Analysis of malicious PDFby

Abdul Adil

Open Info.sec Community

Disclaimer: Either me or the organizers are not responsible for any damages or any sort of actions that you made with the provided information.

Who am i?

• Information security enthusiast & Developer.

• Certified in OCJP ,CEH.

• You can reach me at:

Codestudio8.wordpress.com

Linkedin.com/in/abduladil02

Facebook.com/abduladil02

Twitter.com/abduladil02

Abdul.Adil@connectica.in or AbdulAdil02@gmail.com

What your going learn?

• What is a pdf?

• Internals of PDF.

• Strings of pdf.

• Scanning pdf’s with virus total.

• Demo.

• Conclusion.

What is a pdf?

• It stands for Portable Document Format(PDF).

• Extension of portable document format is “.pdf”.

• Is a file format used to present documents in a manner independent of application software, hardware, and operating systems.

• Developed by Adobe Systems in the year 1991.

• Interactive features like acroforms , rich media…

• Current version of pdf is 1.7 was released in 2011.

First Malware of PDF

• PDF attachments carrying viruses were first discovered in 2001.

• The virus, named OUTLOOK.PDFWorm or Peachy, uses Microsoft Outlook to send itself as an attachment to an Adobe PDF file.

• It was activated with Adobe Acrobat, but not with Acrobat Reader.

Structure of pdf

Internals of pdf

• Header: this probably the most simple section. It is made of a single line which specifies the PDF languageversion eg:1.1.

• Body: which generally contains the most part of the PDF code. This section is made of a list of objects whichdescribes how the final document will look.

• cross reference table: this table contains all the data required to the PDF management software (e.g. areader) in order to access directly any document object without having to read throughout the file to findthis object. Starts with ‘Xref’.

• Trailer: Any PDF software management application always begins to read from the end of the file where this last section is located. The trailer contains different essential data, which are from the top to the bottom of the trailer:

a. the number of objects contained in the file (field /Size),

b. the ID of the file root document (field /Root),

c. the offset (in bytes) of the cross reference table (the line just above the %%EOF line).

Xref table structure

14 objects

Object is free

Object is in use

Take a close look before you proceed!

Tools to analyze pdf files

• You can download from http://blog.didierstevens.com/programs/pdf-tools/

• Pdf-parser.py: This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document.

• Pdfid.py: This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD will also handle name obfuscation.

• Other tools:PeePdf.py

• Online tools:

a. Virustotal.com

b. wepawet(http://wepawet.iseclab.org)

c. pdfexaminer(www.malwaretracker.com)

d. jsunpack.jeek.org

e. pdf stream dumper.

Strings in pdf

• obj,endobj,stream,endstream,xref,trailer,startxref,/Page,/Encrypt,/ObjStm,/JS,/JavaScript,/AA,/OpenAction,/JBIG2Decode,/RichMedia,/Launch,/XFA.

• Almost every PDF documents will contain the first 7 words (objthrough startxref), and to a lesser extent stream and endstream.

• /Page gives an indication of the number of pages in the PDF document. Most malicious PDF document have only one page eg.Youwon a lottery mail.

• /Encrypt indicates that the PDF document has DRM or needs a password to be read.

• /ObjStm counts the number of object streams. An object stream is a stream object that can contain other objects, and can therefore be used to obfuscate objects (by using different filters).

Strings in pdf

• /JS and /JavaScript indicate that the PDF document contains JavaScript. Almost all malicious PDF documents that I’ve found in the wild contain JavaScript (to exploit a JavaScript vulnerability and/or to execute a heap spray). Of course, you can also find JavaScript in PDF documents without malicious intend.

• /AA and /OpenAction indicate an automatic action to be performed when the page/document is viewed. All malicious PDF documents with JavaScript I’ve seen in the wild had an automatic action to launch the JavaScript without user interaction.

Demo

• Let’s see a demo

1.Pdf-parser.py

2.pdfid.py

3.Peepdf

4.Metasploit

Just a glance malicious action snippet

Drawbacks in pdfid.py

• Because PDFiD is just a string scanner (supporting name obfuscation), it will also generate false positives. For example, a simple text file starting with %PDF-1.1 and containing words from the list will also be identified as a PDF document.

What you can do?

• Scan pdf files with anti-malware application.

• Scan with online scanners like virustotal.com and malwr.com(cuckoo).

You can’t stop stupidity!!