CYBER KENDRA

Analyzing Malicious PDFs


Post by Admin Tue Dec 10, 2013 11:24 am

PDF files have become very common in everyday work. It’s hard to imagine business proposals without PDFs. The PDF format is used in almost all companies to share business deals, company brochures, and even invitations.
The PDF format has the ability to deliver rich content (static and dynamic). Combined, these elements can deliver a visually appealing, interactive, and portable document. While we have all benefited from this feature-rich information-sharing venue, there exists a darker side. The dynamic PDF capabilities mentioned above can and have been used to house malicious content. In previous years, cybercriminals embedded malicious scripts to install malware and steal user credentials.
Normally, the PDF malware's malicious behavior is in a script that is embedded in PDF files. The scripts that are responsible for malicious behavior can be written in a scripting language that PDF supports. JavaScript is the most popular for this purpose. In most cases, the embedded scripts are responsible for dropper functionality, or else there is a need to install OS-based malware on the victim's system.
The general structure of a PDF file is composed of the following code components:

Boolean values, representing true or false
Numbers
Strings
Names
Arrays, ordered collections of objects
Dictionaries, collections of objects indexed by names
Streams, usually containing large amounts of data
The null object

Execute Malware with PDF
A launch action launches an application or opens or prints a document. We can use one of the many Adobe Acrobat exploits in the Metasploit framework to embed an exe with PDF.
cmd will be opened by using the above launch action.
We can embed the malware in our PDF by using JavaScript because JavaScript commonly uses heap spray to exploit.
When we open any malicious PDF file, it will execute the JavaScript and it exploits the JavaScript; after that, the shell code is processed and a Trojan will be executed from the Internet.

Create a Malicious PDF File with Metasploit
We are going to be using the Adobe Reader “util.printf()” JavaScript function stack buffer overflow vulnerability to create a malicious PDF file. Adobe Reader is prone to a stack-based buffer-overflow vulnerability.
Open msfconsole and execute the following command.
Once we have all the options set the way we want, we run “exploit” to create our malicious file.
We can see that our PDF file was created. You can access this PDF by using the given path. If no files are visible, press CTRL and H together to find hidden files and folders.
Before we send the malicious file to our victim, we need to set up a listener to capture this reverse connection.
As the victim opens the malicious file, the session with the victim is established and we can access the victim's system by using meterpreter.

Every time you feel a file is suspicious or you receive a file from an untrusted source, it's recommended that you scan it with one of the following online services before you open it. Online PDF analyzers make our work easier. We just have to submit the malicious PDF file and the online analyzer starts scanning the uploaded PDF for several known exploits.

Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. To use Wepawet, just go to http://wepawet.iseclab.org. Upload a sample or specify a URL and the resource will be analyzed and a report will be generated.
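A defender-side triage check for the object types and action names discussed in the post, added here as an example and not part of the original post: it scans the uncompressed part of a PDF for names such as /JavaScript, /JS, /Launch and /OpenAction, resolving the #xx hex escapes that PDF names allow so that an obfuscated spelling like /Java#53cript is still counted. The PDF bytes in SAMPLE_PDF are constructed for the demonstration and are not a real malicious file.

```python
import re
from collections import Counter

# Names that, on their own, merit a closer look during PDF triage.
ACTIVE_CONTENT = ("/JavaScript", "/JS", "/Launch")
AUTO_TRIGGERS = ("/OpenAction", "/AA", "/EmbeddedFile", "/RichMedia")

# A PDF name object runs from '/' to the next whitespace or delimiter.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Inside a name, #xx is a hex escape for one byte: /Java#53cript == /JavaScript.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Resolve #xx escapes so obfuscated spellings of a name compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def naive_count(pdf: bytes, name: str) -> int:
    """Plain substring search, which misses hex-escaped spellings."""
    return pdf.count(name.encode("latin-1"))

def count_names(pdf: bytes) -> Counter:
    """Count every name in the uncompressed parts of the file.
    Caveat: names inside compressed streams (/FlateDecode, /ObjStm) stay
    hidden until the stream is inflated, so treat a clean result as partial."""
    return Counter(normalize_name(n) for n in NAME_RE.findall(pdf))

def triage(pdf: bytes) -> dict:
    """Return suspicious-name counts plus a coarse verdict for the analyst."""
    counts = count_names(pdf)
    hits = {n: counts[n] for n in ACTIVE_CONTENT + AUTO_TRIGGERS if counts[n]}
    if any(n in hits for n in ACTIVE_CONTENT):
        verdict = "suspicious: script or launch action present"
    elif hits:
        verdict = "review: automatic trigger or embedded file present"
    else:
        verdict = "no active content found in uncompressed objects"
    return {"hits": hits, "verdict": verdict}

# Constructed sample (not a real malicious file): the catalog's OpenAction points
# at a JavaScript action whose name is hex-escaped, plus a separate Launch action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Java#53cript /JS (app.alert('sample')) >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /F (placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

A plain `grep` for `/JavaScript` returns nothing for this sample, while the normalized scan reports it; the same trick is why tools like pdfid decode name escapes before counting.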
