Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Analyzing malicious PDF documents - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Analyzing malicious PDF documents

As we announced in a recent ISC diary, Adobe is changing its patching model and strategy, but it seems still JavaScript will be enabled by default in Adobe Acrobat and Reader. As a consequence, I foreshadow more PDF vulnerabilities, exploits and attacks in the near future (let's hope I'm wrong).

On the one hand, I've been actively using PDF exploits in recent penetration tests, emulating the real-world attacks we have seen in the wild and described in several ISC diaries during the last 2-3 years (you can get most of them using the following search in Google: "pdf"). Both, the open-source Metasploit Framework, and commercial pen-testing tools, like Core Impact, include these capabilties.

On the other hand, we need to be able to disect these malicious files when we are the target . The Hakin9 magazine has made available this week (for free) a great introductory article on the internal formatting of PDF files and how to analyze malicious PDF documents, those exploiting a vulnerability in the embedded JavaScript interpreter (very common), by Didier Stevens (a well known PDF expert we've mentioned regarding previous PDF vulnerabilities):

"Anatomy of Malicious PDF Documents". Didier Stevens. Hakin9 magazine.

In order to get a copy of the article, in PDF format (What a coincidence! Is it malicious or not?  ), you just need to provide an e-mail address. Do not forget to download the RTF document with the code listing (link on the right hand side).

This article is a must read and great starting point for incident handlers interested on increasing their skills to analyze malicious PDF documents. If you want to start practicing today, before being a target, generate a malicious PDF document in Metasploit and analyze it. For more advanced inspection, I encourage you to use some specific PDF analysis tools.

Raul Siles

Raul Siles

152 Posts
May 24th 2009
The website seems to be down at the moment.

But on the subject of analyzing pdf files I just use a simple php script to gzuncompress( the contents of the stream, since that is all Flat Encoding in pdf's is.

7 Posts
It seems the site is up again. Thanks.
Raul Siles

152 Posts

Sign Up for Free or Log In to start participating in the conversation!