Analyzing malicious documents cheat sheet, Lenny Zeltser. Access to this course is restricted to eForensics Premium or IT Pack Premium subscribers. Word documents, PDFs, photos, and other types of files that are infected with viruses endanger the security of your system every day. Use this to identify PDF documents with unusual/unexpected objects, or to classify PDF documents. Analyzing PDF malware, part 1, Trustwave SpiderLabs. To launch the PDF parser, type pdf-parser. In the section below we will see how we can use OfficeMalScanner to analyze such malicious documents. Attackers continue to use malicious PDF files as part of targeted attacks and mass-scale client-side exploitation. The approach for analyzing Office documents is similar to the process of examining PDF files. Automate malware PDF analysis and step through the objects of a malicious PDF. Let's see a list of my favorite tools for analyzing Microsoft Office and PDF files. The Hakin9 magazine has made available this week for free a great introductory article on the internal formatting of PDF files and how to analyze malicious PDF documents, those exploiting a vulnerability in the embedded JavaScript interpreter (very common), by Didier Stevens, a well known PDF expert we've mentioned regarding previous PDF. Attackers embed malicious code into documents, Excel spreadsheets or Adobe Acrobat PDF files. Oct 20, 2008: This starts a series of posts leading up to my PDF talk at the next Belgian ISSA and OWASP chapter event.
The tool uses multiple open source tools and custom code to take a PDF and turn it into a sharable format. The file was using a different kind of technique and I was not aware of it. To get a general sense of how to analyze malicious PDF files, take a look at my Analyzing Malicious Documents cheat sheet. Malicious documents: PDF analysis in 5 steps, Count Upon Security. Creating and analyzing a malicious PDF file with the pdf-parser tool. It's good to know how to analyze PDF files, but analysts first need a basic understanding of a PDF before they deem it malicious.
Jun 06, 2017: It's important to have the right tools to analyze suspect documents. We have created the PDF file with an EXE file embedded in it. Malicious Office documents are often used in targeted attacks against individuals or organizations. This cheat sheet outlines tips and tools for analyzing malicious documents, such as.
Analyzing PDF and Office documents delivered via malspam. May 01, 2018: The approach for analyzing Office documents is similar to the process of examining PDF files. For example, I generated statistics for 2 malicious PDF files, and although they were very different in content and size, the statistics were identical, proving that they used the same attack vector and shared the same origin. It's important to have the right tools to analyze suspect documents. For these reasons, it's good to know how to analyze PDF files, but analysts first need a basic understanding of a PDF before they deem it malicious. This starts a series of posts leading up to my PDF talk at the next Belgian ISSA and OWASP chapter event. This workshop will teach you the fundamentals you need to know to analyze malicious PDF documents.
I found something strange in the PDF file compared with the other malicious PDF files. May 14, 2019: Malicious Office documents are often used in targeted attacks against individuals or organizations. It is much better at protecting you from viruses and trojans that have been around for a few days. InfoSec Handlers Diary Blog, SANS Internet Storm Center. So it is very important to have the right tools to analyze suspect documents. This particular type of evasion is meant to hide from analysis tools. Quick and dirty malicious PDF analysis, Security for Real. Malicious documents: PDF analysis in 5 steps, reverse. For our purposes, we'll focus on spam that delivers malicious PDF files or Microsoft Office attachments to infect victims. Locate embedded code, such as shellcode, VBA macros, JavaScript or other suspicious objects.
As well, it can be used to create on-the-fly customized PDFs, or to inject evil code into already existing documents. Support for basic PDF JavaScript obfuscation and encrypted PDFs (RSA, AESV2, revision 5 AESV3). For demonstration purposes, I will generate an example malicious PDF document using Metasploit, featuring the use-after-free media. Every time you feel a file is suspicious or you receive a file from an untrusted source, it's recommended to scan it with one of these online services before opening it. Joe Sandbox detects and analyzes potentially malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities. The next video shows how I use my PDF parser to analyze a malicious PDF file and extract the shellcode. By the way, having them manually analyze a file is the only way to be absolutely certain that it's safe. How to tell if a file is malicious, Gizmo's Freeware. Malicious email attachments: protection from infected PDF. The malicious documents were found in the wild in 2016 and were mostly distributed via phishing mails. Leveraging Falcon Sandbox to detect and analyze malicious. If they find it to be unknown or malicious then I'd advise getting rid of the file.
Creating and analyzing a malicious PDF file with pdf. To launch the PDF parser, type pdf-parser. Put it through a PDF viewer that isn't vulnerable to the exploit. If it has been analyzed, the staff will have assigned it a verdict of normal, unknown, or malicious. Their background is also to help explore malicious PDFs, but I also find it useful to analyze the structure and contents of benign PDF files.
