Analyzing malicious PDF documents

Published: 2009-05-24
Last Updated: 2009-05-24 05:38:42 UTC
by Raul Siles (Version: 1)
2 comment(s)

As we announced in a recent ISC diary, Adobe is changing its patching model and strategy, but it seems still JavaScript will be enabled by default in Adobe Acrobat and Reader. As a consequence, I foreshadow more PDF vulnerabilities, exploits and attacks in the near future (let's hope I'm wrong).

On the one hand, I've been actively using PDF exploits in recent penetration tests, emulating the real-world attacks we have seen in the wild and described in several ISC diaries during the last 2-3 years (you can get most of them using the following search in Google: "pdf site:isc.sans.org"). Both, the open-source Metasploit Framework, and commercial pen-testing tools, like Core Impact, include these capabilties.

On the other hand, we need to be able to disect these malicious files when we are the target . The Hakin9 magazine has made available this week (for free) a great introductory article on the internal formatting of PDF files and how to analyze malicious PDF documents, those exploiting a vulnerability in the embedded JavaScript interpreter (very common), by Didier Stevens (a well known PDF expert we've mentioned regarding previous PDF vulnerabilities):

"Anatomy of Malicious PDF Documents". Didier Stevens. Hakin9 magazine.

In order to get a copy of the article, in PDF format (What a coincidence! Is it malicious or not?  ), you just need to provide an e-mail address. Do not forget to download the RTF document with the code listing (link on the right hand side).

This article is a must read and great starting point for incident handlers interested on increasing their skills to analyze malicious PDF documents. If you want to start practicing today, before being a target, generate a malicious PDF document in Metasploit and analyze it. For more advanced inspection, I encourage you to use some specific PDF analysis tools.

--
Raul Siles
www.raulsiles.com

Keywords: Acrobat adobe pdf
2 comment(s)

Comments

The website seems to be down at the moment. http://downforeveryoneorjustme.com/hakin9.org

But on the subject of analyzing pdf files I just use a simple php script to gzuncompress( the contents of the stream, since that is all Flat Encoding in pdf's is.
It seems the site is up again. Thanks.

Diary Archives