Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

PDF + maldoc1 = maldoc2

Published: 2015-08-26
Last Updated: 2015-08-27 09:02:52 UTC
by Didier Stevens (Version: 1)
2 comment(s)

I received another example of a PDF file that contains a malicious MS Office document. Sample (MD5 0c044fd59cc6ccc28a48937bc69cc0c4).

This time I want to focus on the analysis of such a sample.

First we run pdfid to identify the sample.

It contains JavaScript and an embedded file. Let's take a look at the JavaScript first with pdf-parser.

Remark that the JavaScript is not obfuscated this time. It's simple, just two lines: these 2 statements export the embedded file to a temporary folder, and then launch it (provided the user clicks OK on the warnings).

So let's take a look at the embedded file with pdf-parser. We use option -H to get more info on the streams (the embedded file), like the hashes.

The embedded file is most likely a ZIP file (magic number PK). Looking at object 9, we see that the name is 2.docm.

The .docm file format indicates that it is a MS Office Word document with VBA macros. We can extract it and analyze it with oledump. Here we do this with a pipe, e.g. without writing the .docm file to disk. We dump the embedded file to stdout (-d -) and pipe it into oledump which analyses it with the vba plugin.


Didier Stevens
Microsoft MVP Consumer Security

Keywords: maldoc pdf
2 comment(s)
Diary Archives