
SANS ISC: InfoSec Handlers Diary Blog - Analyzing malicious PDF documents


Analyzing malicious PDF documents

Published: 2009-05-24
Last Updated: 2009-05-24 05:38:42 UTC
by Raul Siles (Version: 1)

As we announced in a recent ISC diary, Adobe is changing its patching model and strategy, but it seems JavaScript will still be enabled by default in Adobe Acrobat and Reader. As a consequence, I foresee more PDF vulnerabilities, exploits and attacks in the near future (let's hope I'm wrong).

On the one hand, I've been actively using PDF exploits in recent penetration tests, emulating the real-world attacks we have seen in the wild and described in several ISC diaries during the last 2-3 years (you can get most of them using the following search in Google: "pdf"). Both the open-source Metasploit Framework and commercial pen-testing tools, like Core Impact, include these capabilities.

On the other hand, we need to be able to dissect these malicious files when we are the target. The Hakin9 magazine has made available this week (for free) a great introductory article by Didier Stevens (a well known PDF expert we've mentioned regarding previous PDF vulnerabilities) on the internal formatting of PDF files and how to analyze malicious PDF documents, particularly those exploiting a vulnerability in the embedded JavaScript interpreter (very common):

"Anatomy of Malicious PDF Documents". Didier Stevens. Hakin9 magazine.

In order to get a copy of the article, in PDF format (What a coincidence! Is it malicious or not?), you just need to provide an e-mail address. Do not forget to download the RTF document with the code listing (link on the right hand side).

This article is a must read and a great starting point for incident handlers interested in increasing their skills to analyze malicious PDF documents. If you want to start practicing today, before being a target, generate a malicious PDF document in Metasploit and analyze it. For more advanced inspection, I encourage you to use some specific PDF analysis tools.

Raul Siles

Keywords: Acrobat adobe pdf