Lab 2

The document analyzes two malicious files: a PDF containing JavaScript code that executes on opening and a DOC file containing malicious macros. Static and behavioral analysis techniques are used to analyze the files, including using VirusTotal to search hashes, pdfid.py to analyze PDF objects, pdf-parser.py to view the JavaScript code, and oledump.py to extract macros from the DOC. The analysis reveals malicious JavaScript code in the PDF that executes on opening and malicious macro code in the DOC that checks whether the file is read-only before executing.

Uploaded by

Vadim Ciubotaru

MINISTRY OF EDUCATION AND RESEARCH

Universitatea Tehnică a Moldovei


Faculty of Computers, Informatics and Microelectronics
Department of Software Engineering and Automation
Study programme: Information Security

REPORT
Course: AMID

Laboratory work 2
"Reverse engineering concepts. Static, dynamic and behavioural
analysis. Protection techniques in malicious programs"

Student: Ciubotaru Vadim, SI-211M
Evaluator: Persianov Svetoslav

Chișinău, 2021
1. Malicious PDF
SHA256 000c07e3b9954d3fb92986bbbc3fb057e01fe06132a9a65226f0539b89a9cd07
MD5 9397770de7ae8b180d582869087fdadd
Every downloaded file should be checked with an antivirus or on VirusTotal. In this case VirusTotal
flags the hash of this file as malicious.

Image 1 – Pdf on virus total

With pdfid.py we list all the objects in the PDF file. The interesting things the script finds here
are “/JavaScript” and “/OpenAction”. If these objects are present, the PDF may contain JavaScript
code that is executed when the PDF is opened.

Image 2 – pdfid.py utility

Let’s check what the “/JavaScript” object is. With the command “pdf-parser.py malicious-pdf.bin” we see
all the objects.

Image 3 – JavaScript object


Object “4 0” (an “/Action”) holds a reference to object “/JS 5 0 R” and some code.

Image 4 – JS code
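As an added example (not part of the lab report or of the pdfid.py/pdf-parser.py tools), the script below reproduces the first two triage steps above: it computes the MD5 and SHA256 to look up on VirusTotal and counts the pdfid.py keywords, resolving hex-escaped name objects so an obfuscated “/J#61vaScript” is still counted. The sample PDF bytes are constructed here, not taken from the analyzed file.

```python
import hashlib
import re

# Keywords reported by pdfid.py; the report above flagged /JavaScript and /OpenAction.
SUSPICIOUS_KEYWORDS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
# A PDF name object is '/' followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")

def normalize_name(raw: bytes) -> str:
    """Resolve #xx hex escapes so an obfuscated /J#61vaScript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def count_keywords(data: bytes) -> dict:
    """Count each suspicious name object in the raw bytes, the way pdfid.py does."""
    counts = dict.fromkeys(SUSPICIOUS_KEYWORDS, 0)
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def verdict(counts: dict) -> str:
    """Script plus an automatic trigger is the combination found in the lab's PDF."""
    has_script = counts["/JavaScript"] + counts["/JS"] > 0
    auto_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    if has_script and auto_trigger:
        return "suspicious: script with automatic trigger"
    if has_script or counts["/Launch"] or counts["/EmbeddedFile"]:
        return "review: active content present"
    return "no active-content indicators"

def triage(data: bytes) -> dict:
    """Hashes to look up on VirusTotal, plus keyword counts and a verdict."""
    counts = count_keywords(data)
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "counts": counts, "verdict": verdict(counts)}

# Constructed minimal PDF (not the lab's sample): /OpenAction points at a JavaScript
# action whose /S name is hex-escaped, which a plain grep for "/JavaScript" would miss.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"4 0 obj << /Type /Action /S /J#61vaScript /JS 5 0 R >> endobj\n"
              b"5 0 obj << /Length 18 >> stream\napp.alert('demo');\nendstream endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run it on any downloaded file by reading the file's bytes and passing them to triage(); a non-zero /JavaScript or /OpenAction count is the cue to open the object with pdf-parser.py as the report does.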

2. Malicious Doc
MD5 0a253bf970e5239a341bc3583baa34e3
SHA256 8dc970c1aeaf7d53f4ed9aaecca5f7de962fe1b5d3a2aee2c3b5b656e566a7ca
Searching VirusTotal by hash shows that the file is a malicious DOC.

Image 5 – Hash search on virus total

Image 6 – Malicious doc information

“oledump.py” finds 2 macro streams; let’s check them.


We see the malicious code that calls the function “QhQEBJEHTy” from macro stream 8.

Image 7 – Macro stream 7


The malicious code checks whether the document is opened read-only; if it is, the code is not executed.

Image 8 – Macro stream 8
