1
00:00:10,240 --> 00:00:18,100
Welcome back to another video. In the previous videos, we looked at a few command-line tools for analyzing PDF files.

2
00:00:18,130 --> 00:00:22,770
We looked at PDFiD and how it can give us some better information about the PDF file.

3
00:00:22,900 --> 00:00:31,380
And we also looked at PDF parser and how we used them to analyze and extract different malicious components of the PDF file.

4
00:00:31,510 --> 00:00:37,270
In this video I want to quickly introduce you to another powerful tool, and it has a GUI interface as well.

5
00:00:37,270 --> 00:00:42,740
Again, it's a part of your FLARE PDF repository, so you don't really have to download it from anywhere else.

6
00:00:42,970 --> 00:00:46,680
And in case you don't have FLARE set up, you can obviously download that tool.

7
00:00:46,720 --> 00:00:48,530
It's called PDF Stream Dumper.

8
00:00:48,580 --> 00:00:53,330
You can search it on Google, and you can find the official link from there and you can download it.

9
00:00:53,380 --> 00:00:55,110
So let's launch PDF Stream Dumper.

10
00:00:55,150 --> 00:00:58,790
It has a very simple UI and it has a bunch of options.

11
00:00:58,810 --> 00:01:00,160
It has a JavaScript UI selection.

12
00:01:00,150 --> 00:01:01,810
It has an unescape selection.

13
00:01:01,810 --> 00:01:05,790
So this basically translates everything that is in an unescape format.

14
00:01:05,830 --> 00:01:09,330
It helps you put your manual escapes as well.

15
00:01:09,430 --> 00:01:11,650
It looks for goto-object streams.

16
00:01:11,660 --> 00:01:15,430
It helps you search, helps you find/replace.

17
00:01:15,590 --> 00:01:18,360
So these are some of the features of PDF Stream Dumper.

18
00:01:18,570 --> 00:01:26,150
Let us go ahead and open a PDF file and see how it looks in PDF Stream Dumper, so let us launch our file, example1.pdf.

19
00:01:26,150 --> 00:01:30,530
So it basically lists all the objects in hierarchical order.

20
00:01:30,530 --> 00:01:33,760
So again we start with the bottom part.

21
00:01:33,770 --> 00:01:48,510
If you remember our introductory video about PDF file formats, where we talked about PDF tools basically parsing the PDF files from downwards, where they first locate the cross-reference table and from there they started looking into the different objects.

22
00:01:48,770 --> 00:01:53,310
So if you look here, that's the xref object, and then there are a bunch of other objects as well.

23
00:01:53,480 --> 00:01:57,010
And it says that the total kind of objects is 27.

24
00:01:57,110 --> 00:02:03,140
So it means that the body will have somewhere around twenty-six objects inside it.

25
00:02:03,560 --> 00:02:15,360
OK, so let us come back to the first object on top here and start just looking randomly into each of these objects and see what content they have.

26
00:02:15,360 --> 00:02:19,710
So this object basically contains a bunch of text.

27
00:02:19,710 --> 00:02:42,740
I think PDF Stream Dumper also translates the raw stream data into actual meaningful text, which is not possible when you are using PDF parser. As we keep moving down, you'll see a bunch of information.

28
00:02:42,740 --> 00:02:46,250
Here is another stream of data that is present inside it.

29
00:02:49,890 --> 00:02:57,610
I'm mainly interested in the JavaScript element, which we captured while using PDF parser as well.

30
00:02:58,730 --> 00:03:01,510
OK, so here is embedded JS.

31
00:03:01,640 --> 00:03:07,260
And it pointed to object number 24, and object number 24 has the JavaScript.

32
00:03:07,280 --> 00:03:09,550
It's the same one that we saw in the previous video.

33
00:03:09,830 --> 00:03:29,600
So one good thing which we can do with PDF Stream Dumper is that we can basically select the unescape part and we can just click on unescape selection, and it will immediately give you the actual readable ASCII format of what was there in the unescape code.

34
00:03:29,790 --> 00:03:34,820
So this was not possible when we were doing PDF Stream Dumper, but we'll have to look into different ways.

35
00:03:34,830 --> 00:03:42,410
For example, we have to manually create a JavaScript file, just escape a document or try and parse this entire thing, and then it would translate.

36
00:03:42,420 --> 00:03:45,980
But here in PDF Stream Dumper you could just do it automatically.

37
00:03:45,980 --> 00:03:56,820
All you have to do is just select the characters which are there inside the unescape and just click on unescape selection, and it will translate everything for you.

38
00:03:56,820 --> 00:04:01,400
So another important feature that I wanted to show you is the JavaScript UI feature.

39
00:04:01,470 --> 00:04:10,800
So once you reach the object where JavaScript is present, just click on the JavaScript UI and launch a separate panel, and you can see the JavaScript here.

40
00:04:10,800 --> 00:04:22,970
So in order to have it running, all you have to do is just get rid of the extra characters here and prepare a simple JavaScript out of it, and you can actually decode the entire thing yourself.

41
00:04:23,130 --> 00:04:40,220
In this example the decoding element is pretty straightforward, so I don't think it will be very difficult to decode even by using the unescape selection, but at times the JavaScript can be really complicated, and that's where this JavaScript emulator can be really handy in PDF Stream Dumper.

42
00:04:40,440 --> 00:04:47,330
So we've got rid of the extra characters there; let's see what else is extra here, so we don't need this.

43
00:04:47,370 --> 00:04:56,730
Remove the extra brackets as well.

44
00:04:57,030 --> 00:05:00,760
Let us add document.write.

45
00:05:02,050 --> 00:05:08,950
And close the brackets. Now let's click on run, and that's it.

46
00:05:08,950 --> 00:05:11,370
Here you see the result of document.write.

47
00:05:11,590 --> 00:05:14,850
And that's the data that it actually prints.

48
00:05:14,860 --> 00:05:27,290
So, for people who are not familiar with JavaScript, document.write is nothing but a print statement which gets you an output of whatever you have passed inside it.

49
00:05:27,550 --> 00:05:32,150
So this is how you'll deobfuscate the JavaScript using PDF Stream Dumper.

50
00:05:32,170 --> 00:05:32,800
Thanks for watching.