Skip to main content


Showing posts from 2011

PDF Malware bypasses AV with 256bit AES encryption CVE-2011-2462

We've been getting a number of 256bit AES encrypted PDFs containing the U3D zero-day CVE-2011-2462 in the past 5 days. The files are getting very low-to-no AV detection:

256 bit AESV3 used by Adobe is proposed as part of ISO 32000-2 standard and is not included in the current standard ISO 32000-1, Adobe has implemented it for developer purposes in Reader 9.4 and 10.x. As such, it's not widely used and apparently not widely checked by AV or until today, our own PDFExaminer product.

Here's a sampling of some documents submitted to PDFExaminer which weren't privately submitted:

And a samping of our PDFExaminer results:

We've added 256bit AES decryption and analysis to both our web based PDFExaminer (free online and commercial lan version) and standalone command line versions (please update now). The zero-day samples are also available to Malware Intelligence Feed customers through our customer portal.

Thanks to those that pointed out that we were missing 256bit AES.

30 APT PDFs - rapid analysis with PDFExaminer

A recent post from the awesome Contagiodump blog provided 30 APT PDFs seen in the wild for researchers to work with. We thought we'd run them all through the PDFExaminer (api info here) to get quick CVE detection for all the files, in under 10 minutes. The command line version of the PDFExaminer can be pretty handy at your mail gateway in addition to regular A/V scans.

86730A9BC3AB99503322EDA6115C1096 1104statment.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

35458535961F767E267487E39641766C 1106.pdf
39.0@952: suspicious.warning: ob…

Malware PDF Obfuscation Using PNG Filters and AV #fail

We recently took a look at PDF sample 218a3f6c293d67e5eef2a58742966d56 that our PDFExaminer tool was missing that had a low 4/41 detection rate in Virustotal. Object 20 in this sample had decode parameter with a Predictor 12, BitsPerComponent 8, Colors 1, and Columns 1. Normally this PNG Up filter would only be used on graphics data, however, this particular sample it was used to hide an XFA block with Javascript as well as a CVE-2011-0188 libtiff exploit (vulnerable in Adobe Reader 9.3 and earlier).

Object 20 also didn't code with

The PDF was part of attacks earlier in April, blogged about by Sophos and Symantec

Despite awareness and blogs by a couple of commercial AV providers, this particular obfuscation technique hasn't really got much attention, and continues to get very low detection rates - today it'…

PDFExaminer command line scanner

Our command line version of the PDF Examiner is pretty popular for those will a lot of malware PDFs process locally. It's a commercial product, and includes a year of our CVE identification updates. It's a PHP library and utility that can be easily customized, designed for detection from the command line where the visual walk through by object is not required. The command line version can optionally store extracted PDF objects to file in their decoded form for hex viewing the detected objects with exploits.

$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf is_malware

$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf summary
19.0@993: suspicious.obfuscation using unescape
19.0@993: suspicious.string heap spray shellcode
19.0@993: suspicious.obfuscation using substr
19.0@993: suspicious.obfuscation using substring
19.0@993: suspicious.obfuscation using util.byteToChar
24.0@3857: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
2.0@5114: flash.exploit CVE-2011-0609

PDF Malware scoring with PDFExaminer

Today we're going to talk a little about the scoring of PDF malware with the PDFExaminer tool. We're currently rating PDFs as clean, suspicious or malware based on a simple scoring algorithm.

Use of JavaScript, per object: +1
JS Obfuscation function - eval, charCodeAt, etc: +1
Strings/variables exploit, jit, shellcode etc: +1
Flash (define object, Flash block): +1
CVE Exploit detected: +10
JBig2Decode: +1

Clean = 0
Suspicious = 1-9
Malware = 10 or more

Some CVE exploit signatures may occur multiple times, as our detection engine uses REGEX signatures and some exploits may be detected two or more times with varied signatures to more broadly detect new variants of known exploits.

PDFExaminer API

Our new API tool to submit PDFs from the command line and download reports is now available.

Feel free to recode in other languages. We'll post any user submissions here as well.

Upload a PDF and receive the report:
php mwtfile.php [filename] [email address for report]
mwtfile.php source.

