Mass mailing or targeted campaigns that use common file types to host or exploit code have been, and still are, a very popular attack vector. In other words, a malicious PDF or MS Office document received via e-mail or opened through a browser plug-in. In regards to malicious PDF files, the security industry saw a significant increase of vulnerabilities after the second half of 2008, which might be related to Adobe Systems' release of the specifications, format structure and functionality of PDF files. Most enterprise network perimeters are protected and contain several security filters and mechanisms that block threats. However, a malicious PDF or MS Office document might be very successful at passing through firewalls, intrusion prevention systems, anti-spam, anti-virus and other security controls. Once it reaches the victim's mailbox, this attack vector relies on social engineering techniques to lure the user into clicking/opening the document. Then, for example, if the user opens a malicious PDF file, it typically executes JavaScript that exploits a vulnerability when Adobe Reader parses the crafted file.

This might cause the application to corrupt memory on the stack or heap, causing it to run arbitrary code known as shellcode. This shellcode normally downloads and executes a malicious file from the Internet. The Internet Storm Center handler Bojan Zdrnja wrote a good summary about one of these shellcodes. In some circumstances the vulnerability could be exploited without opening the file, just by having a malicious file on the hard drive, as described by Didier Stevens.

From a 100 feet view, a PDF file is composed of a header, a body, a cross-reference table and a trailer. One key component is the body, which might contain all kinds of content type objects that make parsing attractive for vulnerability researchers and exploit developers. The language is very rich and complex, which means the same information can be encoded and obfuscated in many ways. For example, within objects there are streams that can be used to store data of any type and size. These streams are compressed, and the PDF standard supports several algorithms, called Filters, including ASCIIHexDecode, ASCII85Decode, LZWDecode, FlateDecode, RunLengthDecode, CCITTFaxDecode and DCTDecode. PDF files can contain multimedia content and support JavaScript, and ActionScript through Flash objects. Usage of JavaScript is a popular attack vector because it can be hidden in the streams using different techniques, making detection harder. In case the PDF file contains JavaScript, the malicious code is used to trigger a vulnerability and to execute shellcode. All these features and capabilities translate into a huge attack surface!

From a security incident response perspective, knowing how to do a detailed analysis of such malicious files can be quite useful. When analyzing these kinds of files an incident handler can determine the worst it can do, its capabilities and its key characteristics. Furthermore, it can help to be better prepared to identify future security incidents and to contain, eradicate and recover from those threats. So, which steps could an incident handler or malware analyst perform to analyze such files? In the case of malicious PDF files there are 5 steps. Using the REMnux distro, the steps are described by Lenny Zeltser as being:

- Analyze shellcode and determine what it does.

A summary of tools and techniques using REMnux to analyze malicious documents is described in the cheat sheet compiled by Lenny, Didier and others. In order to practice these skills and to illustrate an introduction to the tools and techniques, below is the analysis of a malicious PDF using these steps.

The other day I received one of those emails that was part of a mass mailing campaign. The email contained an attachment with a malicious PDF file that took advantage of the Adobe Reader JavaScript engine to exploit CVE-2013-2729. This vulnerability, found by Felipe Manzano, is an integer overflow in several versions of Adobe Reader when parsing BMP files compressed with RLE8 encoding embedded in PDF forms. The file on VirusTotal was only detected by 6 of the 55 AV engines.

Let's go through each one of the mentioned steps to find information on the malicious PDF's key characteristics and its capabilities. One technique is using Didier Stevens' suite of tools to analyze the content of the PDF and look for suspicious elements. One of those tools is pdfid, which can show several keywords used in PDF files that could be used to exploit vulnerabilities. The previously mentioned cheat sheet contains some of these keywords. In this case the first observation shows the PDF file contains 6 objects and 2 streams. No JavaScript is mentioned, but it contains /AcroForm and /XFA elements. This means the PDF file contains XFA forms, which might indicate it is malicious. Then, looking deeper, we can use pdf-parser.py to display the contents of the 6 objects.
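The pdfid-style keyword triage described above, as an added example that is not code from the post or from Didier Stevens' tools: it counts object/stream tokens and the cheat sheet's suspicious names on a constructed sample PDF (6 objects, 2 streams, /AcroForm with /XFA and no /JS, like the file in the post), and normalises hex-escaped names such as /#58FA so a trivially obfuscated /XFA is still counted.

```python
import re
from collections import Counter

# Constructed sample, not the file from the post: a minimal PDF with 6 objects and
# 2 streams whose /AcroForm carries an /XFA entry, mirroring the pdfid findings above.
# /XFA is written as /#58FA to show that hex-escaped names must be normalised.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj
4 0 obj << /Fields [] /#58FA 6 0 R >> endobj
5 0 obj << /Length 10 >> stream
0 0 1 rg q
endstream
endobj
6 0 obj << /Length 19 >> stream
<xdp:xdp></xdp:xdp>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# pdfid-style keywords: structure tokens plus the names the cheat sheet flags.
STRUCTURE = {"obj": rb"\b\d+\s+\d+\s+obj\b", "endobj": rb"\bendobj\b",
             "stream": rb"\bstream\b", "endstream": rb"\bendstream\b"}
NAMES = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm", "/XFA",
         "/Launch", "/EmbeddedFile", "/RichMedia"}

def normalise_name(raw: bytes) -> str:
    """Decode #xx escapes so /#58FA compares equal to /XFA (as pdfid does)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(data: bytes) -> dict:
    """Return pdfid-like keyword counts for a PDF without fully parsing it."""
    counts = {k: len(re.findall(p, data)) for k, p in STRUCTURE.items()}
    names = Counter(normalise_name(n) for n in re.findall(rb"/[^\s/\[\]<>(){}%]+", data))
    counts.update({k: names.get(k, 0) for k in sorted(NAMES)})
    return counts

def indicators(counts: dict) -> list:
    """Names present in the file that deserve a closer look with pdf-parser."""
    return [k for k in sorted(NAMES) if counts.get(k, 0)]

if __name__ == "__main__":
    c = triage(SAMPLE_PDF)
    for k, v in c.items():
        print(f"{k:14} {v}")
    print("follow up on:", indicators(c))
```

A zero /JS count is not a clean bill of health: as with the file in the post, /AcroForm plus /XFA is enough reason to dump the objects with pdf-parser.py and inspect the form streams.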