Tags: pdf forensic

## Pt. 2

For this part, we need to find out the attacker's IP. As there is no connection info in the Autopsy report, I eventually realized that the PDF itself must contain the attacker's IP in order to send something back to them.

I found this [file](https://github.com/mobmewireless/origami-pdf/blob/master/samples/exploits/cve-2008-2992-utilprintf.rb) that was used to create the PDF, but at first sight I was not able to figure out how to extract the shellcode from it. After searching a little more, I found this [website](https://www.adlice.com/infected-pdf-extract-payload/).

Before using that one, I first tried https://github.com/PCsXcetra/DerbyCon-2019Files, which did not work...

To finally solve the challenge, I installed [PDFStreamDumper](http://sandsprite.com/blogs/index.php?pid=57&uid=7) and highlighted the shellcode inside the PDF (one of the objects in the left pane).

Then I opened the JavaScript UI to analyze the shellcode.

I ran it and got the IP as the output!

```text
Loaded 400 bytes from file sample.sc
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000
```
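The steps above (pull the JavaScript out of a PDF stream, turn the escaped string into shellcode bytes, then look for the connect-back address) can also be done statically for a first triage. The script below is an added example, not code from this writeup, from PDFStreamDumper or from the origami sample: it builds a small stand-in PDF inline (a constructed file, not the challenge PDF), with a placeholder IP and port, inflates the FlateDecode stream, decodes the `unescape("%u....")` literal, and scans the bytes for two common `sockaddr_in` layouts, the contiguous structure and the x86 `push addr; push family|port` immediates. The layouts, the filler bytes and the `triage_pdf` function names are this example's own assumptions. Shellcode that computes or decodes its address at runtime will not show up here, which is exactly where the emulator run shown above is stronger.

```python
import re
import struct
import zlib

# --- Constructed sample input (not a real exploit): a tiny PDF with one
# --- FlateDecode stream whose JavaScript carries a %u-escaped payload.
def build_sample_pdf(ip="203.0.113.7", port=4444, layout="push"):
    ip_bytes = bytes(int(o) for o in ip.split("."))
    port_be = struct.pack(">H", port)
    if layout == "push":
        # x86 'push imm32' (0x68) of the address, then of family|port: the way
        # a connect-back stub usually assembles its sockaddr_in on the stack.
        struct_bytes = b"\x68" + ip_bytes + b"\x68\x02\x00" + port_be
    else:
        # sockaddr_in stored contiguously: AF_INET (LE), port (BE), addr, sin_zero
        struct_bytes = b"\x02\x00" + port_be + ip_bytes + b"\x00" * 8
    payload = b"\x90" * 6 + struct_bytes + b"\xcc" * 3   # filler around the structure
    if len(payload) % 2:
        payload += b"\x00"                                 # %u units are 16-bit
    units = struct.unpack("<%dH" % (len(payload) // 2), payload)
    js = b'var sc = unescape("' + b"".join(b"%%u%04x" % u for u in units) + b'");'
    stream = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(stream)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream\nendobj\n"
            b"%%EOF\n")

# Simplified object matching: no nested << >> dictionaries, LF line endings.
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
ESC_RE = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def extract_streams(pdf):
    """Yield the decoded bytes of every stream object, inflating FlateDecode ones."""
    for m in STREAM_RE.finditer(pdf):
        d, raw = m.group(1), m.group(2)
        if b"/FlateDecode" in d:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue        # truncated or deliberately broken stream: skip it
        yield raw

def decode_js_escapes(js):
    """Collect every unescape("...") literal; decode %uXXXX (LE 16-bit) and %XX units."""
    blobs = []
    for lit in re.findall(rb'unescape\(\s*["\']([^"\']+)["\']', js):
        out = bytearray()
        for m in ESC_RE.finditer(lit):
            if m.group(1):
                out += struct.pack("<H", int(m.group(1), 16))
            else:
                out.append(int(m.group(2), 16))
        if out:
            blobs.append(bytes(out))
    return blobs

def find_connect_back(sc):
    """Heuristic static scan for an IPv4 endpoint in shellcode bytes.
    Returns a sorted list of (ip, port) candidates."""
    hits = set()
    # 1. contiguous sockaddr_in (skip a family word that is itself a push immediate)
    for m in re.finditer(rb"(?<!\x68)\x02\x00(..)(....)", sc, re.S):
        port = struct.unpack(">H", m.group(1))[0]
        addr = m.group(2)
        if port and addr[0]:
            hits.add((".".join(map(str, addr)), port))
    # 2. 'push addr; push family|port' immediates (x86 opcode 0x68)
    for m in re.finditer(rb"\x68(....)\x68\x02\x00(..)", sc, re.S):
        port = struct.unpack(">H", m.group(2))[0]
        hits.add((".".join(map(str, m.group(1))), port))
    return sorted(hits)

def triage_pdf(pdf):
    """End to end: streams -> JavaScript literals -> shellcode bytes -> endpoint candidates."""
    results = []
    for stream in extract_streams(pdf):
        for sc in decode_js_escapes(stream):
            results.extend(find_connect_back(sc))
    return sorted(set(results))

if __name__ == "__main__":
    for layout in ("push", "contiguous"):
        print(layout, triage_pdf(build_sample_pdf(layout=layout)))
```

On a real sample, replace `build_sample_pdf(...)` with the file's bytes; anything the scan reports is a lead to confirm against the emulator output, since the `\x02\x00` pattern also occurs by chance in ordinary code.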