Didier Stevens

Tuesday 18 May 2010

Quickpost: More Malformed PDFs

Filed under: Malware,PDF,Quickpost — Didier Stevens @ 12:05

Here’s a heads up for some malicious PDF samples that are deliberately malformed to avoid detection.

The most important case is the missing endobj keyword:

Adobe Reader will happily parse a PDF where the object are not terminated with endobj, but my pdf-parser won’t. I’ll have to update the parser to deal with this case.

The cross-reference table can also be omitted:

This is not an issue for my parser.

And then I also received a sample with a stream object, where the case of the endstream object was wrong: Endstream. First we assumed Adobe Reader was not case-sensitive for the endstream keyword, but I found out it can actually parse a stream object with missing endstream keyword:

This is an issue for my parser.

4 Comments »

  1. In the case where endobj is missing, what defines the end of the object?

    Comment by Bryan — Friday 21 May 2010 @ 15:13

  2. @Bryan As Adobe Reader can’t render a PDF with omitted endobj and XREF table, I assume it uses the XREF table to calculate the size of the objects.

    Comment by Didier Stevens — Monday 24 May 2010 @ 8:12

  3. [...] you used my pdf-parser, you’ve also encountered a problem. The objects lack the endobj keyword. A simple solution: add the missing keyword and extract the stream with my parser. The stream is [...]

    Pingback by Solving the Win7 Puzzle « Didier Stevens — Friday 25 June 2010 @ 9:39

  4. [...] video) 2010-04-22: Will there be new viruses exploiting /Launch vulnerability in PDF? 2010-05-18: Quickpost: More Malformed PDFs 2010-06-08: Analysis of a Zero-day Exploit for Adobe Flash and Reader (CVE-2010-1297) [...]

    Pingback by Security PDF-related links in 2010: analyses and tools — Wednesday 10 August 2011 @ 0:55


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 236 other followers

%d bloggers like this: