1
00:00:00,760 --> 00:00:10,840
Hello and welcome back to Lessons Ago, we did analysis of the file, that PDF, that perfusing using

2
00:00:11,350 --> 00:00:19,960
I.D. and PDF passa, and then now we are going to continue the analysis using another to be.

3
00:00:21,640 --> 00:00:23,260
So let me clear the screen.

4
00:00:25,150 --> 00:00:28,690
So to do that, we take the common B PDF.

5
00:00:30,410 --> 00:00:40,490
Followed by the option dashi, which means interactive mode and the meaning of right, so that we can

6
00:00:40,490 --> 00:00:48,500
dump the suspicious file, which we, if ever we find any see, and a blinking cursor here, there is

7
00:00:48,500 --> 00:00:51,540
a prompt meaning that we are in interactive mode.

8
00:00:52,130 --> 00:00:59,900
So now if you scroll down, you can see the report even gives us the hash Amde five, Shahd one shot

9
00:00:59,900 --> 00:01:00,470
five, six.

10
00:01:01,130 --> 00:01:04,280
And the version of the PD is one point three.

11
00:01:05,120 --> 00:01:11,030
And below that we can see it has found that this is version zero.

12
00:01:12,080 --> 00:01:19,840
Now, -- can have multiple versions, but usually the PDF reader who only used the latest version

13
00:01:20,390 --> 00:01:24,860
now in this particular -- only version, one version.

14
00:01:24,890 --> 00:01:26,690
Therefore, it is pushing zero.

15
00:01:27,320 --> 00:01:34,790
And inside you find there is one main section, the catalog section, which is idee one, and they are

16
00:01:34,790 --> 00:01:36,020
14 objects.

17
00:01:36,260 --> 00:01:39,980
And here all of the objects, Heidi, from one to 14.

18
00:01:40,460 --> 00:01:46,210
And there are two streams within this Profar object 11 and object 13.

19
00:01:46,640 --> 00:01:54,170
And and they are to encode it objects in here, which is subject 11 and 13, which are the streams.

20
00:01:54,800 --> 00:02:01,610
And then in the yellow text here, you can see objects be suspicious elements.

21
00:02:02,060 --> 00:02:08,780
And it has found two JavaScript code, which is an object, one in Object 13.

22
00:02:09,260 --> 00:02:18,230
And he lists all the suspicious objects and you can see what connection name JavaScript at the bottom

23
00:02:18,230 --> 00:02:18,590
here.

24
00:02:18,800 --> 00:02:21,550
We will see something interesting.

25
00:02:21,830 --> 00:02:25,630
The name of the vulnerability is to survive this here.

26
00:02:25,640 --> 00:02:32,450
We can now go online and check what the details of this vulnerability and probably use the information

27
00:02:32,450 --> 00:02:39,590
to help us avoid using an older version of the reader which might contain this vulnerability.

28
00:02:42,970 --> 00:02:50,680
So now that we know that his JavaScript in the object here object objecting, you can go ahead and take

29
00:02:50,680 --> 00:02:54,190
a look at the object itself, which is objecting.

30
00:02:54,970 --> 00:03:02,050
So to do that, you can go through the interactive command line here and type the combined object,

31
00:03:02,500 --> 00:03:07,070
followed by the object that we wish to inspect and enter.

32
00:03:07,750 --> 00:03:10,810
And here you show us the JavaScript.

33
00:03:12,160 --> 00:03:19,180
And he has also automatically decoded an uncompress it for us and show us the JavaScript.

34
00:03:19,600 --> 00:03:27,730
Now, if he wanted to examine this in a standard editor like we should to your code, which we used

35
00:03:27,730 --> 00:03:29,610
earlier, we can do that too.

36
00:03:30,130 --> 00:03:39,460
All we need to do is redirect the output, objecting to a file so we can call this file maybe objective

37
00:03:39,850 --> 00:03:45,060
and then underscore two four version two that the G.

38
00:03:45,190 --> 00:03:46,680
S and enter.

39
00:03:47,380 --> 00:03:48,670
And now we come back here.

40
00:03:48,680 --> 00:03:55,000
We see there is another file and you can double click it and open it with visuals to your code.

41
00:03:55,540 --> 00:03:59,650
And you will notice that there are two identical files.

42
00:03:59,650 --> 00:04:07,510
Now I send it the new file which you just created, has got some additional tax here, which are the

43
00:04:07,510 --> 00:04:10,710
output tax so we can delete it manually.

44
00:04:11,080 --> 00:04:13,330
So go here and delete this.

45
00:04:15,080 --> 00:04:24,880
And this and now we are left with the pure JavaScript function that they selected from this video for.

46
00:04:28,180 --> 00:04:35,860
So now you can study the JavaScript and try to understand what he's doing since you have now got the

47
00:04:35,860 --> 00:04:36,760
JavaScript here.

48
00:04:37,330 --> 00:04:48,190
Now another thing you can do with her of BP, since you have the hasher, you can actually copy this

49
00:04:48,190 --> 00:04:57,280
hash and go to various total and check it up so I can directly computers and then open my browser from

50
00:04:57,280 --> 00:04:57,760
here.

51
00:05:02,200 --> 00:05:04,510
And head over to Vivus, Toto.

52
00:05:07,170 --> 00:05:12,000
And then click on search and paste the hasher and enter.

53
00:05:14,050 --> 00:05:23,170
And you will see he has a long list of the name of the exploit, so this is how it can be use of this

54
00:05:23,740 --> 00:05:30,700
PDF PDF is so easy to use compared to the PDAF ID and PDF.

55
00:05:30,700 --> 00:05:43,120
Pazz in Feigin PDF, possibly we need it to manually perform the analysis, but in PDF we can do it

56
00:05:43,120 --> 00:05:45,930
so easily and so far have just a few months.

57
00:05:46,570 --> 00:05:47,070
So.

58
00:05:48,550 --> 00:05:56,010
So remember when you're doing analysis, if you are using player ID and PDF password, you need to be

59
00:05:56,020 --> 00:06:04,910
manually starting Previdi as triaging and then to get the suspicious report, if any.

60
00:06:05,110 --> 00:06:11,880
And then once you're for anything suspicious, then you will use Pozzo and you need to hunt it on the

61
00:06:11,920 --> 00:06:13,030
suspicious objects.

62
00:06:13,810 --> 00:06:21,820
But if you wanted to do it fast and quick, then you can go straight to the PDF now added commands you

63
00:06:21,820 --> 00:06:28,740
can secure PDF you can to help here and then you can see all the available commands that you can use

64
00:06:29,230 --> 00:06:35,050
now to this this PDF PDF Technical Moncrieffe or here.

65
00:06:41,320 --> 00:06:48,280
So now that we have managed to extract the JavaScript, remember to save your JavaScript and in a nice

66
00:06:48,640 --> 00:06:55,010
video and come upcoming videos, we will analyze this, extract that malicious JavaScript.

67
00:06:55,420 --> 00:06:57,460
So that's all for this lesson.

68
00:06:57,760 --> 00:06:59,200
Thank you for watching.