When running the malicious PDF file against the latest version of the tool it can show very useful information about the PDF structure, its. How to analyze malicious file downloads, NetWatcher. peepdf is a tool for forensic analysis of PDF documents. Analyzing malicious documents cheat sheet, SANS Forensics. Passing stream data through filters: FlateDecode, ASCIIHexDecode, ASCII85Decode, LZWDecode and RunLengthDecode. As previously mentioned, in March 2018 researchers discovered a PDF sample that contains two zero-day exploits targeting Acrobat Reader and Acrobat, and older Windows versions, respectively CVE-2018-4990 and CVE-2018-8120. Running JavaScript in PDF files needs a particular runtime library.
Being able to analyze PDFs to understand the associated threats is an increasingly important skill for security incident responders and digital forensic analysts. When the malware finds that some functions are not defined. ExeFilter can filter scripts from Office and PDF files. Here is an example of how I would extract the uncompressed stream of PDF object no. Oct 20, 2008: Using my PDF parser to analyze a malicious PDF file and to extract the shellcode. Some of these samples have been analyzed and are discussed in this paper. It performs deep malware analysis and generates comprehensive and detailed analysis reports. Tools used include pdfid, pdf-parser, and PDF Stream. There is an increasing number of tools that are designed to assist with this process. Some PDF files don't have a header or trailer, but that is rare. MyCERT of CyberSecurity Malaysia has collected samples of malicious PDF files. Search for possible malicious elements and then extract and decode those elements for further analysis. May 04, 2011: This note demonstrates several steps for extracting malicious Flash from PDF files, so you can analyze it for malware artifacts.
This is the very same exploit that became public knowledge on 15 December 2009, and we are still waiting for Adobe to release a patch, which is due 12 January 2010. Tools used include pdfid, pdf-parser, and PDF Stream Dumper. So for example, if the PDF reader that you are using potentially contains a buffer overflow vulnerability, then an attacker can construct a special PDF file to exploit that vulnerability. Dissect PDF streams to discover new and known exploits. path: path to the directory/files to be scanned; optional arguments. Sep 22, 2014: Malicious documents: PDF analysis in 5 steps. Mass mailing or targeted campaigns that use common files to host or exploit code have been and are a very popular vector of attack. Creating new PDF documents is very easy, and the volume of PDF documents identified as malicious has grown beyond the capabilities of security researchers to analyze by hand. Best place to identify malicious software activity: study the running system configuration, identify inconsistencies and contradictions in the system, and bypass packers, binary obfuscators, rootkits (including kernel mode) and other hiding tools. Malicious documents: PDF analysis in 5 steps, Count Upon. This paper presents the process of analyzing and detecting malicious content in DOCX files. When running the malicious PDF file against the latest version of the tool it can show very useful information about the PDF structure, its contents and even detect which vulnerability it triggers in case it has a signature for it. At this point, there are a few things I do to analyze the attachment before I go any further. Tool to help analyze PDF files. Examine the document for anomalies, such as risky tags, scripts, or other anomalous aspects.
Parse existing documents, modify them and recompile them. Malicious PDF analysis: evasion techniques, TrendLabs. In case the PDF file contains JavaScript, the malicious code is used to trigger a vulnerability and to execute shellcode. It can also examine PDF files for malicious JavaScript artifacts. To get a general sense of how to analyze malicious PDF files, take a. Nov 20, 20: Malicious PDF files are frequently used as part of targeted and mass-scale computer attacks for these reasons. Malware online scanners: here is a list of online malware analysis services, updated as needed. From 2007 onward, the PDF document has proven to be a successful vector for malware infections, making up 80% of all exploits found by Cisco ScanSafe in 2009 [1]. This is a great utility as it removes the dependency on Microsoft Office on the system. PDF X-RAY is a static analysis tool that allows you to analyze PDF files through a web interface or API. Malicious documents: PDF analysis in 5 steps. Mass mailing or targeted campaigns that use common files to host or exploit code have been and are a very popular vector of attack. Sandsprite software reverse engineering services and tools.
Apr 21, 2017: peepdf is a tool to analyze PDF files, helping to show objects/streams, encode/decode streams, modify all of them, obtain different versions, show and modify metadata, and execute JavaScript and shellcode. Yesterday, I downloaded a malicious PDF file for my regular analysis. Analyzing malicious documents: useful MS Office analysis commands. For example, I generated statistics for 2 malicious PDF files, and although they were very different in content and size, the statistics were identical, proving that they. Malicious PDF files are frequently used as part of targeted and mass-scale computer attacks for these reasons. Cybercriminals use many different tactics to breach an organization's network defenses, and delivering infected PDF files, typically via email, remains a very common and dangerous threat. Malicious PDF files are frequently used as part of targeted and mass-scale computer attacks. Locate potentially malicious embedded code, such as shellcode, VBA macros or JavaScript.
