
MINISTRY OF EDUCATION AND RESEARCH

Technical University of Moldova (Universitatea Tehnică a Moldovei)


Faculty of Computers, Informatics and Microelectronics
Department of Software Engineering and Automation
Study programme: Information Security

REPORT
Course: AMID

Laboratory work 2
"Reverse engineering concepts. Static, dynamic and behavioural analysis.
Protection techniques in malicious programs"

Student: Ciubotaru Vadim, SI-211M
Evaluator: Persianov Svetoslav

Chișinău, 2021
1. Malicious PDF
SHA256 000c07e3b9954d3fb92986bbbc3fb057e01fe06132a9a65226f0539b89a9cd07
MD5 9397770de7ae8b180d582869087fdadd
Every downloaded file should be checked with an antivirus or on VirusTotal before it is opened. In this case, searching VirusTotal
for the hash of this file shows that it is flagged as malicious.

Image 1 – PDF on VirusTotal

With pdfid.py we count the objects and keywords present in the PDF file. The interesting ones the script finds here
are “/JavaScript” and “/OpenAction”. When both are present, the PDF may contain JavaScript code that is
executed automatically as soon as the document is opened.

Image 2 – pdfid.py utility

Let’s check what the “/JavaScript” object is. With the command “pdf-parser.py malicious-pdf.bin” we list
all objects.

Image 3 – JavaScript object


Object “4 0” (“/Action”) references object “5 0” through “/JS 5 0 R”, and that object contains the code.

Image 4 – JS code
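The triage described above (count suspicious keywords the way pdfid.py does, then follow /OpenAction to the /JS object the way pdf-parser.py does) can be reproduced with a few lines of Python. The following is an added example, not code from the report or from the pdfid/pdf-parser tools: it runs on a constructed PDF embedded in the script (not the sample analysed above), and it goes one step beyond a plain substring count by resolving PDF name hex escapes (for example `/J#61vaScript`), a trick that makes a naive search for `/JavaScript` miss the keyword.

```python
import re

# Constructed sample PDF (not the file analysed in the report): the catalog's
# /OpenAction points to a JavaScript action whose /S name is written with a
# hex escape (#61 == 'a') so that a naive search for "/JavaScript" finds nothing.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS 5 0 R >> endobj
5 0 obj << /Length 25 >> stream
app.alert('constructed');
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords pdfid-style triage cares about (assumed list, not the tool's exact one).
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/ObjStm"]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes: /J#61vaScript -> /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes, normalize: bool = True) -> dict:
    """Count each suspicious keyword; the lookahead stops /JS matching /JSx."""
    if normalize:
        data = normalize_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        counts[kw.decode()] = len(re.findall(pattern, data))
    return counts


def parse_objects(data: bytes) -> dict:
    """Map (number, generation) -> object body for every 'N G obj ... endobj'."""
    data = normalize_names(data)
    return {(int(n), int(g)): body for n, g, body in _OBJ.findall(data)}


def _ref(body: bytes, key: bytes):
    """Return the (N, G) of an indirect reference '/Key N G R', or None."""
    m = re.search(re.escape(key) + rb"\s+(\d+)\s+(\d+)\s+R", body)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_open_action_js(data: bytes):
    """Follow Catalog /OpenAction -> JavaScript action -> /JS and return the script.

    Returns None when the chain is absent, so a clean PDF yields no finding.
    """
    objects = parse_objects(data)
    for body in objects.values():
        if b"/Catalog" not in body:
            continue
        action = _ref(body, b"/OpenAction")
        if action is None or action not in objects:
            return None
        action_body = objects[action]
        if not re.search(rb"/S\s*/JavaScript", action_body):
            return None
        # /JS may be an indirect reference to a stream or an inline (string).
        js_ref = _ref(action_body, b"/JS")
        if js_ref is not None and js_ref in objects:
            m = _STREAM.search(objects[js_ref])
            return m.group(1).decode(errors="replace") if m else None
        m = re.search(rb"/JS\s*\((.*?)\)", action_body, re.S)
        return m.group(1).decode(errors="replace") if m else None
    return None


if __name__ == "__main__":
    print("raw count     :", count_keywords(SAMPLE_PDF, normalize=False))
    print("normalized    :", count_keywords(SAMPLE_PDF))
    print("OpenAction JS :", find_open_action_js(SAMPLE_PDF))
```

The two `count_keywords` calls make the point of the example: on the raw bytes `/JavaScript` is counted zero times, after name normalisation it is counted once, which is why pdfid.py normalises names before counting. `find_open_action_js` then reproduces the manual pdf-parser.py walk from the catalog to the script, which is the piece of evidence worth pasting into a report.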

2. Malicious Doc
MD5 0a253bf970e5239a341bc3583baa34e3
SHA256 8dc970c1aeaf7d53f4ed9aaecca5f7de962fe1b5d3a2aee2c3b5b656e566a7ca
Searching for the hash on VirusTotal shows that the file is a malicious document.

Image 5 – Hash search on VirusTotal

Image 6 – Malicious doc information

“oledump.py” finds 2 macro streams; let’s check them.


In macro stream 7 we see the malicious code that calls the function “QhQEBJEHTy” defined in macro stream 8.

Image 7 – Macro stream 7


The malicious code checks whether the document was opened read-only; if it was, the code is not executed.

Image 8 – Macro stream 8
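Once oledump.py has dumped the VBA source of each macro stream, the questions asked above (which procedure runs automatically, which procedure in another stream it calls, and whether it guards itself with an environment check such as the read-only test) can be answered mechanically. The following is an added example and not code from the report or from oledump.py: it triages two constructed VBA modules embedded in the script (the procedure names and module numbers are invented, not the ones from the analysed document), and it generalises the page's single case by building the call chain from every auto-executing entry point and by flagging a small, assumed list of evasion and suspicious-API indicators.

```python
import re

# Constructed VBA source, labelled by macro stream number (not the report's macros):
# an auto-executing entry point that, unless the document is read-only, calls a
# randomly named procedure that lives in a different module.
MODULE_7 = """
Private Sub Document_Open()
    If ActiveDocument.ReadOnly = False Then
        Call Xyz123abc
    End If
End Sub
"""

MODULE_8 = """
Public Function Xyz123abc()
    MsgBox "constructed sample"
End Function
"""

# Assumed indicator lists (not the page's): entry points Office runs on its own,
# checks used to stay quiet in sandboxes, and APIs worth a second look.
AUTO_EXEC = {"AutoOpen", "Document_Open", "AutoExec", "Auto_Open",
             "Workbook_Open", "AutoClose", "Document_Close"}
EVASION_CHECKS = ["ReadOnly", "Application.UserName", "RecentFiles.Count",
                  "Application.Visible"]
SUSPICIOUS_CALLS = ["Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile",
                    "Environ", "StrReverse", "Kill", "SaveToFile"]

_PROC = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I)
_CALL = re.compile(r"^(?:Call\s+)?(\w+)(?:\s*\(.*\))?$")


def triage_vba(modules: dict) -> dict:
    """Triage {stream_name: vba_source}: entry points, call edges, indicators."""
    procs = {}                      # procedure name -> stream it is defined in
    lines_by_proc = []              # (stream, proc, stripped line)
    for stream, source in modules.items():
        current = None
        for raw in source.splitlines():
            line = raw.strip()
            m = _PROC.match(line)
            if m:
                current = m.group(1)
                procs[current] = stream
            lines_by_proc.append((stream, current, line))

    calls = {}
    for stream, proc, line in lines_by_proc:
        m = _CALL.match(line)
        # Only identifiers that are defined procedures count as call edges,
        # which filters out keywords such as 'End' or 'Else'.
        if proc and m and m.group(1) in procs and m.group(1) != proc:
            calls.setdefault(proc, []).append(m.group(1))

    auto_exec = [(s, p) for p, s in procs.items() if p in AUTO_EXEC]
    evasion = [(s, ind) for s, src in modules.items()
               for ind in EVASION_CHECKS if ind in src]
    suspicious = [(s, ind) for s, src in modules.items()
                  for ind in SUSPICIOUS_CALLS if ind in src]
    return {"procs": procs, "auto_exec": auto_exec, "calls": calls,
            "evasion": evasion, "suspicious": suspicious}


def execution_chain(result: dict) -> dict:
    """For each auto-exec entry point, the procedures reached via call edges (DFS)."""
    chains = {}
    for _stream, entry in result["auto_exec"]:
        order, stack, seen = [], [entry], set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            order.append(name)
            stack.extend(reversed(result["calls"].get(name, [])))
        chains[entry] = order
    return chains


if __name__ == "__main__":
    report = triage_vba({"7": MODULE_7, "8": MODULE_8})
    for key in ("auto_exec", "calls", "evasion", "suspicious"):
        print(f"{key:10}: {report[key]}")
    print("chain     :", execution_chain(report))
```

Run stand-alone, it reports that `Document_Open` in stream 7 calls `Xyz123abc` in stream 8 and that stream 7 contains a `ReadOnly` check, the same two findings the report draws from Images 7 and 8. The `ReadOnly` guard matters for the dynamic part of the analysis: a sandbox or analyst that opens the document in read-only or protected mode will see no behaviour at all, so the document has to be opened writable (in an isolated VM) before the payload can be observed.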
