Didier stevens malicious pdf

I am not sure how todays versions of readers handle this but its a good method of using pdf features in malicious ways. Introduction one of the most unknown file formats for most it people is the pdf portable document format format type. Basically he embeds an executable and has it launch when opening the file. Although the pdf language was not designed to allow arbitrary code execution, implementation and design flaws in popular reader applications make it possible for criminals to infect machines via pdf documents. Malicious documents pdf analysis in 5 steps reverse. Files based on reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at microsoft word.

September 1, 2019 the title says it all this is a document i shared with my brucon workshop attendees. A day in the life of a malware analyst didier stevens. There are many features in the pdf that can be used in malicious ways without exploiting a vulnerability. Originally developed as a universally compatible file format based on the postscript format, it has become a highlyregarded international format to share documents and information in a structured way. Pdfid shows us that there are three objects, but more importantly it counts js and javascript occurrences which also matches up with what we see in the strings dump. Didier stevens will familiarize you with pdfid and pdfparser, two essential tools for pdf analysis he authored. This represented a shift, as previously cve20103333 was the most commonly used word vulnerability. Page 2 of 2 opened suspicious pdf file attached in email. Malicious pdf detection, svm, evasion attacks, gradientdescent, feature selections, adversarial learning abstract. At this point, didier does not provide a public poc exploit. I know, this is a pdf document, youve to appreciate the. Alright so we have a pdf we want to examine, in my example its one that didier had created. In 2012, didier founded his own company didier stevens labs. Additional text and analysis by kyle wilhoit throughout 2012, we saw a wide variety of apt campaigns leverage an exploit in microsoft word cve20120158.

Spring training 2016 analysing malicious documents. Virus bulletin malicious pdfs served by exploit kits. From a 100 feet view a pdf file is composed by a header, body, reference table and trailer. Quick and dirty malicious pdf analysis security for real. Ive found a couple of pdf documents without xref or trailer, but these are rare btw, this is not an indication of a malicious pdf document. Didier is a pioneer in malicious pdf document research, and has developed several tools to help with the analysis of malicious pdf documents. But stevens found a way to get an embedded executable to run. Do not forget to download the rtf document with the code listing link on the right hand side. While we continue to see cve20120158 in heavy use, we have noticed increasing use of an exploit for.

In this video, security researcher and expert on malicious pdf files didier stevens discusses how these files work and offers protection tips. By comparison, in 2008, acrobat was targeted in almost 29 per cent of attacks and word was exploited by almost 35 per cent. Im didier stevens and work as a senior analyst for nviso. Pdf readers from adobe systems and foxit dont allow embedded executables to run directly, wrote didier stevens on his security blog. This includes malware analysis and incident response. There are two methods we can use to remove this encoding and get at the actual javascript. Malicious pdfs usually spread through spam emails, depending on uneducated users to open the pdf attachment. Malicious documents for blue and red teams brucon 2018. Malicious pdf analysis workshop screencasts didier stevens. If pdfid showed any of these suspicious elements, i would use didiers pdfparser or another favorite, pdfstreamdumper to take a closer look at the objects contained in the pdf. Pdf the most common malware vector schneier on security. Examine the document for anomalies, such as risky tags, scripts, or other anomalous aspects. In order to get a copy of the article, in pdf format what a coincidence. The presence or absence of these keywords will help you to decide if a pdf file is potentially malicious and requires further analysis, or if it is benign and requires no analysis.

A pdf file that contains no malicious code, just a social engineering trick to get you to click on a link. We start with a very simple, poc malicious pdf file you could even analyze this poc file with notepad or vi to lay out the fundamentals, and then work through more complex examples. Malware detection in pdf files using machine learning. For testing purposes, i created a pdf file that contains a doc file that drops the eicar test file. Net, mcsesecurity, mcitp windows server 2008, rhct, ccnp security, oswp, wcna is a senior analyst working at nviso didier is a pioneer in malicious pdf document research and malicious ms office documents analysis, and has. The first is to run didier stevens pdf tools to see what the file contains. Malicious pdf file doesnt need a software vulnerability. Pdf versions malicious content distribution attack reverse engineering security uncategorized december 23, 2014 january 9, 2019 while attack vectors based on malicious pdf are a well known topic sans, didiers tools, understanding how those vectors are spread up nowadays is an interesting research at least in my personal opinion. Pdf tools by didier stevens is the classic toolkit that established the foundation for our understanding of the pdf analysis process. Collect some pdf object information to begin the analysis using didier stevens pdfid. In this post, im going to illustrate how i analyze a suspicious pdf file. Malicious pdf documents explained ieee security and privacy.

The pdfs will generally execute malicious code when opened, exploiting a vulnerability in an outdated version of adobe reader or java to open a backdoor into the system. Running a second tool, pdfid from didier stevens confirms what we are seeing in the previous strings output by displaying the structure of the objects and actions. The title says it all this is a document i shared with my brucon workshop attendees. Analyzing malicious documents this cheat sheet outlines tips and tools for analyzing malicious documents, such as microsoft office, rtf and adobe acrobat pdf files. Malicious documents pdf analysis in 5 steps count upon.

In some circumstances the vulnerability could be exploited without opening the file and just by having a malicious file on the hard drive as described by didier stevens. Malicious pdf analysis ebook, didier stevens 20100929. I wont provide the malicious pdf but easy enough to find one in a search didier stevens pdf and ole python scripts didiers full software list here my software. The first method i usually use is to run the pdf through the filter option in pdfparser. Didier stevens is a pioneer in malicious pdf document research and malicious ms office documents analysis, and has developed several tools to help with the analysis of malicious documents like pdf. Checking for maliciousness in acroform objects on pdf. Didier stevens microsoft mvp consumer security, sans isc senior handler, grem giac reverse engineering malware, gcih, cissp, gsspc, mcsd. Besides producing patches to fix bugs, pdf reader producers use security features such as dep and aslr, and start using sandboxing, to protect your machine. These pdf files modify adobes launch file warning which is prompted to the user before opening embedded nonpdf. First im going to analyze this document with my tools, and after that im going to show you some of the mitigations put in place by adobe and microsoft. Infosec handlers diary blog sans internet storm center. View all posts by didier stevens published december 28, 2016.

Didier is a pioneer in malicious pdf document research and malicious ms office documents analysis, and has developed several tools to help with the analysis of malicious documents like pdf and ms office files. You can find his open source security tools on his it security related blog at blog view full schedule related sessions. Didier stevens microsoft mvp, sans isc handler, wireshark certified network analyst, is a senior analyst working at nviso. Analyzing a simple, pureascii malicious pdf file now, before i loose your interest in pdf file analysis by explaining too much in too great detail before we get into the actual analysis of a real, inthewild malicious pdf file, i want to perform an analysis of a malicious pdf file that requires no dedicated tools, only an ascii editor. After didier stevens revealed about pdf launch social engineering attack that could be used to launch applications from pdf files, we have received malicious pdf files which use this technique doc. Conway shows how he was able to build a malicious pdf document with the executable code. Attackers abuse bugs in pdf reader software to execute malware when users view malicious pdf documents with a preferred pdf reader. Pdf feature is dangerous tapcis web forums didier stevens, who probably knows the pdf format better then most and has written some great pdf analysis tools, published a very interesting and concerning blog post 1.

475 1535 1525 341 1556 719 942 244 48 441 734 215 1583 633 699 786 257 958 535 150 515 495 735 23 989 858 1647 1544 44 690 659 1469 195 1096 1330 426 968 46 870 180 1380 224 869