Skip to main content


Showing posts from February, 2013

Yara Scanning added to command line tools

We've pushed out updates to PDFExaminer and Cryptam command line versions tonight that include Yara scanning capability, unlike running the standard Yara tool, using our Yara plugin in PDFExaminer and Cryptam allow you to look deeper inside document files.

PDFExaminer CLI - Yara Related FeaturesRun Yara signatures against decoded streams such as FlateDecode, AsciiHex85, CCITTFaxDecode, and many more.Run Yara signatures against decrypted streams of RC4/AES encrypted PDFsRun Yara signatures against decrypted parameter strings.
Cryptam CLI - Yara Related FeaturesRun Yara signatures against all the subfiles of OpenXML format documents such as docx, xlsx, pptx. Run Yara signatures against decoded RTF datastreamsRun Yara signatures against automatically decrypted embedded executables and dropped clean documents. Automate your triage of incoming targeted APT attacks.  Scan a malware RTF file, extract the executables, and identify the implant or intrusion set TTP with your own Yara signat…

Using PDFExaminer to analyse Mandiant_APT2_Report.pdf

Here's a quick walkthrough on using PDFExaminer to triage the Mandiant_APT2_Report.pdf file reported by @9bplus on his blog.

We've added a new feature to specify the user password for these types of encrypted documents to our command line version of the PDFExaminer:

$ php pdfex.php  -p "hello" Mandiant_APT2_Report.pdf summary key key_length
summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

First - the flash file stands our pretty quickly:
$ md5 14a6e24977ff6e7e8a8661aadfa1a…

New PDF Zero Day

We are currently investigating a new Adobe Zero Day which does bypass the Sandbox protections of Reader 11.0.1 as reported by FireEye. We anticipate a patch to be released very quickly.

We recommend avoiding opening any PDF received by email or from a website until Adobe releases more information.

PDFExaminer does detect the zero day PDF as suspicious due to the use of JavaScript obfuscation techniques used such as eval.