagio blog:
Win32/Trojan.Agent.AXMO
and the same domain as @9bplus found – itsec[.]eicp[.]net. These attackers previously targeted MacOS and PCs with themes related to Tibetan independence.
That’s all for now.