1
00:00:00,540 --> 00:00:01,860
Hello and welcome.

2
00:00:02,580 --> 00:00:11,000
In this video, I'm going to show you how I do the analysis on malware PDF 2.

3
00:00:11,760 --> 00:00:21,180
So go and download this and create a folder in this malware folder and call it 02-flat and

4
00:00:21,180 --> 00:00:23,010
put your zip file there.

5
00:00:24,330 --> 00:00:39,980
After that, go to the malware folder, the 02 folder, and then unzip the zip file. The password

6
00:00:39,990 --> 00:00:42,690
is crackinglessons.com.

7
00:00:49,860 --> 00:00:59,970
After unzipping it, you will see a new subfolder called mal_pdf_2. If you

8
00:00:59,970 --> 00:01:04,770
open it, you will see the malicious PDF file over there.

9
00:01:07,300 --> 00:01:10,340
As you can see, the name of the file is important.

10
00:01:12,160 --> 00:01:19,110
The first thing we do is to extract the metadata from this file.

11
00:01:20,440 --> 00:01:22,780
So we use the exiftool.

12
00:01:25,520 --> 00:01:31,790
I need to enter the new folder first and then use the tool.

13
00:01:34,820 --> 00:01:42,350
On the file, the first thing you notice is that this was created

14
00:01:44,800 --> 00:01:47,170
with two high tech shop,

15
00:01:48,470 --> 00:01:58,700
as shown in the Producer properties, and then you will notice the creation date is 2017 April

16
00:01:58,890 --> 00:01:59,480
21.

17
00:02:00,560 --> 00:02:11,540
Next thing we do is run the YARA scan on it, so call yara, give it the -w option to suppress warnings

18
00:02:12,410 --> 00:02:15,800
and provide a path to the rules,

19
00:02:20,470 --> 00:02:23,180
which is in the index here.
20
00:02:25,660 --> 00:02:35,800
And finally, the name of the file. Press Enter and YARA will do the scan, and you will see that YARA has

21
00:02:35,800 --> 00:02:44,920
produced something which is not very helpful; it is just showing us that there are big numbers inside this

22
00:02:44,940 --> 00:02:53,800
PDF, but it did not detect any embedded files or embedded JavaScript. YARA did not show anything

23
00:02:53,800 --> 00:03:03,310
of importance, probably because if inside this PDF file there is a file that is embedded and zipped inside

24
00:03:03,310 --> 00:03:06,950
it or compressed, then YARA will not be able to scan it.

25
00:03:07,600 --> 00:03:12,470
So in order to dig deeper, we will be using a tool called peepdf.

26
00:03:13,120 --> 00:03:14,850
So I'll open a new window

27
00:03:16,010 --> 00:03:20,000
and navigate to the location of our malware.

28
00:03:25,000 --> 00:03:36,010
So run peepdf here, give it the -i option for interactive mode, so we will be able to do additional commands from

29
00:03:36,010 --> 00:03:39,270
the peepdf command line if necessary.

30
00:03:42,550 --> 00:03:50,990
And peepdf has shown us that there is one version of this PDF inside.

31
00:03:51,550 --> 00:03:54,220
Therefore, it is version zero.

32
00:03:54,460 --> 00:04:03,010
Sometimes there can be multiple versions, and there is a section called Catalog, and the catalog is normally

33
00:04:03,400 --> 00:04:03,850
indexed.

34
00:04:03,850 --> 00:04:06,510
So I will cite the PDF.

35
00:04:07,480 --> 00:04:15,490
There is also, it says, three streams, and there are three encoded objects: three, five, seven and

36
00:04:15,490 --> 00:04:15,910
three.

37
00:04:17,020 --> 00:04:25,690
And peepdf shows that there is an object with embedded JavaScript code, which is object number

38
00:04:25,690 --> 00:04:26,160
five.

