Reading this awesome article in corelan blog, where they discuss the analysis of the infamous zeus botnet, i realised that being able to analyze the pdf format in order to isolate the malicious code is an important skill for a security professional nowadays. How do attackers turn a pdf into a malicious attack vector. Microsoft security researchers analyze suspicious files to determine if they are threats, unwanted applications, or normal files. Sans digital forensics and incident response blog how to. Pdf portable document format is a widely used file format, and often utilized as a vehicle for malicious behavior. Take the following steps to download the malware sample file, verify that the file is forwarded for wildfire analysis, and view the analysis results. One of the goals of the cincan project is to provide tools that automate the repetitive tasks of malware analysis using practices familiar from continuous integration to enable rapid creation, augmentation, correlation and sharing of analysis and threat intelligence. Hackers distributing malicious pdf with rakhni ransomware. Analysing malicious pdf documents using dockerized tools. Pdf files can contain other embedded and encrypted pdf files. These word documents contain malicious visual basic for applications vba code, called macros. Whether a file is malicious or not, does not depend on the file extension in this case pdf. Leveraging falcon sandbox to detect and analyze malicious.
Contagio is a collection of the latest malware samples, threats, observations, and analyses. Wepawet by ucsb computer security lab is an automated tool for identifying malicious clientside components in the form of pdf, flash and javascript. Pdf malicious pdf files recently considered one of the most. Zac, it uses the pdf launch feature to call on the embedded script batscript. A collection of malware samples caught by several honeypots i manage. After this, we can use spidermonkey to deobfuscate the script located in the sample.
Pdf is one of the most prevalent method for remote exploitation as victims can be easily sent targeted socially engineered emails with pdf attachments, or links to pdf files on websites, or driveby exploitation via adding malicious pdfs to websites. Finaldeobfuscation and detection of malicious pdf files. The presence or absence of these keywords will help you to decide if a pdf file is potentially malicious and requires further analysis, or if it is benign and requires no analysis. Today, i will show you how to analyze and troubelshoot a corrupted or malicious pdf document. Detect variants of cve20075659, cve20093953, cve20093959, cve20090927, cve20082992, cve20094324, cve2009.
Reader after opening the malicious pdf file, a shellcode will be executed to install a. Before proceeding further, it is highly recommended that you to read this article pdf overview peering into the internals of pdf reference 1 for better understanding. Initial analysis you cant trust anybody these days, people use to say. Some of these have been analyzed and are discussed in this paper. Malicious documents pdf analysis in 5 steps mass mailing or targeted campaigns that use common files to host or exploit code have been and are a very popular vector of attack. In this exercise i will be using sample pdf file for illustration purposes which you can download from here reference 2. The malware dropped by these malicious pdfs is not associated with miniduke, but it is associated with ongoing apt campaigns. We build the adversarial samples by injecting the malware. Mycert of cybersecurity malaysia has collected samples of malicious pdf files. I have analyzed a large pdf using didier stevens pdfid tool.
We use cookies and similar technologies to recognize your repeat visits and preferences, to measure the effectiveness of campaigns, and improve our websites. Analyzing pdf and office documents delivered via malspam. The ubiquitousness of pdf over the internet has rendered pdf as a major vector for malware distribution. A pdf file is essentially just a header, some objects inbetween, and then a trailer. Files are not password protected inside the archive but there is added to their extensions. I found something strange in the pdf file than the other malicious pdf files. Lets start by creating our malicious pdf file for use in this client side exploit. Analysing malicious pdf documents using dockerized tools heli sutinen 01.
The example i uploaded used flash, rather than pdf, so jsunpack didnt locate malicious artifacts in this case. It depends on the vulnerabilities in the software which will be parsing it. Below we can see that the pdfextract tool has extracted 2 pdf streams, 2 scripts from the sample pdf file and dump it to mentioned locations. List of malicious pdf files you should not open make. Malicious documents pdf analysis in 5 steps count upon.
Pdf current threats the chart below contains an overview of the most common pdf exploit threats. The list includes pdf examiner, jsunpack, wepawet and gallus. Adobe reader comes with support for javscript embedded in pdf file. When the file is subsequently loaded, it executes the embedded and malicious pdf. A pattern recognition system for malicious pdf files. A newly discovered malicious pdf sample distributing rakhni ransomware family and hackers now added new cryptomining capabilities to infect victims to perform both operations based on the targeted system power. This enables attackers to hide malicious pdf files inside other pdf files, fooling segs and antivirus scanners by preventing them from evaluating the encrypted pdf. The downloaded file contains the script and a malicious pdf sample with a shellcode that tries to download and execute some malicious code. Pdf malicious pdf files detection using structural and javascript. Removing malware from a malicious pdf file information. Even if you were somehow able to know exactly what that pdf files malicious content is capable of, theres no way to ensure it hasnt been tampered with to masquerade. Pdf with embedded doc dropping eicar didier stevens. Malicious pdf file samples are collected from the contagiodump 9.
