1. Adobe, who gave us the ever-convenient PDF (the "Portable Document Format") in the early 1990s, can hardly have anticipated that the simple act of opening one would become a security threat. Yet it has. This post gives a small insight into how things really work behind the scenes when a malicious PDF is executed.
2. So first of all, how does a PDF become a malicious document? The usual answer is embedded JavaScript: it is never displayed, but it runs as soon as the PDF is opened. The script is typically obfuscated, so signature-based antivirus frequently fails to recognise what lies behind a PDF that looks just like the ones you and I use daily; if you scan a malicious PDF with your antivirus, it is quite likely to report nothing. How, then, do we know whether a PDF is malicious or not? That is what this post shows. I came across a tool known as PDFiD in the BackTrack R3 that I was running in VirtualBox.
3. A few lines about the tool. It was developed by Didier Stevens, who blogs at http://blog.didierstevens.com/. It helps us differentiate between PDF documents that could be malicious and those that are unlikely to be. The tool is based on the fact that a typical PDF file comprises a header, objects, a cross-reference table (to locate objects) and a trailer, and that scripts and actions are declared inside those objects with fixed keyword names. PDFiD does not render or execute anything; it simply scans the raw file and counts how often each such keyword occurs. So if a PDF has no business embedding or holding JavaScript, yet /JavaScript turns up in it, an eyebrow raise is certain as to why it should be there. The keywords to look for, each with a one-line explanation, are given below:
“/OpenAction” and “/AA” (Additional Action) specify a script or action to run automatically, for example when the document is opened or when a page or form event fires.
“/Names”, “/AcroForm”, “/Action” can also specify and launch scripts or actions.
“/JavaScript” specifies JavaScript to run; the script text itself sits in a “/JS” entry.
“/GoTo*” changes the view to a specified destination within the PDF or in another PDF file.
“/Launch” launches a program or opens a document.
“/URI” accesses a resource by its URL.
“/SubmitForm” sends form data to a URL and “/GoToR” opens a destination in a remote (external) PDF, so both can make the reader reach out to the network.
“/RichMedia” can be used to embed Flash in a PDF.
“/EmbeddedFile” embeds an arbitrary file inside the PDF, which a “/Launch” action can then open.
“/ObjStm” can hide objects inside an Object Stream; such streams are normally compressed, so the keywords above may not be visible to a plain scan of the file bytes, and a high /ObjStm count with no other hits deserves a closer look rather than a clean bill of health.
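As an added example (not part of the original post, and not Didier Stevens' pdfid.py itself), the following Python script performs the same kind of keyword count over three constructed PDFs: a plain one-page file, a copy whose catalog carries an /OpenAction pointing at a /JavaScript action, and a copy of that one in which the names are written with PDF #xx hex escapes (/J#61vaScript) so that a naive grep for /JavaScript finds nothing. The keyword list and the decoding of hex-escaped names mirror what pdfid.py reports; the sample files, the function names (pdfid_counts, triage, decode_name) and the verdict strings are this example's own assumptions.

```python
"""PDFiD-style keyword triage of a PDF (added example, not Didier Stevens' pdfid.py)."""
import re
import sys
from collections import Counter

# Structural words and names that pdfid.py counts. The SUSPICIOUS subset is the
# one the post lists as able to run scripts, launch programs or embed payloads.
WORD_KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref"]
NAME_KEYWORDS = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
                 "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia",
                 "/Launch", "/EmbeddedFile", "/XFA"]
SUSPICIOUS = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
              "/JBIG2Decode", "/RichMedia", "/EmbeddedFile", "/XFA"}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
WORD_RE = re.compile(rb"\b(" + b"|".join(w.encode() for w in WORD_KEYWORDS) + rb")\b")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is counted as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def pdfid_counts(data: bytes) -> dict:
    """Count every keyword in the raw file bytes, in the style of a pdfid.py report."""
    counts = Counter({k: 0 for k in WORD_KEYWORDS + NAME_KEYWORDS})
    for m in WORD_RE.finditer(data):
        counts[m.group(1).decode()] += 1
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(0))
        if name in counts:          # exact match: /Pages is not /Page
            counts[name] += 1
    return dict(counts)


def triage(data: bytes) -> dict:
    """Return the counts, the suspicious non-zero keywords and a verdict string (assumed wording)."""
    counts = pdfid_counts(data)
    hits = {k: v for k, v in counts.items() if k in SUSPICIOUS and v > 0}
    if hits:
        verdict = "suspicious"
    elif counts["/ObjStm"] > 0:
        # Names inside a compressed object stream are invisible to a byte scan,
        # so zero hits next to /ObjStm means 'unknown', not 'clean'.
        verdict = "inconclusive: object streams may hide keywords"
    else:
        verdict = "no suspicious keywords"
    return {"counts": counts, "hits": hits, "verdict": verdict}


# Constructed sample files (not real malware): a one-page PDF whose catalog
# runs a JavaScript action on open, a plain copy of it, and an obfuscated copy.
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /JavaScript /JS (app.alert('constructed sample')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = MALICIOUS_PDF.replace(b" /OpenAction 4 0 R", b"").replace(
    b"4 0 obj\n<< /Type /Action /S /JavaScript /JS (app.alert('constructed sample')) >>\nendobj\n", b"")
# Same actions, but the names use #xx hex escapes so a plain grep misses them.
OBFUSCATED_PDF = (MALICIOUS_PDF.replace(b"/OpenAction", b"/Open#41ction")
                  .replace(b"/JavaScript", b"/J#61vaScript")
                  .replace(b"/JS", b"/#4AS"))

if __name__ == "__main__":
    targets = {"malicious": MALICIOUS_PDF, "benign": BENIGN_PDF, "obfuscated": OBFUSCATED_PDF}
    if len(sys.argv) > 1:                       # optionally scan a real file given on the command line
        with open(sys.argv[1], "rb") as f:
            targets[sys.argv[1]] = f.read()
    for label, blob in targets.items():
        r = triage(blob)
        print(f"{label:>10}: {r['verdict']}  hits={r['hits']}")
```

Run it with no arguments to see the three constructed samples triaged, or pass a path to scan a real file. Like PDFiD itself this is triage, not a verdict: a file can pass with zero hits because its objects live in compressed object streams or the file is encrypted, and a /JavaScript hit only tells you where to start looking, not what the script does.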
4. So now I have set up a VirtualBox machine running BackTrack R3 to run this tool and find out whether the PDF I analysed is malicious or not. These are the screenshots showing, step by step, how you do it:
[Four screenshots of the PDFiD run, one per step]
5. The last screenshot shows the final result. For those of you who find this a little complicated, I will upload a video cast of this soon.