39
00:04:26,920 --> 00:04:33,820
In addition to that, there are also suspicious elements: OpenAction, which is object.
40
00:04:33,910 --> 00:04:43,480
You have some Names, and this could be embedded names, that is, files, and also JavaScript

41
00:04:43,480 --> 00:04:51,210
in object, and also some embedded file in objects 13 and 11.

42
00:04:51,880 --> 00:05:02,520
So we first examine the OpenAction. OpenAction, remember, will cause the reader to execute whatever is

43
00:05:02,530 --> 00:05:04,050
stated in the OpenAction.

44
00:05:04,510 --> 00:05:09,490
So let's try it: type object, followed by the object number.

45
00:05:10,450 --> 00:05:12,760
And you can see here the object.

46
00:05:13,570 --> 00:05:20,880
There is an OpenAction on JavaScript, and JavaScript is in object 5, and that is what we see.

47
00:05:21,430 --> 00:05:29,670
In addition to that, there is also a reference to a Names identifier, which is object 11.

48
00:05:29,950 --> 00:05:33,470
And if you see up here, 11 is embedded files.

49
00:05:34,150 --> 00:05:38,140
So before we look at the JavaScript, let us trace object 11.

50
00:05:38,950 --> 00:05:45,850
So we type object 11 and you see that object 11 has a further reference to object 10.

51
00:05:46,420 --> 00:05:50,980
So let's go for object 10 now, and it's interesting.

52
00:05:51,280 --> 00:06:03,880
And immediately we see that under the Names identifier there is a macro document. A .docm is a Microsoft

53
00:06:04,090 --> 00:06:06,700
document that has got macros in it.

54
00:06:07,060 --> 00:06:09,730
That means it has got embedded script inside it.

55
00:06:10,150 --> 00:06:18,370
So it might appear that this PDF document has got a hidden Microsoft document, which has in turn got

56
00:06:18,850 --> 00:06:27,420
macros in it, and that could be malicious. We see that this macro document is referring to object 4,

57
00:06:27,850 --> 00:06:29,890
so we can trace object 4 now.

58
00:06:32,080 --> 00:06:37,900
And there is further confirmation of object 4, which is the .docm document.
59
00:06:38,290 --> 00:06:43,270
And we also notice that it references object 3.

60
00:06:43,930 --> 00:06:44,820
So let's see one.

61
00:06:45,050 --> 00:06:45,820
Object 3.

62
00:06:51,390 --> 00:06:54,990
And we see that object 3 is some binary data.

63
00:06:55,030 --> 00:07:02,610
That's why we see all these junk characters here, so we can just press q on the keyboard to get out of

64
00:07:02,610 --> 00:07:09,810
this listing, and type info again, and go back to the main information screen. We can see here

65
00:07:10,110 --> 00:07:20,550
the object 3 is the embedded file, which contains the .docm Microsoft document, which has a macro script

66
00:07:20,560 --> 00:07:21,100
inside it.

67
00:07:21,720 --> 00:07:26,300
Let us now examine the JavaScript, object 5.

68
00:07:27,060 --> 00:07:28,590
So, object 5,

69
00:07:31,770 --> 00:07:37,150
and we find that this object 5 is a zip-encoded file.

70
00:07:37,680 --> 00:07:47,400
So the script contains this JavaScript function, which is probably to show some kind of dialog and

71
00:07:47,400 --> 00:07:50,310
to receive the response from the user.

72
00:07:51,120 --> 00:07:59,430
And we also see an exportDataObject, and exportDataObject is a JavaScript function, as you can

73
00:07:59,430 --> 00:08:00,420
refer from here.

74
00:08:02,250 --> 00:08:07,050
I also provide additional resources for your reference on

75
00:08:07,050 --> 00:08:08,180
exportDataObject.

76
00:08:08,190 --> 00:08:11,580
If you scroll down, you can see the description here.

77
00:08:11,650 --> 00:08:17,430
The explanation of this JavaScript function is:

78
00:08:18,600 --> 00:08:24,480
to accept the name of the file that you want to export as the first parameter, and the nLaunch

79
00:08:24,480 --> 00:08:29,910
parameter. So the nLaunch parameter is 2. According to this description,
80
00:08:32,080 --> 00:08:40,090
the Acrobat reader saves the file to a temporary file location and then asks the operating system to

81
00:08:40,090 --> 00:08:40,570
open it.

