Didier Stevens

Thursday 7 March 2019

Analyzing a Phishing PDF with /ObjStm

Filed under: maldoc,Malware,My Software,PDF — Didier Stevens @ 0:00

I got hold of a phishing PDF where the /URI is hiding inside a stream object (/ObjStm).

First I start the analysis with pdfid.py:

There is no /URI reported, but note that the PDF contains 5 stream objects (/ObjStm). These can contain /URIs. In the past, I would search and decompress these stream objects with pdf-parser.py, and then pipe the result through pdfid.py, in order to detect /URIs (or other objects that require further analysis).

Since pdf-parser.py version 0.7.0, I prefer another method: using option -O to let pdf-parser.py extract and parse the objects inside stream objects.

With option -a (here combined with option -O), I can get statistics and keywords just like with pdfid:

Now I can see that there is a /URI inside the PDF (object 43).

Thus I can use option -k to get the value of /URI entries, combined with option -O to look inside stream objects:

And here I have the /URI.

Another method is to select object 43:

From this output, we also see that object 43 is inside stream object 16.

Remark: if you use option -O on a PDF that does not contain stream objects (/ObjStm), pdf-parser will behave as if you didn't provide this option. Hence you can always use option -O when analyzing PDFs.
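To make concrete why a raw keyword scan misses a /URI stored in an object stream, and what option -O has to do to find it, here is an added example (my own illustration, not code from pdfid.py or pdf-parser.py). It builds a constructed, minimal PDF in memory whose /Link annotation sits only inside a FlateDecode-compressed /ObjStm, counts keywords over the raw bytes the way pdfid does, then decodes the object stream using its /N and /First entries and reports the /URI together with the object and stream-object numbers. The URL is a placeholder, and the parser is deliberately simplified: it resolves only direct integer /Length values, only the /FlateDecode filter, and only literal-string /URI values.

```python
import re
import zlib

# --- constructed sample -------------------------------------------------------
# A minimal PDF assembled in memory for this example (constructed; it is not a
# rendering-valid document). The /Link annotation carrying the /URI is object 3,
# and object 3 exists only inside the compressed object stream (object 2), so the
# literal bytes "/URI" never appear in the file itself.
SAMPLE_URI = b"http://example.invalid/login"   # placeholder, not a real indicator

def build_sample_pdf() -> bytes:
    inner = {
        3: b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + SAMPLE_URI + b") >> >>",
        4: b"<< /Type /Page /Parent 1 0 R /Annots [3 0 R] >>",
    }
    # /ObjStm layout: "objnum offset" pairs first, then the object bodies at /First.
    header, body = b"", b""
    for num, obj in inner.items():
        header += b"%d %d " % (num, len(body))
        body += obj + b"\n"
    compressed = zlib.compress(header + body)
    pdf = b"%PDF-1.5\n"
    pdf += b"1 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n"
    pdf += (b"2 0 obj\n<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
            % (len(inner), len(header), len(compressed)))
    pdf += compressed + b"\nendstream\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf

# --- analysis -----------------------------------------------------------------
# Matches "N 0 obj << dict >> stream" without running across an "endobj" into the
# next object; nested dictionaries inside the stream dictionary are tolerated.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+0\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")   # literal-string /URI values only

def count_keyword(pdf: bytes, keyword: bytes) -> int:
    """Raw keyword count over the file bytes, the way pdfid.py counts (no decompression)."""
    return pdf.count(keyword)

def stream_objects(pdf: bytes):
    """Yield (objnum, dict_bytes, raw_stream_bytes) for every stream object in the file."""
    for m in STREAM_OBJ_RE.finditer(pdf):
        length = re.search(rb"/Length\s+(\d+)", m.group(2))
        if length is None:          # indirect /Length references are not resolved here
            continue
        start = m.end()
        yield int(m.group(1)), m.group(2), pdf[start:start + int(length.group(1))]

def parse_objstm(dict_bytes: bytes, data: bytes) -> dict:
    """Split a decoded object stream into {objnum: body} using its /N and /First entries."""
    n = int(re.search(rb"/N\s+(\d+)", dict_bytes).group(1))
    first = int(re.search(rb"/First\s+(\d+)", dict_bytes).group(1))
    nums = data[:first].split()
    pairs = [(int(nums[i]), int(nums[i + 1])) for i in range(0, 2 * n, 2)]
    objects = {}
    for i, (num, off) in enumerate(pairs):
        end = first + pairs[i + 1][1] if i + 1 < len(pairs) else len(data)
        objects[num] = data[first + off:end].strip()
    return objects

def hidden_objects(pdf: bytes) -> dict:
    """{objnum: (container_objstm_number, body)} for objects stored inside /ObjStm,
    i.e. the objects that pdf-parser.py's option -O makes visible."""
    result = {}
    for objstm_num, dict_bytes, raw in stream_objects(pdf):
        if b"/ObjStm" not in dict_bytes:
            continue
        data = zlib.decompress(raw) if b"/FlateDecode" in dict_bytes else raw
        for num, body in parse_objstm(dict_bytes, data).items():
            result[num] = (objstm_num, body)
    return result

def find_uris(pdf: bytes) -> list:
    """[(objnum, container_objstm, uri)] for /URI entries hidden inside object streams."""
    found = []
    for num, (objstm_num, body) in sorted(hidden_objects(pdf).items()):
        for m in URI_RE.finditer(body):
            found.append((num, objstm_num, m.group(1).decode("latin-1")))
    return found

if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw /URI count (pdfid-style):", count_keyword(sample, b"/URI"))
    print("raw /ObjStm count:", count_keyword(sample, b"/ObjStm"))
    for num, objstm_num, uri in find_uris(sample):
        print(f"object {num} inside stream object {objstm_num}: /URI {uri}")
```

Run stand-alone, the raw scan reports zero /URI and one /ObjStm, exactly the situation pdfid shows above, while the decoded object stream yields the annotation's /URI and tells you which stream object it came from, which is what the -O and -k options give you in pdf-parser.py.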

5 Comments »

  1. […] Didier Stevens Analyzing a Phishing PDF with /ObjStm  […]

    Pingback by Week 10 – 2019 – This Week In 4n6 — Sunday 10 March 2019 @ 0:16

  2. […] Blog post: Analyzing a Phishing PDF with /ObjStm […]

    Pingback by Analyzing a Phishing PDF with /ObjStm – Didier Stevens Videos — Monday 11 March 2019 @ 9:02

  3. […] Analyzing a Phishing PDF with /ObjStm […]

    Pingback by Overview of Content Published in March | Didier Stevens — Monday 1 April 2019 @ 0:00

  4. Hi Didier.
    Last month I got a pdf file where mutools lists some URIs… gibberish.
    The extracted urls contain spurious characters, like parentheses and slashes.

    A first guess: the urls aren't fully parsed, they seem to me fragments of the pdf syntax.
    Fool me, I didn't keep the file.

    Questions:
    * did you see this case? can pdfid decode it?
    * do you need a specimen? I can try to search for the pdf.

    Comment by Massimo Sala — Saturday 4 January 2020 @ 11:03

  5. I’m not familiar with that tool. If your pdf is on VirusTotal, please share the hash.

    Comment by Didier Stevens — Saturday 4 January 2020 @ 11:28

