1
00:00:00,650 --> 00:00:02,210
Hello and welcome back.

2
00:00:02,570 --> 00:00:12,650
In this video, we are going to do that particular on analyzing PDF document, which you have already

3
00:00:12,650 --> 00:00:19,630
downloaded from an earlier lesson called that PDF, that period.

4
00:00:20,300 --> 00:00:26,780
And we are going to use three tools, which we looked at in the previous lesson.

5
00:00:27,350 --> 00:00:33,230
That is PDF idee, PDF Passa and be PDF.

6
00:00:34,350 --> 00:00:42,390
So the first thing we do is to run PDAF I.D., so I typedef.

7
00:00:44,030 --> 00:00:55,580
I'd tell you why, because this is a Python script, followed by the name of the video that I want to

8
00:00:55,730 --> 00:01:02,450
get into, and it shows the result of the analysis.

9
00:01:03,140 --> 00:01:12,650
The first line shows that there is a prayer here with this string percentage PDAF dash one point three,

10
00:01:13,190 --> 00:01:17,480
and this means the version of it within one point three.

11
00:01:18,630 --> 00:01:27,000
And 13 objects, 14 objects altogether and two streams going down.

12
00:01:27,510 --> 00:01:32,050
We will see that these are all the objects that has been detected.

13
00:01:33,660 --> 00:01:39,970
Of particular interest will be the ocean object.

14
00:01:40,980 --> 00:01:43,140
The open ocean object is the.

15
00:01:44,150 --> 00:01:50,990
Directive, the object will cost PDF to execute something when the PDAF is open.

16
00:01:51,950 --> 00:01:57,800
And then if you looked up further, we will see that there are JavaScript embedded in these files,

17
00:01:58,670 --> 00:02:06,830
so most probably the operation will run the JavaScript that is listed here.

18
00:02:07,340 --> 00:02:17,300
So these are the important objects that we have found from this preliminary analysis using PDF, Heidi.

19
00:02:17,750 --> 00:02:22,800
The next to that, we will form a PDF parser.

20
00:02:22,970 --> 00:02:24,890
So let's open a new terminal.

21
00:02:28,260 --> 00:02:32,910
And navigate to the folder that contains our malicious PDA file.

22
00:02:41,650 --> 00:02:44,080
Now will run BTX Pusser.

23
00:02:46,480 --> 00:02:57,550
Don't be shy and we will use the search option and we will search for one of the objects that has been

24
00:02:57,550 --> 00:03:03,060
found by PDF, which is the open ocean object.

25
00:03:03,850 --> 00:03:10,240
So here we specify open ocean, not that it is case in sensitive.

26
00:03:12,330 --> 00:03:15,540
And followed by the name of the father and hit Enter.

27
00:03:17,180 --> 00:03:26,740
And from here, we see that he has found the open ocean, which is having the object is one of ocean

28
00:03:26,750 --> 00:03:29,840
zero and it is of a type catalogue.

29
00:03:30,830 --> 00:03:35,240
And inside here, these are details of the open ocean object.

30
00:03:36,110 --> 00:03:44,810
And between the left and right arrows, he shows what object, what is the content of the open ocean.

31
00:03:45,590 --> 00:03:54,350
And we see Dave is a JavaScript, G.S. JavaScript, and he also shows us part of the string that is

32
00:03:54,350 --> 00:03:56,240
found in the JavaScript.

33
00:03:57,380 --> 00:04:09,200
So this tells us that when this PDF is open, he will use the open ocean object to execute a JavaScript

34
00:04:10,040 --> 00:04:12,630
which is having this function.

35
00:04:13,460 --> 00:04:20,390
Now, the fundi JavaScript, we have found that it is present within this file and confirm the next

36
00:04:20,390 --> 00:04:27,860
thing we do is we will use parser to search for the JavaScript object.

37
00:04:29,730 --> 00:04:40,470
JavaScript is, if you remember, was also found in PDF, Heidi, so let us clear the screen and repeat

38
00:04:40,470 --> 00:04:40,920
the same.

