Lab 19-3 Solutions

Short Answers

  1. The PDF contains an example of CVE-2008-2992: buffer overflow related to Adobe Reader’s util.printf JavaScript implementation.

  2. The shellcode is encoded using JavaScript’s percent-encoding and is stored along with the JavaScript in the PDF.

  3. The shellcode manually imports the following functions:

    • LoadLibraryA

    • CreateProcessA

    • TerminateProcess

    • GetCurrentProcess

    • GetTempPathA

    • SetCurrentDirectoryA

    • CreateFileA

    • GetFileSize

    • SetFilePointer

    • ReadFile

    • WriteFile

    • CloseHandle

    • GlobalAlloc

    • GlobalFree

    • ShellExecuteA
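The decoding described in answer 2 and the API list in answer 3 are the two things an analyst reproduces first when triaging a PDF of this kind: pull the `unescape()` string literals out of the embedded JavaScript, turn the percent-encoded text back into raw bytes, and then check which Windows API names appear as strings in the result. The script below is an added example and is not code from the book or from the lab; the JavaScript sample it decodes is constructed for illustration and is not the Lab 19-3 shellcode, and the extraction regex assumes the payload sits in double-quoted `unescape("...")` calls.

```python
import re

# Constructed sample (NOT the Lab 19-3 bytes): JavaScript of the shape found in
# malicious PDFs. "%uXXXX" encodes one 16-bit code unit, which becomes two
# little-endian bytes; "%XX" encodes a single byte. The decoded blob here is a
# short NOP run followed by two API name strings.
SAMPLE_JS = (
    'var sc = unescape("%u9090%u9090");\n'
    'sc += unescape("%4c%6f%61%64%4c%69%62%72%61%72%79%41%00");\n'
    'sc += unescape("%u7243%u6165%u6574%u7250%u636f%u7365%u4173%u0000");\n'
)

# The functions answer 3 says the shellcode resolves by hand.
EXPECTED_APIS = [
    "LoadLibraryA", "CreateProcessA", "TerminateProcess", "GetCurrentProcess",
    "GetTempPathA", "SetCurrentDirectoryA", "CreateFileA", "GetFileSize",
    "SetFilePointer", "ReadFile", "WriteFile", "CloseHandle", "GlobalAlloc",
    "GlobalFree", "ShellExecuteA",
]

# Assumption: payload strings are passed to unescape() as double-quoted literals.
STRING_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
ESCAPE_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def js_unescape_to_bytes(s: str) -> bytes:
    """Decode a JavaScript unescape()-style string into raw bytes.

    %uXXXX -> two bytes, little-endian (matches how the shellcode lands in
    memory as a JS string); %XX -> one byte; anything else is copied as a
    Latin-1 byte.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(s):
        out.extend(s[pos:m.start()].encode("latin-1"))
        if m.group(1) is not None:
            out.extend(int(m.group(1), 16).to_bytes(2, "little"))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out.extend(s[pos:].encode("latin-1"))
    return bytes(out)


def extract_unescape_payloads(js: str) -> list[str]:
    """Return the string literals handed to unescape(), in source order."""
    return STRING_RE.findall(js)


def decode_shellcode(js: str) -> bytes:
    """Concatenate every decoded unescape() payload into one blob."""
    return b"".join(js_unescape_to_bytes(p) for p in extract_unescape_payloads(js))


def nop_sled_length(blob: bytes) -> int:
    """Count leading 0x90 bytes, a quick hint that the blob is a sled + shellcode."""
    n = 0
    while n < len(blob) and blob[n] == 0x90:
        n += 1
    return n


def find_api_strings(blob: bytes, names: list[str] = EXPECTED_APIS) -> list[str]:
    """Report which expected API names occur as plain ASCII strings in the blob."""
    return [name for name in names if name.encode("ascii") in blob]


if __name__ == "__main__":
    blob = decode_shellcode(SAMPLE_JS)
    print(f"decoded {len(blob)} bytes, NOP sled of {nop_sled_length(blob)}")
    print("API names present:", find_api_strings(blob))
```

Run against a real sample, the decoded blob is what you would load into a shellcode emulator or disassembler; if `find_api_strings` comes back empty even though the code clearly calls APIs, the names are probably being resolved by hash rather than by string, which is worth noting in the report.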

  4. The shellcode creates the files %TEMP%\foo.exe and %TEMP%\bar.pdf.

  5. The shellcode extracts two files stored encoded within the malicious PDF and writes them to the user’s %TEMP% directory. It executes the foo.exe file and opens the bar.pdf
