PDF + maldoc1 = maldoc2

Published: 2015-08-26
Last Updated: 2015-08-27 09:02:52 UTC
by Didier Stevens (Version: 1)
2 comment(s)

I received another example of a PDF file that contains a malicious MS Office document. Sample (MD5 0c044fd59cc6ccc28a48937bc69cc0c4).

This time I want to focus on the analysis of such a sample.

First we run pdfid to identify the sample.

It contains JavaScript and an embedded file. Let's take a look at the JavaScript first with pdf-parser.

Remark that the JavaScript is not obfuscated this time. It's simple, just two lines: these 2 statements export the embedded file to a temporary folder, and then launch it (provided the user clicks OK on the warnings).

So let's take a look at the embedded file with pdf-parser. We use option -H to get more info on the streams (the embedded file), like the hashes.

The embedded file is most likely a ZIP file (magic number PK). Looking at object 9, we see that the name is 2.docm.

The .docm file format indicates that it is a MS Office Word document with VBA macros. We can extract it and analyze it with oledump. Here we do this with a pipe, e.g. without writing the .docm file to disk. We dump the embedded file to stdout (-d -) and pipe it into oledump which analyses it with the vba plugin.


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc pdf
2 comment(s)


Would disabling macros in Office thwart this type of malware? If not, what controls can be used to defend against this? Would you happen to have a copy so we can test our malware defenses for detection/blocking?
Yes, disabling macros would stop this. But of course, this can impact your organization. There are other options than just blocking all macros. For example allowing signed macros.

And you can also block this at the PDF level by disabling JavaScript in Adobe Reader. This blocks it earlier in the kill chain, and many organizations I know are much less impacted by disabling JavaScript in Adobe Reader than disabling macros in MS Office.

We don't make malware available for download, but I shared the hash so that you can look for it on malware analysis sites like malwr.

Diary Archives