We covered analysing malicious macros, PDFs and memory forensics of a Jigsaw Ransomware victim, all done with the Linux-based REMnux toolset, as part of my Malware Analysis series. This also solves the TryHackMe MAL: REMnux – The Redux room.

Overview

  • The tutorial focuses on analyzing malicious PDF files for embedded JavaScript or code that could potentially harm systems.
  • Tasks covered:
    1. PDF Analysis: Identify suspicious elements in PDFs.
    2. JavaScript Extraction: Extract embedded JavaScript or malicious scripts from the files.
    3. File Inspection: Use tools to examine and validate findings.

Tools and Setup

  1. Remnux OS:
    • A Linux distribution for malware analysis.
    • Accessible via browser or SSH.
  2. PDF Analysis Tool (peepdf):
    • Used to identify and extract malicious scripts or embedded objects from PDF files.
  3. VirusTotal:
    • An online service for scanning files for malware.

What is Live Malware Analysis

Before performing any live analysis, take a backup of the compromised host and isolate it from the network. During live analysis, always use your own tools, as attackers tend to modify the existing tools on a host after compromising it.
If you are analyzing a Windows machine, mount a USB drive with known-good tools.
If you are analyzing a Linux machine, again use a USB drive with clean tools, mount it under /mnt/, and add the tool directories to the environment variables so the tools can be invoked without specifying their full path, i.e.:

export PATH=/mnt/usb/bin:/mnt/usb/sbin 

export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64

PDF Analysis & Reverse Engineering

PDF files are often embedded with malicious code by attackers. Deciding whether a PDF file is malicious starts with analyzing the embedded code.
peepdf
Display embedded code

root@kali:peepdf demo.pdf

Extracting the embedded code

root@kali:echo 'extract js > demo2.pdf' > extracted_javascript.txt

root@kali:peepdf -s extracted_javascript.txt demo.pdf

root@kali:cat demo2.pdf

Packing and Unpacking

Packers take an executable as a source and output another executable. This new executable will have had some modifications made to it depending on the packer; for example, it could be compressed and/or obfuscated using mathematical transformations.

Legitimate software developers use packing to reduce the size of their applications and, ultimately, to protect their work from being stolen. It is, however, a double-edged sword: malware authors reap the same benefits to make reverse engineering and detection of their code hard to impossible.

A few characteristics can indicate whether or not a file is packed:

  • Remember file entropy? Packed files will have a high entropy!
  • There are very few “Imports”; packed files may only import “GetProcAddress” and “LoadLibrary”.
  • The executable may have sections named after certain packers, such as UPX.

Task Breakdown

1. Initial Setup

  • Deploy the Remnux machine and access it via browser or SSH.
  • Locate the tasks directory (/home/desktop/tasks) which contains the sample PDF files for analysis.

2. PDF File Analysis

Step 1: Analyze notsuspicious.pdf using peepdf.

  • Command: peepdf <filename>
  • The tool reveals file metadata (e.g., SHA-256 checksum) and identifies suspicious elements:
    • JavaScript (JS) presence: Found in one instance.
    • Open actions and suspicious scripts.

Step 2: Extract JavaScript.

  • Use peepdf to extract embedded JavaScript into a separate text file.
  • Command to extract script: peepdf -s <script-file> <filename>
  • View the extracted JavaScript for potential harm.
    • Example: The script might pop an alert with a harmless message.

Step 3: Upload the file to VirusTotal for additional scanning.

  • Results showed:
    • The PDF contained JavaScript, but it was not flagged as malicious by most scanners.

3. Analyzing advert.pdf

Step 1: Analyze for suspicious elements.

  • Command: peepdf advert.pdf
  • Findings:
    • Multiple suspicious elements (e.g., JavaScript instances).
    • The file also includes an embedded PDF as an attachment.

Step 2: Extract JavaScript and view its purpose.

  • The script tries to open a handle to, or save, another PDF file (here, notsuspicious.pdf).
  • Command: peepdf -s <script-file> advert.pdf

Step 3: Examine behavior.

  • Open the PDF to observe its behavior:
    • A prompt suggests saving another embedded file.
    • Analyze the secondary file (notsuspicious.pdf) to check whether it contains additional suspicious scripts.

Step 4: VirusTotal Scanning.

  • Both advert.pdf and the extracted file (notsuspicious.pdf) are uploaded to VirusTotal:
    • Results confirmed malicious characteristics in advert.pdf.
    • The secondary file was less harmful but suspicious.
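The peepdf workflow from the PDF Analysis section and the task steps above (list the suspicious element categories, then extract the JavaScript and read its cName) in miniature, as an added example that is not part of the room, of peepdf, or of the real advert.pdf: it builds a constructed sample PDF with an /OpenAction JavaScript stream and an embedded file, counts suspicious keywords, inflates the FlateDecode script and pulls out cName. The keyword subset and the script body are assumptions made for the demo.

```python
import re
import zlib

# Constructed sample, not a real room file: a minimal PDF whose catalog /OpenAction points at a
# JavaScript action held in a FlateDecode stream, plus an embedded file attachment. The script
# body is an assumption for the demo (a harmless alert plus the cName the room question asks for).
JS_BODY = b'app.alert("Luckily this is harmless"); this.exportDataObject({cName: "notsuspicious"});'
def build_sample_pdf(js=JS_BODY):
    packed = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R "
            b"/Names << /EmbeddedFiles << /Names [(notsuspicious.pdf) 4 0 R] >> >> >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
            b"4 0 obj << /Type /Filespec /F (notsuspicious.pdf) /EF << /F 6 0 R >> >> endobj\n"
            b"5 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >> stream\n"
            + packed + b"\nendstream endobj\n"
            b"6 0 obj << /Type /EmbeddedFile /Length 8 >> stream\n%PDF-1.4\nendstream endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Keywords that triage tools such as peepdf report as suspicious elements (a subset chosen here).
SUSPICIOUS = [b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch",
              b"/EmbeddedFile", b"/AcroForm", b"/URI", b"/RichMedia"]

def suspicious_elements(pdf: bytes):
    """Count each suspicious keyword; the lookahead stops /EmbeddedFile also matching /EmbeddedFiles."""
    found = {}
    for kw in SUSPICIOUS:
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", pdf))
        if n:
            found[kw.decode()] = n
    return found

def extract_js(pdf: bytes):
    """Follow each '/JS n 0 R' reference to its stream object and inflate it when FlateDecode is set."""
    scripts = []
    for ref in re.finditer(rb"/JS\s+(\d+)\s+0\s+R", pdf):
        obj = re.search(rb"\n" + ref.group(1) + rb" 0 obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\nendstream",
                        pdf, re.S)
        if obj is None:
            continue
        body = zlib.decompress(obj.group(2)) if b"/FlateDecode" in obj.group(1) else obj.group(2)
        scripts.append(body.decode("latin-1"))
    return scripts

def cname_from_js(script: str):
    """Return the cName argument (the embedded file the script targets), or None if absent."""
    m = re.search(r'cName\s*:\s*"([^"]*)"', script)
    return m.group(1) if m else None
```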

Key Findings

  1. Malicious PDF Behavior:
    • Embedded JavaScript can trigger harmful actions, such as saving additional files or executing commands.
  2. Importance of Analysis:
    • Extracting and examining scripts is crucial before opening files.
  3. Automation Limitations:
    • Virus scanners may not detect all malicious behaviors, emphasizing the need for manual analysis.

Room Answers | TryHackMe MAL: REMnux – The Redux

How many types of categories of “Suspicious elements” are there in “notsuspicious.pdf”?
3

Use peepdf to extract the javascript from “notsuspicious.pdf”. What is the flag?

THM{Luckily_This_Isn’t_Harmful}

How many types of categories of “Suspicious elements” are there in “advert.pdf”?

6

Now use peepdf to extract the javascript from “advert.pdf”. What is the value of “cName”?

notsuspicious

What is the name of the Macro for “DefinitelyALegitInvoice.doc”

DefoLegit

What is the URL the Macro in “Taxes2020.doc” would try to launch?

http://tryhackme.com/notac2cserver.sh

What is the highest file entropy a file can have?

8

What is the lowest file entropy a file can have?

0

Name a common packer that can be used for applications?

UPX

Video Walkthrough | TryHackMe MAL: REMnux – The Redux

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.