39
00:04:40,920 --> 00:04:49,980
Come on, just move your Ibaraki press on it and then here we change the name of the object that we

40
00:04:49,980 --> 00:04:54,770
wish to search for gain javascript and hit enter.

41
00:04:56,220 --> 00:05:02,550
And now you will see that there are three JavaScript that has been found.

42
00:05:03,180 --> 00:05:05,760
The first one is the object, one we have just seen.

43
00:05:07,260 --> 00:05:09,030
The second one is object seven.

44
00:05:10,500 --> 00:05:17,550
And then the third one is subject to all these three are referencing JavaScript and objects seven inside

45
00:05:17,550 --> 00:05:27,780
it you will see that it is referencing four objects which is listed for here, which is JavaScript then.

46
00:05:28,290 --> 00:05:31,800
So Objects Seven refers to Object Ten.

47
00:05:33,600 --> 00:05:41,820
I.A. is also making a further reference to an object 13 and 13 is also JavaScript.

48
00:05:42,400 --> 00:05:50,710
So now we need to dig further into object segment and object to since Objects seven is referring to

49
00:05:50,710 --> 00:05:53,620
Object 10, we need to investigate Object 10.

50
00:05:54,450 --> 00:06:00,680
And since Object Job is also referring to object, I think we also need to reference objective.

51
00:06:01,390 --> 00:06:03,820
So that is now open at the terminal.

52
00:06:08,250 --> 00:06:11,690
Go to the folder containing our malware.

53
00:06:18,870 --> 00:06:33,930
And we are going to repeat the scan brief passer by, and this time we are going to search for objects.

54
00:06:34,120 --> 00:06:37,140
So we need to change the option to object.

55
00:06:38,430 --> 00:06:48,450
And we specify Object 10, which is listed here, followed by the name of their player.

56
00:06:49,380 --> 00:06:51,090
And also here you find an object.

57
00:06:51,090 --> 00:06:57,720
Tengu refers to object, which has codenames object, and it is not calling you script.

58
00:06:58,740 --> 00:07:06,860
So object your as you can see from here in the previous scan, previous search refers to object 13.

59
00:07:07,290 --> 00:07:09,840
So ultimately move object 10.

60
00:07:11,510 --> 00:07:20,180
Now, an object here refers to object hitting this suggest, which is actually in object 13, so we

61
00:07:20,180 --> 00:07:21,430
should go to object 13.

62
00:07:21,980 --> 00:07:28,010
So we repeat the search this time to object to object 13.

63
00:07:29,660 --> 00:07:38,930
And finally, we found out JavaScript and the object that in itself has a filter with barometer flattened

64
00:07:38,940 --> 00:07:45,990
content, which means it is easily compressed and he has a line or one thousand one hundred eighty three

65
00:07:45,990 --> 00:07:46,410
bytes.

66
00:07:48,970 --> 00:07:59,380
So by default, PDAF pastor does not filter or play any of the of the parameters in the filter, but

67
00:07:59,380 --> 00:08:04,410
we can tell it to do so so we can repeat the same command.

68
00:08:04,690 --> 00:08:18,940
But this time we will tell the pastor to use the filter that we have and also to DSW to output the raw

69
00:08:19,000 --> 00:08:21,970
format without any formatting.

70
00:08:22,610 --> 00:08:32,120
So you press enter now and you see this is the output after it has applied the filter to Uncompress

71
00:08:32,140 --> 00:08:41,320
it and you can see here the JavaScript code and you can also see the carriage return new line which

72
00:08:41,320 --> 00:08:46,050
is in Turkey and some function and escape function.

73
00:08:46,540 --> 00:08:53,890
And if you scroll down you can see some very interesting function Colletta info as well.

74
00:08:55,270 --> 00:09:02,830
So now we know that he has got this JavaScript which you can see, but it is not properly nicely formatted

75
00:09:02,830 --> 00:09:04,310
and it's difficult to read.

