Obfuscation and (non-)detection of malicious PDF files
Some techniques to obfuscate and hide malicious PDF files:
It's possible to use some malformations in the documents, and the PDF specification itself, in order to keep the files hidden from antivirus engines and parsers. Bad guys can effectively use it to create an undetectable exploit and use it as an attack vector. Some of the techniques are the following:
Use the /Names and /AcroForm elements of the Catalog object to execute code when the document is opened, instead of the /OpenAction element.
If the malicious content is stored in a string object it's possible to hide it thanks to the octal codification.
However, if the content is stored in a stream object some unknown filters can be applied, like /JBIG2Decode or /DCTDecode, avoiding the most used, like /FlateDecode and /ASCIIHexDecode. Avast researchers found recently that this is something that cyberdelinquents are already using in the wild.
In the case of /FlateDecode and /LZWDecode filters it's possible to define some parameters in order to make the analysis more difficult.
Split up the malicious code in several parts and store them in different locations of the document. In the case of Javascript code it's possible to store them in the /Names element of the Catalog. Also some specific functions can be used to retrieve some elements of the document, like getAnnots, getPageNthWord, etc.
Omit the endobj tag at the end of the objects to cheat the parsers.
Put null bytes in the header of the document.
Compress the malicious objects in the so-called object streams to add an additional obfuscation level.
Encrypt the document with the “default password”.
Embed the malicious file in a legit one. It's possible to open the malicious file automatically when the legit document is opened.
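The following is an added example, not code from the original post: a small heuristic triage scanner that looks for the indicators the post lists (code wired through /Names and /AcroForm, octal-escaped strings, unusual stream filters, missing endobj tags, null bytes before the header). The sample PDF bytes are constructed for the demonstration and are not a real malicious file; the key and API lists are the author's own assumptions about what is worth flagging.

```python
import re

# Indicators drawn from the techniques listed in the post above (heuristics, not a full parser).
SUSPICIOUS_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/AcroForm",
                   b"/Names", b"/EmbeddedFile", b"/ObjStm", b"/Encrypt"]
UNUSUAL_FILTERS = [b"/JBIG2Decode", b"/DCTDecode", b"/LZWDecode"]
JS_API = [b"getAnnots", b"getPageNthWord", b"eval(", b"unescape("]

def decode_octal_strings(data: bytes) -> bytes:
    """Resolve \\ooo escapes inside PDF literal strings so octal-hidden keywords surface."""
    return re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8) & 0xFF]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {indicator: detail} for the obfuscation tricks in the post; {} means nothing seen."""
    findings = {}
    header_at = data.find(b"%PDF-")
    if header_at != 0:                       # -1 (no magic) or junk/null bytes before it
        findings["header_offset"] = header_at
    decoded = decode_octal_strings(data)
    keys = [k for k in SUSPICIOUS_KEYS if k in decoded]
    if keys:
        findings["suspicious_keys"] = keys
    filters = [f for f in UNUSUAL_FILTERS if f in decoded]
    if filters:
        findings["unusual_filters"] = filters
    # API names that appear only after octal decoding were deliberately hidden in strings
    hidden = [a for a in JS_API if a in decoded and a not in data]
    if hidden:
        findings["octal_hidden_js"] = hidden
    n_obj = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    n_endobj = data.count(b"endobj")
    if n_obj > n_endobj:                     # objects left open to confuse parsers
        findings["missing_endobj"] = n_obj - n_endobj
    return findings

# Constructed sample (not a real malicious file): null bytes before the header, code wired
# through /Names and /AcroForm, "getAnnots" written in octal, an unusual filter, a missing endobj.
SAMPLE_PDF = (
    b"\x00\x00%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names 2 0 R /AcroForm 3 0 R >> endobj\n"
    b"2 0 obj << /JavaScript << /Names [(s) 4 0 R] >> >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (\\147\\145\\164\\101\\156\\156\\157\\164\\163) >> endobj\n"
    b"5 0 obj << /Length 0 /Filter /JBIG2Decode >> stream\nendstream\n"
    b"%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))   # the benign sample yields {}
```

Each indicator on its own is weak (many legitimate forms use /AcroForm and /Names), so treat the count and combination of findings as the triage signal rather than any single key.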
Re: Obfuscation and (non-)detection of malicious PDF files
thanks for the valuable info
defrun - Posts: 1
Join date: 2013-12-08
Lorenna Petrov
defrun wrote: thanks for the valuable info
You're welcome, bro... still working on it. These days I will come with more info about many things.