Malicious PDF File Analysis Example


Suspicious PDF files can be checked either with the help of antiviruses or manually using third-party utilities. Often, anti-virus scanners are not so effective when it comes to malicious PDF files containing encrypted shell code, which typically exploits vulnerabilities in Adobe Acrobat Reader zero day. Before starting the analysis, we will get acquainted with the structure of the PDF document, which is better to understand how the shell code works and where.

Suspicious unlock PDF online files can be checked either with the help of antiviruses or manually using third-party utilities. Often, anti-virus scanners are not so effective when it comes to malicious PDF files containing encrypted shell code, which typically exploits vulnerabilities in Adobe Acrobat Reader zero day. Before starting the analysis, we will get acquainted with the structure of the PDF document, which is better to understand how the shell code works and where.

PDF document structure
Headline
The first line indicates the version by which the PDF file was created. For example,% PDF-1.4 means that the file was created in the fourth version.

Body
The body of the PDF file includes objects that form the contents of the document. Objects are fonts, images, annotations, and text. In addition, the user can add invisible objects or elements. Objects may relate to functions, such as animations or security related functions. The body of a PDF file supports two types of numbers - integer and real.

Cross reference table (xref table)
This table contains all references to objects and elements supported by the PDF format. In addition, the cross-reference table allows you to view the contents of the remaining pages. When the user changes the file, the table is updated automatically.

The final part
The final part contains links to the cross-reference table and always ends with the word % % EOF, which means that the file has ended. The final part may contain links to other pages.

Creating a malicious PDF via Metastploit
After we briefly got acquainted with the structure of the unlock PDF file, we will install the old version of Adobe Acrobat Reader (9.4.6 or 10-10.1.1) with the vulnerability Adobe U3D Memory Corruption Vulnerability. We will create a malicious PDF file using Metasploilt. The analysis will be based on the KALI Linux distribution. Open a terminal and type msfconsole. For everything to work without a hitch, you need to set some variables.
After choosing the type of exploit, you must specify the payload that will be used during the exploitation of the vulnerability on the remote machine. Then open in Meterpreter.
One of the parameters when creating the file is LHOST, where the IP address of our machine is entered (to find out the IP address, you can enter the ifconfig command in another terminal). After setting the parameters, we indicate the type of exploit and create a malicious PDF file.

Malware analysis
We go into the folder with the malicious file and enter the command / usr / bin / peepdf –f msf.pdf. The –f option causes the utility to ignore all errors. First, we see a highlighted object “object 15” with JavaScript code. Next is a single object 4 with two elements: / AcroForm and / OpenAction. The final object is / U3D, indicating that the PDF is trying to exploit a known vulnerability. We will view the found objects in the interactive console. Enter the command / usr / bin / peepdf –i msf.pdf.

Security methods
Here are some ways to protect against malicious files:
·         Filter email and web page content.
·         Using an intrusion prevention system.
·         JavaScript prohibition.
·         Prevent the display of PDF files in browsers.
·         Deny access to the file system and network resources for applications designed to read PDF files.

Comments

Post a Comment

Popular posts from this blog

Converting PPT to PDF

Image
It is very easy to convert a PPT to PDF, there are many programs that can do it. But the best program to use in converting a PowerPoint file to PDF is PDF. PDF Beaver a family of programs designed to view, create, manipulate and manage files in PDF. PDF Beaver is a free trial version which you can use for a period of time. To convert PPT to PDF you need to run Adobe acrobat. Go through the PDF , click "File" in the menu bar and in the drop down list that appears choose "Create PDF" and then select "From File". A selection box will pop up allowing you to get into the folder that contains the PowerPoint file you want to convert. select your PPT file and click the "Open" button. PDF Beaver will immediately start converting your file after you click the "Open" button. The amount of time it will take to convert a PPT file will depend on the number of slides in it. Depending on your computer's speed and the contents of each slide, it
Read more

PDF Beaver - All-in-all solution for Converting files to PDF

Image
Microsoft Excel is used for working with spreadsheets. In addition to distributing data into cells, it allows you to perform mathematical functions and build the corresponding diagrams. It is capable of loading data from external sources and databases. The structure of the final document as a result becomes quite complex and contains both internal and external links. The above factors make it difficult for you to maintain workflow in Excel format. To be 100% sure that the recipient will be able to open the documents you sent, it makes sense to convert Excel documents to PDF before sending them by e-mail. For this purpose, we have designed an advanced online conversion tool to make conversion process easy for you. Quickly convert spreadsheets to PDF by PDF Beaver We offer you Free Excel to PDF Converter that allows you to convert your Excel documents to PDF files in just couple of seconds. Designed specifically for use with the popular manufacturer, PDF Beaver Converter is
Read more

Secure Your PDF Data by Encrypting Your PDF File

Image
Encrypting your PDF file allows you to protect the sensitive and private information in your your files even if you share the file over the Internet or through email. We discuss the possible ways of securing this file using encryption techniques and the advantages of each technique. Since PDF files are being used increasingly by even major organizations to convey and share technical information, many of which are possibly of a sensitive nature, it is very important for creators and users to understand how they can make these files secure to protect private or sensitive information. Fortunately, Adobe has already thought of these possibilities and has provided several techniques using which you can ensure the security of your files. For example, you could use digital signatures in documents or forms that need verification or approval, documents can be certified so that no subsequent changes can be made and of course, passwords can be added to the document making it impossible for a
Read more