82
00:08:41,110 --> 00:08:49,640
That means it opens it even after exporting or extracting this file. The other values are 0 and 1.

83
00:08:49,870 --> 00:08:56,720
But in this case, in our case, the second parameter is 2 over here.

84
00:08:56,980 --> 00:08:59,950
That means the JavaScript will

85
00:09:00,870 --> 00:09:08,370
use this function to export this macro document and then launch it.

86
00:09:09,430 --> 00:09:12,530
And it will launch it from a temporary folder.

87
00:09:12,760 --> 00:09:21,420
So this bit of analysis has shown us that when this PDF opens, it executes the OpenAction,

88
00:09:21,820 --> 00:09:25,600
which then executes the JavaScript, and the JavaScript

89
00:09:25,600 --> 00:09:32,500
will then export this macro document in object 3 and then launch it.

90
00:09:33,160 --> 00:09:39,000
Earlier on, we saw that YARA had failed to detect this, and that is because of this.

91
00:09:39,790 --> 00:09:44,590
So this indicates that this file is a compressed file.

92
00:09:45,190 --> 00:09:52,090
It is compressed and embedded inside, and that's why YARA was unable to detect this exploit.

93
00:09:52,960 --> 00:09:59,710
So our next task is to extract this .docm file for analysis.

94
00:09:59,720 --> 00:10:00,870
So let's try that.

95
00:10:00,880 --> 00:10:10,810
Now I'm going to use the tool we have used before called pdf-parser, and then I will give it the parameter

96
00:10:10,810 --> 00:10:11,670
-o for object.

97
00:10:11,680 --> 00:10:19,480
And we're going to specify the object, which is object 3, and also give it the option to apply

98
00:10:19,480 --> 00:10:20,440
any filters.

99
00:10:20,680 --> 00:10:22,270
And we know that it is Flate.
100
00:10:22,420 --> 00:10:29,830
It is compressed because of this FlateDecode here, and then we also give it -w so that it will not

101
00:10:29,830 --> 00:10:34,030
go and do any pretty formatting; instead it will show the raw output.

102
00:10:34,480 --> 00:10:39,880
And we also want to dump the extracted file into another file.

103
00:10:39,910 --> 00:10:47,620
The file will be called o3, for object 3, and finally the name of the file, and hit Enter.

104
00:10:52,470 --> 00:11:00,690
OK, so you need to give the full name of the pdf-parser command, which has .py behind it, because this

105
00:11:00,690 --> 00:11:04,680
is a Python script. And now you have it.

106
00:11:05,520 --> 00:11:10,890
And here you can see that it is the compressed file.

107
00:11:10,890 --> 00:11:18,990
And we were right in giving the -f parameter in order to apply the filters to decompress the FlateDecode

108
00:11:19,040 --> 00:11:19,990
parameter.

109
00:11:20,670 --> 00:11:26,220
And now if you type ls, we can see the object file here.

110
00:11:27,670 --> 00:11:36,910
So in order to find out what type of file it is, we can use the file tool. file will tell us what our file is, and

111
00:11:36,910 --> 00:11:46,870
it says it is a Microsoft Word file, 2007+ version, meaning that this Microsoft document

112
00:11:47,050 --> 00:11:51,660
is a new version, which means that it is a Harki file.

113
00:11:51,910 --> 00:11:59,500
And so the next step will be to analyze this document, in a lesson we will be studying later.

114
00:12:00,070 --> 00:12:08,160
So we have done, we have concluded our objective of this exercise, which is to analyze and extract

115
00:12:08,170 --> 00:12:10,250
the new file, which we found.

116
00:12:10,900 --> 00:12:12,230
Thank you for watching.

117
00:12:12,280 --> 00:12:14,020
I'll see you in the next one.