
Malicious PDF trick: multiple filters

Another simple trick that malicious PDF files often use is to embed the malicious JavaScript code in a PDF stream hidden beneath a chain of several stream filters.

Here is an example:

4 0 obj
<<
    /Length 2839
    /Filter [ /ASCIIHexDecode
        /LZWDecode
        /ASCII85Decode
        /RunLengthDecode
        /FlateDecode ]
>>stream
80124E6422E89C7A3517958CC302316CDE
...
08220861102A8595D813C3187E07C40400>
endstream
endobj

The stream's contents are decoded by applying the five specified filters in order (ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode, and FlateDecode). Any scanner that does not implement every filter in the chain, or that only inspects the raw stream bytes, never reaches the JavaScript underneath.
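As an added illustration (not code from the original post), the following Python decoder reads the /Filter entry of an object like the one above and peels the filters off in the listed order. It implements ASCIIHexDecode, ASCII85Decode, RunLengthDecode and FlateDecode with the standard library, deliberately leaves LZWDecode unimplemented so the failure mode is visible, and builds its own constructed sample object (SAMPLE_PAYLOAD and build_sample_object are assumptions for the demo) instead of using the real stream.

```python
import base64, binascii, re, zlib

def ascii_hex_decode(data: bytes) -> bytes:
    digits = re.sub(rb"\s+", b"", data.split(b">", 1)[0])  # '>' terminates the data
    if len(digits) % 2:                         # an odd trailing digit is padded with 0
        digits += b"0"
    return binascii.unhexlify(digits)

def ascii85_decode(data: bytes) -> bytes:
    return base64.a85decode(data.split(b"~>", 1)[0])       # '~>' terminates the data

def run_length_decode(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data) and data[i] != 128:     # 128 is the EOD marker
        length = data[i]
        if length < 128:                        # literal run: copy the next length+1 bytes
            out += data[i + 1:i + 2 + length]
            i += 2 + length
        else:                                   # repeat the next byte 257-length times
            out += bytes([data[i + 1]]) * (257 - length)
            i += 2
    return bytes(out)

# LZWDecode is intentionally not implemented here; decode_stream raises when it meets it.
FILTERS = {b"/ASCIIHexDecode": ascii_hex_decode, b"/ASCII85Decode": ascii85_decode,
           b"/RunLengthDecode": run_length_decode, b"/FlateDecode": zlib.decompress}

def filter_chain(obj: bytes) -> list:
    """Filter names from /Filter (single name or array), in the order they are applied."""
    m = re.search(rb"/Filter\s*(\[.*?\]|/\w+)", obj, re.S)
    return re.findall(rb"/\w+", m.group(1)) if m else []

def decode_stream(obj: bytes) -> bytes:
    """Peel every listed filter off the stream data, first filter first."""
    raw = re.search(rb"stream\r?\n(.*?)\r?\nendstream", obj, re.S).group(1)
    for name in filter_chain(obj):
        if name not in FILTERS:                 # an analyzer missing one filter never sees the payload
            raise NotImplementedError(name.decode() + " is not supported")
        raw = FILTERS[name](raw)
    return raw

SAMPLE_PAYLOAD = b"// constructed stand-in for the JavaScript a real sample hides\nvar x = 1;\n"

def build_sample_object(payload: bytes) -> bytes:
    """Constructed test input: wrap payload in the post's chain minus LZW (RLE uses literal runs only)."""
    z = zlib.compress(payload)
    rle = b"".join(bytes([len(z[i:i + 128]) - 1]) + z[i:i + 128] for i in range(0, len(z), 128)) + b"\x80"
    hexed = binascii.hexlify(base64.a85encode(rle) + b"~>").upper() + b">"
    head = b"4 0 obj\n<< /Length %d /Filter [ /ASCIIHexDecode /ASCII85Decode /RunLengthDecode /FlateDecode ] >>\n"
    return head % len(hexed) + b"stream\n" + hexed + b"\nendstream\nendobj\n"
```

Running decode_stream(build_sample_object(SAMPLE_PAYLOAD)) returns the plaintext payload; feeding it an object whose chain includes /LZWDecode raises NotImplementedError, which is exactly the blind spot a partial decoder leaves.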

See this Wepawet report to find out what happens after the decoding is done. These malicious PDFs also seem to have decent detection on VirusTotal (6/41, at the time of writing).
