1
00:00:00,650 --> 00:00:02,210
Hello and welcome back.

2
00:00:02,570 --> 00:00:12,650
In this video, we are going to do a practical on analyzing a PDF document, which you have already

3
00:00:12,650 --> 00:00:19,630
downloaded from an earlier lesson.

4
00:00:20,300 --> 00:00:26,780
And we are going to use three tools, which we looked at in the previous lesson.

5
00:00:27,350 --> 00:00:33,230
That is pdfid, pdf-parser and peepdf.

6
00:00:34,350 --> 00:00:42,390
So the first thing we do is to run pdfid, so I type pdfid

7
00:00:44,030 --> 00:00:55,580
dot py, because this is a Python script, followed by the name of the file that I want to

8
00:00:55,730 --> 00:01:02,450
look into, and it shows the result of the analysis.

9
00:01:03,140 --> 00:01:12,650
The first line shows that there is a header here with this string %PDF-1.3,

10
00:01:13,190 --> 00:01:17,480
and this means the version of it is 1.3.

11
00:01:18,630 --> 00:01:27,000
And 13 objects, 14 objects altogether, and two streams, going down.

12
00:01:27,510 --> 00:01:32,050
We will see that these are all the objects that have been detected.

13
00:01:33,660 --> 00:01:39,970
Of particular interest will be the OpenAction object.

14
00:01:40,980 --> 00:01:43,140
The OpenAction object is the

15
00:01:44,150 --> 00:01:50,990
directive, the object that will cause the PDF to execute something when the PDF is opened.

16
00:01:51,950 --> 00:01:57,800
And then if you look further, we will see that there is JavaScript embedded in this file,

17
00:01:58,670 --> 00:02:06,830
so most probably the OpenAction will run the JavaScript that is listed here.

18
00:02:07,340 --> 00:02:17,300
So these are the important objects that we have found from this preliminary analysis using pdfid.

19
00:02:17,750 --> 00:02:22,800
The next thing we will do is run pdf-parser.

20
00:02:22,970 --> 00:02:24,890
So let's open a new terminal.
21
00:02:28,260 --> 00:02:32,910
And navigate to the folder that contains our malicious PDF file.

22
00:02:41,650 --> 00:02:44,080
Now we will run pdf-parser

23
00:02:46,480 --> 00:02:57,550
dot py, and we will use the search option, and we will search for one of the objects that has been

24
00:02:57,550 --> 00:03:03,060
found by pdfid, which is the OpenAction object.

25
00:03:03,850 --> 00:03:10,240
So here we specify OpenAction; note that it is case insensitive.

26
00:03:12,330 --> 00:03:15,540
And followed by the name of the file, and hit Enter.

27
00:03:17,180 --> 00:03:26,740
And from here, we see that it has found the OpenAction, which is in the object 1

28
00:03:26,750 --> 00:03:29,840
0, and it is of type Catalog.

29
00:03:30,830 --> 00:03:35,240
And inside here, these are the details of the OpenAction object.

30
00:03:36,110 --> 00:03:44,810
And between the left and right arrows, it shows what object, what is the content of the OpenAction.

31
00:03:45,590 --> 00:03:54,350
And we see there is a JavaScript, /JS JavaScript, and it also shows us part of the string that is

32
00:03:54,350 --> 00:03:56,240
found in the JavaScript.

33
00:03:57,380 --> 00:04:09,200
So this tells us that when this PDF is opened, it will use the OpenAction object to execute a JavaScript

34
00:04:10,040 --> 00:04:12,630
which has this function.

35
00:04:13,460 --> 00:04:20,390
Now that we have found that the JavaScript is present within this file and confirmed it, the next

36
00:04:20,390 --> 00:04:27,860
thing we do is we will use pdf-parser to search for the JavaScript object.

