Didier Stevens

Monday 20 October 2008

Analyzing a Malicious PDF File

Filed under: Malware,PDF — Didier Stevens @ 21:43

This starts a series of posts leading up to my PDF talk at the next Belgian ISSA and OWASP chapter event. I'll be publishing a couple of my PDF tools.

The next video shows how I use my PDF parser to analyze a malicious PDF file and extract the shellcode.

Searching for the keyword javascript yields 2 indirect objects referencing /JavaScript objects. The JavaScript is executed through an automatic annotation (/AA) when the page is rendered (e.g. when the PDF document is opened, as it contains only one page). Decompressing the second /JavaScript object (34) displays the code.

collectEmailInfo is an undocumented Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). My SpiderMonkey helps me extract the shellcode.
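The triage the video walks through (search for the javascript keyword, follow the /AA entry to the /JavaScript object, inflate its FlateDecode stream to read the script) as an added Python example; this is not pdf-parser or any code from the post, and the sample PDF, its object numbers and the embedded script are constructed for the demonstration.

```python
import re
import zlib

# Constructed sample (not a real malicious file): one page whose /AA dictionary
# triggers a /JavaScript action whose /JS code sits in a FlateDecode stream.
JS_PAYLOAD = b"app.alert('constructed sample script');"
COMPRESSED = zlib.compress(JS_PAYLOAD)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /AA << /O 34 0 R >> >>\nendobj\n"
    b"34 0 obj\n<< /S /JavaScript /JS 35 0 R >>\nendobj\n"
    b"35 0 obj\n<< /Length " + str(len(COMPRESSED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + COMPRESSED + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Indirect object: "<num> <gen> obj ... endobj" (simplistic: no object streams, no encryption)
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
# Names worth a second look during triage: script actions and their triggers
KEYWORDS = (b"/JavaScript", b"/JS", b"/AA", b"/OpenAction")


def find_suspicious_objects(pdf):
    """Map object number -> list of KEYWORDS found in that object's body."""
    hits = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        # require a non-letter after the name so /JS does not match /JSfoo
        found = [k.decode() for k in KEYWORDS
                 if re.search(re.escape(k) + rb"(?![A-Za-z])", body)]
        if found:
            hits[int(m.group(1))] = found
    return hits


def extract_stream(pdf, objnum):
    """Return the stream data of object objnum, inflated when /FlateDecode is declared."""
    for m in OBJ_RE.finditer(pdf):
        if int(m.group(1)) != objnum:
            continue
        body = m.group(2)
        hdr = re.search(rb"/Length\s+(\d+).*?stream\r?\n", body, re.DOTALL)
        if not hdr:
            return None  # not a stream object
        raw = body[hdr.end():hdr.end() + int(hdr.group(1))]  # honour /Length
        if b"/FlateDecode" not in body[:hdr.end()]:
            return raw
        try:
            return zlib.decompress(raw)
        except zlib.error:
            # damaged stream: recover what inflates before the corruption point
            return zlib.decompressobj().decompress(raw)
    return None
```

Real samples often hide these names behind #-escaped characters, object streams or other filters, so a minimal scanner like this is a first pass, not a substitute for a full parser.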

YouTube, Vimeo and hi-res Xvid.

7 Comments

  1. [...] — Didier Stevens @ 21:38 A malicious PDF file I analyzed a couple of months ago (the one featured in this video) had a corrupted stream object. It uses a /FlateDecode filter, but I could not find a way to [...]

    Pingback by The Case of the Corrupted Stream Object « Didier Stevens — Tuesday 21 October 2008 @ 21:40

  2. [...] Software, PDF — Didier Stevens @ 17:19 I’m publishing my pdf-parser tool featured in my last video. Details and download [...]

    Pingback by pdf-parser.py « Didier Stevens — Thursday 30 October 2008 @ 17:19

  3. [...] PDF Test-Files Filed under: My Software, PDF — Didier Stevens @ 12:56 As promised, I’m releasing a couple of my PDF tools as a warm-up to my ISSA Belgium and OWASP Belgium [...]

    Pingback by Creating PDF Test-Files « Didier Stevens — Sunday 9 November 2008 @ 12:58

  4. [...] the file loader. If you need more information please check Didier Stevens' site and this blog entry, also check Jon Paterson and Dennis Elser blog entry showing how they extracted the shellcode [...]

    Pingback by PDF file loader to extract and analyse shellcode « c0llateral Blog — Wednesday 6 January 2010 @ 23:19

  5. Hello Didier Stevens

    I have encountered this problem: how to embed JavaScript inside a PDF file. Do you have any best solution?

    Comment by hong chun lin — Wednesday 12 May 2010 @ 6:33

  6. @hong chun lin Take a look at my PDF tools.

    Comment by Didier Stevens — Friday 14 May 2010 @ 10:07

  7. [...] process I used to analyse the PDF is based on Didier’s video which you can find at http://blog.didierstevens.com/2008/10/20/analyzing-a-malicious-pdf-file/. I highly recommend you go and watch it if you’re interested in learning about this stuff. [...]

    Pingback by Solving the Security BSides London Challenge – Number 2 | 4armed — Thursday 21 April 2011 @ 14:39

