Thursday, March 17, 2011

Analyzing malware packaged in malicious PDF files

Great post from research.zscaler.com

It explains how to analyze a PDF that contains malicious code. The analysis proceeds through the following steps.


- Analyze/extract the different objects from the PDF file. In this case the file contains JavaScript code.
- Use Malzilla to evaluate the JavaScript code and extract the shellcode, which is Unicode-encoded.
- Decode the shellcode to obtain a valid executable binary.
- Use a debugger (OllyDbg) to analyze the binary. The analyst extracts the XORed code from the binary.
- Use the debugger again to analyze the extracted code. It contacts a website to download the second stage and infect the host computer.
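As an added example (not code from the Zscaler post), the two decoding steps above in Python: turning the `%uXXXX` string that the PDF's JavaScript passes to `unescape()` back into bytes, then recovering a single-byte XOR key by checking for the fixed strings of a PE header. The JavaScript fragment and the XORed payload are constructed here for the demonstration.

```python
import re
import struct

# Constructed sample: a fake PE header masked with a single-byte XOR key, held
# in a JavaScript "%uXXXX" string of the kind the post describes.
XOR_KEY = 0x5A
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode.\r\n$"

def to_unicode_escapes(data: bytes) -> str:
    """Encode bytes as JavaScript %uXXXX escapes (16-bit little-endian words)."""
    if len(data) % 2:
        data += b"\x00"                      # pad to a whole number of words
    return "".join("%%u%04x" % w for (w,) in struct.iter_unpack("<H", data))

SAMPLE_JS = 'var sc = unescape("' + to_unicode_escapes(bytes(b ^ XOR_KEY for b in FAKE_PE)) + '");'

def extract_unescape_strings(js: str):
    """Return every string literal passed to unescape() in the script."""
    return re.findall(r'unescape\(\s*["\']([^"\']*)["\']\s*\)', js)

def unicode_unescape(text: str) -> bytes:
    """Turn a %uXXXX / %XX escaped string into raw bytes, as unescape() would."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", text):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))   # one 16-bit word
        else:
            out.append(int(m.group(2), 16))                 # one plain byte
    return bytes(out)

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xor_key(data: bytes):
    """Brute-force a single-byte XOR key, using PE header constants as the oracle."""
    for key in range(256):
        plain = xor_bytes(data, key)
        if plain.startswith(b"MZ") and b"This program cannot be run" in plain:
            return key
    return None

if __name__ == "__main__":
    raw = unicode_unescape(extract_unescape_strings(SAMPLE_JS)[0])
    key = find_xor_key(raw)
    print("XOR key: %#x" % key)
    print(xor_bytes(raw, key)[:16])
```

Multi-byte keys and shellcode that only contains the PE header as an embedded blob need a sliding search for `MZ` rather than `startswith`, but the approach is the same.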