It aims at providing a scripting tool to generate and analyze malicious PDF files. Search for possible malicious elements and then extract and decode those elements for. Analyze and track recent activity on the system; identify all recent activity in context. Didier Stevens will familiarize you with pdfid and pdf-parser, two essential tools for PDF analysis he authored.
Analyzing malicious documents: this cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat PDF files. Whether a file is malicious or not does not depend on the file extension (in this case PDF). In other words, a malicious PDF or MS Office document received via email or opened through a browser plugin. This article contains the analysis details of the malicious spreadsheet that delivered malware to its victim in a spear phishing campaign. This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF and Adobe Acrobat PDF files.
SANS Digital Forensics and Incident Response Blog: how to. This note demonstrates several steps for extracting malicious Flash from PDF files, so you can analyze it for malware artifacts. We start with a very simple PoC malicious PDF file (you could even analyze this PoC file with Notepad or vi) to lay out the fundamentals, and then work through more complex examples. Its features also include carving contents of network packet capture (PCAP) files and identifying common client-side exploits. PDF files by looking at their characteristics in order to add some intelligence into the determination of them being malicious or benign.
Analyzing a PDF file involves examining, decoding, and extracting the contents of suspicious PDF objects that may be used to exploit a vulnerability in Adobe Reader and execute a malicious payload. With it you can extract embedded files and scripts, view headers, etc. The discovery by security researchers in March 2018 of a PDF sample that contains exploits for two zero-day vulnerabilities has confirmed that exploiting PDF readers is still considered a viable attack vector by, presumably, more advanced threat actors. Analyzing malicious documents cheat sheet: this cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF and Adobe Acrobat PDF files. peepdf, a new tool from Jose Miguel Esparza, is an excellent addition to the PDF analysis toolkit for examining and decoding suspicious PDFs. For this introductory walkthrough, I will take a quick look at the malicious PDF file that I obtained from the Contagio malware dump. This website gives you access to the community edition of Joe Sandbox Cloud. This library is part of Adobe Reader, but most analysis tools do not contain it. I'm sure that their PDF parser is extremely secure, so. Analysing malicious PDF documents using dockerized tools. Jan 10, 2010: For demonstration purposes, I will generate an example malicious PDF document using Metasploit, featuring the use-after-free media.
It breaks down a PDF into its distinct elements, allowing you to see into its internal structures. PDFStreamDumper also includes a JavaScript interface that allows you to work live with Acrobat scripts. Infected PDF files continue to plague security personnel responsible for detecting and containing malicious email attachments. Since many email systems automatically block obvious malicious programs, attackers conceal a piece of software called an exploit inside other types of commonly emailed files: Microsoft Word documents, ZIP or RAR files, Adobe PDF documents, or even image and video files. Detect variants of CVE-2007-5659, CVE-2009-3953, CVE-2009-3959, CVE-2009-0927, CVE-2008-2992, CVE-2009-4324, CVE-2009. I'm sure that their PDF parser is extremely secure, so you shouldn't feel bad about possibly infecting them. Recently these files, secure, popular and reliable documents, are used by attackers as an instrument. For my tenth blog post, I'm going to analyze some malicious Office documents. Didier Stevens will familiarize you with pdfid and pdf-parser, two essential tools for PDF analysis he authored. Currently, the main malware infection vehicle remains the classic malicious document attached to an email.
Aug 05, 20: For these reasons, it's good to know how to analyze PDF files, but analysts first need a basic understanding of a PDF before they deem it malicious. We will analyze it using a blend of both static and dynamic methodologies. The goal with this tool is to centralize PDF analysis and begin sharing comments on files that are seen. Fully automated Falcon Sandbox analysis of a malicious PDF containing zero-day exploits. But after some Googling I found that the same technique was exposed in 2010, so it was not a new technique. peepdf is a tool to analyze PDF files, helping to show objects/streams, encode/decode streams, modify all of them, obtain different versions, show and modify metadata, and execute JavaScript and shellcode. Using my PDF parser to analyze a malicious PDF file and to extract the shellcode. Automated malware analysis: Joe Sandbox Cloud Basic. To analyze such malicious documents, a very popular toolkit known as OfficeMalScanner is available. Analysis of a malicious Excel spreadsheet by Monnappa K A. PDFStreamDumper is a free, open source tool to analyze malicious PDF documents.