37
00:04:29,730 --> 00:04:40,470
JavaScript, if you remember, was also found by pdfid, so let us clear the screen and repeat

38
00:04:40,470 --> 00:04:40,920
the same

39
00:04:40,920 --> 00:04:49,980
command; just use your up arrow key, press it, and then here we change the name of the object that we

40
00:04:49,980 --> 00:04:54,770
wish to search for, JavaScript, and hit Enter.
41
00:04:56,220 --> 00:05:02,550
And now you will see that there are three JavaScripts that have been found.

42
00:05:03,180 --> 00:05:05,760
The first one is the object 1 we have just seen.

43
00:05:07,260 --> 00:05:09,030
The second one is object 7.

44
00:05:10,500 --> 00:05:17,550
And then the third one is object 13. All these three are referencing JavaScript, and object 7, inside

45
00:05:17,550 --> 00:05:27,780
it, you will see that it is referencing object 10, which is listed here, which is JavaScript then.

46
00:05:28,290 --> 00:05:31,800
So object 7 refers to object 10.

47
00:05:33,600 --> 00:05:41,820
It is also making a further reference to object 13, and 13 is also JavaScript.

48
00:05:42,400 --> 00:05:50,710
So now we need to dig further into object 7 and object 10; since object 7 is referring to

49
00:05:50,710 --> 00:05:53,620
object 10, we need to investigate object 10.

50
00:05:54,450 --> 00:06:00,680
And since object 10 is also referring to object 13, we also need to reference object 13.

51
00:06:01,390 --> 00:06:03,820
So let us now open a terminal.

52
00:06:08,250 --> 00:06:11,690
Go to the folder containing our malware.

53
00:06:18,870 --> 00:06:33,930
And we are going to repeat the scan with pdf-parser, and this time we are going to search for objects.

54
00:06:34,120 --> 00:06:37,140
So we need to change the option to object.

55
00:06:38,430 --> 00:06:48,450
And we specify object 10, which is listed here, followed by the name of the file.

56
00:06:49,380 --> 00:06:51,090
And also here you find that object

57
00:06:51,090 --> 00:06:57,720
10 refers to an object, and it is now calling JavaScript.

58
00:06:58,740 --> 00:07:06,860
So object 10, as you can see from here in the previous scan, previous search, refers to object 13.

59
00:07:07,290 --> 00:07:09,840
So ultimately we move to object 10.
60
00:07:11,510 --> 00:07:20,180
Now, object 10 here refers to object 13, and this suggests that it is actually in object 13, so we

61
00:07:20,180 --> 00:07:21,430
should go to object 13.

62
00:07:21,980 --> 00:07:28,010
So we repeat the search, this time for object 13.

63
00:07:29,660 --> 00:07:38,930
And finally, we found our JavaScript, and the object in itself has a filter with parameter FlateDecode,

64
00:07:38,940 --> 00:07:45,990
which means it is zlib compressed, and it has a length of one thousand one hundred eighty three

65
00:07:45,990 --> 00:07:46,410
bytes.

66
00:07:48,970 --> 00:07:59,380
So by default, pdf-parser does not filter or apply any of the parameters in the filter, but

67
00:07:59,380 --> 00:08:04,410
we can tell it to do so, so we can repeat the same command.

68
00:08:04,690 --> 00:08:18,940
But this time we will tell the parser to use the filter that we have, and also the dash w option to output the raw

69
00:08:19,000 --> 00:08:21,970
format without any formatting.

70
00:08:22,610 --> 00:08:32,120
So you press Enter now and you see this is the output after it has applied the filter to uncompress

71
00:08:32,140 --> 00:08:41,320
it, and you can see here the JavaScript code, and you can also see the carriage return new line, which

72
00:08:41,320 --> 00:08:46,050
is in there, and some function, an unescape function.

73
00:08:46,540 --> 00:08:53,890
And if you scroll down you can see a very interesting function, Colletta info, as well.

74
00:08:55,270 --> 00:09:02,830
So now we know that it has got this JavaScript, which you can see, but it is not properly, nicely formatted

75
00:09:02,830 --> 00:09:04,310
and it's difficult to read.

76
00:09:04,840 --> 00:09:13,000
So we need to dump it to a separate file and analyze it with a suitable JavaScript editor.