Download a PDFExaminer report for a hash
php mwtreport.php [hash] [report xml, text, json, php, is_malware, rating, severity]
mwtreport.php source.

php mwtfile.php China\'s\ Charm\ diplomacy\ in\ BRICS\ Summit.pdf

....php mwtreport.php ae39b747e4fe72dce6e5cdc6d0314c02 xml

XML Report:
<?xml version="1.0"?>
<pdf><filename>China's Charm diplomacy in BRICS Summit.pdf</filename>
<submitted>2011-04-21 14:46:36</submitted>

Server upgrade

We completed a server upgrade to a brand new server with double the resources, processing speed should be even better and we are looking to release our PDFExaminer API tool very soon.

API Features for the Free online PDFExaminer
Submit a PDF for analysis via PHP or scripted web post
Extract reports in XML, Text, JSON, or PHP Serialize (Hash variable)

PDFExaminer: ObjStm handling

We've rolled out a number of new features today, one of the biggest is ObjStm handling - object streams are extracted and processed as separate objects. Malware severity rating now includes the count from embedded PDFs. Our parser has also been enhanced to better process extremely malformed PDFs.

Coming soon, we'll be releasing an API to post PDFs for analysis and retrieve reporting in XML, PHP Serialize, JSON, or text.

PDFExaminer Flash Handling


We are now exploding compressed Flash embedded in PDFs to allow for additional signature scanning for better CVE identification in embedded Adobe Flash files. Uncompressed Flash will be shown on the new "Flash" tab when viewing a PDF object which contains Flash.

Check out PDFExaminer.

PDFExaminer new features

Added several new features to the PDFExaminer. Email reports are optionally issued after submitting a sample, you can also include the phishing email or a comment and mark a sample as private to prevent it from being listed in a future list of recent detected malware reports.

We've also added a detection rating - malware, suspicious or clean to distinguish between PDFs with some obfuscated JavaScript and those with a detected CVE exploit.

Check out the PDFExaminer.

CVE-2011-0611 Zero Day

Another update on CVE-2011-0611, we're seeing reports of it's use in PDF (similar to the use of CVE-2011-0609 recently), Adobe will be releasing a patch by the week of April 25th. Adobe Reader contains an internal version of Flash Player, so updating to the recent Flash player will not protect you from PDF's with embedded CVE-2011-0611 exploits.

You can scan any suspicious PDF for free with our PDF Examiner tool:

CVE-2011-0609 attacks via PDF file

We've just across a new use of CVE-2011-0609, formerly only seen in XLS files, now used in a PDF file sent in a targeted email attack.

Filename: 民進黨2012+年....pdf (translates as DPP 2012 and beyond - DPP is Taiwan's Democratic Progressive Party)
MD5: 3d1fc4deb5705c750df6930550c2fc16
sha1: 3f6b96a62ae780b8c9d4094e478388036f336188
sha256: d742293773b4c6725bed769651a36baec6cd0b06c96662c688fce0f09f5d82c4
ssdeep: 12288:5aZEUjnnntnfnPnnnnnye2MUI2caPV6BWExnfAcc2spmUL0VnJtoQhUImzaIE0sT:GfURULy6NrFASbdX

PDF Object 2 contains a SWF file MD5 40792ec6d7b7f66e71a3fdf2e58cb432 subtlety named "~CVE-2011-0609.swf". Decompressing the CWS to FWS gives the MD5 00cf8b68cce68a6254b6206f250540fd.

Object 19 contains JavaScript to load shellcode into memory.

View the sample in PDF Examiner. Updating to the latest Flash and Reader 9.4.2 mitigates this threat. We'll make the sample available to AV companies if requested.

For information on other current threats, see our PDF Threats and

Flash in Word zero-day

Adobe has announced a new Flash zero day CVE-2011-0611. Flash with an exploit and jit spray potentially. The PoC file also dropped an executable (XORed with 0x85).

MD5: 96cf54e6d7e228a2c6418aba93d6bd49
SHA1 :820699d9999ea3ba07e7f0d0c7f08fe10eae1d2d


See bulletin APSA11-02.

See our list of current document format malware threats.

Malware Tracker Document Threats List

We've released our new list of current document threats (Microsoft Office Word/Excel/Powerpoint) which will be kept up to date with the most popular document exploits we see through email gateway detection. A lot of the targeted email attacks are surprisingly using older exploits which often have patches available, however, many users do not download MS Office patches and they are not usually included in automatic updates. PDF threats are tracked separately.