Thursday, September 8, 2011

Malicious PDF: Portable Document File Compression/Encoding/Obfuscation

Malicious PDFs have increased manifold; they are used to infect computers with malware or to execute code when the file is opened. We will look at the various ways JavaScript embedded within a PDF can be compressed or encoded to evade detection by IDS/IPS and anti-virus. Many PDF parsers crash while analysing such malicious or malformed files, but Adobe Reader, which is far more lenient than the specification, opens them successfully, and that is what leads to infection.

Below is the malicious PDF file viewed in a text editor.



PDF parsers may have trouble with the following abnormalities, all of which Adobe Reader tolerates:
1. The file does not strictly follow the Portable Document Format specification.
2. The version in the %PDF- header is malformed (a NULL byte, an incomplete number, etc.), as in the screenshot above.
3. The endobj or endstream keyword is missing (at least one of them should terminate every object, but readers do not insist on it).
4. There is no xref table.
5. Names are written with #xx hex escapes (/JavaScript becomes /J#61vaScript).
6. There is no %%EOF marker.
7. There are multiple %%EOF markers or trailers, indicating incremental updates.
8. A PDF is embedded inside another PDF, so the same object numbers appear twice in one file.
9. Other types of evasion and encoding can be found at
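
The abnormalities above are exactly what a scanner has to survive, so here is a tolerant scan written for this post (it is an added example, not code from the original post or from any PDF tool). It does not trust the header, the xref table or endobj: objects are located by their "N G obj" start, each body runs until the next object start, name tokens are un-escaped before comparison, and duplicate object numbers and %%EOF counts are reported. The SAMPLE bytes are constructed for the demonstration and the SUSPICIOUS name list is my own choice, not something the post prescribes.

```python
import re

# Names worth flagging once any #xx escapes have been undone (my own list).
SUSPICIOUS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

# A name token runs from '/' until whitespace or a delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# "N G obj" starts an indirect object; endobj is deliberately not relied on.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")

# Constructed sample, not a real malware file: malformed version byte, no xref,
# a /J#61vaScript name, an object without endobj, and two incremental updates
# that both use object number 3.
SAMPLE = (
    b"%PDF-1.\x00\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\n"
    b"3 0 obj\n<< /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"3 0 obj\n<< /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def decode_name(token: bytes) -> str:
    """Undo #xx escapes (allowed since PDF 1.2): /J#61vaScript -> /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), token)
    return unescaped.decode("latin-1")


def scan(pdf: bytes) -> dict:
    """Report the abnormalities listed above without trusting header, xref or endobj."""
    report = {
        # Readers are lenient about where the header sits, so look in the first 1 KiB.
        "header_ok": re.search(rb"%PDF-\d\.\d", pdf[:1024]) is not None,
        # Classic xref table or a cross-reference stream (/Type /XRef).
        "has_xref": re.search(rb"(?m)^xref\b", pdf) is not None or b"/XRef" in pdf,
        "eof_count": pdf.count(b"%%EOF"),
        "trailer_count": pdf.count(b"trailer"),
    }
    matches = list(OBJ_RE.finditer(pdf))
    numbers = [int(m.group(1)) for m in matches]
    report["object_count"] = len(matches)
    report["missing_endobj"] = len(matches) - pdf.count(b"endobj")
    report["duplicate_objects"] = sorted({n for n in numbers if numbers.count(n) > 1})

    hits = []
    for i, m in enumerate(matches):
        # An object's body runs to the next "N G obj" (or end of file), so a
        # missing endobj cannot hide anything from the scan.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(pdf)
        for token in NAME_RE.findall(pdf[m.end():end]):
            decoded = decode_name(token)
            if decoded in SUSPICIOUS:
                hits.append((int(m.group(1)), token.decode("latin-1"), decoded))
    report["suspicious"] = hits
    # A raw spelling that differs from the decoded form was obfuscated on purpose.
    report["obfuscated_names"] = [h for h in hits if h[1] != h[2]]
    return report


if __name__ == "__main__":
    for key, value in scan(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this flags /OpenAction in object 1, the escaped /JavaScript and /JS in object 2, one object without endobj, object number 3 appearing twice and two %%EOF markers. Names hidden inside compressed streams (object streams, or a /JS string inside a FlateDecode stream) are not visible to a raw scan like this; those streams have to be decoded first, which is what the filter section below is about.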

The encoding/compression filters a stream can name in its /Filter entry are:
/FlateDecode
/LZWDecode
/ASCIIHexDecode
/ASCII85Decode
/RunLengthDecode
/CCITTFaxDecode
/JBIG2Decode
/DCTDecode
/JPXDecode
Together with /Crypt, these are all the standard filters defined in the PDF 1.7 specification (ISO 32000-1, section 7.4); the last four are image codecs, the first five are the ones used to hide JavaScript. Filters can be chained: /Filter [/ASCIIHexDecode /FlateDecode] means the reader applies ASCIIHexDecode first and FlateDecode to its output, so an analysis tool has to apply them in the same order.
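
To show what "decode the filter chain" means in practice, here is a decoder for the five non-image filters, written for this post as an added example (not code from the original post or from any PDF library). FlateDecode uses zlib's incremental decompressor so a truncated or corrupted tail, common in malicious samples, still yields the bytes before it; LZWDecode is implemented by hand because the standard library has no PDF-flavoured LZW. /DecodeParms predictors and the image codecs are not handled; an image codec stops the chain and is reported. The PAYLOAD string and build_sample() are constructed for the demonstration.

```python
import base64
import binascii
import zlib


def ascii_hex_decode(data: bytes) -> bytes:
    """Whitespace is ignored, '>' is EOD, and an odd final digit is padded with 0."""
    body = b"".join(data.split(b">", 1)[0].split())
    if len(body) % 2:
        body += b"0"
    return binascii.unhexlify(body)


def ascii85_decode(data: bytes) -> bytes:
    """'~>' is EOD; PDF streams usually omit the '<~' prefix, so accept both forms."""
    body = b"".join(data.split())
    if body.startswith(b"<~"):
        body = body[2:]
    return base64.a85decode(body.split(b"~>", 1)[0])


def run_length_decode(data: bytes) -> bytes:
    """Length byte L: 0-127 copies the next L+1 bytes, 129-255 repeats the next byte 257-L times, 128 is EOD."""
    out, i = bytearray(), 0
    while i < len(data):
        length = data[i]
        i += 1
        if length == 128:
            break
        if length < 128:
            out += data[i:i + length + 1]
            i += length + 1
        else:
            out += data[i:i + 1] * (257 - length)
            i += 1
    return bytes(out)


def lzw_decode(data: bytes, early_change: int = 1) -> bytes:
    """PDF LZW: MSB-first codes starting at 9 bits, 256 = clear table, 257 = EOD, EarlyChange defaults to 1."""
    def fresh_table():
        return [bytes([i]) for i in range(256)] + [b"", b""]
    table, prev, width = fresh_table(), None, 9
    out, bitbuf, nbits, pos = bytearray(), 0, 0, 0
    while True:
        while nbits < width and pos < len(data):
            bitbuf, nbits, pos = (bitbuf << 8) | data[pos], nbits + 8, pos + 1
        if nbits < width:
            break                                   # input ended without an EOD code
        code = (bitbuf >> (nbits - width)) & ((1 << width) - 1)
        nbits -= width
        bitbuf &= (1 << nbits) - 1
        if code == 256:
            table, prev, width = fresh_table(), None, 9
            continue
        if code == 257:
            break
        if code < len(table):
            entry = table[code]
        elif code == len(table) and prev is not None:
            entry = prev + prev[:1]                 # the code-not-yet-in-table case
        else:
            raise ValueError(f"bad LZW code {code}")
        out += entry
        if prev is not None:
            table.append(prev + entry[:1])
        prev = entry
        if len(table) + early_change >= (1 << width) and width < 12:
            width += 1                              # code width grows 9 -> 10 -> 11 -> 12
    return bytes(out)


def flate_decode(data: bytes) -> bytes:
    """decompressobj returns whatever inflated before a corrupt or truncated tail instead of raising."""
    return zlib.decompressobj().decompress(data)


FILTERS = {
    "/FlateDecode": flate_decode,
    "/LZWDecode": lzw_decode,
    "/ASCIIHexDecode": ascii_hex_decode,
    "/ASCII85Decode": ascii85_decode,
    "/RunLengthDecode": run_length_decode,
}


def decode_stream(data: bytes, filters):
    """Apply the /Filter names in order; stop at an image codec and report it as skipped."""
    skipped = []
    for name in filters:
        if name not in FILTERS:
            skipped.append(name)    # /DCTDecode, /JPXDecode, /CCITTFaxDecode, /JBIG2Decode
            break
        data = FILTERS[name](data)
    return data, skipped


# Constructed payload; in real analysis this is the JavaScript pulled out of a sample.
PAYLOAD = b"app.alert('constructed sample payload');"


def build_sample() -> bytes:
    """Encode in the reverse order of /Filter [/ASCIIHexDecode /FlateDecode]: deflate first, then hex."""
    return binascii.hexlify(zlib.compress(PAYLOAD)) + b">"


if __name__ == "__main__":
    print(decode_stream(build_sample(), ["/ASCIIHexDecode", "/FlateDecode"]))
```

The LZW decoder can be checked against the worked example in the specification (section 7.4.4.2): the nine bytes 80 0B 60 50 22 0C 0C 85 01 decode to 45 45 45 45 45 65 45 45 45 66. The one thing to remember when stepping through a stream by hand is that the encoder applied the filters in the opposite order from the one listed in /Filter.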

The snapshot below shows a highly obfuscated PDF file.



Good articles related to PDFs can be found at

For a quick analysis of a PDF file you can upload it to
http://wepawet.cs.ucsb.edu/

Live malicious PDF files can be found at
http://filex.jeek.org/archive_PDF.zip
Please do not open the files in the archive with any PDF reader.

The following articles might be of interest:
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

Comments are most welcome :) !!!