There is an increasing number of tools designed to assist with this process. We apply the methodology to malicious Portable Document Format (PDF) documents and present an in-depth study of how current PDF evasions affect 41 state-of-the-art malware scanners. Getting Owned by Malicious PDF - Analysis (SANS Institute): this paper is from the SANS Institute Reading Room site. For these reasons, it is good to know how to analyze PDF files, but analysts first need a basic understanding of a PDF before they deem it malicious. To show the power of how MSF can be used in client-side exploits, we will use a story. The confirm-on-read permission should be used on files whose contents are considered confidential. PDF Stream Dumper is a free tool for analyzing suspicious PDF files, and is an excellent complement to the tools and approaches I outlined in the Analyzing Malicious Documents cheat sheet. For this introductory walkthrough, I will use a malicious PDF file that I.
The last line of the document must contain the %%EOF (end-of-file) marker. Analyzing suspicious PDF files with PDF Stream Dumper. While we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for. The next video shows how I use my pdf-parser to analyze a malicious PDF file and extract the shellcode. Although simple in theory, parsing followed by analysis of such files is resource-intensive and may even be impossible due to several obfuscation and reader-specific. Instead, it compares the file you upload against thousands of malicious PDF files in our repository.
Such popularity, however, has also attracted cybercriminals, who spread malware to unsuspecting users. If you let somebody else execute code on your computer, then it is. Infected PDF files continue to plague security personnel responsible for detecting and containing malicious email attachments. Conversely, Flash exploits dropped from 40% in 1Q09 to 18% in 4Q09. The PDF format is the de facto standard for exchanging documents online.
This feature may be used to hide a malicious PDF file within a normal PDF file, to fool many antivirus engines. This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF and Adobe Acrobat PDF files. Thanks to their flexible logical structure, an attack can be hidden in several ways and easily deceive protection mechanisms based on file. As we have already discussed, Metasploit has many uses, and another one we will discuss here is client-side exploits. We have created the PDF file with an EXE file embedded in it. A PDF file is essentially just a header, some objects in between, and then a trailer. In this article series, we will learn about the two primary document types through which malicious documents spread, i.
Distributing malware inside Adobe PDF documents. Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file. In order to maximize the suggested framework's contribution, it should be deployed in strategic nodes such as ISPs and the gateways of large organizations over the Internet. The modus operandi involved is luring people into opening malicious PDF files by using social engineering attacks. We will also see the structure of these documents, as that needs to be understood first in order to know which properties/artifacts malware authors use to embed their code. Creating and analyzing a malicious PDF file with PDF. When running the Malicious Software Removal Tool, during. Getting Owned by Malicious PDF - Analysis, by Mahmud Ab Rahman, August 30, 2010. In other words, a malicious PDF or MS Office document received via email or opened through a browser plugin. For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file. Using this feature we can begin to see shared code samples among malicious files, or trends due to malicious authors' coding styles.
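The embedding feature referred to above (a PDF that carries another PDF, an EXE, or the DOC that drops the EICAR test file) is the attachment mechanism: any file can be stored as an /EmbeddedFile stream that a /Filespec object names and points at. The following is an added example, not code from the page or from pdf-parser or PDF Stream Dumper. It builds a small carrier PDF in memory around a constructed payload, then walks the objects, locates the /EmbeddedFile stream, inflates it and identifies the extracted file by its magic bytes and SHA-256, so the attachment can be analyzed on its own rather than inside the PDF. The object numbers, the payload bytes and the MAGIC table are the example's own choices.

```python
"""Extract files hidden inside a PDF as attachments (/EmbeddedFile streams).

Added example, not code from the page or any tool it names. A PDF can carry
any file (an EXE, a DOC, another PDF) as an /EmbeddedFile stream referenced
from a /Filespec. build_sample_pdf() constructs such a carrier in memory and
extract_embedded() pulls the attachment back out, inflates it and identifies
it by magic bytes and SHA-256 so it can be analyzed on its own.
"""
import hashlib
import re
import zlib

# Constructed payload: starts with MZ so the magic check has something to find.
PAYLOAD = b"MZ constructed sample, pretend this is an attached executable\n"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole-doc"),
         (b"PK\x03\x04", "zip/ooxml"), (b"{\\rtf", "rtf")]


def guess_type(data: bytes) -> str:
    """Cheap file-type guess from leading magic bytes."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def extract_embedded(pdf: bytes) -> list:
    """Return one record per /EmbeddedFile stream: object, name, type, sha256, data."""
    objects = {f"{n.decode()} {g.decode()}": body for n, g, body in OBJ_RE.findall(pdf)}
    # A /Filespec names the attachment and points at its stream via /EF << /F N G R >>.
    names = {}
    for body in objects.values():
        if b"/Filespec" in body:
            fname = re.search(rb"/F\s*\(([^)]*)\)", body)
            ref = re.search(rb"/EF\s*<<\s*/F\s+(\d+\s+\d+)\s+R", body)
            if fname and ref:
                names[ref.group(1).decode()] = fname.group(1).decode(errors="replace")
    found = []
    for key, body in objects.items():
        # \b keeps the catalog's /EmbeddedFiles name tree from matching here.
        if not re.search(rb"/Type\s*/EmbeddedFile\b", body):
            continue
        sm = STREAM_RE.search(body)
        if not sm:
            continue
        raw = sm.group(1)
        if b"/FlateDecode" in body[:sm.start()]:
            raw = zlib.decompressobj().decompress(raw)  # tolerates a truncated stream
        found.append({"object": key, "name": names.get(key, "(unnamed)"),
                      "type": guess_type(raw),
                      "sha256": hashlib.sha256(raw).hexdigest(), "data": raw})
    return found


def build_sample_pdf() -> bytes:
    """Constructed carrier PDF. The xref table is left out on purpose: readers
    rebuild it, and the extractor above walks objects rather than trusting it."""
    data = zlib.compress(PAYLOAD)
    parts = [
        b"%PDF-1.4",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles"
        b" << /Names [(payload.txt) 4 0 R] >> >> >>\nendobj",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj",
        b"4 0 obj\n<< /Type /Filespec /F (payload.txt) /EF << /F 5 0 R >> >>\nendobj",
        b"5 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\nendobj",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF",
    ]
    return b"\n".join(parts) + b"\n"


if __name__ == "__main__":
    for rec in extract_embedded(build_sample_pdf()):
        print(rec["object"], rec["name"], rec["type"], rec["sha256"][:16], len(rec["data"]))
```

Run against a real sample, the record's "data" is what you hand to the next stage (a PE parser, an OLE tool, or this same script again if the attachment is itself a PDF). Filenames containing escaped parentheses and non-Flate filters are left out here; a production extractor needs the full PDF string and filter grammar.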
Analyzing a PDF file involves examining, decoding, and extracting the contents of suspicious PDF objects that may be used to exploit a vulnerability in Adobe Reader and execute a malicious payload. Recently, the Microsoft Malware Protection Center released a list of commonly infected PDF files that have been detected over the past few months. The ability to generate malicious PDF files to distribute malware is functionality that has been built into many exploit kits. Detection of malicious PDF files and directions for. This is a series of articles about file formats and related security issues. Figure 2 illustrates the framework and the process of detecting and acquiring new malicious PDF files while keeping the antivirus and the detection model up to date. This represented a shift, as previously CVE-2010-3333 was the most commonly used Word vulnerability. The trailer specifies the location of the xref table and of other objects.
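To make the header/objects/trailer description concrete (the %PDF- header, the "N G obj ... endobj" objects, the trailer that names the /Root object and the startxref offset, and the %%EOF marker on the last line), here is an added example written in the spirit of pdfid and pdf-parser; it is not the page's code nor either tool's. It constructs a small PDF in memory whose /OpenAction points at a JavaScript action with a hex-escaped name (/J#61vaScript) and whose script sits in a FlateDecode stream, two cheap ways of hiding keywords from a naive grep, then walks the structure, resolves the escapes, inflates the streams and reports which objects carry risky names. The RISKY list, the report layout and the sample's contents are the example's own choices; the report tolerates a missing header or %%EOF rather than failing on them.

```python
"""Structural triage of a PDF: header, objects, trailer, startxref, %%EOF.

Added example in the spirit of pdfid/pdf-parser, not code from the page.
build_sample_pdf() constructs a small PDF in memory with an /OpenAction
pointing at a JavaScript action whose name is hex-escaped (/J#61vaScript)
and whose script lives in a FlateDecode stream. triage() normalizes the
escapes, inflates the streams and reports which objects carry risky names.
"""
import re
import zlib

# Names worth a second look (counted per object, not per occurrence).
RISKY = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
         b"/EmbeddedFile", b"/RichMedia", b"/AcroForm")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in names: /J#61vaScript -> /JavaScript."""
    return NAME_ESC_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream; tolerates truncated data, b'' if not zlib."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""


def triage(pdf: bytes) -> dict:
    """Walk the file structure and count risky names per object."""
    report = {
        "header": pdf[:8] if pdf.startswith(b"%PDF-") else None,  # may be absent
        "has_eof": b"%%EOF" in pdf[-1024:],                       # last-line marker
        "startxref": None, "xref_ok": False, "root": None,
        "objects": {}, "keywords": {k.decode(): 0 for k in RISKY},
    }
    m = re.search(rb"startxref\s+(\d+)", pdf)
    if m:  # the trailer tells us where the xref table should begin
        off = int(m.group(1))
        report["startxref"] = off
        report["xref_ok"] = pdf[off:off + 4] == b"xref"
    t = re.search(rb"trailer\s*<<(.*?)>>", pdf, re.S)
    if t:
        r = re.search(rb"/Root\s+(\d+\s+\d+)\s+R", t.group(1))
        report["root"] = r.group(1).decode() if r else None
    for num, gen, body in OBJ_RE.findall(pdf):
        sm = STREAM_RE.search(body)
        dict_part = body[:sm.start()] if sm else body
        payload = b""
        if sm:  # object streams and JS live in here, so scan the decoded bytes too
            payload = inflate(sm.group(1)) if b"/FlateDecode" in dict_part else sm.group(1)
        text = normalize_names(dict_part + payload)
        hits = [k.decode() for k in RISKY if re.search(re.escape(k) + rb"\b", text)]
        key = f"{num.decode()} {gen.decode()}"
        report["objects"][key] = hits
        for h in hits:
            report["keywords"][h] += 1
    return report


def build_sample_pdf() -> bytes:
    """Constructed sample (harmless app.alert), with a correct xref table."""
    js = zlib.compress(b'app.alert("constructed sample, not a real payload");')
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /Action /S /J#61vaScript /JS 5 0 R >>",   # escaped name
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js)
        + js + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref_off = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_off))
    return bytes(out)


if __name__ == "__main__":
    rep = triage(build_sample_pdf())
    for obj, hits in rep["objects"].items():
        if hits:
            print(obj, "obj ->", ", ".join(hits))
    print("header", rep["header"], "xref_ok", rep["xref_ok"], "eof", rep["has_eof"])
```

The per-object view is what matters in practice: a /JavaScript hit on its own is common in benign forms, but a catalog with /OpenAction that resolves to an action object whose /JS stream is compressed and whose name is escaped is the shape of the samples the rest of this page describes. A broken startxref or a missing %%EOF is not proof of malice (readers rebuild the xref), only a reason to walk the objects directly instead of trusting the table.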
PDF files are so common today that it is hard to imagine or remember what life was like without them. Automatic Detection of Malicious PDF Files Using Dynamic Analysis. Ahmad Bazzi (1) and Yoshikuni Onozato (2); (1) Graduate School of Engineering, Gunma University, Japan; (2) Division of Electronics and Informatics, Faculty of Science and Technology, Gunma University, Japan. Abstract: Malicious non-executable files are being increasingly used to break into users' computers. The emails were sent with a link to a PDF file, or with the malicious PDF file attached directly, to trap the victim into opening the files. Am I right, or can you really get infected by a malicious PDF file? First, we will need a tool called PDF Stream Dumper, so download it. Many people don't pay enough attention to the fact that PDF files can contain viruses, and open them without scanning them.
The use of malicious PDF files that exploit vulnerabilities in well-known PDF readers has become a popular vector for targeted attacks, for which few efficient approaches exist. Figure 1 illustrates the basic file structure of a PDF file. Direct a web browser to a malicious website that contains code that installs a backdoor. So, for example, if the PDF reader you are using contains a buffer overflow vulnerability, then an attacker can construct a special PDF file to exploit that vulnerability. In this video, security researcher and expert on malicious PDF files Didier Stevens discusses how these files work and offers protection tips. Business proposals, product manuals, legal documents, and online game guides are just a sampling of the places we see the Portable Document Format. When the Malicious Software Removal Tool finishes, the message is "No malicious software was found".
Thanks to their flexible logical structure, an attack can be hidden in several ways and easily deceive protection mechanisms. Some PDF files don't have a header or trailer, but that is rare. The exploit is designed to trick the targeted application into executing the attacker's payload, which is usually concealed within the Office document as shellcode. The PDF file contains JavaScript that extracts and opens the DOC file with user approval. The last two years were not so good for Adobe Acrobat Reader users, especially those using versions prior to. Using my pdf-parser to analyze a malicious PDF file and to extract the shellcode. It depends on the vulnerabilities in the software that will be parsing it. Hack into computers using malicious PDF documents embedded with payloads. In the case of malicious PDF files, if a particular sample PDF file becomes widely spread (if enough people are pwned by it), then AV vendors will get a copy of the file and AV scanners will start detecting it. Malicious PDF files: I got a warning from a coworker about viruses in PDF files. Ensemble learning for detection of malicious content. Advanced detection tool for PDF threats (SpringerLink).
Cybercriminals use many different tactics to breach an organization's network defenses, and delivering infected PDF files, typically via email, remains a very common and dangerous threat. I always thought that you could only get a virus from a program file, and PDFs are just for viewing. If we put on our malicious hacker hats for a moment, let's consider the potential for harm. Automatic detection of malicious PDF files using dynamic. Additional text and analysis by Kyle Wilhoit. Throughout 2012, we saw a wide variety of APT campaigns leverage an exploit in Microsoft Word, CVE-2012-0158. Once we have all the options set the way we want, we run exploit to create our malicious file. Malicious documents: PDF analysis in 5 steps. Mass-mailing or targeted campaigns that use common files to host or exploit code have been, and still are, a very popular vector of attack. Let's start by creating our malicious PDF file for use in this client-side exploit. Another way to execute malicious code as part of an Office document involves exploiting vulnerabilities in a Microsoft Office application. Malicious documents: PDF analysis in 5 steps, Count Upon. Being able to analyze PDFs to understand the associated threats is an increasingly important skill for security. Malicious email attachments: protection from infected PDF.
Whether a file is malicious or not does not depend on the file extension (in this case, PDF). How malicious code can run in Microsoft Office documents. Keeping pace with the creation of new malicious PDF files. We see that our PDF file was created in a subdirectory. Let's see what's inside that malicious PDF, and let's try to extract the malicious payload; we're still with the calc. List of malicious PDF files you should not open (Make. This eliminates the possibility that a malicious program can read or alter a protected file without first getting permission from the user. PDF files have proved to be excellent malicious-code-bearing vectors. To launch pdf-parser, type pdf-parser followed by the name of the file to analyze. Malicious code is any code added, changed or removed from a software system in order to intentionally cause harm or subvert the intended function of the system. A lot of attacks were observed trying to abuse the bug by hosting malicious PDF files on the Internet. The emails were modified by the attacker to inject the exploit and shellcode using JavaScript code.
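Extracting the payload mentioned above, the shellcode that the attacker injects through JavaScript, usually comes down to decoding unescape("%u...") strings. The following is an added example, not code from the page or from pdf-parser. SAMPLE_JS is a constructed script that imitates the split-string style of real droppers, and the bytes it decodes to are filler, not a working payload. The example decodes each literal the way unescape() lays it out in memory (one 16-bit code unit per escape, low byte first, which is why %u4241 yields "AB"), tells a NOP or heap-spray sled apart from code-looking data, and stitches the code pieces together in source order so the result can go to a disassembler or an emulator such as libemu's sctest. The classification thresholds and the stitching heuristic are the example's own choices.

```python
"""Pull %u-encoded shellcode out of the JavaScript found in a malicious PDF.

Added example, not code from the page. decode_escapes() turns one literal
into the bytes it occupies in memory: each %uXXXX (and each %XX) is one
UTF-16 code unit stored low byte first. classify() separates sleds from
code-looking data and stitch() joins the code pieces in source order.
SAMPLE_JS is constructed; its bytes are filler, not a working payload.
"""
import re

# Constructed sample modelled on the obfuscation style of real droppers:
# the %u string is split across variables and glued back together.
SAMPLE_JS = rb'''
var a = "%u9090%u9090%u9090%u9090";
var b = "%u4241%u4443" + "%45%46";
var sc = unescape(a + b);
var sled = unescape("%u0c0c%u0c0c");
while (sled.length < 0x1000) sled += sled;
'''

ESC_RE = re.compile(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# Double- or single-quoted JS string literal, allowing backslash escapes inside.
STR_RE = re.compile(rb"""\"((?:[^"\\]|\\.)*)\"|'((?:[^'\\]|\\.)*)'""")


def decode_escapes(literal: bytes) -> bytes:
    """Decode a literal the way unescape() lays it out: one 16-bit code unit
    per escape (or per plain character), little-endian."""
    units, pos = [], 0
    for m in ESC_RE.finditer(literal):
        units.extend(literal[pos:m.start()])          # plain chars in between
        units.append(int(m.group(1) or m.group(2), 16))
        pos = m.end()
    units.extend(literal[pos:])
    # surrogatepass: lone %uD800-style units are still written out verbatim
    return "".join(map(chr, units)).encode("utf-16-le", "surrogatepass")


def classify(data: bytes) -> str:
    """A sled is one byte or one 16-bit word repeated for the whole buffer."""
    if len(data) >= 4 and data.count(data[:1]) == len(data):
        return "sled:%02x" % data[0]
    if len(data) >= 4 and data[:2] == data[2:4] and data.count(data[:2]) * 2 == len(data):
        return "sled:%02x%02x" % (data[0], data[1])
    return "code"


def extract_shellcode(js: bytes) -> list:
    """Every string literal carrying %-escapes, decoded and classified, in source order."""
    out = []
    for m in STR_RE.finditer(js):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if ESC_RE.search(lit):
            data = decode_escapes(lit)
            out.append({"literal": lit, "bytes": data, "kind": classify(data)})
    return out


def stitch(js: bytes, include_sleds: bool = False) -> bytes:
    """Concatenate decoded pieces in source order (a heuristic for a + b + ...)."""
    return b"".join(p["bytes"] for p in extract_shellcode(js)
                    if include_sleds or p["kind"] == "code")


if __name__ == "__main__":
    for piece in extract_shellcode(SAMPLE_JS):
        print(piece["kind"].ljust(10), piece["bytes"].hex())
    print("stitched:", stitch(SAMPLE_JS).hex())
```

Two practical notes: the %XX form produces a 16-bit unit too (the "E" above lands in memory as 45 00), which is why real payloads use %u pairs, and string-order stitching is only a heuristic. When the script builds its buffer through arithmetic, String.fromCharCode, or array joins, run the JavaScript in an instrumented interpreter and hook unescape instead of decoding the source statically.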