Lab 19-3 Solutions

Short Answers

  1. The PDF contains an example of CVE-2008-2992: buffer overflow related to Adobe Reader’s util.printf JavaScript implementation.

  2. The shellcode is encoded using JavaScript’s percent-encoding and is stored along with the JavaScript in the PDF.

  3. The shellcode manually imports the following functions:

    • LoadLibraryA

    • CreateProcessA

    • TerminateProcess

    • GetCurrentProcess

    • GetTempPathA

    • SetCurrentDirectoryA

    • CreateFileA

    • GetFileSize

    • SetFilePointer

    • ReadFile

    • WriteFile

    • CloseHandle

    • GlobalAlloc

    • GlobalFree

    • ShellExecuteA

  4. The shellcode creates the files %TEMP%\foo.exe and %TEMP%\bar.pdf.

  5. The shellcode extracts two files stored encoded within the malicious PDF and writes them to the user’s %TEMP% directory. It executes the foo.exe file and opens the bar.pdf

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.