Skip to main content

Posts

Showing posts from December, 2011

PDF Malware bypasses AV with 256bit AES encryption CVE-2011-2462

We've been getting a number of 256bit AES encrypted PDFs containing the U3D zero-day CVE-2011-2462 in the past 5 days. The files are getting very low-to-no AV detection:

256 bit AESV3 used by Adobe is proposed as part of ISO 32000-2 standard and is not included in the current standard ISO 32000-1, Adobe has implemented it for developer purposes in Reader 9.4 and 10.x. As such, it's not widely used and apparently not widely checked by AV or until today, our own PDFExaminer product.

Here's a sampling of some documents submitted to PDFExaminer which weren't privately submitted:








And a samping of our PDFExaminer results:



We've added 256bit AES decryption and analysis to both our web based PDFExaminer (free online and commercial lan version) and standalone command line versions (please update now). The zero-day samples are also available to Malware Intelligence Feed customers through our customer portal.

Thanks to those that pointed out that we were missing 256bit AES.

30 APT PDFs - rapid analysis with PDFExaminer

A recent post from the awesome Contagiodump blog provided 30 APT PDFs seen in the wild for researchers to work with. We thought we'd run them all through the PDFExaminer (api info here) to get quick CVE detection for all the files, in under 10 minutes. The command line version of the PDFExaminer can be pretty handy at your mail gateway in addition to regular A/V scans.


86730A9BC3AB99503322EDA6115C1096 1104statment.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

35458535961F767E267487E39641766C 1106.pdf
39.0@952: suspicious.warning: ob…