77
00:09:13,450 --> 00:09:19,390
So to do that we can repeat the command, but this time we are going to, let me clear the screen.
78
00:09:19,810 --> 00:09:21,150
This time we are going to dump.

79
00:09:21,520 --> 00:09:28,330
So we put a dash d, dump, and then the name of the file that we wish it to be called.

80
00:09:29,170 --> 00:09:40,030
We would call it obj13.js and Enter, and it gives some output, some output references, as well

81
00:09:40,030 --> 00:09:42,870
as a new file so far.

82
00:09:42,880 --> 00:09:48,420
And we can see here, as you can see, this new file has been created.

83
00:09:49,030 --> 00:09:57,670
And then if we see here in the GUI, we can see it here, and we can open it by clicking and opening

84
00:09:57,670 --> 00:09:59,280
it with Visual Studio Code.

85
00:10:02,120 --> 00:10:09,650
Visual Studio Code displays the whole thing nicely for me, so that we can easily read it, and over here

86
00:10:09,650 --> 00:10:12,890
we see that there is a function.

87
00:10:14,270 --> 00:10:21,770
With a getName and some other escape functions as well, and another function

88
00:10:21,800 --> 00:10:26,870
here, a loop here, and there is another function called Lepton info.

89
00:10:27,330 --> 00:10:29,330
So there's one more thing we can do.

90
00:10:29,510 --> 00:10:30,710
With pdf-parser.

91
00:10:31,460 --> 00:10:33,380
So with pdf-parser,

92
00:10:33,630 --> 00:10:37,270
we have managed to extract the JavaScript function.

93
00:10:38,000 --> 00:10:43,700
So let me show you how you can use pdf-parser and YARA together.

94
00:10:44,720 --> 00:10:55,470
So to do that we type pdf-parser dot py and then pass it the dash y option, which means to use the

95
00:10:55,490 --> 00:11:02,410
YARA rules to scan, and then we specify the location of the rules itself.

96
00:11:05,910 --> 00:11:10,480
The index.yar file, followed by the name of the file

97
00:11:10,530 --> 00:11:13,340
you want to scan, and now you can hit Enter.
98
00:11:14,880 --> 00:11:24,730
And if we use the YARA scan, it has found a match; it says that there is a possible exploit in object

99
00:11:24,730 --> 00:11:25,310
13.

100
00:11:26,370 --> 00:11:34,760
And it is a stream object, and it is compressed, a filter FlateDecode, one thousand one hundred three bytes.

101
00:11:35,250 --> 00:11:44,250
And you remember earlier on when we scanned this file with pdfid, YARA, if you did not see this, that

102
00:11:44,250 --> 00:11:48,180
is because this stream is compressed.

103
00:11:48,750 --> 00:11:57,600
Now when you use pdf-parser, pdf-parser was smart enough to be able to uncompress the stream using the

104
00:11:57,600 --> 00:12:05,700
filter, and then because it has uncompressed it, YARA is able to look inside the stream and detect that

105
00:12:06,030 --> 00:12:06,720
exploit.

106
00:12:07,380 --> 00:12:10,890
So this output here, object 13, is exactly what we saw

107
00:12:11,280 --> 00:12:18,890
when we did manual analysis using pdf-parser earlier.

108
00:12:19,350 --> 00:12:28,140
If you have a problem with using pdf-parser with dash y, some of you may find some errors,

109
00:12:28,410 --> 00:12:35,300
some errors about unable to open include files, or other kinds of errors.

110
00:12:35,940 --> 00:12:45,480
Then you can watch another video following this video on how you can fix that error, and then once you

111
00:12:45,480 --> 00:12:54,930
fix that error, you can come back to this project and we will use another, different tool, peepdf, to analyze

112
00:12:54,930 --> 00:12:55,980
this file.

113
00:12:56,700 --> 00:12:57,800
Thank you for watching.

114
00:12:57,810 --> 00:12:59,580
I'll see you in the next one.