Malware Analysis – File Evasion ( Part 2 ) – All things in moderation

# Malware Analysis – File Evasion ( Part 2 )

In the previous part, I revealed a few of the dirty tricks I often use on PE files to evade antivirus signatures or their emulators. As you know, the PE file is the last thing we leave on the victim's system, but to exploit that system we need something before it. I mean Microsoft Office documents, some dirty JavaScript, or PDF files…

### JavaScript

Hackers often attack victims through JavaScript-based exploits for browser vulnerabilities. Browsers like Chrome, Firefox, Internet Explorer… can be attacked through an iframe injection, or the victim can simply be tricked into visiting a vulnerable website. They use JavaScript because it is a very open language that allows code to be created on the fly, and antivirus software finds it hard to detect. The code they produce is also unusual: constructs and code patterns that are valid but difficult for humans to read and interpret, even for JavaScript programmers (while still easy for a JavaScript interpreter to run).

To illustrate this, I will show you how I often obfuscate my JavaScript code. In this case, I take only a piece of “pure code” as an example.

My JavaScript code inside HTML tag is here:

```html
<!DOCTYPE html>
<html>
<body>

<script>
// A small constructor that counts how many times SayHello is called
// and shows each message, prefixed, in a popup.
function NewObject(prefix)
{
    var count = 0;
    this.SayHello = function(msg)
    {
        count++;
        alert(prefix + msg);   // the popup described below
    };
    this.GetCount = function()
    {
        return count;
    };
}
var obj = new NewObject("Message : ");
obj.SayHello("You are welcome.");
</script>

</body>
</html>
```


You can test my code on this website: http://www.w3schools.com/html/tryit.asp?filename=tryhtml_intro . Many of us already know this site. 🙂

Click the green RUN button on this website and a popup with the message “You are welcome” shows up. Everything is as usual, and you totally understand the easy code above, right? 😀

But when I go to this site https://javascriptobfuscator.com/Javascript-Obfuscator.aspx and obfuscate my code, it becomes:

```javascript
var _0x9167=["\x53\x61\x79\x48\x65\x6C\x6C\x6F","\x47\x65\x74\x43\x6F\x75\x6E\x74","\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20","\x59\x6F\x75\x20\x61\x72\x65\x20\x77\x65\x6C\x63\x6F\x6D\x65\x2E"];function NewObject(_0xd678x2){var _0xd678x3=0;this[_0x9167[0]]= function(_0xd678x4){_0xd678x3++;alert(_0xd678x2+ _0xd678x4)};this[_0x9167[1]]= function(){return _0xd678x3}}var obj= new NewObject(_0x9167[2]);obj.SayHello(_0x9167[3])
```

For now, I think even a professional programmer still can't understand what that is.
I think programmers often use YUI Compressor. I suggest you try it.
And to test my code, I usually use the compiler from Google to compile it before I test it against some compromised systems.

At this point, we can use some small tricks like escape/unescape, executing code via a call to eval, …
Antivirus companies have many solutions to deal with JavaScript, but if we put enough obfuscation algorithms together, they can't stop us.
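As an added example (not the post's own code), here is the analyst's side of the obfuscation shown above, in JavaScript: it decodes the hex-escaped string table from the obfuscated output quoted earlier, counts the indicators a detection rule would weigh (including the eval/unescape calls just mentioned), and inlines the table so the logic reads normally again.

```javascript
// Added example, not the post's own code. Static triage of a script obfuscated
// the way the post shows: decode the hex-escaped string table, count the
// indicators a detection rule would weigh, and inline the table so the logic
// reads normally again. SAMPLE is the obfuscated output quoted in the post.
const SAMPLE =
  String.raw`var _0x9167=["\x53\x61\x79\x48\x65\x6C\x6C\x6F","\x47\x65\x74\x43\x6F\x75\x6E\x74",` +
  String.raw`"\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20","\x59\x6F\x75\x20\x61\x72\x65\x20\x77\x65\x6C\x63\x6F\x6D\x65\x2E"];` +
  'function NewObject(_0xd678x2){var _0xd678x3=0;this[_0x9167[0]]= function(_0xd678x4){_0xd678x3++;' +
  'alert(_0xd678x2+ _0xd678x4)};this[_0x9167[1]]= function(){return _0xd678x3}}' +
  'var obj= new NewObject(_0x9167[2]);obj.SayHello(_0x9167[3])';

// Decode every "..." literal made only of \xNN escapes, in order of appearance.
function decodeHexStrings(src) {
  const out = [];
  const literal = /"((?:\\x[0-9A-Fa-f]{2})+)"/g;
  let m;
  while ((m = literal.exec(src)) !== null) {
    out.push(m[1].replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
  }
  return out;
}

// Indicators of this obfuscator's output; eval/unescape are the tricks the post mentions.
function obfuscationIndicators(src) {
  return {
    hexEscapes: (src.match(/\\x[0-9A-Fa-f]{2}/g) || []).length,
    hexOnlyStrings: decodeHexStrings(src).length,
    tableMemberAccess: (src.match(/this\[\w+\[\d+\]\]/g) || []).length,   // this[_0x...[n]]
    dynamicEval: /\b(eval|unescape|Function)\s*\(/.test(src),
    hexIdentifiers: new Set(src.match(/\b_0x\w+/g) || []).size,
  };
}

// Replace NAME[i] with the decoded literal and this["Key"] with this.Key.
function inlineStringTable(src) {
  const decl = /var\s+(\w+)\s*=\s*\[((?:"(?:\\x[0-9A-Fa-f]{2})+",?)+)\];/.exec(src);
  if (!decl) return src;                       // not the pattern this handles
  const [whole, name, body] = decl;
  const table = decodeHexStrings(body);
  let code = src.replace(whole, '');
  code = code.replace(new RegExp(name + '\\[(\\d+)\\]', 'g'), (_, i) => JSON.stringify(table[Number(i)]));
  return code.replace(/this\["([A-Za-z_$][\w$]*)"\]/g, 'this.$1');
}
```

Running `inlineStringTable(SAMPLE)` gives back code in which `NewObject`, `SayHello`, `GetCount` and the two message strings are visible again, which is the form a reviewer or a signature author actually wants to look at.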

### Portable Document Format ( PDF )

The Portable Document Format (PDF) is a file format used to present documents in a manner independent of application software, hardware, and operating systems. Each PDF file encapsulates a complete description of a fixed-layout flat document, including the text, fonts, graphics, and other information needed to display it.

That is what Wikipedia says about the PDF format. But here I will do a real job to show you how to deal with a PDF file and evade antivirus.

First of all, you need to know the format of a PDF file. It follows this structure:

```
1 0 obj <</Filter /FlateDecode >>
stream
…data…
endstream
endobj
2 0 obj
…
endobj
```


The stream and the object are closed with **endstream** and **endobj** respectively, after which the next object begins. The **stream** keyword indicates that everything following it is the object's data.

• I have a dirty PDF here. Its SHA256 hash is a05a9adb177bbb5bf80802ee3af6077b67ae44ba43a5d9329fc494342a6fa512, and 26/55 engines detect it on VirusTotal.

• What if there are objects with the same number (for example, two objects with the same object number)? The last object is the one that is used, and the previous ones are ignored. So I create a fake object before “the real object 13”:

```
13 0 obj
<</Filter /AsciiHexDecode /FlateDecode /FlateDecode /FlateDecode /FlateDecode >>
```

With this trick, I only took 9 more antivirus engines down this time: now 14/54 engines detect it on VirusTotal, but we got Kaspersky down. 😀
You can recheck it via its new hash: 51b2a013c831fb25fd224f1310abc3cde72ed79f3e062d87116d1cd81acbacd6

• Additionally, I want to push harder, so I play another trick. This time I create a redirect object to deal with Bitdefender and some of the remaining AVs. This object makes many antivirus engines fail:

```
14 0 obj << /JS 13 0 R /S /JavaScript >> endobj
```

And our result: 8/54 engines are left, and you can check it via its hash: c99a9c694152b0ea1e251dfdcedb74269d5d4ffef173d5e219a5d6058edee591

You can see that the antivirus engines still detecting it are not the famous AVs. In particular, Kaspersky and BitDefender are DOWN.
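As an added example (not the post's own code), a small triage scanner in JavaScript for the two PDF tricks described above: it walks the `N G obj … endobj` blocks, flags object numbers defined more than once, JavaScript action objects and stacked decode filters. The PDF fragment is constructed to mirror the objects quoted in the post; it is not the real file.

```javascript
// Added example, not the post's own code. Static triage of the PDF tricks the
// post describes: duplicate object numbers, /JavaScript actions and stacked
// decode filters. SAMPLE_PDF is CONSTRUCTED to mirror the quoted objects.
const SAMPLE_PDF = [
  '%PDF-1.4',
  '1 0 obj <</Type /Catalog>> endobj',
  '13 0 obj',                                                   // decoy definition
  '<</Filter /AsciiHexDecode /FlateDecode /FlateDecode /FlateDecode /FlateDecode >>',
  'endobj',
  '13 0 obj <</Filter /FlateDecode /Length 11>>',               // real definition
  'stream',
  '...data...',
  'endstream',
  'endobj',
  '14 0 obj << /JS 13 0 R /S /JavaScript >> endobj',            // action pointing at 13
].join('\n');

// Split the file into "N G obj ... endobj" blocks, in file order.
function parseObjects(pdf) {
  const objs = [];
  const re = /(\d+)\s+(\d+)\s+obj\b([\s\S]*?)endobj/g;
  let m;
  while ((m = re.exec(pdf)) !== null) {
    objs.push({ num: Number(m[1]), gen: Number(m[2]), body: m[3].trim(), offset: m.index });
  }
  return objs;
}

// Report the indicators a reviewer would want to see before opening the file.
function triagePdf(pdf) {
  const objs = parseObjects(pdf);
  const definitions = new Map();   // object number -> how many times it is defined
  const findings = [];
  for (const o of objs) {
    definitions.set(o.num, (definitions.get(o.num) || 0) + 1);
    const filters = o.body.match(/\/[A-Za-z0-9]+Decode\b/g) || [];
    if (filters.length > 1) {
      findings.push(`obj ${o.num}: ${filters.length} stacked filters (${filters.join(' ')})`);
    }
    if (/\/JavaScript\b|\/JS\b/.test(o.body)) {
      const ref = /\/JS\s+(\d+)\s+\d+\s+R/.exec(o.body);
      findings.push(`obj ${o.num}: JavaScript action` + (ref ? ` (script in obj ${ref[1]})` : ''));
    }
  }
  for (const [num, count] of definitions) {
    if (count > 1) findings.push(`obj ${num}: defined ${count} times; the last definition wins`);
  }
  return { objectCount: objs.length, findings };
}
```

On the constructed sample, `triagePdf` reports the five-filter decoy, the JavaScript action in object 14 pointing at object 13, and the fact that object 13 is defined twice, which is exactly the combination the post relies on.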

In this post, I think I have shown you how to deal with JavaScript and PDF files to bypass antivirus. For security reasons, I haven't explained why I chose objects 13 and 14, but you can ask me why at any time here. Just leave a comment; I always answer for your educational purposes. 😉