Didier Stevens

Sunday 26 September 2010

Free Malicious PDF Analysis E-book

Filed under: Forensics,Malware,PDF — Didier Stevens @ 8:41

The title says it all…

This is a document I shared with my Brucon workshop attendees.

I know, this is a PDF document; you have to appreciate the irony 😉

56 Comments »

  1. Why not host a unzipped pdf with a docs.google.com/viewer?url= link?

    Comment by WndSks — Sunday 26 September 2010 @ 9:05

  2. @WndSks I’m old school.

    Comment by Didier Stevens — Sunday 26 September 2010 @ 9:16

  3. @WndSks Seriously… I know several large corporations that block access to Google Docs.

    Comment by Didier Stevens — Sunday 26 September 2010 @ 9:39

  4. Any easter eggs in the PDF?

    Comment by Larry Seltzer — Sunday 26 September 2010 @ 13:07

  5. @Larry Seltzer Nope, just an export from OpenOffice to PDF/A.

    Comment by Didier Stevens — Sunday 26 September 2010 @ 13:26

  6. I went to the workshop on Friday and it was really good, one of the best bits of Brucon. Well worth a read.

    Comment by lavamunky — Sunday 26 September 2010 @ 15:01

  7. Thanks, Didier

    Comment by Scav3nger — Sunday 26 September 2010 @ 15:22

  8. Didier, thanks for writing this document

    Comment by Timo — Sunday 26 September 2010 @ 17:13

  9. […] in this hands-on workshop, the attendees, equipped with their laptops, virtual machines and a copy of the eBook written by Didier, had to analyse different threats contained within the files […]

    Pingback by eBook sobre Analisis de PDF’s Maliciosos — Sunday 26 September 2010 @ 20:24

  10. Thanks for putting it online ! The workshop was great 🙂 !

    Comment by bartblaze — Sunday 26 September 2010 @ 20:44

  11. Another gem. Keep up the great work! And BTW I just love the irony. Shows a healthy sense of humor. Maybe it should also be a “test”.. popping up a (harmless) message for vulnerable installations? Just a thought. LoL

    Comment by KraZyMiKe — Sunday 26 September 2010 @ 20:51

  12. Looks like the link to the zip file didn't work for me 😦 maybe because of many requests and high load on the server …

    Comment by b_h — Monday 27 September 2010 @ 0:54

  13. @b_h What error message did you get? Anyways, please try again, I just tested.

    Comment by Didier Stevens — Monday 27 September 2010 @ 8:56

  14. […] Didier Stevens has made a free 23-page PDF document on the analysis of malicious PDF files available. […]

    Pingback by [PDF] Ebook gratuit : Malicious PDF Analysis — Monday 27 September 2010 @ 11:35

  15. TY Didier!
    ..and.. a PDF about PDF security.. I like the irony 😉

    Comment by cyberbofh — Monday 27 September 2010 @ 13:23

  16. […] security expert Didier Stevens points out in a free eBook (ironically also in PDF format). The 23 pages are aimed at a business […]

    Pingback by Schadhafte pdf-Dateien identifizieren » Software » lesen.net — Monday 27 September 2010 @ 17:55

  17. […] Malicious PDF Analysis – Free E-book http://isc.sans.edu/diary.html?storyid=9613 https://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/ […]

    Pingback by Malicious PDF Analysis - Free E-book - Harry Waldron - Corporate IT Security — Monday 27 September 2010 @ 19:14

  18. […] Stevens, a Belgian security researcher, has published a paper on the analysis of malicious PDF files.  (The downloadable file from the previous link is a […]

    Pingback by Analyzing Malicious PDF Files « Rich's Random Walks — Monday 27 September 2010 @ 19:49

  19. Great guide for those getting started with PDF analysis. I’ve been looking at malicious PDF files for a bit and still learned one or two new things!

    Comment by Russell Holloway — Wednesday 29 September 2010 @ 14:15

  20. […] the attendees, equipped with their computers with everything needed to carry out the task and a copy of the eBook written by Didier, had to analyse different threats contained within the […]

    Pingback by eBook sobre Analisis de PDF’s | Tux Files — Friday 1 October 2010 @ 3:36

  21. […] in this hands-on workshop, the attendees, equipped with their laptops, virtual machines and a copy of the eBook written by Didier, had to analyse different threats contained within the files […]

    Pingback by eBook sobre Analisis de PDF’s Maliciosos « John Fredy Perez — Friday 1 October 2010 @ 21:38

  22. […] in this hands-on workshop, the attendees, equipped with their laptops, virtual machines and a copy of the eBook written by Didier, had to analyse different threats contained within the files […]

    Pingback by eBook sobre Analisis de PDF’s Maliciosos « John Fredy Perez — Friday 1 October 2010 @ 22:58

  23. […] Free Malicious PDF Analysis E-book – didierstevens.com This is a document I shared with my Brucon workshop attendees. […]

    Pingback by Week 39 in Review – 2010 | Infosec Events — Monday 4 October 2010 @ 4:17

  24. Thanks for your release, Didier. Our group is currently working with malicious files, and we are to follow up on the problem of the possibility of viruses in files users consider secure (such as PDF, MP3, etc.). Your release has been giving us a lot of information to work with on the PDF vulnerabilities, and we would like to thank you for that.

    Comment by Elias Ringhauge — Sunday 17 October 2010 @ 10:06

  25. […] the exercises will be made available on Didier's webpage. Additionally you can find an ebook about analyzing malicious PDFs on his […]

    Pingback by hack.lu: analysing malicious PDF - ITS Blog — Wednesday 27 October 2010 @ 13:43

  26. Hello Didier Stevens!

    I'm not sure what happens in detail in the JavaScript + shellcode you wrote on page 7 of the “Malicious PDF Analysis E-book”. Can you explain it with comments?

    Comment by Mark — Saturday 4 December 2010 @ 10:36

  27. @Mark

    var shellcode = unescape(“%u00E8%u0000%u5B00%uB38D%u01BB%u0000…”);
    fill string variable shellcode with our shellcode

    var NOPs = unescape(“%u9090”);
    fill string NOPs with a 2-byte long NOP sled

    while (NOPs.length < 0x60000)
    NOPs += NOPs;
    build a very long NOP sled with a while loop

    var blocks = new Array();
    create an array blocks

    for (i = 0; i < 1200; i++)
    blocks[i] = NOPs + shellcode;
    fill the array blocks with 1200 strings consisting of a long NOP sled followed by our shellcode

    Comment by Didier Stevens — Saturday 4 December 2010 @ 19:51
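To make the sizes in the snippet above concrete, here is an added example (my code, not from the e-book or from the comment) that parameterises the same construction so it can be run on small inputs. It shows two things the snippet leaves implicit: the doubling loop overshoots the 0x60000 target and stops at the next power of two, 0x80000 code units, and because JavaScript strings are UTF-16 each block occupies roughly 1 MiB, so 1200 blocks ask for roughly 1.2 GB of heap. The "shellcode" is a constructed two-code-unit placeholder, not real shellcode.

```javascript
// Added example (not from the e-book or the comment above): a parameterised
// version of the spray builder from comment 27, so sizes can be checked on
// small inputs without allocating a gigabyte.

// Constructed placeholder: two UTF-16 code units standing in for shellcode.
const PLACEHOLDER_SHELLCODE = "\u4141\u4242";

// One code unit 0x9090 is two x86 NOP bytes in memory, which is exactly
// what unescape("%u9090") yields in the original snippet.
function buildSled(targetCodeUnits) {
  let nops = "\u9090";
  // Doubling stops at the first power of two >= target: 0x60000 -> 0x80000.
  while (nops.length < targetCodeUnits) nops += nops;
  return nops;
}

// Same shape as the original: an array of (sled + shellcode) strings.
function buildSpray(shellcode, sledTarget, blockCount) {
  const sled = buildSled(sledTarget);
  const blocks = new Array(blockCount);
  for (let i = 0; i < blockCount; i++) blocks[i] = sled + shellcode;
  return blocks;
}

// Sanity check: every block is sled followed by shellcode, and every byte of
// the sled is 0x90 in memory (both halves of each UTF-16 code unit).
function verifySpray(blocks, shellcode) {
  return blocks.every((b) => {
    if (!b.endsWith(shellcode)) return false;
    const sled = b.slice(0, b.length - shellcode.length);
    for (let i = 0; i < sled.length; i++) {
      const cu = sled.charCodeAt(i);
      if ((cu & 0xff) !== 0x90 || (cu >>> 8) !== 0x90) return false;
    }
    return true;
  });
}

// Memory footprint of a spray without building it (2 bytes per code unit).
function sprayStats(shellcodeLen, sledTarget, blockCount) {
  let sledUnits = 1;
  while (sledUnits < sledTarget) sledUnits *= 2;
  const blockBytes = (sledUnits + shellcodeLen) * 2;
  return { sledUnits, blockBytes, totalBytes: blockBytes * blockCount };
}

// Small stand-alone run: three blocks with an 8-unit sled.
const demo = buildSpray(PLACEHOLDER_SHELLCODE, 8, 3);
console.log(demo.length, demo[0].length, verifySpray(demo, PLACEHOLDER_SHELLCODE));
// Footprint of the original parameters (0x60000 target, 1200 blocks).
console.log(sprayStats(PLACEHOLDER_SHELLCODE.length, 0x60000, 1200));
```

The point of the byte-level check in verifySpray is that a sled must be made of whole NOP code units: a character whose low or high byte is not 0x90 puts a non-NOP instruction in the slide, which is why the original uses %u9090 rather than %u90.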

  28. Thanks for the answer, but I'm still not sure how your code works on the stack.

    What is the first part with shell code used for? (the code you commented on)

    What is util.print used for? (is this the part of the code you use to create the buffer overflow)?

    Comment by Mark — Saturday 11 December 2010 @ 18:16

  29. @Mark util.printf is the function that contained an exploitable bug. Read my article in Hack In The Box magazine, maybe this will make things clear.
    http://magazine.hackinthebox.org/

    Comment by Didier Stevens — Saturday 11 December 2010 @ 19:25

  30. […] Didier Stevens: "Free Malicious PDF Analysis E-book" […]

    Pingback by PDF security under the microscope: A review of OMG-WTF-PDF | Naked Security — Monday 24 January 2011 @ 12:26

  31. What do I get out of doing this? Is it that with this method I can write data directly into the heap? Is that not possible already?

    Comment by James — Tuesday 25 January 2011 @ 0:19

  32. In “while (NOPs.length < 0x60000)”, what does 0x60000 represent?

    Comment by Jasper — Tuesday 25 January 2011 @ 1:09

  33. @Jasper 0x60000 is a hexadecimal number.

    Comment by Didier Stevens — Tuesday 25 January 2011 @ 19:39

  34. @James No, you don’t have direct access to the heap from JavaScript.

    Comment by Didier Stevens — Tuesday 25 January 2011 @ 19:40

  35. What is “the heap”? And how is it structured?
    Can I write to it directly?

    Comment by Lucas — Tuesday 25 January 2011 @ 22:11

  36. @Lucas Start with the Wikipedia article https://secure.wikimedia.org/wikipedia/en/wiki/Dynamic_memory_allocation
    You can’t write to it directly from JavaScript. That’s why heap sprays are used.

    Comment by Didier Stevens — Tuesday 25 January 2011 @ 22:13

  37. Thanks, but I'm still not sure if the heap can represent a tree structure. Is that right?

    Comment by Lucas — Tuesday 25 January 2011 @ 22:45

  38. @Lucas I don’t understand what you mean exactly, can you elaborate on what you want to achieve? Building a tree in the heap?

    Comment by Didier Stevens — Wednesday 26 January 2011 @ 17:27

  39. What I mean is:
    The stack can be represented by a stack of books. I know that I can put a book on top of the stack with push or remove the book with pop. What I can't figure out is the data structure of the heap. How can I add or delete variables from the heap? Can I compare it to a three structure? (That is what I have read: it can represent an array or a three structure.)

    Comment by Lucas — Wednesday 26 January 2011 @ 22:54

  40. Sorry, I meant tree structure.

    Comment by Lucas — Wednesday 26 January 2011 @ 22:57

  41. @Lucas No it’s not a tree structure, I can’t think of a simple structure that would represent a heap.

    Comment by Didier Stevens — Wednesday 26 January 2011 @ 23:33

  42. How can I add or delete variables from the heap?

    Comment by Lucas — Thursday 27 January 2011 @ 16:38

  43. @Lucas You can’t do that explicitly. When you create a new variable, the JavaScript engine will use the heap to store the variable.

    Comment by Didier Stevens — Thursday 27 January 2011 @ 17:06

  44. Do you know any books that you can recommend where I can read more about the heap?

    Comment by Lucas — Thursday 27 January 2011 @ 17:13

  45. or articles

    Comment by Lucas — Thursday 27 January 2011 @ 17:16

  46. @Lucas There was a talk at Black Hat Europe 2010 about the Adobe Reader heap. Go to the BH site to download the paper & slides.

    Comment by Didier Stevens — Thursday 27 January 2011 @ 17:52

  47. […] (getPageNumWords, getPageNthWord) 2010-09-17: The Rise of PDF Malware (whitepaper) 2010-09-26: Free Malicious PDF Analysis E-book 2010-10-02: Hiding PDF Exploits by embedding PDF files in streams and Flash ROP heapsprays […]

    Pingback by Security PDF-related links in 2010: analyses and tools — Tuesday 10 May 2011 @ 1:23

  48. […] my free e-book on PDF analysis […]

    Pingback by Malicious PDF Analysis Workshop Screencasts « Didier Stevens — Wednesday 25 May 2011 @ 15:59

  49. Thanks for your release Didier. Stempelo

    Comment by Stempelo — Thursday 26 May 2011 @ 6:37

  50. […] those used to PDF analysis will of course know what to do. Beginners, however, can read Free Malicious PDF Analysis by Didier […]

    Pingback by A little bit story of CTF « msahputra — Monday 16 January 2012 @ 20:34

  51. […] those used to PDF analysis will of course know what to do. Beginners, however, can read Free Malicious PDF Analysis by Didier […]

    Pingback by A little bit story of CTF « Infosec ID — Saturday 4 February 2012 @ 9:00

  52. […] like I do with many of my other tools. This is a work in progress: for the moment, it points to my free PDF analysis e-book that explains the use of pdfid and […]

    Pingback by Update Of My PDF Tools | Didier Stevens — Monday 30 September 2019 @ 19:16

  53. Not to be a pain, but why the /OpenAction call for this doc:

    PDFiD 0.2.7 malicious-pdf-analysis-ebook.pdf
    PDF Header: %PDF-1.4
    obj 1647
    endobj 1647
    stream 38
    endstream 38
    xref 1
    trailer 1
    startxref 1
    /Page 23
    /Encrypt 0
    /ObjStm 0
    /JS 0
    /JavaScript 0
    /AA 0
    /OpenAction 1
    /AcroForm 0
    /JBIG2Decode 0
    /RichMedia 0
    /Launch 0
    /EmbeddedFile 0
    /XFA 0
    /URI 36
    /Colors > 2^24 0

    Triage plugin score: 1.00
    Triage plugin instructions: Sample is likely malicious and requires further analysis

    Good for the goose???

    😉

    Comment by DriveBy 1.0 — Thursday 25 June 2020 @ 14:50
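The pdfid output above only counts the /OpenAction keyword; it says nothing about what the action does, and a document can legitimately carry one (a /GoTo to the first page, for instance). The follow-up check a practitioner wants is to resolve the catalog's /OpenAction and look at its /S subtype. As an added example, not code from the post or from Didier Stevens' tools, here is a deliberately naive Python version that does that on a constructed minimal PDF. It assumes an unencrypted file with plain (non-stream) objects and no nested dictionaries beyond one level; real samples need a proper parser such as pdf-parser.

```python
# Added example (not from the post or from pdfid/pdf-parser): resolve the
# catalog's /OpenAction of a simple, unencrypted PDF and report its subtype.
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
REF_RE = re.compile(rb"^\s*(\d+)\s+(\d+)\s+R\s*$")

# Action subtypes that execute code, open other files or reach the network;
# anything else (e.g. /GoTo) is plain navigation. My classification, not pdfid's.
SUSPICIOUS_ACTIONS = {"JavaScript", "Launch", "URI", "GoToR", "SubmitForm", "ImportData"}


def sample_pdf(open_action):
    """Build a constructed minimal PDF. open_action is the raw /OpenAction
    value (direct dict, destination array or 'n g R'), or None to omit it."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if open_action is not None:
        catalog += b" /OpenAction " + open_action
    catalog += b" >>"
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n", catalog, b"\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
        b"4 0 obj\n<< /S /GoTo /D [3 0 R /Fit] >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def objects(pdf):
    """Map object number -> raw body for every 'n g obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def dict_value(body, key):
    """Raw value following /key: a direct dict, an array, an indirect
    reference or a name. Naive: does not handle nested '>>' inside dicts."""
    pattern = rb"/" + key + rb"(?![A-Za-z0-9])\s*(<<.*?>>|\[.*?\]|\d+\s+\d+\s+R|/\w+)"
    m = re.search(pattern, body, re.S)
    return m.group(1) if m else None


def resolve(objs, value):
    """Follow an indirect reference 'n g R' to its object body; direct values pass through."""
    m = REF_RE.match(value)
    return objs[int(m.group(1))] if m else value


def open_action(pdf):
    """Return (subtype, raw_action) for the catalog's /OpenAction, or None if absent."""
    objs = objects(pdf)
    trailer = pdf[pdf.rfind(b"trailer"):]
    root = resolve(objs, dict_value(trailer, b"Root"))
    action = dict_value(root, b"OpenAction")
    if action is None:
        return None
    action = resolve(objs, action)
    if action.startswith(b"["):
        # A bare destination array such as [3 0 R /Fit] is an implicit GoTo.
        return ("GoTo", action)
    subtype = dict_value(action, b"S")
    return (subtype.decode()[1:] if subtype else "Unknown", action)


def triage_open_action(pdf):
    """Turn pdfid's '/OpenAction 1' counter into a statement about what the action does."""
    found = open_action(pdf)
    if found is None:
        return "no /OpenAction"
    kind, _ = found
    verdict = "review" if kind in SUSPICIOUS_ACTIONS else "benign navigation"
    return f"/OpenAction -> /{kind}: {verdict}"


if __name__ == "__main__":
    print(triage_open_action(sample_pdf(b"4 0 R")))
    print(triage_open_action(sample_pdf(b"<< /S /JavaScript /JS (app.alert(1)) >>")))
    print(triage_open_action(sample_pdf(None)))
```

Run stand-alone it prints a benign verdict for the /GoTo reference and a "review" verdict for a direct /JavaScript action. The regex approach is fine for a hand-built sample but breaks on object streams (/ObjStm), encryption and nested dictionaries, which is exactly why a count-based first pass like pdfid is followed by a real parser rather than by grep.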

