Digital investigation of malicious PDF

Shaquib Izhar
4 min read · Apr 1, 2021

In this post we are going to investigate a malicious PDF file. As we all know, a PDF file can carry embedded objects, JavaScript code and encoded streams that exploit the PDF reader, and these days this type of attack happens very often: we receive infected PDFs through email and other communication services all the time. I will try to keep this post as simple as possible.

Before we begin investigating our PDF, we first need to know some basics of the PDF file structure, which we need to understand for the analysis.

1. “Header”, which contains the PDF version.

2. “Body”, which contains the objects that define the operations performed by the file and the embedded data such as scripting code, images, text etc.

3. “Cross-reference table”, which lists the offsets of the objects inside the file so that the PDF reader can locate and render them.

4. “Trailer”, which describes the location of certain objects inside the body of the PDF and the location of the cross-reference table in the file.

For this analysis I have made a malicious PDF which starts a reverse TCP connection on opening.

Now I am going to use peepdf for this. Type on the terminal: peepdf -i “location of the PDF file”; here “-i” gives you an interactive console for further analysis of the file.

Peepdf will automatically list all the objects inside the file which contain suspicious elements. As we can see above, we have got a number of objects containing suspicious elements; I will try to define the important elements below.

/OpenAction : Defines an action that will be performed when the file is opened.

/AA : An optional entry that defines an action to be performed when a page is opened (the /O entry) or closed (the /C entry).

/JS : A text string which contains the JavaScript script to be executed when the action is triggered.

/Launch : Launches an application or opens a file.

/JavaScript : Simply put, it is defined to execute JavaScript code.

Analyzing the objects in the file

I will first analyze the objects with JS code, so let’s see what’s there. To do this just type “object 27” in the console and press return; you will get something like the output below.

Here the /S entry describes the type of action to be performed by the PDF. As we can see, it’s going to execute some JavaScript.

Now let’s check the other suspicious element, /Launch, in the file: type object 28.

Above we can clearly see that /S tells us it’s going to launch the command prompt and /D tells it which directory to move into; as we can see above, it goes to the system32 folder. Below that it searches for the malicious PDF file, then starts the PDF file and launches the embedded code inside it.
Apart from this, you can also see the metadata of the PDF file using the metadata command, which gives us a lot of details about the file, like the modification date, author name etc. It can also give us hints about what the file contains.

You can also use js_analyse with the object number to see what the JavaScript is going to execute. Type help in the console to see the other useful commands.

So these were some basic instructions for investigating a PDF file. If you want to dig deeper, you should carefully do a keyword-based analysis to check the indirect objects so that you can identify the actions performed by the file (JavaScript).
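As an added example of that keyword-based analysis (my own illustration, not code from the post or from peepdf), the script below builds a small constructed PDF whose catalog has an /OpenAction pointing at a JavaScript action and whose page has an /AA open action that is a /Launch of a harmless text file. It then splits the file into the four parts described at the top of the post (header, body objects, cross-reference table, trailer), checks that every xref offset really lands on its object, flags the suspicious keywords per object the way peepdf's listing does, and follows the /OpenAction and /AA references to their action objects to report the /S type. All function names and the sample content are assumptions of the example.

```python
import re

# Keywords the post lists as suspicious; \b keeps /JS from matching inside /JSx.
SUSPICIOUS_RE = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch)\b")
# One indirect object: "N G obj ... endobj".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)


def build_sample_pdf():
    """Constructed minimal PDF (not a real sample). Offsets are computed so the
    cross-reference table is valid."""
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /AA << /O 5 0 R >> >>",
        b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>",
        b"<< /S /Launch /F (notes.txt) >>",  # harmless placeholder target
    ]
    out = bytearray(b"%PDF-1.4\n")  # header
    offsets = []
    for num, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)  # body objects
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off  # every xref entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(bodies) + 1, xref_pos)
    return bytes(out)


def parse_pdf(data):
    """Split the file into header version, body objects, xref table and /Root."""
    version = re.match(rb"%PDF-(\d\.\d)", data).group(1).decode()
    objects = {int(m.group(1)): m.group(3).strip() for m in OBJ_RE.finditer(data)}
    start = int(re.search(rb"startxref\s+(\d+)", data).group(1))
    head = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", data[start:])
    first, count = int(head.group(1)), int(head.group(2))
    base = start + head.end()
    xref = {}
    for i in range(count):
        off, gen, kind = data[base + 20 * i: base + 20 * (i + 1)].split()[:3]
        xref[first + i] = (int(off), int(gen), kind.decode())
    trailer = re.search(rb"trailer\s*<<(.*?)>>", data, re.S).group(1)
    root = int(re.search(rb"/Root\s+(\d+)\s+\d+\s+R", trailer).group(1))
    return {"version": version, "objects": objects, "xref": xref, "root": root}


def xref_mismatches(data, parsed):
    """Object numbers whose xref offset does not land on 'N G obj'; readers
    rebuild a broken table silently, so the analyst should be told."""
    return [num for num, (off, gen, kind) in parsed["xref"].items()
            if kind == "n" and not data[off:].startswith(b"%d %d obj" % (num, gen))]


def flag_suspicious(parsed):
    """Map object number -> sorted suspicious keywords found in that object."""
    hits = {}
    for num, body in parsed["objects"].items():
        found = sorted({k.decode() for k in SUSPICIOUS_RE.findall(body)})
        if found:
            hits[num] = found
    return hits


def resolve_actions(parsed):
    """Follow /OpenAction (catalog) and /AA /O references to their action
    objects and report the /S type (plus /F for /Launch actions)."""
    objects = parsed["objects"]
    refs = [("OpenAction", int(m.group(1))) for m in
            re.finditer(rb"/OpenAction\s+(\d+)\s+\d+\s+R", objects[parsed["root"]])]
    for num, body in objects.items():
        for m in re.finditer(rb"/AA\s*<<[^>]*?/O\s+(\d+)\s+\d+\s+R", body):
            refs.append(("AA/O in obj %d" % num, int(m.group(1))))
    result = []
    for trigger, num in refs:
        action = objects.get(num, b"")
        s = re.search(rb"/S\s*/(\w+)", action)
        entry = {"trigger": trigger, "object": num,
                 "type": s.group(1).decode() if s else None}
        if entry["type"] == "Launch":
            f = re.search(rb"/F\s*\((.*?)\)", action)
            entry["target"] = f.group(1).decode() if f else None
        result.append(entry)
    return result


if __name__ == "__main__":
    pdf = build_sample_pdf()
    parsed = parse_pdf(pdf)
    print("version", parsed["version"], "objects", sorted(parsed["objects"]))
    print("xref mismatches", xref_mismatches(pdf, parsed))
    print("suspicious", flag_suspicious(parsed))
    for action in resolve_actions(parsed):
        print(action)
```

On the constructed file the script reports object 1 (/OpenAction), object 3 (/AA), object 4 (/JavaScript, /JS) and object 5 (/Launch), then resolves both triggers to their action objects, which is the same chain you walk by hand in peepdf with the object command. Real files add compressed object streams and encrypted content, so a regex pass like this is a first triage step rather than a full parser.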

Originally published at https://securityevil.blogspot.com.
