The above screenshots show some of the interesting blocks, which were used to uncover the malicious code inside. The “pdf-parser.py” tool has some very good options for parsing particular objects inside the file. I looked at the documentation of the tool and some of the options looked valuable to me. Here are some options and documentation directly copied from the PDF Tools site.
“Filter option applies the filter(s) to the stream. For the moment, only FlateDecode is supported (e.g. zlib decompression). The raw option makes pdf-parser output raw data (e.g. not the printable Python representation). Objects outputs the data of the indirect object whose ID was specified. This ID is not version dependent. If more than one object has the same ID (disregarding the version), all these objects will be outputted.”
This is what we need to run against suspicious blocks or objects inside the PDF file. I then ran the following command against object ID 110:
D:\ >pdf-parser.py --object=110 --raw --filter malicious-file.pdf > output.log
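As an added illustration (not part of the original post and not pdf-parser's own code), here is a small Python routine that does what the command above does: find every indirect object with a given ID, cut out its stream and apply FlateDecode. The sample PDF and the harmless script embedded in its object 110 are constructed for this example.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose object 110 holds a FlateDecode stream
# around a harmless script, standing in for the object pulled out above.
SAMPLE_SCRIPT = b'app.alert("constructed sample script");'
DEFLATED = zlib.compress(SAMPLE_SCRIPT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 110 0 R >> >>\nendobj\n"
    b"110 0 obj\n<< /Length " + str(len(DEFLATED)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + DEFLATED + b"\nendstream\nendobj\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n")


def iter_stream_objects(pdf):
    """Yield (obj_id, dictionary, raw_stream) for each object that has a stream."""
    for m in OBJ_RE.finditer(pdf):
        obj_id, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        if s is None:
            continue                      # no stream in this object
        dictionary, data = body[:s.start()], body[s.end():]
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        if length:                        # trust a direct integer /Length
            raw = data[:int(length.group(1))]
        else:                             # otherwise cut at the endstream keyword
            raw = data[:data.rfind(b"endstream")].rstrip(b"\r\n")
        yield obj_id, dictionary, raw


def extract_object(pdf, obj_id, apply_filter=True):
    """Return the stream(s) of `obj_id`, inflated when the dictionary names /FlateDecode.
    A list, because incremental updates can leave several objects with the same ID."""
    results = []
    for oid, dictionary, raw in iter_stream_objects(pdf):
        if oid != obj_id:
            continue
        if apply_filter and b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                # Truncated stream: keep whatever inflates before the data ends
                raw = zlib.decompressobj().decompress(raw)
        results.append(raw)
    return results
```

Calling extract_object(SAMPLE_PDF, 110) returns the inflated script; with apply_filter=False you get the raw deflated bytes, which is what the --raw switch without --filter gives you.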
From here it was easy to work. I opened the Malzilla (malware hunting) tool and copied the above script into its decoder section. I clicked the ‘Run Script’ button and found another script, this time in readable format. Here is how it looked:
Let’s copy this into a text file so that we can see the whole script. This is a screenshot of the full script used in the PDF file:
That’s it for now. Happy hunting!!!