It depends on the vulnerabilities in the software which will be parsing it. This starts a series of post leading up to my pdf talk at the next belgian issa and owasp chapter event. Creating and analyzing a malicious pdf file with pdf. This cheat sheet outlines tips and tools for analyzing malicious documents, such as microsoft office, rtf and adobe acrobat pdf files. Pdf detecting android malware by analyzing manifest files. We will analyze it using a blend of both static and dynamic methodologies. Sentinelone detects new malicious pdf file sentinelone. Next video shows how i use my pdf parser to analyze a malicious pdf file, and extract the shell.
Detecting android malware by analyzing manifest files. Malicious pdfs revealing the techniques behind the. Finally we present detail analysis of a malicious pdf file. Examine the document for anomalies, such as risky tags, scripts, or other anomalous aspects. Search for possible malicious elements and then extract and decode those elements for further analysis. In this post, well take you on a tour of the technical aspects behind malicious pdf files.
The access to this course is restricted to eforensics premium or it pack premium subscription word documents, pdfs, photos, and other types of files that are infected with viruses endanger the security of your system every day. I found something strange in the pdf file than the other malicious pdf files. We have created the pdf file with an exe file embedded with it. List of malicious pdf files you should not open make. Recently, microsoft malware protection center released a list of commonly infected pdf files that have been detected over the past few months. Analyzing malicious documents analyzing malicious documents.
Malicious documents pdf analysis in 5 steps count upon security. Analyzing malicious documents this cheat sheet outlines tips and tools for reverseengineering malicious documents, such as microsoft office doc, xls, ppt and adobe acrobat pdf files. Malicious documents pdf analysis in 5 steps count upon. Pdscan makes use of dynamic and static analysis techniques to deal with the malware. Many people dont pay enough attention to the fact that pdf files can contain viruses and open them without scanning them. Analysing malicious pdf documents using dockerized tools. Analyzing pdf malware part 1 trustwave spiderlabs trustwave. But after some googling i found that the same technique was exposed in 2010 so it was not a new technique. This cheat sheet outlines tips and tools for reverseengineering malicious documents, such as microsoft office doc, xls, ppt and adobe acrobat pdf files.
The approach for analyzing office documents is similar to process of examining pdf files. This article contains the analysis details of the malicious spreadsheet that delivered malware to its victim in a spear phishing campaign. Analyzing suspicious pdf files with peepdf attackers continue to use malicious pdf files as part of targeted attacks and massscale clientside exploitation. Header objects reference table trailer 4 malicious pdf files detecting and analyzing %pdf1. With sentinelone, customers are fully covered against this growing threat.
Yesterday, i downloaded a malicious pdf file for my regular analysis. The emails were sent with a link to a pdf file or by attaching the malicious pdf file directly to trap victim to open the files. Posted in reverse engineering on november 9, 2012 share. Weve seen that jsunpack can be a great help with decompressing the decoded pdf files and should be a mandatory tool when analyzing possibly malicious pdf documents. Analysis of malicious excel spreadsheet by monnappa k a.
To launch the pdf parser type pdfparser email protected. Whether a file is malicious or not, does not depend on the file extension in this case pdf. Tools used include pdfid, pdfparser, and pdf stream dumper. Analyzing malicious documents cheat sheet lenny zeltser. Some pdf files dont have a header or trailer, but that is rare. Pdf techniques for analysing pdf malware researchgate. So, which steps could an incident handler or malware analyst perform to analyze such files. Im sure a lot of people are familiar with receiving a strange email often times seemingly from a known person containing an attachment. This cheat sheet outlines tips and tools for analyzing malicious documents, such as. Quick and dirty malicious pdf analysis security for real. Being able to analyze pdfs to understand the associated threats is an increasingly important skill for security incident responders and digital forensic analysts. Analyzing a pdf file involves examining, decoding, and extracting the contents of suspicious pdf objects that may be used to exploit a vulnerability in adobe reader and execute a malicious payload. Malicious pdf files are frequently used as part of targeted and massscale computer attacks.
Passing stream data through filters flatedecode,asciihexdecode, ascii85decode, lzwdecode and runlengthdecode. Malicious office documents are often used in targeted attacks against individuals or organizations. The file was using a different kind of technique and i was not aware about it. Recently these files are secure, popular and reliable documents used by attackers as an instrument to attack users. For our purposes, well focus on spam that delivers malicious pdf files or microsoft office attachments to infect victims.
Hi all, in this post we will be exploring malicious pdf files and how the bad guys leverage them to infect computer systems. First, sentinelone agent detects and blocks malicious pdf files using the behavioral ai engine. Peepdf, a new tool from jose miguel esparza, is an excellent addition to the pdf analysis toolkit for examining and decoding suspicious pdfs. It is much better at protecting you from viruses and trojans that have been around for a few days. Analyzing malicious documents this cheat sheet outlines tips and tools for analyzing malicious documents, such as microsoft office, rtf and adobe acrobat pdf files. For these reasons, its good to know how to analyze pdf files, but analysts first need a basic understanding of a pdf before they deem it malicious. Mycert of cybersecurity malaysia has collected samples of malicious pdf files. In other words, a malicious pdf or ms office document received via email or opened trough a browser plugin. Analyzing weird things forwarded by friends and family is a great way to keep my dfir skills sharp. Analyzing pdf and office documents delivered via malspam. Locate potentially malicious embedded code, such as shellcode, vba macros or javascript. So for example, pdf reader that you are using potentially contains a buffer overflow vulnerability, then an attacker can construct a special pdf file to exploit that vulnerability. Next video shows how i use my pdf parser to analyze a malicious pdf file, and extract the shell code.
Malicious documents pdf analysis in 5 steps mass mailing or targeted campaigns that use common files to host or exploit code have been and are a very popular vector of attack. To sum it up, pdf documents gradually pose more risk, as they are trusted more than executables. Attackers embed malicious code into documents, excel spreadsheets or adobe acrobat pdf files. Locate embedded code, such as shellcode, vba macros, javascript or other suspicious objects.
Lets see a list of my favorite tools for analyzing microsoft office and pdf files. Analyzing malicious documents cheat sheet sans digital. Using my pdf parser to analyze a malicious pdf file and to extract the shell code. Recently these files are secure, popular and reliable documents used. A pdf file is essentially just a header, some objects inbetween, and then a trailer. Some of these have been analyzed and are discussed in this paper. Malicious pdf files are frequently used as part of targeted and massscale computer attacks for these reasons. Like other files that can come as attachments or links in an email, pdf files have received their fair share of attention from threat actors, too. This paper presents the process of analyzing and detecting malicious content which is docx files. There is an increasing number of tools that are designed to assist with this process.
1276 878 353 789 1447 629 1234 275 1143 104 109 1417 1626 504 1399 805 1453 1275 1001 1099 166 749 292 1060 651 200 890 613 1074 234 1419