November 14, 2010
Here is another small trick that malicious PDFs use. The PDF contains JavaScript code similar to the following:
var part1="pe";
var part2="Ty";
var part3="o";
var part4="get";
var part5="xOf";
// resolves to event.target.zoomType
var fun1= event["tar"+part4]["z"+part3+part3+"m"+part2+part1];
// second character of the zoom type + "nde" + "xOf"
fun1 = fun1[1]+"nde"+part5;
var fun2 = "fromCharCode";
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
"abcdefghijklmnopqrstuvwxyz" +
"0123456789"+
"+/=";
function decode(input) {
...
enc1 = keyStr[fun1](input.charAt(i++));
...
}
var code = decode("Q2!#$%^&5a...#$%^&o=!#$%^&");
eval(code);
This script sets up some variables that are used in a decoding routine. As usual, the routine decodes a long string and the result is then interpreted via eval().
The interesting part is how fun1 is computed. Undoing the simple
obfuscation shows that it is initialized to event.target.zoomType.
Now, event.target is a reference to the Doc object. The Doc object's
property zoomType contains the current zoom type of the document. The
documentation lists 7 possible values:
Adobe Reader seems to return FitWidth by default.
The next step in the script extracts the second character from the zoom
type string (the letter i) and concatenates it with other strings to obtain
indexOf.
A long way to get an i...
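For analysis, the consequence is that the decoder only resolves when the host supplies the Doc object. The following JavaScript (Node.js) is an added example, not part of the original post or of the sample: it stubs event.target, logs which host properties the script reads, and reports the method name derived for different zoom types. The names traced, makeEvent, deriveName and analyze, and the value "NotDefault", are constructed for this illustration.

```javascript
// Added analysis example (not the original sample's code).
// Wrap a stub so every property read is logged with its full path.
function traced(obj, path, log) {
  return new Proxy(obj, {
    get(target, prop) {
      if (typeof prop === "symbol") return target[prop];
      const full = `${path}.${prop}`;
      log.push(full);
      const value = target[prop];
      return value !== null && typeof value === "object"
        ? traced(value, full, log)
        : value;
    },
  });
}

// Hypothetical stand-in for Acrobat's event object; only zoomType is modelled.
function makeEvent(zoomType, log) {
  return traced({ target: { zoomType } }, "event", log);
}

// The sample's name derivation, with the host object passed in explicitly.
function deriveName(event) {
  const part1 = "pe", part2 = "Ty", part3 = "o", part4 = "get", part5 = "xOf";
  const zoom = event["tar" + part4]["z" + part3 + part3 + "m" + part2 + part1];
  return zoom[1] + "nde" + part5;
}

// Report the derived name, the host reads, and whether the decoder would work.
function analyze(zoomType) {
  const log = [];
  const keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  let name = null;
  try {
    name = deriveName(makeEvent(zoomType, log));
  } catch (err) {
    // A host without zoomType yields undefined, and indexing it throws.
  }
  const usable = name !== null && typeof keyStr[name] === "function";
  return { name, reads: log, usable };
}

console.log(analyze("FitWidth"));   // value the post reports for Adobe Reader
console.log(analyze(undefined));    // generic JS engine with no Doc object data
console.log(analyze("NotDefault")); // constructed value, second character not "i"
```

The reads list is the useful output when triaging similar samples: it names the host properties an emulator has to provide before the decoding routine can run.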