I have a PDF file that I know for a fact contains a JavaScript script file that does something malicious, not really sure what at this point. I have successfully uncompressed the PDF file and gotten the plaintext JavaScript source code, but the code itself is kind of hidden in this syntax I haven't seen before.

Code example: this is what the majority of the code looks like

var bDWXfJFLrOqFuydrq = unescape

Can someone tell me what this is called with the %u4141?

Your problem seems to be with analyzing this JavaScript. It looks like you have already extracted the JavaScript from the PDF. I imagine that this notation with long variable/function names and hidden text characters is to confuse scanners that look for these types of things.

Since this topic (obfuscating and hiding malicious JavaScript code in harmless-looking PDF files) seems to be becoming more and more popular with malware authors, let me list some tools and websites which proved to be helpful to anyone who's a beginner in dissecting this type of threat:

- Origami-PDF: Ruby tool to analyze and generate malicious PDFs.
- Wepawet: online resource to analyse PDF/JavaScript/Flash files (generates a report).
- PDFTricks: a (non-exhaustive) list of PDF source code obfuscation methods.
- peepdf: a Python tool to explore PDFs (find out if they are malicious).
- Julia Wolf's presentation about PDF malware obfuscation.
- Jay Berkenbilt's QPDF: utility for content-preserving PDF transformations (useful command to unpack all/most compressed objects inside a PDF: …).
- Part 1 (of many) of Didier Stevens' PDF Malware Screencasts (on YouTube).
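To make the `%u4141` notation from the question visible as bytes during analysis, here is an added helper (not code from the post or from any of the tools listed above) that emulates what JavaScript's `unescape()` does with `%uXXXX` and `%XX` sequences and lays the result out as it would sit in memory; the sample string is constructed for the demonstration.

```python
# Added example: decode JavaScript unescape()-style %uXXXX / %XX sequences so
# the bytes hidden in an obfuscated string can be inspected offline.
import re
from collections import Counter

# One alternative per token: %uXXXX (UTF-16 code unit), %XX, or a literal char.
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.DOTALL)


def js_unescape_to_code_units(s: str) -> list[int]:
    """Emulate unescape(): %uXXXX -> one 16-bit code unit, %XX -> one code
    unit, and malformed or plain characters pass through unchanged (as the
    JavaScript function itself behaves)."""
    units = []
    for m in _ESC.finditer(s):
        if m.group(1) is not None:
            units.append(int(m.group(1), 16))
        elif m.group(2) is not None:
            units.append(int(m.group(2), 16))
        else:
            units.append(ord(m.group(3)))
    return units


def code_units_to_bytes(units: list[int]) -> bytes:
    """Serialize the code units as little-endian 16-bit values, which is the
    in-memory layout of such a string in a 32-bit JavaScript engine."""
    return b"".join(u.to_bytes(2, "little") for u in units)


def summarize(s: str) -> dict:
    """Return size, a hex preview and the most frequent byte with its share,
    so a long run of one value (e.g. 0x41 from %u4141) stands out."""
    units = js_unescape_to_code_units(s)
    data = code_units_to_bytes(units)
    top_byte, top_count = Counter(data).most_common(1)[0] if data else (None, 0)
    return {
        "code_units": len(units),
        "bytes": len(data),
        "hex_prefix": data[:16].hex(),
        "dominant_byte": top_byte,
        "dominant_ratio": (top_count / len(data)) if data else 0.0,
    }


# Constructed sample, not taken from any real PDF.
SAMPLE = "%u4141%u4141%u4141%u4141"

if __name__ == "__main__":
    print(summarize(SAMPLE))
```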