76
00:09:04,840 --> 00:09:13,000
So we need to Dumela to a separate file and analyze it with suitable JavaScript editor.

77
00:09:13,450 --> 00:09:19,390
So to do that we can repeat the command, but this time we are going to put clear clearly screen.

78
00:09:19,810 --> 00:09:21,150
This time we are going to done.

79
00:09:21,520 --> 00:09:28,330
So we put a dash dum dum and then the name of the file that we wish to be caught.

80
00:09:29,170 --> 00:09:40,030
We would call LBJ 13 dogs and enter and it gives some output, some some output references and as well

81
00:09:40,030 --> 00:09:42,870
as a new file so far.

82
00:09:42,880 --> 00:09:48,420
And we can do here, as you can see this, a new file will be Dr. King.

83
00:09:49,030 --> 00:09:57,670
And then if we see here in the GUI, we can see habituating and we can open it by clicking and opening

84
00:09:57,670 --> 00:09:59,280
the officials to you could.

85
00:10:02,120 --> 00:10:09,650
Visual Studio could play nicely for me, the whole thing, so that we can easily really and over here

86
00:10:09,650 --> 00:10:12,890
we see that there is a function.

87
00:10:14,270 --> 00:10:21,770
Will the office get a name and some other escape functions as well, another function?

88
00:10:21,800 --> 00:10:26,870
Here is a look here and there is another function called Lepton info.

89
00:10:27,330 --> 00:10:29,330
So there's one more thing we can do.

90
00:10:29,510 --> 00:10:30,710
We update passa.

91
00:10:31,460 --> 00:10:33,380
So VFP pdf.

92
00:10:33,630 --> 00:10:37,270
So you have managed to extract the JavaScript function.

93
00:10:38,000 --> 00:10:43,700
So let me show you how you can use the PDF and YAARA together.

94
00:10:44,720 --> 00:10:55,470
So to do that we typedef parser not be and then pass it the dash y option, which means to use their

95
00:10:55,490 --> 00:11:02,410
YAARA rules to scan and then we specify the location of the arrows itself.

96
00:11:05,910 --> 00:11:10,480
The index Yaffa, followed by the name of the --.

97
00:11:10,530 --> 00:11:13,340
You want to scan and now you can enter.

98
00:11:14,880 --> 00:11:24,730
And if we use Tiara's scan and he has found a match, he says that the issue possible exploit object

99
00:11:24,730 --> 00:11:25,310
13.

100
00:11:26,370 --> 00:11:34,760
And it is a stream object and it is compress a filter flat line one thousand one hundred three base.

101
00:11:35,250 --> 00:11:44,250
And you remember earlier on when we scan this file that pdaf yaara, if you did not see this, that

102
00:11:44,250 --> 00:11:48,180
is because this stream is compressed.

103
00:11:48,750 --> 00:11:57,600
Now when you use PDF, possibly Bedfast was smart enough to be able to uncompress the stream using the

104
00:11:57,600 --> 00:12:05,700
filter and then because he has uncompress accuracy bortolotti look inside the stream and detect that

105
00:12:06,030 --> 00:12:06,720
exploit.

106
00:12:07,380 --> 00:12:10,890
So this output here object is exactly what we saw.

107
00:12:11,280 --> 00:12:18,890
When we get manual analysis using the PDF parser earlier.

108
00:12:19,350 --> 00:12:28,140
If you have a problem with using pure passive you Desh, why some of you may find that some errors,

109
00:12:28,410 --> 00:12:35,300
some errors about unable to open include files or other kinds of errors.

110
00:12:35,940 --> 00:12:45,480
Can you watch how another video following this video on how you can fix that error and then once you

111
00:12:45,480 --> 00:12:54,930
fix that error, you can come back to this project and we will use another different to be PDF to analyze

112
00:12:54,930 --> 00:12:55,980
this file.

113
00:12:56,700 --> 00:12:57,800
Thank you for watching.

114
00:12:57,810 --> 00:12:59,580
I'll see you in the next one.