This starts a series of posts leading up to my PDF talk at the next Belgian ISSA and OWASP chapter event. I’ll be publishing a couple of my PDF tools.
The next video shows how I use my PDF parser to analyze a malicious PDF file and extract the shell code.
Searching for the keyword javascript yields 2 indirect objects referencing /JavaScript objects. The JavaScript is executed through an automatic annotation (/AA) when the page is rendered (e.g. when the PDF document is opened, as it contains only one page). Decompressing the second /JavaScript object (34) displays the code.
collectEmailInfo is an undocumented Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). My SpiderMonkey helps me extract the shell code.
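As an added example (not code from this post or from pdf-parser), here is a small Python triage script that mirrors the steps above on a constructed sample: list the objects whose dictionaries carry /JavaScript, /JS, /AA or /OpenAction, follow the /JS reference and inflate the /FlateDecode stream so the script becomes readable. The keyword set, the sample file and the collectEmailInfo call inside it are assumptions.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
KEYWORDS = (b"/JavaScript", b"/JS", b"/AA", b"/OpenAction")

# Constructed sample (not the file from the video): a page whose /AA entry runs a
# /JavaScript action stored in a FlateDecode-compressed stream object (34).
JS_SOURCE = b"this.collectEmailInfo({ msg: 'constructed sample' });"
COMPRESSED = zlib.compress(JS_SOURCE)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS 34 0 R >> endobj\n"
    b"34 0 obj << /Length " + str(len(COMPRESSED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + COMPRESSED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def parse_objects(pdf):
    """Map object number -> raw body for every 'N G obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}

def decode_stream(body):
    """Return an object's stream data, inflated when its dictionary names /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    if b"/FlateDecode" in body[: m.start()]:
        # decompressobj tolerates a truncated stream and returns what inflated so far
        data = zlib.decompressobj().decompress(data)
    return data

def triage(pdf):
    """Return ({keyword: [object numbers]}, {stream object number: script bytes})."""
    objects = parse_objects(pdf)
    hits, scripts = {}, {}
    for num, body in objects.items():
        head = body.split(b"stream", 1)[0]  # dictionary part, before any stream data
        for kw in KEYWORDS:
            if re.search(re.escape(kw) + rb"(?![A-Za-z])", head):
                hits.setdefault(kw.decode(), []).append(num)
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", head)  # /JS pointing at a stream object
        if ref:
            scripts[int(ref.group(1))] = decode_stream(objects[int(ref.group(1))])
    return hits, scripts
```

Running `triage(SAMPLE_PDF)` reports objects 3 (/AA) and 4 (/JavaScript, /JS) and returns the inflated script from object 34, the same path the video walks by hand.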
YouTube, Vimeo and hires Xvid.
[...] — Didier Stevens @ 21:38 A malicious PDF file I analyzed a couple of months ago (the one featured in this video) had a corrupted stream object. It uses a /FlateDecode filter, but I could not find a way to [...]
Pingback by The Case of the Corrupted Stream Object « Didier Stevens — Tuesday 21 October 2008 @ 21:40
[...] Software, PDF — Didier Stevens @ 17:19 I’m publishing my pdf-parser tool featured in my last video. Details and download [...]
Pingback by pdf-parser.py « Didier Stevens — Thursday 30 October 2008 @ 17:19
[...] PDF Test-Files Filed under: My Software, PDF — Didier Stevens @ 12:56 As promised, I’m releasing a couple of my PDF tools as a warm-up to my ISSA Belgium and OWASP Belgium [...]
Pingback by Creating PDF Test-Files « Didier Stevens — Sunday 9 November 2008 @ 12:58