Premium security complete protection against all internet threats. Hackers can simply add malicious javascript code to the pdf file to. This time we will extract everything in the sample pdf and not just javascript like below. Analyzing a pdf file involves examining, decoding, and extracting the contents of suspicious pdf objects that may be used to exploit a vulnerability in adobe reader and execute a malicious payload. Once we have all the options set the way we want, we run exploit to create our malicious file. Automate malware pdf analysis and step through the objects of a malicious pdf. Fully automated falcon sandbox analysis of a malicious pdf containing zeroday exploits. There is an increasing number of tools that are designed to assist with this process. Dissect pdf streams to discover new and known exploits. The eicar standard antivirus test file or eicar test file is a computer file that was developed by the european institute for computer antivirus research eicar and computer antivirus research organization caro, to. We see that our pdf file was created in a subdirectory.
Over at the sans isc diary i wrote a diary entry on the analysis of a pdf file that contains a malicious doc file. Getting owned by malicious pdf analysis sans institute. These online tools automate the scanning of pdf files to identify malicious components. It can also examine pdf files for malicious javascript artifacts. For testing purposes, i created a pdf file that contains a doc file that drops the eicar test file. In other words, a malicious pdf or ms office document received via email or opened trough a browser plugin. For better learning it is advised you to try dissecting sample pdf file using the. Submit a file for malware analysis microsoft security. The emails were sent with a link to a pdf file or by attaching the malicious pdf file directly to trap victim to open the files. So for example, pdf reader that you are using potentially contains a buffer overflow vulnerability, then an attacker can construct a special pdf file to exploit that vulnerability. Support for basic pdf javascript obfuscation, encrypted pdfs rsa, aesv2, revision 5 aesv3.
Pdf examiner by malware tracker is able to scan the uploaded pdf for sveral known expoits, allows the user to explore the structure of the file, as well as examine, decode and dump. Free malware sample sources for researchers malware researchers frequently seek malware samples to analyze threat techniques and develop defenses. Malicious pdf files are frequently used as part of targeted and. This signature detects attempts to download malicious pdf files which can perform various harmful activities on users systems. By default, those macros will not execute when opened with microsoft office 20 and older, unless a user clicks the enable content button. The first category of malicious documents are malicious macro documents. As previously mentioned, in march 2018 researchers discovered a pdf sample that contains two zeroday exploits targeting acrobat reader and acrobat, and older windows versions, respectively cve20184990 and cve20188120. Creating and analyzing a malicious pdf file with pdf. Stevens, a belgian security researcher, has published a paper on the analysis of malicious pdf files. The pdf file contains javascript that extracts and opens the doc file with user approval. For these reasons, its good to know how to analyze pdf files, but analysts first need a basic understanding of a pdf before they deem it malicious. Eset researchers identified a malicious pdf sample that revealed that the sample exploited two unknown vulnerabilities, a remotecode execution vulnerability in adobe reader and a. Here is a collection of malicious pdf, doc, xls, ppt, pps files that can be used for testing your product signatures, en masse analysis or as a malware aquarium starter kit.
The worm component also carries the rootkit file bp. Examine the document for anomalies, such as risky tags, scripts, or other anomalous aspects. Malicious email attachments protection from infected pdf. The file was sent to its targets as an attachment to an email message that looked like this. Free antivirus basic protection for all your devices free security basic protection for all your devices free antivirus basic protection for all your devices free antivirus basic protection for all your devices. Upload a sample or specify a url and the resource will be analyzed and a. Code issues 0 pull requests 0 actions projects 0 security insights. Analysis of malicious documents part 5 infosec resources. For more information, read the submission guidelines. Some pdf files dont have a header or trailer, but that is rare.
In this blogpost i examine some malicious office and pdf documents and i will give you some information about their analysis process and detection of malicious. Contact me via email see my profile for the passwords or the password scheme. In addition to downloading samples from known malicious urls, researchers can obtain malware samples from the following free sources. The file was using a different kind of technique and i was not aware about it.
The pdfparser tool allows you to immediately decode the content of the object with filter and store it to a file with d for further analysis. Submit files you think are malware or files that you believe have been incorrectly classified as malware. We have created the pdf file with an exe file embedded with it. This is a very common method used by hackers to install malicious software on your system and gain access to it. For our sample, well use the malicious pdf file the obama administration and the middle east. Now that i know there is malicious content in the pdf, what can i do to remove it. Pdf files are great for users, and crafted pdfs are great for cybercriminals. You touched on it in the middle of your question, using a vm or isolated machine is obviously a far safer way of opening that pdf.
Distributing malware inside adobe pdf documents the. A collection of malware samples and relevant dissection information, most probably referenced from. An example of a targeted attack is instead of just crashing adobe acrobat. But after some googling i found that the same technique was exposed in 2010 so it was not a new technique. Yesterday, i downloaded a malicious pdf file for my regular analysis. Rakhni ransomware family active since 20 and malware authors now added some now future with mining capabilities. In this video, security researcher and expert on malicious pdf files didier stevens discusses how these files work and offers protection tips. Do you know that a simple task such as opening pdf files can infect your computer with malware. To launch the pdf parser type pdfparser email protected. Malicious pdfs revealing the techniques behind the attacks. Palo alto networks provides sample malware files that you can use to test a wildfire configuration. Security researchers at sophos urge users not to give in to ransom demand.
470 319 1539 1509 1621 911 196 1634 764 1117 526 237 350 1261 1254 88 63 1136 592 487 656 542 737 559 56 393 657 1100 344 955 770 1014 212 200 1004 122 1 546 1368 440 351 1040