Showing posts from 2010

More PDF Decryption Enhancements for PDF Examiner

Got rid of an unsigned int issue when calculating the permissions value for some types of encrypted PDFs; if you had any issues decrypting malware PDFs, try resubmitting to the PDF Examiner. The second update handles owner password string literals in octal.

Apparently, to get a 4-byte hex string of a PHP int you can't just call dechex($permissions); you need dechex( pow(2, 32)- pow(2, 32)+$permissions) to get the larger unsigned int range. Fun workarounds, but it's at least closer to C than Python ;).

Unconfirmed Adobe PDF zeroday with this.printSeps

Reports on Twitter are circulating that a new Adobe PDF zero-day PoC was posted to Full Disclosure (Nov 3rd, 2010). The file xpl_pdf.bin (MD5 d000e74163e34fc65914676674776284) contains a small JavaScript heap spray and a call to this.printSeps, which in tests does crash Adobe; it's not clear whether this is further exploitable or which OS and Acrobat versions are affected. The exploit itself requires an Adobe version between 8 and 10.

A post from earlier this year (April 9th 2010) on a Russian blog details the memory access error from using this.printSeps(), described there as a denial of service bug. Interesting that this bug didn't reach a wider audience in the 7 months it was public.

Added initial detection for this potential exploit to PDF Examiner. You can analyze the file in PDF Examiner here. Bad JavaScript is available here.

Adobe PSIRT has reported they are investigating the issue. Mitigation advice has been posted here (such as disable JavaScript i…

Hiding PDF Exploits by embedding PDF files in streams and Flash ROP heapsprays

Another interesting sample we came across (a901141662b350cd2c7d91268eddbdce) highlights one of the neat features of our online PDF Examiner: detection and processing of streams that contain an embedded PDF file. It's quite easy now to put the exploit into an embedded PDF and compress or even encrypt the parent PDF file so that many AV products fail to detect the exploit code:

Object 3 holds the embedded PDF file, which was extracted and processed automatically; it's linked to and shown to contain the CVE-2010-2883 font file SING table description name overflow:

Now one of the very interesting things going on in this sample is that there's no JavaScript for the heap spray. We see that the parent PDF has embedded Flash files in objects 1 and 2. We can download those two Flash files easily from within PDF Examiner by clicking Save Obj to File.

Now both Flash files have the CWS magic number, which indicates they are compressed. Here's how we expand them using PHP:
function flashE…
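The CWS expansion the post describes, as an added example in Python rather than the PHP the post uses (this is not the PDF Examiner's own code): a CWS file keeps the 8-byte SWF header in the clear (signature, version, little-endian total uncompressed length) and zlib-compresses only the body, so expanding it means rewriting the signature to FWS and inflating the rest. The length field covers the whole uncompressed file including the header, which gives a cheap truncation check. The SWF bodies built by make_sample_fws are constructed filler, not real Flash content.

```python
import struct
import zlib


def swf_inflate(data: bytes) -> bytes:
    """Expand a zlib-compressed SWF ('CWS') into its plain 'FWS' form.

    Layout of both forms: 3-byte signature, 1-byte version, 4-byte
    little-endian length of the whole uncompressed file, then the body.
    In a CWS file only the body (everything after byte 8) is zlib data.
    """
    if len(data) < 8:
        raise ValueError("too short to be an SWF file")
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        return data  # already uncompressed
    if sig != b"CWS":
        raise ValueError("not a CWS/FWS file: signature %r" % sig)
    body = zlib.decompress(data[8:])
    out = b"FWS" + bytes([version]) + struct.pack("<I", length) + body
    if len(out) != length:
        # Header length and inflated size disagree: truncated or malformed sample.
        raise ValueError("length mismatch: header says %d, got %d" % (length, len(out)))
    return out


def swf_deflate(data: bytes) -> bytes:
    """Inverse of swf_inflate; used here only to build a sample CWS file."""
    if data[:3] != b"FWS":
        raise ValueError("expected an FWS file")
    return b"CWS" + data[3:8] + zlib.compress(data[8:])


def make_sample_fws(body: bytes, version: int = 10) -> bytes:
    """Constructed sample: a minimal FWS around a fake body (not a real Flash file)."""
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


if __name__ == "__main__":
    sample = make_sample_fws(b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + b"\x00" * 64)
    cws = swf_deflate(sample)
    print("CWS %d bytes -> FWS %d bytes" % (len(cws), len(swf_inflate(cws))))
```

Once expanded, the FWS file can be handed to any SWF disassembler to look at the ActionScript that performs the heap spray.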

PDF Slack Space

Another common way to hide an embedded executable in a PDF is to include its content after the end-of-file marker %%EOF. We now show any content after the last %%EOF as "Slack Space", also marked in brown. Check out all the neat features of the PDF Examiner.

Trick for finding the embedded exe's in PDFs

One of the common traits of a lot of PDF malware is that the embedded executable is put into an object stream and marked with a compression filter such as FlateDecode, but the stream is rarely actually compressed. The PDF Examiner online tool now marks objects whose raw stream doesn't correctly inflate in brown to denote the potential inclusion of an executable attachment. In most cases the "fake" stream contains an XORed exe file, or sometimes additional clean PDFs which are dropped at exploit time.

In the example below, you can see that object 64 contains a stream marked as FlateDecode but listed in brown to denote that it did not contain a valid gzipped stream. In the hex view we can see the pattern of a 256-byte XOR key showing through the executable's whitespace (you can then use the XOR key to statically extract the executable for analysis).
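The three checks described in this post and the two before it (streams hiding an embedded PDF, slack space after the last %%EOF, and a /FlateDecode stream that does not inflate), as one added Python example; this is not the PDF Examiner's code. The XOR key recovery is the statistical version of what the hex view shows: an executable's long zero runs XOR to the key itself, so at each offset modulo the key length the most common ciphertext byte is the key byte. The regex is a deliberately minimal object matcher and the PDF produced by build_sample is constructed (a fake MZ/PE image, not real malware); object labels use the tool's num.gen convention.

```python
import re
import zlib
from collections import Counter

# Minimal "N G obj << ... >> stream ... endstream" matcher, constructed for this
# example; a real parser must honour /Length, object streams and xref data.
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def slack_space(pdf):
    """Bytes after the last %%EOF marker (b'' if nothing trails it)."""
    pos = pdf.rfind(b"%%EOF")
    return b"" if pos < 0 else pdf[pos + 5:].lstrip(b"\r\n")


def inflates(raw):
    """True if the raw stream really is zlib data, as /FlateDecode claims."""
    try:
        zlib.decompress(raw)
        return True
    except zlib.error:
        return False


def find_stream(pdf, num, gen=0):
    """Raw (undecoded) stream bytes of object num.gen, or b'' if absent."""
    for m in OBJ_RE.finditer(pdf):
        if int(m.group(1)) == num and int(m.group(2)) == gen:
            return m.group(4)
    return b""


def recover_repeating_xor_key(blob, key_len=256):
    """Guess a repeating XOR key from ciphertext whose plaintext is mostly 0x00.

    Executables carry long zero runs (section padding, the "whitespace" in the
    hex view); 0x00 XOR k == k, so at each offset i the most frequent byte of
    blob[i::key_len] is the key byte itself.
    """
    if len(blob) < 2 * key_len:
        raise ValueError("too little ciphertext for a %d-byte key" % key_len)
    return bytes(Counter(blob[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def xor_decode(blob, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def triage(pdf):
    """Findings as (object label, note), labelled num.gen like the tool's view."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        label = "%s.%s" % (m.group(1).decode(), m.group(2).decode())
        dictionary, raw = m.group(3), m.group(4)
        ok = inflates(raw)
        if b"/FlateDecode" in dictionary and not ok:
            findings.append((label, "fake FlateDecode stream (does not inflate)"))
        content = zlib.decompress(raw) if ok else raw
        if b"%PDF-" in content:
            findings.append((label, "embedded PDF inside stream"))
    if slack_space(pdf):
        findings.append(("slack", "slack space after last %%EOF"))
    return findings


def build_sample():
    """Constructed sample (not a real malware file): object 3 holds a compressed
    inner PDF, object 64 claims /FlateDecode but holds a fake PE image XORed
    with a 256-byte key, and junk trails the final %%EOF."""
    key = bytes((i * 7 + 3) & 0xFF for i in range(256))
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 2000
    xored = xor_decode(fake_exe, key)
    inner = zlib.compress(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF")
    pdf = b"".join([
        b"%PDF-1.4\n",
        b"3 0 obj\n<< /Filter /FlateDecode /Length " + str(len(inner)).encode() + b" >>\nstream\n",
        inner, b"\nendstream\nendobj\n",
        b"64 0 obj\n<< /Filter /FlateDecode /Length " + str(len(xored)).encode() + b" >>\nstream\n",
        xored, b"\nendstream\nendobj\n",
        b"%%EOF\nEXTRA-PAYLOAD-AFTER-EOF",
    ])
    return pdf, key


if __name__ == "__main__":
    pdf, key = build_sample()
    for label, note in triage(pdf):
        print(label, note)
    raw = find_stream(pdf, 64)
    print("recovered key matches:", recover_repeating_xor_key(raw) == key)
    print("decoded header:", xor_decode(raw, key)[:2])
```

The key recovery only works when the plaintext is dominated by a single byte value (here zeros), which is exactly the property that makes the key visible in the hex view; a packed or already-compressed payload shows no such pattern.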

PDF Malware Threat Overview - list of common vulnerabilities

We've created a new comprehensive Malware Tracker chart of the current state of PDF threats from Adobe Reader / Acrobat and embedded Flash exploits. Check out the chart here. We'll keep the page up to date as new threats develop and are patched. Links to analysis of real live malware samples in our PDF Examiner tool are also included.

PDF Examiner New Features

Added support for multiple objects with the same ID: objects are now displayed as [object number].[generation number] @ file location in bytes. This should improve how PDF files with duplicate objects are viewed. PDF Examiner

PDF Examiner New Features

Added a lot of enhancements for dealing with obfuscated JavaScript, including showing objects which may contain JavaScript but have no detected entities in orange. Check out the PDF Examiner.

Visualizing Embedded Executables Teaser and PDF Updates

Since we generally like to tease what we're working on next, as we get too excited to wait for the public release, here's something we think is pretty neat. We decided to play around with visualization for some recent cryptanalysis work on Microsoft Office .doc, PowerPoint and Excel files.

Take a look at the lines in the chart below: the green horizontal line is a frequency plot of the top character occurrences over a 256-byte spectrum in an Office document which contained a one-byte XORed embedded executable virus. The red line is even more interesting: it represents the same, but where a 256-byte XOR key was used to hide the malware. The blue scatter is the statistical analysis of a clean document with no malware. We thought it was pretty neat that when you visualize the cryptanalysis, documents with malware come up as straight lines in a lot of cases, and clean documents look almost random. More to come in the form of blazing fast cryptanalysis and…

PDF Examiner

Added a few updates to the PDF Examiner: checking object parameters for exploits, such as /Launch. Working on more encryption methods; if you have any Revision 1 or 3 samples, send them over to us. Bug fixes: streams with no encoding method are now checked for known exploits.

PDF Revision 3 Encryption

I just wanted to give a quick shout-out to i♥cabbages for their very useful post on PDF Revision 3 encryption and the mysterious unpublished algorithm. I'm currently working on bringing more of the PDF encryption methods into the PDF Examiner.

Currently Revision 4 AESV2 is working pretty well; I'm in the process of adding Revision 2 40-128 bit RC4 support and researching Revision 1 (40-bit RC4) and Revision 3 (RC4 + some XORing).

Thanks to those that provided samples, please flag any failures to me and I'll do my best to add them as well.

encrypted pdf part 2 - with the online pdf examiner and object dissector

A couple of posts ago I talked about do-it-yourself AESV2 PDF decryption; now it's time to get into the analysis of the PDF JavaScript payload. The free online PDF Examiner 1.0 is very helpful for parsing the PDF and locating the objects that have weird obfuscated JavaScript (you can use our PDF analysis tool here).

After uploading the PDF, we get the following page, which highlights that object 47 generation 0 has some JavaScript obfuscation going on:

In the left column, objects with something bad detected in them show up as red, objects with streams of any sort of content show up as green, and the smaller xref and document info objects are grey and of minimal value for finding the exploits. As you can see below, when you click on the suspected bad object we are presented with a hex view which clearly shows we've found a JavaScript block (remember this would also normally have been tricky to t…

PDF dissector tool online

Check out our new PDF analysis platform, Malware Tracker PDF Examiner 1.0. Our new PDF dissector will process normal, compressed or encrypted (AESV2) PDFs into objects for viewing, scan for known exploit CVEs or obfuscated JavaScript, and export decoded data to file. Upload and analyze PDFs on the go for free.

Analysing Encrypted PDF Files for malware

I recently came across a PDF (306d7e608a52121aa4508e9901e4072e) which on VirusTotal has only 7/42 (16.67%) detection.

The sample uses PDF Version 4 standard encryption, AESV2 with a 128-bit key, which leads us to wonder whether some AV vendors are not handling the decryption to peek inside at the PDF content.

PDFs can be encrypted with a key calculated from values in the PDF itself, so the file can be opened and viewed while compliant PDF readers disallow certain permissions such as copy/paste or printing (some documents have a user password to open the file, but we won't get into brute forcing that type here). While obtaining the key is a relatively trivial calculation, the encryption level is quite good and will bypass typical NIDS and apparently some AV products.

One of the resources we can use to figure out the PDF encryption key generation is the ISO 32000-1 document on the PDF structure, which is freely available from Adobe.
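The "relatively trivial calculation" of the key, as an added Python example following the standard security handler algorithms in ISO 32000-1 (7.6.3); this is not the PDF Examiner's code. It implements Algorithm 2 (file key from the padded user password, /O, /P and /ID[0]), Algorithm 5/6 (recompute /U to confirm the password, normally empty for a file that opens without prompting) and Algorithm 1 (the per-object key, with the "sAlT" suffix for AESV2). The /P handling is the Python side of the unsigned-int problem from the permissions post: masking with 0xFFFFFFFF gives the two's complement bytes the hash needs. The AES-CBC decryption of the object bodies is left out because it needs a crypto library; the block stops at the keys. The /O, /ID and /P values in the main block are constructed, not taken from a real file.

```python
import hashlib
import struct

# Padding string from ISO 32000-1, 7.6.3.3 (Algorithm 2, step a).
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the R2/R3/R4 handlers use it for /U and /O."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pack_permissions(p):
    """/P as a 32-bit unsigned value, low byte first (Algorithm 2, step d).
    /P is usually negative in the file (e.g. -3904); its two's complement
    bytes are what gets hashed, so mask rather than sign-extend."""
    return struct.pack("<I", p & 0xFFFFFFFF)


def compute_file_key(password, o_entry, p, id0, revision, length_bits=128,
                     encrypt_metadata=True):
    """Algorithm 2: file encryption key from the user password and /O, /P, /ID[0]."""
    n = 5 if revision == 2 else length_bits // 8
    h = hashlib.md5()
    h.update((password + PAD)[:32])   # pad or truncate the password to 32 bytes
    h.update(o_entry[:32])
    h.update(pack_permissions(p))
    h.update(id0)
    if revision >= 4 and not encrypt_metadata:
        h.update(b"\xff\xff\xff\xff")
    key = h.digest()
    if revision >= 3:
        for _ in range(50):            # R3/R4: 50 extra MD5 rounds over the first n bytes
            key = hashlib.md5(key[:n]).digest()
    return key[:n]


def compute_u_entry(key, id0, revision):
    """Algorithm 5 (R3/R4): the /U value a writer stores for this file key."""
    if revision < 3:
        raise ValueError("this example covers revision 3 and 4 only")
    u = rc4(key, hashlib.md5(PAD + id0).digest())
    for i in range(1, 20):
        u = rc4(bytes(b ^ i for b in key), u)
    return u + b"\x00" * 16            # 16 bytes of arbitrary padding


def authenticate_user(password, o_entry, u_entry, p, id0, revision,
                      length_bits=128, encrypt_metadata=True):
    """Algorithm 6: return the file key if password opens the file, else None."""
    key = compute_file_key(password, o_entry, p, id0, revision, length_bits, encrypt_metadata)
    if compute_u_entry(key, id0, revision)[:16] == u_entry[:16]:
        return key
    return None


def object_key(file_key, num, gen, aes=True):
    """Algorithm 1: per-object key; AESV2 appends 'sAlT' before hashing."""
    data = file_key + struct.pack("<I", num)[:3] + struct.pack("<I", gen)[:2]
    if aes:
        data += b"sAlT"
    n = min(len(file_key) + 5, 16)
    return hashlib.md5(data).digest()[:n]


if __name__ == "__main__":
    # Constructed /O, /ID[0] and /P values (not from a real file); empty user password.
    o = bytes(range(32))
    id0 = bytes.fromhex("00112233445566778899aabbccddeeff")
    key = compute_file_key(b"", o, -3904, id0, revision=4)
    print("file key:", key.hex())
    print("password check:", authenticate_user(b"", o, compute_u_entry(key, id0, 4), -3904, id0, 4) == key)
    print("object 47.0 key:", object_key(key, 47, 0).hex())
```

With the object key in hand, an AESV2 stream is the 16-byte IV followed by AES-128-CBC ciphertext with PKCS#5 padding; RC4 streams (V1/V2) are decrypted directly with the object key from object_key(..., aes=False).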

For older PDF Version 1/2 encryption I found this resource. But thi…