Didier Stevens

Monday 20 October 2008

Analyzing a Malicious PDF File

Filed under: Malware,PDF — Didier Stevens @ 21:43

This starts a series of post leading up to my PDF talk at the next Belgian ISSA and OWASP chapter event. I’ll be publishing a couple of my PDF tools.

Next video shows how I use my PDF parser to analyze a malicious PDF file, and extract the shell code.

Searching for keyword javascript yields 2 indirect objects referencing /JavaScript objects. The JavaScript is executed through an automatic annotation (/AA) when the page is rendered (e.g. when the PDF document is opened, as it contains only one page). Decompressing the second /JavaScript object (34) displays the code.

collectEmailInfo is an undocument Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). My Spidermonkey helps me to extract the shell code.

YouTube, Vimeo and hires Xvid.

Blog at WordPress.com.