1 00:00:00,760 --> 00:00:10,840 Hello and welcome back. A lesson ago, we did analysis of the file, that PDF, using
2 00:00:11,350 --> 00:00:19,960 pdfid and pdf-parser, and now we are going to continue the analysis using another tool, peepdf.
3 00:00:21,640 --> 00:00:23,260 So let me clear the screen.
4 00:00:25,150 --> 00:00:28,690 So to do that, we type the command peepdf,
5 00:00:30,410 --> 00:00:40,490 followed by the option -i, which means interactive mode, and the meaning of that is so that we can
6 00:00:40,490 --> 00:00:48,500 dump the suspicious file, if ever we find any. You see a blinking cursor here; there is
7 00:00:48,500 --> 00:00:51,540 a prompt, meaning that we are in interactive mode.
8 00:00:52,130 --> 00:00:59,900 So now, if you scroll down, you can see the report even gives us the hashes: MD5, SHA1, SHA
9 00:00:59,900 --> 00:01:00,470 256.
10 00:01:01,130 --> 00:01:04,280 And the version of the PDF is 1.3.
11 00:01:05,120 --> 00:01:11,030 And below that we can see it has found that this is version zero.
12 00:01:12,080 --> 00:01:19,840 Now, a PDF can have multiple versions, but usually the PDF reader will only use the latest version.
13 00:01:20,390 --> 00:01:24,860 Now, in this particular PDF there is only one version.
14 00:01:24,890 --> 00:01:26,690 Therefore, it is showing zero.
15 00:01:27,320 --> 00:01:34,790 And inside you find there is one main section, the catalog section, which is ID 1, and there are
16 00:01:34,790 --> 00:01:36,020 14 objects.
17 00:01:36,260 --> 00:01:39,980 And here are all of the objects, IDs from 1 to 14.
18 00:01:40,460 --> 00:01:46,210 And there are two streams within this PDF file: object 11 and object 13.
19 00:01:46,640 --> 00:01:54,170 And there are two encoded objects in here, which are object 11 and 13, which are the streams.
20 00:01:54,800 --> 00:02:01,610 And then in the yellow text here, you can see the suspicious elements.
21 00:02:02,060 --> 00:02:08,780 And it has found two JavaScript codes, which are in object 11 and object 13.
22 00:02:09,260 --> 00:02:18,230 And it lists all the suspicious objects, and you can see under the section named JavaScript at the bottom
23 00:02:18,230 --> 00:02:18,590 here.
24 00:02:18,800 --> 00:02:21,550 We will see something interesting.
25 00:02:21,830 --> 00:02:25,630 The name of the vulnerability is displayed here.
26 00:02:25,640 --> 00:02:32,450 We can now go online and check what the details of this vulnerability are, and probably use the information
27 00:02:32,450 --> 00:02:39,590 to help us avoid using an older version of the reader which might contain this vulnerability.
28 00:02:42,970 --> 00:02:50,680 So now that we know there is JavaScript in the object here, object 13, you can go ahead and take
29 00:02:50,680 --> 00:02:54,190 a look at the object itself, which is object 13.
30 00:02:54,970 --> 00:03:02,050 So to do that, you can go to the interactive command line here and type the command object,
31 00:03:02,500 --> 00:03:07,070 followed by the object that we wish to inspect, and enter.
32 00:03:07,750 --> 00:03:10,810 And here it shows us the JavaScript.
33 00:03:12,160 --> 00:03:19,180 And it has also automatically decoded and uncompressed it for us and shows us the JavaScript.
34 00:03:19,600 --> 00:03:27,730 Now, if we wanted to examine this in a standard editor like Visual Studio Code, which we used
35 00:03:27,730 --> 00:03:29,610 earlier, we can do that too.
36 00:03:30,130 --> 00:03:39,460 All we need to do is redirect the output of object 13 to a file, so we can call this file maybe object13
37 00:03:39,850 --> 00:03:45,060 and then underscore v2 dot js,
38 00:03:45,190 --> 00:03:46,680 and enter.
39 00:03:47,380 --> 00:03:48,670 And now we come back here.
40 00:03:48,680 --> 00:03:55,000 We see there is another file, and you can double click it and open it with Visual Studio Code.
41 00:03:55,540 --> 00:03:59,650 And you will notice that there are two identical files.
42 00:03:59,650 --> 00:04:07,510 Now, inside the new file which you just created, there is some additional text here, which is the
43 00:04:07,510 --> 00:04:10,710 output text, so we can delete it manually.
44 00:04:11,080 --> 00:04:13,330 So go here and delete this.
45 00:04:15,080 --> 00:04:24,880 And this, and now we are left with the pure JavaScript function that we extracted from this PDF file.
46 00:04:28,180 --> 00:04:35,860 So now you can study the JavaScript and try to understand what it's doing, since you have now got the
47 00:04:35,860 --> 00:04:36,760 JavaScript here.
48 00:04:37,330 --> 00:04:48,190 Now, another thing you can do with peepdf, since you have the hash, is that you can actually copy this
49 00:04:48,190 --> 00:04:57,280 hash and go to VirusTotal and check it up. So I can copy it directly and then open my browser from
50 00:04:57,280 --> 00:04:57,760 here.
51 00:05:02,200 --> 00:05:04,510 And head over to VirusTotal.
52 00:05:07,170 --> 00:05:12,000 And then click on search and paste the hash and enter.
53 00:05:14,050 --> 00:05:23,170 And you will see it has a long list of the names of the exploit. So this is how you can make use of
54 00:05:23,740 --> 00:05:30,700 peepdf. peepdf is so easy to use compared to pdfid and pdf-
55 00:05:30,700 --> 00:05:43,120 parser. In pdfid and pdf-parser, we needed to manually perform the analysis, but in peepdf we can do it
56 00:05:43,120 --> 00:05:45,930 so easily, and so fast, with just a few commands.
57 00:05:46,570 --> 00:05:47,070 So.
58 00:05:48,550 --> 00:05:56,010 So remember, when you're doing analysis, if you are using pdfid and pdf-parser, you need to be
59 00:05:56,020 --> 00:06:04,910 manually starting with pdfid as triaging, and then you get the suspicious report, if any.
60 00:06:05,110 --> 00:06:11,880 And then once you find anything suspicious, then you will use pdf-parser, and you need to hunt for the
61 00:06:11,920 --> 00:06:13,030 suspicious objects.
62 00:06:13,810 --> 00:06:21,820 But if you want to do it fast and quick, then you can go straight to peepdf. Now, for additional commands, you
63 00:06:21,820 --> 00:06:28,740 can type help here, and then you can see all the available commands that you can use
64 00:06:29,230 --> 00:06:35,050 in peepdf. This is the peepdf technical manual here.
65 00:06:41,320 --> 00:06:48,280 So now that we have managed to extract the JavaScript, remember to save your JavaScript, and in the next
66 00:06:48,640 --> 00:06:55,010 video and upcoming videos, we will analyze this extracted malicious JavaScript.
67 00:06:55,420 --> 00:06:57,460 So that's all for this lesson.
68 00:06:57,760 --> 00:06:59,200 Thank you for watching.