Analyze malicious PDF files

This starts a series of posts leading up to my PDF talk at the next Belgian ISSA and OWASP chapter event. It is important to have the right tools to analyze suspect documents. Automated sandboxes such as Joe Sandbox perform deep malware analysis and generate comprehensive, detailed analysis reports. This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF and Adobe Acrobat PDF files. Whether a file can do harm depends on the vulnerabilities in the software that will parse it. We start with a very simple proof-of-concept malicious PDF file (you could even analyze this PoC file with Notepad or vi) to lay out the fundamentals, and then work through more complex examples.

Currently, the main malware infection vehicle remains the classic malicious document attached to an email. (Trustwave SpiderLabs: Analyzing PDF malware, part 1.) Another approach examines PDF files by looking at their characteristics, in order to add some intelligence to the determination of whether they are malicious or benign. Malicious PDF files are frequently used as part of targeted and mass-scale computer attacks. For my tenth blog post, I'm going to analyze some malicious Office documents. The discovery by security researchers in March 2018 of a PDF sample containing exploits for two zero-day vulnerabilities confirmed that exploiting PDF readers is still considered a viable attack vector by, presumably, more advanced threat actors. (Sandsprite: software reverse engineering services and tools. Malicious documents: PDF analysis in 5 steps.) As previously mentioned, the sample discovered in March 2018 contained two zero-day exploits: CVE-2018-4990, a memory corruption bug in Acrobat Reader and Acrobat that gives code execution inside the reader, and CVE-2018-8120, a Windows kernel privilege escalation affecting older Windows versions that is used to break out of the reader's sandbox. Two bugs are needed because a reader exploit alone stays confined to the sandbox.

peepdf is a tool to analyze PDF files: it shows objects and streams, encodes and decodes streams, modifies all of them, obtains the different versions of a document, shows and modifies metadata, and executes JavaScript and shellcode. Analyze and track recent activity on the system; identify all recent activity in context. Creating new PDF documents is very easy, and the volume of PDF documents identified as malicious has grown beyond the capability of security researchers to analyze them by hand. The danger is in the parser: if, for example, the PDF reader you are using contains a buffer overflow vulnerability, an attacker can construct a special PDF file that exploits it.

A PDF file is essentially just a header, a series of objects, a cross-reference table recording where each object starts, and a trailer. Readers are forgiving: they rebuild the cross-reference table when it is missing or wrong, so an analyst should not rely on it either and should walk the objects directly. Every time you feel a file is suspicious, or you receive a file from an untrusted source, it is recommended to scan it with one of these online services before opening it. Examine the document for anomalies, such as risky tags, scripts, or other anomalous aspects. By the way, having an analyst examine the file by hand is the closest you can get to being certain that it is safe. Cybercriminals use many different tactics to breach an organization's network defenses, and delivering infected PDF files, typically via email, remains a very common and dangerous threat. Yesterday, I downloaded a malicious PDF file for my regular analysis. Parse existing documents, modify them and recompile them. Automated malware analysis: Joe Sandbox Cloud Basic.

PDFStreamDumper is a free, open-source tool to analyze malicious PDF documents. If the file has already been analyzed, the staff will have assigned it a verdict of normal, unknown, or malicious. Some PDF files don't have a header or trailer, but that is rare. This workshop will teach you the fundamentals you need to know to analyze malicious PDF documents. peepdf is a tool for forensic analysis of PDF documents. (TrendLabs: malicious PDF analysis evasion techniques.) The scanner takes one positional argument, the path to the directory or files to be scanned, followed by optional arguments. The approach for analyzing Office documents is similar to the process of examining PDF files. This particular type of evasion is meant to hide from analysis tools. Because these files are popular and regarded as secure and reliable, attackers use them as an instrument. The malicious documents were found in the wild in 2016 and were mostly distributed via phishing mails. I'm sure that their PDF parser is extremely secure, so you shouldn't feel bad about possibly infecting them. Detect variants of CVE-2007-5659, CVE-2009-3953, CVE-2009-3959, CVE-2009-0927, CVE-2008-2992, CVE-2009-4324, CVE-2009-...

Search for possible malicious elements, then extract and decode those elements for further analysis. It can also examine PDF files for malicious JavaScript artifacts. Locate embedded code, such as shellcode, VBA macros, JavaScript or other suspicious objects. Attackers continue to use malicious PDF files as part of targeted attacks and mass-scale client-side exploitation. ExeFilter can filter scripts from Office and PDF files. When the malware finds that some functions are not defined. If they find it to be unknown or malicious, then I'd advise getting rid of the file. Analysing malicious PDF documents using dockerized tools. In the section below we will see how we can use OfficeMalScanner to analyze such malicious documents.
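The triage steps above (check the file's structure, count the risky names, then pull the objects and raw streams out) as an added example in Python, written for this page and not taken from pdfid or pdf-parser. The PDF it scans is constructed inline and is not real malware; the keyword list and the delimiter rules follow PDF name syntax, and the hex-escaped /J#61vaScript name in the sample shows why a plain grep for "/JavaScript" is not enough.

```python
import re
import zlib

# Keywords whose counts are a triage signal, in the spirit of pdfid: the
# structural ones say how many objects and streams to expect, the names point
# at actions, scripts and embedded content.
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer",
            b"startxref", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
            b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/ObjStm",
            b"/JBIG2Decode", b"/XFA", b"/URI"]
ACTION_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                "/EmbeddedFile", "/RichMedia")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Undo #XX hex escapes in PDF names, so /J#61vaScript counts as /JavaScript.
    Used for counting only: applying it to binary stream data would corrupt it."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    data = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        # A name or keyword ends at whitespace or a delimiter, so /JS does not
        # match /JSX and "obj" does not match inside "endobj".
        pattern = (rb"(?<![A-Za-z0-9])" + re.escape(kw)
                   + rb"(?=$|[\s()<>\[\]{}/%])")
        counts[kw.decode()] = len(re.findall(pattern, data, re.M))
    return counts


def structure_checks(data: bytes) -> list:
    findings = []
    if not data.startswith(b"%PDF-"):
        findings.append("no %PDF- header at offset 0")
    if b"%%EOF" not in data[-1024:]:
        findings.append("no %%EOF marker near end of file")
    return findings


def iter_objects(data: bytes):
    """Yield (number, generation, body, raw stream or None) per indirect object.
    Objects are found by regex, not by following the xref table, because in a
    malicious file the xref is often wrong or absent and readers rebuild it."""
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        yield int(m.group(1)), int(m.group(2)), body, (sm.group(1) if sm else None)


def triage(data: bytes) -> dict:
    report = {"structure": structure_checks(data),
              "keywords": count_keywords(data), "suspicious_objects": []}
    for num, gen, body, stream in iter_objects(data):
        hits = [n for n in ACTION_NAMES if count_keywords(body).get(n)]
        if hits:
            report["suspicious_objects"].append((num, hits))
    return report


def build_sample_pdf() -> bytes:
    """Constructed sample, not real malware: the catalog's /OpenAction points at
    a JavaScript action whose /JavaScript name is hex-escaped as /J#61vaScript.
    The xref table is left out to keep it short; readers rebuild it anyway."""
    js = zlib.compress(b"app.alert('constructed sample payload');")
    parts = [
        b"%PDF-1.4",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj",
        b"4 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj",
        b"5 0 obj\n<< /Length " + str(len(js)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + js + b"\nendstream\nendobj",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF",
    ]
    return b"\n".join(parts) + b"\n"


if __name__ == "__main__":
    rep = triage(build_sample_pdf())
    for k, v in rep["keywords"].items():
        if v:
            print("%14s: %d" % (k, v))
    print("suspicious objects:", rep["suspicious_objects"])
```

Run it on a real file with `triage(open(path, "rb").read())`; the raw stream returned by iter_objects still has to be passed through the filters named in its dictionary before the script inside is readable.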

PDFStreamDumper also includes a JavaScript interface that allows you to work live with Acrobat scripts. Analyzing a PDF file involves examining, decoding, and extracting the contents of suspicious PDF objects that may be used to exploit a vulnerability in Adobe Reader and execute a malicious payload. Let's see a list of my favorite tools for analyzing Microsoft Office and PDF files. (Security for Real People: quick and dirty malicious PDF analysis.) For demonstration purposes, I will generate an example malicious PDF document using Metasploit, featuring the use-after-free media.

Passing stream data through the filters FlateDecode, ASCIIHexDecode, ASCII85Decode, LZWDecode and RunLengthDecode. (Analyzing Malicious Documents cheat sheet.) PDF X-RAY is a static analysis tool that allows you to analyze PDF files through a web interface or API. Running JavaScript from PDF files needs a particular runtime library. Antivirus scanning is much better at protecting you from viruses and trojans that have been around for a few days. Support for basic PDF JavaScript obfuscation and for encrypted PDFs (RC4, AESV2, revision 5 AESV3). There is an increasing number of tools designed to assist with this process.

Here is an example of how I would extract the uncompressed stream of PDF object no. (Count Upon Security: malicious documents, PDF analysis in 5 steps.) I found something strange in this PDF file compared with the other malicious PDF files. This is a great utility, as it removes the dependency on Microsoft Office on the system. May 14, 2019: Malicious Office documents are often used in targeted attacks against individuals or organizations.

Infected PDF files continue to plague security personnel responsible for detecting and containing malicious email attachments. Oct 20, 2008: Using my pdf-parser to analyze a malicious PDF file and to extract the shellcode. Jun 06, 2017: It's important to have the right tools to analyze suspect documents. At this point, there are a few things I do to analyze the attachment before I go any further.

Infosec Handlers Diary Blog (SANS Internet Storm Center). Their background is also to help explore malicious PDFs, but I also find them useful for analyzing the structure and contents of benign PDF files. Being able to analyze PDFs to understand the associated threats is an increasingly important skill for security incident responders and digital forensic analysts. Analysis of a malicious Excel spreadsheet, by Monnappa K A. The file was using a different kind of technique and I was not aware of it. To launch the PDF parser, type pdf-parser followed by the PDF file. For example, I generated statistics for 2 malicious PDF files, and although they were very different in content and size, the statistics were identical, proving that they used the same attack vector and shared the same origin. Apr 21, 2017: peepdf, described above. Joe Sandbox detects and analyzes potentially malicious files and URLs on Windows, Android, macOS, Linux, and iOS for suspicious activities. May 04, 2011: This note demonstrates several steps for extracting malicious Flash from PDF files, so you can analyze it for malware artifacts. Since many email systems automatically block obvious malicious programs, attackers conceal a piece of software called an exploit inside other types of commonly emailed files: Microsoft Word documents, ZIP or RAR archives, Adobe PDF documents, or even image and video files.

Malicious documents: PDF analysis in 5 steps (Count Upon Security). So it is very important to have the right tools to analyze suspect documents. Analyzing PDF and Office documents delivered via malspam. We have created the PDF file with an exe file embedded in it. Tools used include pdfid, pdf-parser, and PDFStreamDumper. To get a general sense of how to analyze malicious PDF files, take a look at my Analyzing Malicious Documents cheat sheet. This is the very same exploit that became public knowledge on 15 December 2009, and we are still waiting for Adobe to release a patch, which is due 12 January 2010. Attackers embed malicious code into documents, Excel spreadsheets or Adobe Acrobat PDF files. Nov 20, 20: Malicious PDF files are frequently used as part of targeted and mass-scale computer attacks for these reasons. Aug 05, 20: For these reasons, it's good to know how to analyze PDF files, but analysts first need a basic understanding of a PDF before they deem it malicious. This library is part of Adobe Reader, but most analysis tools do not contain it. Jan 10, 2010: the Metasploit demonstration mentioned above.

Analyzing Malicious Documents cheat sheet (SANS Forensics). Malicious email attachments: protection from infected PDF files. Analyzing Malicious Documents cheat sheet (Lenny Zeltser). How to analyze malicious file downloads (NetWatcher). SANS Digital Forensics and Incident Response blog: how to... Malicious Office documents are often used in targeted attacks against individuals or organizations.

It breaks down a PDF into its distinct elements, allowing you to see into its internal structures. For our purposes, we'll focus on spam that delivers malicious PDF files or Microsoft Office attachments to infect victims. It can also be used to create customized PDFs on the fly, or to inject evil code into existing documents. The next video shows how I use my pdf-parser to analyze a malicious PDF file and extract the shellcode. Its features also include carving the contents of network packet capture (pcap) files and identifying common client-side exploits. This article contains the analysis details of the malicious spreadsheet that delivered malware to its victim in a spear-phishing campaign. How to tell if a file is malicious (Gizmo's Freeware). Creating and analyzing a malicious PDF file with the pdf-parser tool.

The goal with this tool is to centralize PDF analysis and begin sharing comments on files that are seen. Hakin9 magazine has made available this week, for free, a great introductory article by Didier Stevens, a well-known PDF expert we have mentioned before, on the internal format of PDF files and on how to analyze malicious PDF documents, in particular those exploiting a vulnerability in the embedded JavaScript interpreter, which is very common. Oct 20, 2008: the start of the series of posts mentioned above. May 01, 2018: The approach for analyzing Office documents is similar to the process of examining PDF files. Didier Stevens will familiarize you with pdfid and pdf-parser, two essential tools for PDF analysis that he authored. Put it through a PDF viewer that isn't vulnerable to the exploit. The tool uses multiple open-source tools and custom code to take a PDF and turn it into a shareable format. Automate malware PDF analysis and step through the objects of a malicious PDF. Use this to identify PDF documents with unusual or unexpected objects, or to classify PDF documents. But after some googling I found that the same technique was exposed in 2010, so it was not a new technique. The example I uploaded used Flash rather than PDF, so jsunpack didn't locate malicious artifacts in this case.

Dissect PDF streams to discover new and known exploits. Whether a file is malicious or not does not depend on the file extension (in this case .pdf). Leveraging Falcon Sandbox to detect and analyze malicious... It aims at providing a scripting tool to generate and analyze malicious PDF files. This paper presents the process of analyzing and detecting malicious content in docx files. Sep 22, 2014: Malicious documents, PDF analysis in 5 steps. Mass-mailing or targeted campaigns that use common files to host or exploit code have been, and still are, a very popular vector of attack.

Fully automated Falcon Sandbox analysis of a malicious PDF containing zero-day exploits. With it you can extract embedded files and scripts, view headers, etc. MyCERT of CyberSecurity Malaysia has collected samples of malicious PDF files. Locate potentially malicious embedded code, such as shellcode, VBA macros or JavaScript. Analyzing Malicious Documents: this cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat PDF files. peepdf, a new tool from Jose Miguel Esparza, is an excellent addition to the PDF analysis toolkit for examining and decoding suspicious PDFs. For this introductory walkthrough, I will take a quick look at the malicious PDF file that I obtained from the Contagio malware dump. When running the malicious PDF file against the latest version of the tool, it shows very useful information about the PDF structure and its contents, and can even detect which vulnerability the file triggers if it has a signature for it.

Analyzing malicious documents: useful MS Office analysis commands. The best place to identify malicious software activity: study the running system configuration; identify inconsistencies and contradictions in the system; bypass packers, binary obfuscators, rootkits (including kernel-mode ones) and other hiding tools. Some of these samples have been analyzed and are discussed in this paper. In other words, a malicious PDF or MS Office document received via email or opened through a browser plugin. Word documents, PDFs, photos, and other types of files that are infected with viruses endanger the security of your system every day. From 2007 onward, the PDF document has proven to be a successful vector for malware infections, making up 80% of all exploits found by Cisco ScanSafe in 2009 [1]. To analyze such malicious documents, a very popular toolkit known as OfficeMalScanner is available. This website gives you access to the Community Edition of Joe Sandbox Cloud.
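A counterpart for the Office side of the page, as an added Python example written here and not OfficeMalScanner's code: it treats a .docx as the ZIP container it is and flags the VBA project, parts that carry the OLE compound-file magic (embedded objects), and relationships whose target is external. The document it scans is constructed in memory (its OLE parts are only the 8-byte magic plus padding), and the external-target check is an assumption about what a triage should report, going slightly beyond the macros and embedded code the page lists.

```python
import io
import re
import zipfile

# Header of an OLE compound file: what vbaProject.bin and embedded OLE objects start with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docx() -> bytes:
    """Constructed stand-in for a macro-carrying .docx, not a real document:
    only the parts the triage reads, with OLE parts reduced to their magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
        z.writestr("word/_rels/settings.xml.rels",
                   '<Relationships><Relationship Id="rId1" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                   'Target="http://example.invalid/template.dotm" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


def triage_docx(blob: bytes) -> dict:
    """Walk every part of the container; report macro projects, OLE-format parts
    and relationships that reach outside the file."""
    findings = {"macros": [], "embedded": [], "external": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            low = name.lower()
            with z.open(name) as f:
                head = f.read(8)
            if low.endswith("vbaproject.bin"):
                findings["macros"].append(name)
            elif head == OLE_MAGIC:          # OLE container under any other name
                findings["embedded"].append(name)
            if low.endswith(".rels"):
                xml = z.read(name).decode("utf-8", "replace")
                for rel in re.findall(r"<Relationship\b[^>]*>", xml):
                    if 'TargetMode="External"' in rel:
                        tgt = re.search(r'Target="([^"]*)"', rel)
                        findings["external"].append((name, tgt.group(1) if tgt else ""))
    return findings


if __name__ == "__main__":
    for key, items in triage_docx(build_sample_docx()).items():
        print(key, items)
```

The same walk applies unchanged to .xlsx and .pptx, since they share the container layout; a hit in "macros" means the VBA project itself still has to be extracted and read, which is what OfficeMalScanner and similar tools do next.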
