

Showing posts from October, 2010

Hiding PDF Exploits by embedding PDF files in streams and Flash ROP heapsprays

Another interesting sample that we came across (a901141662b350cd2c7d91268eddbdce) highlights one of the neat features of our online PDF Examiner: detection and processing of streams which contain an embedded PDF file. It's quite easy now to put the exploits into an embedded PDF and compress or even encrypt the parent PDF file so that many AV products fail to detect the exploit code:

Object 3 has the embedded PDF file, which was extracted and processed automatically - it's linked to and shown to have the CVE-2010-2883 fontfile SING table description name overflow:

Now one of the very interesting things going on in this sample is that there's no JavaScript for the heapspray. We do see that the parent PDF has embedded Flash files in objects 1 and 2. We can download those two Flash files easily from within PDF Examiner by clicking "save Obj to File".

Now both Flash files have the CWS magic number that indicates they are compressed. Here's how we expand them using PHP:
function flashE…

PDF Slack Space

Another common way to hide an embedded executable file in a PDF is to include its content after the end-of-file marker %%EOF. We're now showing any content after the last %%EOF as "Slack Space", also marked in brown. Check out all the neat features of the PDF Examiner.
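
The slack-space check described above can be reproduced offline when triaging a file. The following is an added example, not PDF Examiner's own code; the function names, the magic-number table and the sample byte strings are constructed for illustration.

```python
"""Added example: find data placed after the last %%EOF marker of a PDF."""
import re

EOF_MARKER = b"%%EOF"
# Magic numbers worth flagging in trailing data (illustrative, not exhaustive).
MAGICS = {
    b"MZ": "Windows executable (MZ)",
    b"PK\x03\x04": "ZIP archive",
    b"CWS": "compressed Flash (CWS)",
    b"FWS": "uncompressed Flash (FWS)",
}

def slack_space(data: bytes):
    """Return (offset, payload) for bytes after the last %%EOF, else None."""
    pos = data.rfind(EOF_MARKER)      # incremental updates add more %%EOF markers
    if pos == -1:
        raise ValueError("no %%EOF marker found")
    start = pos + len(EOF_MARKER)
    # The end-of-line that normally follows the marker is not slack space.
    start += re.match(rb"[\r\n \t]*", data[start:]).end()
    payload = data[start:]
    return (start, payload) if payload else None

def classify(payload: bytes) -> str:
    """Name the trailing data by its leading magic number, if recognised."""
    for magic, name in MAGICS.items():
        if payload.startswith(magic):
            return name
    return "unknown data"

# Constructed samples: a minimal PDF, the same file with an incremental
# update, and that file with an MZ-prefixed blob appended after the last %%EOF.
CLEAN = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"
UPDATED = CLEAN + b"2 0 obj\n<<>>\nendobj\n%%EOF\r\n"
TRAILING = UPDATED + b"MZ\x90\x00" + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("updated", UPDATED), ("trailing", TRAILING)):
        hit = slack_space(blob)
        if hit is None:
            print(f"{label}: no slack space")
        else:
            offset, payload = hit
            print(f"{label}: {len(payload)} bytes at offset {offset}: {classify(payload)}")
```

A payload that itself contains the bytes %%EOF moves the detected boundary, so treat the reported offset as a starting point for manual inspection.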