Malicious PDF File Analysis Example


Suspicious PDF files can be checked either with the help of antiviruses or manually using third-party utilities. Often, anti-virus scanners are not so effective when it comes to malicious PDF files containing encrypted shell code, which typically exploits vulnerabilities in Adobe Acrobat Reader zero day. Before starting the analysis, we will get acquainted with the structure of the PDF document, which is better to understand how the shell code works and where.

Suspicious unlock PDF online files can be checked either with the help of antiviruses or manually using third-party utilities. Often, anti-virus scanners are not so effective when it comes to malicious PDF files containing encrypted shell code, which typically exploits vulnerabilities in Adobe Acrobat Reader zero day. Before starting the analysis, we will get acquainted with the structure of the PDF document, which is better to understand how the shell code works and where.

PDF document structure
Headline
The first line indicates the version by which the PDF file was created. For example,% PDF-1.4 means that the file was created in the fourth version.

Body
The body of the PDF file includes objects that form the contents of the document. Objects are fonts, images, annotations, and text. In addition, the user can add invisible objects or elements. Objects may relate to functions, such as animations or security related functions. The body of a PDF file supports two types of numbers - integer and real.

Cross reference table (xref table)
This table contains all references to objects and elements supported by the PDF format. In addition, the cross-reference table allows you to view the contents of the remaining pages. When the user changes the file, the table is updated automatically.

The final part
The final part contains links to the cross-reference table and always ends with the word % % EOF, which means that the file has ended. The final part may contain links to other pages.

Creating a malicious PDF via Metastploit
After we briefly got acquainted with the structure of the unlock PDF file, we will install the old version of Adobe Acrobat Reader (9.4.6 or 10-10.1.1) with the vulnerability Adobe U3D Memory Corruption Vulnerability. We will create a malicious PDF file using Metasploilt. The analysis will be based on the KALI Linux distribution. Open a terminal and type msfconsole. For everything to work without a hitch, you need to set some variables.
After choosing the type of exploit, you must specify the payload that will be used during the exploitation of the vulnerability on the remote machine. Then open in Meterpreter.
One of the parameters when creating the file is LHOST, where the IP address of our machine is entered (to find out the IP address, you can enter the ifconfig command in another terminal). After setting the parameters, we indicate the type of exploit and create a malicious PDF file.

Malware analysis
We go into the folder with the malicious file and enter the command / usr / bin / peepdf –f msf.pdf. The –f option causes the utility to ignore all errors. First, we see a highlighted object “object 15” with JavaScript code. Next is a single object 4 with two elements: / AcroForm and / OpenAction. The final object is / U3D, indicating that the PDF is trying to exploit a known vulnerability. We will view the found objects in the interactive console. Enter the command / usr / bin / peepdf –i msf.pdf.

Security methods
Here are some ways to protect against malicious files:
·         Filter email and web page content.
·         Using an intrusion prevention system.
·         JavaScript prohibition.
·         Prevent the display of PDF files in browsers.
·         Deny access to the file system and network resources for applications designed to read PDF files.

Comments

Post a Comment

Popular posts from this blog

How to Convert JPG to PDF Online

Image
Converting multiple images into a single PDF file may be needed in different situations. When creating a compendium from scanned lectures or a virtual version of a book, combining photos into a single file for convenient sending by e-mail or messenger, etc. In order to combine two JPG files into PDF, you do not need to download and install programs - you can use online services that allow you to configure image compression, page orientation, image size and location, as well as set a password for opening PDF. PDFbeaver Allows You to Convert JPG to PDF Document A free online service PDFbeaver.com. The easiest option to create a PDF format from two or more images in one click. There is no restriction in the usage of this tool you don’t have to register. This is very easy to use, due to that anyone can use this tool to convert files without damaging the resolution, size of JPG files.  Conversion is carried out in two steps: ·       ...
Read more

Keep Your PDF Secure with PDF Beaver

Image
A Portable Document Format is one of the widely accepted and used file formats. This Document support multimedia files webpages, Web link, HTML, Excel, Word and PPT and much more. The user can protect their important and confidential information into PDF file format. PDF Beaver is having advanced and modified security features. These tools convert the any type of format into single PDF file. A user can convert the Word or Excel to PDF file format and vice versa. The PDF tools can make the documents secure by protecting them with password-protected security features. The converter tools enable you to set the password security settings in the documents. There is a simple procedure to follow for any kind of PDF document. A computer user can click on the 'Start' button and go to the path specifying 'Programs'. PDF Beaver tool keep secure your PDF and content. The tool make the user more flexible in transmitting confidential data to the correct destination. It's ...
Read more

Tips to encrypt documents and PDF files with Office

Image
Microsoft Office allows you to encrypt your documents or secure your PDF files, which makes it possible to protect your document with a password. In other words, if you set a password on a document, then no one can open it without it. In this article we’ll tell you how to password protect documents and PDF files. The instruction was created in Office 2016 but is suitable for other versions of the office. How secure is it to password protect a document? In Office 2007 and above, Microsoft took security more seriously and switched to Advanced Encryption Standard (AES). Now, if you set a password for a document, it will be very difficult to crack it, and in theory your document will be completely safe. In document protection, you can set a password for editing a document. That is, a person without a password will be able to view documents, but not edit. This type of protection can be easily cracked and removed. Therefore, if you set a password, then it is desirable f...
Read more