Ahmad Azizan and I released a challenge for the Honeynet Project Forensic Challenge on our favorite topic, malicious PDF, called "Analyzing Malicious Portable Destructive Files". We implemented a few tricks to make analysis of the PDF file harder, such as JavaScript obfuscation, the PDF /Root component, PDF syntax obfuscation, and many more. It will be interesting to see how people will get the wrong shellcode execution. >;). Good luck and enjoy the challenge. We definitely had a lot of fun while working on it.
Please check out the challenge from Honeynet Project Forensic Challenge 6 page here.
Here is the challenge description:
The Challenge:
PDF format is the de-facto standard in exchanging documents online. Such popularity, however, has also attracted cyber criminals in spreading malware to unsuspecting users. The ability to generate malicious pdf files to distribute malware is functionality that has been built into many exploit kits. As users are less cautious opening PDF files, the malicious PDF file has become quite a successful attack vector.
The network traffic captured in lala.pcap contains network traffic related to a typical malicious PDF file attack, in which an unsuspecting user opens a compromised web page, which redirects the user's web browser to a URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user's machine.
- How many URL path(s) are involved in this incident? Please list down the URL path(s) found. (1pt)
- What code can you find inside the PCAP file? Explain what the code does. (2pts)
- What file(s) can you find within the PCAP file? If any files are found, please zip-compress them into a password-protected file (password: infected) with file name: [your email]_Forensic Challenge 2010 – Challenge 6 – Extracted Files.zip and submit to http://www.honeynet.org/challenge2010/. (3pts)
- How many object(s) are contained inside the PDF file? (1pt)
- Using PDF dictionary and object referencing, explain in detail the flow structure of a PDF file. (1pt)
- How many filtering schemes are used for the object streams and what are they? Explain how you can decompress the stream. (1pt)
- Which object streams might contain malicious content? List the object and explain the obfuscation technique(s) used. (3pts)
- What exploit(s) are contained inside the PDF file? Which one actually runs and triggers the vulnerability(ies)? Please provide some explanation for your answer. (4pts)
- Are there any payloads inside the PDF file? If any, list them all and explain what they do. Which payload will be executed? (2pts)
- With the understanding of the PDF format structure, please explain how we can enable other exploits to run when the PDF file is opened. (2pts)
Bonus:
- Please provide the dot graph of the PDF object’s connectivity inside the PDF file. (1pt)
- Please provide an automated solution to extract and analyze JavaScript code within the PDF file. Be creative! (Describe your solution below, but submit any source code and executable in a compressed zip file with file name [your email]_Forensic Challenge 2010 – Challenge 6 – Bonus2.zip via our submission form http://www.honeynet.org/challenge2010/.) (1pt)
To get it started, you need to start by inspecting a PCAP file. It can be downloaded from this page.
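Several of the questions above (object count, the /Root dictionary and object referencing, stream filters and decompression, JavaScript extraction, and the dot graph of object connectivity in the bonus) boil down to the same handful of parsing steps. The script below is an added example written for this post, not part of the challenge or of any tool it mentions; it works on a small constructed PDF embedded inline rather than on the challenge file, and it is a deliberately simplified regex-based walker (no xref table, object streams, encryption or stream-length handling, and only the FlateDecode and ASCIIHexDecode filters). It enumerates the indirect objects, finds the /Root object from the trailer, lists each stream's filters, decodes the stream, follows /OpenAction to the /JS code, and emits the object-reference graph in DOT format.

```python
import re
import zlib

# Constructed sample PDF (not the challenge file): the /Root catalog's
# /OpenAction points at a JavaScript action whose /JS code lives in a
# FlateDecode-compressed stream, the same indirection the questions ask you
# to trace. The JavaScript itself is a harmless alert.
SAMPLE_JS = b'app.alert("hello from the sample");'
SAMPLE_STREAM = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
    b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n",
    b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(SAMPLE_STREAM),
    SAMPLE_STREAM, b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")


def parse_objects(pdf):
    """Map object number -> {'dict': dictionary bytes, 'stream': raw stream or None}."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        objs[int(m.group(1))] = {
            "dict": body[:sm.start()] if sm else body,
            "stream": sm.group(1) if sm else None,
        }
    return objs


def root_object(pdf):
    """Object number named by /Root in the trailer dictionary (None if absent)."""
    m = re.search(rb"trailer\s*<<.*?/Root\s+(\d+)\s+\d+\s+R", pdf, re.S)
    return int(m.group(1)) if m else None


def filters_of(obj):
    """Filter names in the order they must be undone, e.g. ['FlateDecode']."""
    m = FILTER_RE.search(obj["dict"])
    return [f.decode() for f in re.findall(rb"/(\w+)", m.group(1))] if m else []


def decode_stream(obj):
    """Undo the declared filters; unsupported filters raise rather than guess."""
    data = obj["stream"]
    for name in filters_of(obj):
        if name == "FlateDecode":
            data = zlib.decompress(data)
        elif name == "ASCIIHexDecode":
            hexdata = re.sub(rb"\s", b"", data).rstrip(b">")
            data = bytes.fromhex((hexdata + b"0" * (len(hexdata) % 2)).decode())
        else:
            raise ValueError(f"unsupported filter {name}")
    return data


def references(objs):
    """Edges (source object, referenced object) from every 'n g R' in a dictionary."""
    return [(num, int(r)) for num, obj in objs.items()
            for r in REF_RE.findall(obj["dict"])]


def to_dot(objs):
    """Object connectivity as a Graphviz digraph."""
    lines = ["digraph pdf {"] + [f"  obj{s} -> obj{d};" for s, d in references(objs)]
    return "\n".join(lines + ["}"])


def extract_javascript(objs):
    """Map action object -> JavaScript source, following /JS references into streams."""
    found = {}
    for num, obj in objs.items():
        if b"/JavaScript" not in obj["dict"]:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", obj["dict"])
        inline = re.search(rb"/JS\s*\((.*?)\)", obj["dict"], re.S)
        if ref:
            found[num] = decode_stream(objs[int(ref.group(1))]).decode("latin-1")
        elif inline:
            found[num] = inline.group(1).decode("latin-1")
    return found


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print(f"{len(objs)} objects, /Root is object {root_object(SAMPLE_PDF)}")
    for num, obj in objs.items():
        if obj["stream"] is not None:
            print(f"object {num}: filters {filters_of(obj)}")
    for num, code in extract_javascript(objs).items():
        print(f"JavaScript reached from object {num}: {code}")
    print(to_dot(objs))
```

Run as-is, it reports five objects with /Root at object 1, a single FlateDecode stream in object 5, the decoded JavaScript reached through object 4, and a DOT graph you can pipe into `dot -Tpng`. The regex approach is what makes the challenge's syntax tricks bite: a real file can declare a /Length that lies, split keywords with comments, nest filters, or hide objects in object streams, so the values this walker prints should be cross-checked against a full parser before you trust them.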