Wednesday, August 25, 2010

Malicious PDF Technical Analysis Write Up

For 2010, I spent a bit of my time poking at malicious PDF analysis. I came up with a technical write-up on analyzing malicious PDFs. The title of the write-up is "Getting Owned by Malicious PDF". I split the write-up into multiple samples, sorted from easy to moderate in the challenges and obstacles encountered when dealing with malicious PDF analysis.

It starts with an introduction to PDF structure and components. The next section analyzes a vanilla PDF, one with only a plain, flat PDF structure. This is a good introduction to familiarize the audience with PDF structure and also to expose the malicious PDF threat. In this sample, the analysis focuses on understanding the PDF internals and extracting interesting components such as the /Root object, the JavaScript code, and the shellcode embedded within that JavaScript code.

The second sample involves compressed PDF components that make use of the PDF /Filter feature. /Filter allows PDF stream objects to be compressed or encoded with a compression algorithm or encoding method, such as zlib compression for the /FlateDecode filter or hex-encoded ASCII for the /ASCIIHexDecode filter. Many other methods can be used; please refer to Adobe's PDF Specification for the full list.
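As an added illustration of what decoding those filtered objects involves (example code written for this post, not part of the SANS write-up), the Python script below parses a constructed, harmless PDF skeleton, decodes its /FlateDecode and /ASCIIHexDecode streams, and pulls out the script bodies that /S /JavaScript actions reference. The regex-based object grammar is a simplification; real analysis tools honour /Length, CRLF line endings and object streams.

```python
import binascii
import re
import zlib

# Decoders for the two /Filter values the post names; other filters and filter chains are omitted.
DECODERS = {
    b"FlateDecode": zlib.decompress,
    b"ASCIIHexDecode": lambda d: binascii.unhexlify(re.sub(rb"[\s>]", b"", d)),
}
# Simplified grammar "N 0 obj << dict >> [stream ... endstream]"; real tools use /Length instead.
OBJ_RE = re.compile(rb"(\d+) 0 obj\s*<<(.*?)>>\s*(?:stream\n(.*?)\nendstream)?", re.DOTALL)

def parse_objects(pdf):
    """Map object number -> (dictionary bytes, decoded stream bytes or None)."""
    objs = {}
    for num, dictionary, raw in OBJ_RE.findall(pdf):
        data = None
        if raw:
            flt = re.search(rb"/Filter\s*/(\w+)", dictionary)
            decoder = DECODERS.get(flt.group(1)) if flt else (lambda d: d)
            data = decoder(raw) if decoder else raw  # unknown filter: keep the raw bytes
        objs[int(num)] = (dictionary, data)
    return objs

def extract_javascript(pdf):
    """Return decoded script bodies that /S /JavaScript actions point at via /JS N 0 R."""
    objs = parse_objects(pdf)
    scripts = []
    for dictionary, _ in objs.values():
        ref = re.search(rb"/JS\s+(\d+) 0 R", dictionary)
        if b"/JavaScript" in dictionary and ref:
            body = objs.get(int(ref.group(1)), (None, None))[1]
            if body is not None:
                scripts.append(body)
    return scripts

def build_stream_object(num, payload, filt):
    """Constructed helper: wrap payload in a stream object encoded with the given filter."""
    enc = zlib.compress(payload) if filt == b"FlateDecode" else binascii.hexlify(payload) + b">"
    head = b"%d 0 obj\n<< /Length %d /Filter /%s >>\nstream\n" % (num, len(enc), filt)
    return head + enc + b"\nendstream\nendobj\n"

# Constructed sample (not a real specimen): two JavaScript actions whose bodies sit in filtered streams.
JS_FLATE = b"app.alert('flate-compressed sample');"
JS_HEX = b"app.alert('hex-encoded sample');"
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n" + build_stream_object(3, JS_FLATE, b"FlateDecode")
    + b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n" + build_stream_object(5, JS_HEX, b"ASCIIHexDecode")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
```

Running `extract_javascript(SAMPLE_PDF)` returns both script bodies in plain text, which is the point at which the analysis of a real sample would move on to deobfuscating the script and locating any shellcode it carries.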

For the details of samples 3 and 4, please feel free to download and read the write-up from SANS's web page here