This document discusses analyzing malicious PDF files. It provides an overview of PDF file structure and common strings found in PDFs. Tools are presented for parsing and scanning PDFs like pdf-parser.py, pdfid.py and Peepdf. A demo is shown using these tools to analyze a sample PDF. Limitations of only scanning for strings are noted, and it is recommended to also use antivirus and online scanning services to more thoroughly check for malware in PDFs.

1. Analysis of malicious PDF
by
Abdul Adil
Open Info.sec Community
Disclaimer: Either me or the organizers are not responsible for any damages or any sort of actions that you made with the provided information.

2. Who am i?
• Information security enthusiast & Developer.
• Certified in OCJP ,CEH.
• You can reach me at:
Codestudio8.wordpress.com
Linkedin.com/in/abduladil02
Facebook.com/abduladil02
Twitter.com/abduladil02
Abdul.Adil@connectica.in or AbdulAdil02@gmail.com

3. What your going learn?
• What is a pdf?
• Internals of PDF.
• Strings of pdf.
• Scanning pdf’s with virus total.
• Demo.
• Conclusion.

4. What is a pdf?
• It stands for Portable Document Format(PDF).
• Extension of portable document format is “.pdf”.
• Is a file format used to present documents in a manner independent
of application software, hardware, and operating systems.
• Developed by Adobe Systems in the year 1991.
• Interactive features like acroforms , rich media…
• Current version of pdf is 1.7 was released in 2011.

5. First Malware of PDF
• PDF attachments carrying viruses were first discovered in 2001.
• The virus, named OUTLOOK.PDFWorm or Peachy, uses Microsoft
Outlook to send itself as an attachment to an Adobe PDF file.
• It was activated with Adobe Acrobat, but not with Acrobat Reader.

6. Structure of pdf

7. Internals of pdf
• Header: this probably the most simple section. It is made of a single line which specifies the PDF language
version eg:1.1.
• Body: which generally contains the most part of the PDF code. This section is made of a list of objects which
describes how the final document will look.
• cross reference table: this table contains all the data required to the PDF management software (e.g. a
reader) in order to access directly any document object without having to read throughout the file to find
this object. Starts with ‘Xref’.
• Trailer: Any PDF software management application always begins to read from the end of the file where this
last section is located. The trailer contains different essential data, which are from the top to the bottom of
the trailer:
a. the number of objects contained in the file (field /Size),
b. the ID of the file root document (field /Root),
c. the offset (in bytes) of the cross reference table (the line just above the %%EOF line).

8. Xref table structure
14 objects
Object is free
Object is in use

9. Take a close look before you proceed!

10. Tools to analyze pdf files
• You can download from http://blog.didierstevens.com/programs/pdf-tools/
• Pdf-parser.py: This tool will parse a PDF document to identify the fundamental elements used in
the analyzed file. It will not render a PDF document.
• Pdfid.py: This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords,
allowing you to identify PDF documents that contain (for example) JavaScript or execute an action
when opened. PDFiD will also handle name obfuscation.
• Other tools:PeePdf.py
• Online tools:
a. Virustotal.com
b. wepawet(http://wepawet.iseclab.org)
c. pdfexaminer(www.malwaretracker.com)
d. jsunpack.jeek.org
e. pdf stream dumper.

11. Strings in pdf
• obj,endobj,stream,endstream,xref,trailer,startxref,/Page,/Encrypt,/Obj
Stm,/JS,/JavaScript,/AA,/OpenAction,/JBIG2Decode,/RichMedia,/Laun
ch,/XFA.
• Almost every PDF documents will contain the first 7 words (obj
through startxref), and to a lesser extent stream and endstream.
• /Page gives an indication of the number of pages in the PDF
document. Most malicious PDF document have only one page eg.You
won a lottery mail.
• /Encrypt indicates that the PDF document has DRM or needs a
password to be read.
• /ObjStm counts the number of object streams. An object stream is a
stream object that can contain other objects, and can therefore be
used to obfuscate objects (by using different filters).

12. Strings in pdf
• /JS and /JavaScript indicate that the PDF document contains
JavaScript. Almost all malicious PDF documents that I’ve found in the
wild contain JavaScript (to exploit a JavaScript vulnerability and/or to
execute a heap spray). Of course, you can also find JavaScript in PDF
documents without malicious intend.
• /AA and /OpenAction indicate an automatic action to be performed
when the page/document is viewed. All malicious PDF documents
with JavaScript I’ve seen in the wild had an automatic action to
launch the JavaScript without user interaction.

13. Demo
• Let’s see a demo
1.Pdf-parser.py
2.pdfid.py
3.Peepdf
4.Metasploit

14. Just a glance malicious action snippet

15. Drawbacks in pdfid.py
• Because PDFiD is just a string scanner (supporting name obfuscation),
it will also generate false positives. For example, a simple text file
starting with %PDF-1.1 and containing words from the list will also be
identified as a PDF document.

16. What you can do?
• Scan pdf files with anti-malware application.
• Scan with online scanners like virustotal.com and malwr.com(cuckoo).

17. You can’t stop stupidity!!