Yet another PDF Analyz3r

[A blog post by Ahmad Azizan, practical student @ MyCERT]

Even today, client-side attacks through Adobe Reader vulnerabilities are not slowing down. Although patches for the known Adobe Reader vulnerabilities have been public for quite some time, there are still many websites hosting malicious PDF files that are served to unsuspecting users.

A malicious PDF file usually has JavaScript embedded in it that exploits Adobe Reader vulnerabilities, for example those in util.printf, Collab.getIcon, and Collab.collectEmailInfo. The exploit code is crafted to trigger a buffer overflow when the PDF file is opened; the payload (shellcode) carried in the JavaScript then executes, silently downloading and installing malware (e.g. a bot) on the user's PC.

Analyzing PDF files is quite a challenging task (for some!) without the right tools and a basic understanding of the PDF file structure, since attackers have hundreds of obfuscation techniques to make their malicious code harder to read. By the time analysis takes place, the embedded JavaScript is usually stored compressed (deflated) and encoded into unreadable content, so suitable tools are needed to inflate and decode it for further analysis.

To make my analysis process easier, I am currently developing an application to automatically analyze PDF files, called PDF analyz3r. PDF analyz3r is written in Ruby; it automatically inflates (decompresses) the PDF stream content, interprets the JavaScript code inside the PDF file, and then extracts the payload to determine its behavior and the potential URL of the malware download. PDF analyz3r currently supports decoding of single or cascaded filters of the types FlateDecode, ASCIIHexDecode, and ASCII85Decode.
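The following is an added example written for this post, not code from PDF analyz3r (whose source the post does not publish): a small Ruby script that decodes the three filter types named above, applies a cascaded /Filter chain in the order the PDF lists it (which is decode order, so [/ASCIIHexDecode /FlateDecode] means un-hex first, then inflate), and pulls the JavaScript out of an /OpenAction so URLs can be scanned for. The input is a constructed one-page PDF built inline; the download URL in it uses a reserved example domain and is not a real site. The regex-based object scanner is a simplification: a real analyzer must honour /Length, xref tables and object streams, all of which malicious files use to hide objects.

```ruby
require 'zlib'

# ASCIIHexDecode (PDF 1.7, 7.4.2): hex digits with whitespace ignored, '>' ends
# the data, and an odd trailing digit is read as if followed by '0'.
def ascii_hex_decode(data)
  hex = data.split('>', 2).first.to_s.gsub(/\s+/, '')
  raise ArgumentError, 'non-hex byte in ASCIIHexDecode stream' unless hex.match?(/\A\h*\z/)
  hex += '0' if hex.length.odd?
  [hex].pack('H*')
end

# ASCII85Decode (PDF 1.7, 7.4.3): five chars '!'..'u' encode four bytes
# big-endian in base 85, 'z' stands for four zero bytes, '~>' ends the data;
# a partial last group of n chars yields n-1 bytes after padding with 'u'.
def ascii85_decode(data)
  body = data.split('~>', 2).first.to_s.gsub(/\s+/, '').sub(/\A<~/, '')
  out = String.new                         # String.new is ASCII-8BIT (binary)
  group = []
  body.each_char do |c|
    if c == 'z' && group.empty?
      out << "\0\0\0\0"
      next
    end
    raise ArgumentError, "illegal ASCII85 character #{c.inspect}" unless c.between?('!', 'u')
    group << (c.ord - 33)
    next unless group.size == 5
    out << [group.reduce(0) { |acc, d| acc * 85 + d }].pack('N')
    group = []
  end
  unless group.empty?
    raise ArgumentError, 'truncated ASCII85 group' if group.size == 1
    n = group.size
    group.fill(84, n, 5 - n)               # pad with 'u'
    out << [group.reduce(0) { |acc, d| acc * 85 + d }].pack('N')[0, n - 1]
  end
  out
end

FILTERS = {
  'FlateDecode'    => ->(d) { Zlib::Inflate.inflate(d) },
  'ASCIIHexDecode' => ->(d) { ascii_hex_decode(d) },
  'ASCII85Decode'  => ->(d) { ascii85_decode(d) },
}.freeze

# /Filter lists filters in decode order. An unsupported filter (e.g. /LZWDecode)
# raises rather than silently handing still-encoded bytes to the script search.
def apply_filters(data, names)
  names.reduce(data) do |buf, name|
    decoder = FILTERS[name] or raise ArgumentError, "unsupported filter /#{name}"
    decoder.call(buf)
  end
end

# Simplified object scanner: flat dictionaries only, stream body taken up to
# "endstream" instead of honouring /Length, no xref or object-stream support.
OBJ_RE = /(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*(?:stream\r?\n(.*?)\r?\nendstream)?/m

def parse_objects(pdf)
  pdf.scan(OBJ_RE).each_with_object({}) do |(num, dict, raw), objs|
    objs[num.to_i] = { dict: dict, raw: raw }
  end
end

def filter_names(dict)
  m = dict.match(%r{/Filter\s*(\[[^\]]*\]|/\w+)}) or return []
  m[1].scan(%r{/(\w+)}).flatten
end

def decoded_stream(obj)
  apply_filters(obj[:raw], filter_names(obj[:dict]))
end

# /S /JavaScript actions carry the script either as an indirect reference to a
# stream or as an inline string. Returns [[action_obj_num, script], ...].
def extract_javascript(objs)
  objs.map do |num, obj|
    next unless obj[:dict].match?(%r{/S\s*/JavaScript\b})
    if (ref = obj[:dict].match(%r{/JS\s+(\d+)\s+\d+\s+R}))
      target = objs[ref[1].to_i]
      next unless target && target[:raw]
      [num, decoded_stream(target)]
    elsif (str = obj[:dict].match(%r{/JS\s*\((.*?)\)}m))
      [num, str[1]]
    end
  end.compact
end

URL_RE = %r{https?://[^\s'"<>)]+}

def analyze(pdf)
  extract_javascript(parse_objects(pdf)).map do |num, script|
    { action_obj: num, script: script, urls: script.scan(URL_RE) }
  end
end

# Constructed sample (not a real malicious file): the script is deflated, then
# hex-encoded, so the PDF's /Filter array lists the decoders in reverse order.
SAMPLE_JS = "var dl = 'http://malware.example/dl.exe';\napp.alert('constructed sample');"

def build_sample_pdf(js)
  stream = Zlib::Deflate.deflate(js).unpack1('H*') + '>'
  <<~PDF.b
    %PDF-1.4
    1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
    2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
    3 0 obj << /Type /Page /Parent 2 0 R >> endobj
    4 0 obj << /Type /Action /S /JavaScript /JS 5 0 R >> endobj
    5 0 obj << /Length #{stream.bytesize} /Filter [/ASCIIHexDecode /FlateDecode] >>
    stream
    #{stream}
    endstream
    endobj
    trailer << /Root 1 0 R >>
    %%EOF
  PDF
end

if __FILE__ == $PROGRAM_NAME
  analyze(build_sample_pdf(SAMPLE_JS)).each do |r|
    puts "JavaScript action in object #{r[:action_obj]}:", r[:script], "URLs: #{r[:urls].join(', ')}"
  end
end
```

Running the script prints the recovered JavaScript and the URL it references. The ASCII85 decoder is exercised on its own in the checks below with the textbook "Man " example, a partial final group, and the 'z' shorthand, since those partial-group and shorthand cases are exactly where hand-rolled decoders go wrong and attackers gain free obfuscation.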

PDF analyz3r is currently under heavy development; however, it is already usable, and in my tests 24 out of 29 malicious PDF files were successfully analyzed and detected.

Here are some of the sample analyses (password to uncompress: analyz3r):

Send me an email if you have a sample to analyze with PDF analyz3r; I would be pleased to send you the output. Until next time, always make sure you are surfing with updated gear. Whatever you do, always try to be safe.
