Basic Static Malware Analysis On Linux

The document outlines a basic static malware analysis procedure for two suspicious PDF files using tools like pdfid, pdfparser, and peepdf on a Linux environment. After preparing the environment and collecting the samples, the analysis revealed that the first PDF contained JavaScript objects, indicating potential malicious activity, while the second PDF was also determined to be malicious after further inspection. Ultimately, both PDFs were confirmed to be malicious based on the analysis conducted.

Uploaded by Omar Hassan

Basic Static Malware Analysis on Linux

WE Innovate X Zero$ploit
Supervised by: Zeyad Waleed
Prepared by: Omar Hassan
Required Task
Two suspicious PDFs, identified by their SHA-256 hashes, to investigate and analyze using peepdf, pdfid and pdf-parser.
SHA-256
cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577

5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e

Prerequisites: Ubuntu machine

Setting    Recommended
RAM        3-4 GB
Disk       15-20 GB
CPU        1-2 Cores
Network    NAT

Phase 1: Environment Preparation

$ sudo apt update && sudo apt upgrade -y


$ sudo apt install python2 -y
$ curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
$ sudo python2 get-pip.py
$ sudo apt install p7zip-full
Installing the tools
pdfid and pdf-parser are both part of the DidierStevensSuite repository, while peepdf has its own repository:

$ cd Downloads/
$ git clone https://github.com/DidierStevens/DidierStevensSuite.git
$ git clone https://github.com/jesparza/peepdf.git

Phase 2: Collecting the Samples


MAKE SURE TO ISOLATE YOUR VIRTUAL MACHINE AFTER THE DOWNLOAD
Go to MalwareBazaar to download the samples; after that, it is recommended to switch the network adapter to host-only.
I created a directory inside Downloads/ to extract the zip files into; you can skip this step if you want and proceed as follows:

$ cd Downloads/
$ 7z x -pinfected cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577.zip
$ 7z x -pinfected 5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e.zip

Phase 3: Basic Static Analysis with pdfid

$ cd DidierStevensSuite/
$ python2 pdfid.py ../malware_lab/cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577.pdf
Suspicious Indicators

- /JS: 1
- /JavaScript: 2

This PDF contains JavaScript objects. That is a red flag, because many malicious PDFs use embedded JavaScript to trigger their exploits.
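To make clear what pdfid is actually counting, here is an added Python 3 re-implementation of its keyword scan (example code written for this write-up, not pdfid's own source). It decodes #xx hex escapes in PDF names first, because a name such as /Java#53cript is the same object key as /JavaScript and would otherwise slip past a naive string search. The embedded PDF is a constructed sample, not either of the two real files from the task.

```python
import re
from collections import OrderedDict

# Keywords pdfid reports on; the interesting ones for triage are those that
# run code or fetch resources when the document is opened.
KEYWORDS = ["/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
            "/EmbeddedFile", "/URI", "/ObjStm", "/AcroForm", "/RichMedia"]
# Subset whose presence alone justifies a closer look with pdf-parser/peepdf.
RED_FLAGS = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
             "/EmbeddedFile", "/URI", "/RichMedia"}

# Constructed sample (not a real malware file): a one-page PDF whose
# /OpenAction runs JavaScript, once spelled normally and once with a
# #-escaped name (/Java#53cript) to show why escapes must be decoded.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"5 0 obj << /S /Java#53cript /JS 6 0 R >> endobj\n"
    b"6 0 obj << /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so /Java#53cript counts as /JavaScript.
    (Applied to the whole file for simplicity; strings may change too.)"""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> "OrderedDict[str, int]":
    """Count each keyword as a whole PDF name: the next byte must be a
    delimiter (whitespace or one of ()<>[]{}/%) or end of file."""
    norm = normalize_names(data)
    counts = OrderedDict()
    for kw in KEYWORDS:
        pattern = re.escape(kw.encode()) + rb"(?![^\s()<>\[\]{}/%])"
        counts[kw] = len(re.findall(pattern, norm))
    counts["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    counts["endobj"] = len(re.findall(rb"\bendobj\b", data))
    return counts


def flagged(counts) -> list:
    """Red-flag keywords that occur at least once, in KEYWORDS order."""
    return [kw for kw in KEYWORDS if kw in RED_FLAGS and counts[kw] > 0]


def report(data: bytes) -> list:
    """Print a pdfid-style table and return the red flags found."""
    counts = count_keywords(data)
    for kw, n in counts.items():
        print(f"{kw:>14}: {n}")
    hits = flagged(counts)
    print("red flags:", ", ".join(hits) if hits else "none")
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # scan a real file given on the CLI
            report(fh.read())
    else:
        report(SAMPLE_PDF)                    # scan the constructed sample
```

On the constructed sample the scan reports /JS: 2 and /JavaScript: 2 (one of them only because the #53 escape was decoded) plus /OpenAction: 1, which is exactly the combination worth escalating: code that runs without any user click. A hit is an indicator, not a verdict; the sample's JavaScript is a harmless alert, which is why the next phases dump the actual objects.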


Now on to the second sample:

$ cd DidierStevensSuite/
$ python2 pdfid.py ../malware_lab/5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e.pdf

No suspicious indicators were found.


Phase 4: Inspecting Objects with pdf-parser

$ python2 pdf-parser.py ../malware_lab/cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577.pdf >> pdfparser_firstSample.txt

Instead of reading the whole object dump manually, you can speed this step up by feeding the saved output to an AI assistant and reviewing its summary.

The same applies to the second sample:

$ python2 pdf-parser.py ../malware_lab/5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e.pdf >> pdfparser_secondSample.txt

Phase 5: Interactive Deep Dive with peepdf

$ cd ../peepdf/
$ python2 peepdf.py ../malware_lab/cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577.pdf

FINAL VERDICT: Malicious

The same applies to the second sample:

$ python2 peepdf.py ../malware_lab/5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e.pdf

But wait…

Object 62 has a /URI entry that the other tools missed. Let's inspect this object with pdf-parser and see where the URL leads:

$ python2 pdf-parser.py ../malware_lab/5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e.pdf -O -o 62
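The lesson of object 62 is that a PDF with no JavaScript can still be malicious through a single /URI link, and that link can hide behind a hex-encoded string or a URL shortener. The following added Python 3 example (written for this write-up, not part of pdf-parser or peepdf) walks every "N G obj ... endobj" block, pulls out each /URI value whether it is a literal (...) or hex <...> string, marks hosts that are known URL shorteners, and computes the file's SHA-256 so the verdict can be checked on VirusTotal by hash instead of by visiting the link. The embedded PDF and its bit.ly path are constructed placeholders, not the real sample's URL.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample (not a real malware file): a link annotation in object 62
# carrying a shortened URL, plus one in object 63 written as a hex string.
# The bit.ly path is a placeholder, not a real link.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [62 0 R 63 0 R] >> endobj\n"
    b"62 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"  /A << /S /URI /URI (https://bit.ly/EXAMPLE-PLACEHOLDER) >> >> endobj\n"
    b"63 0 obj << /Type /Annot /Subtype /Link /A << /S /URI\n"
    b"  /URI <68747470733a2f2f6578616d706c652e636f6d2f646f63> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Uncompressed "N G obj ... endobj" blocks only; objects packed inside an
# /ObjStm stream are not visible this way (pdf-parser's -O flag covers those).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI key followed by a literal (...) string or a hex <...> string. The
# action type "/S /URI" has no string after it, so it does not match.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)

# Hosts that only redirect; a link here must be expanded before judging it.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}


def decode_literal(raw: bytes) -> str:
    """Unescape \\( \\) and \\\\ in a PDF literal string (nested parens not handled)."""
    return re.sub(rb"\\([\\()])", lambda m: m.group(1), raw).decode("latin-1")


def decode_hex(raw: bytes) -> str:
    """Decode a PDF hex string; an odd trailing digit is padded with 0 per spec."""
    digits = re.sub(rb"\s+", b"", raw).decode("ascii")
    if len(digits) % 2:
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")


def find_uris(data: bytes) -> list:
    """Return (object number, URL) for every /URI entry in the file."""
    found = []
    for m in OBJ_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(3)
        for u in URI_RE.finditer(body):
            if u.group(1) is not None:
                url = decode_literal(u.group(1))
            else:
                url = decode_hex(u.group(2))
            found.append((objnum, url))
    return found


def looks_shortened(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENERS


def triage(data: bytes) -> list:
    """One record per URL: which object holds it and whether it needs expanding."""
    return [{"obj": n, "url": u, "shortened": looks_shortened(u)}
            for n, u in find_uris(data)]


def sha256_hex(data: bytes) -> str:
    """Hash to look up on VirusTotal instead of opening the link."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print("sha256:", sha256_hex(data))
    for rec in triage(data):
        tag = "SHORTENED - expand before judging" if rec["shortened"] else ""
        print(f"obj {rec['obj']}: {rec['url']} {tag}")
```

Run against the constructed sample it lists object 62 with a bit.ly link flagged as shortened and object 63 with the decoded hex URL; run against a real file it gives the object number to pass to pdf-parser's -o and the SHA-256 to search for on VirusTotal. Keep in mind the walker only sees uncompressed objects, which is why the write-up also uses the -O option.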

The URL also turned out to be shortened, so let's check it on VirusTotal.


FINAL VERDICT: Malicious

Both PDFs are malicious.
