SlideShare una empresa de Scribd logo

Obfuscation and (non )detection of malicious pdf files

J
Jose Miguel Esparza

Techniques to successfully create malicious PDF files with low-detection rates, showing the weak points in actual parsers. Introduction to peepdf, a new tool that covers up the holes in the analysis of these files and which also allows their modification (obfuscation).

Tecnología
1 de 72
Obfuscation and (non-)detection of malicious PDF files Jose Miguel Esparza
Agenda • Introduction to the PDF format • Obfuscation and evasion techniques • Obfuscation vs. Antivirus • Obfuscation vs. Analysis tools • peepdf • Conclusions
Header Body Cross reference table Trailer
Introduction to the PDF format • Sequence of objects • Object types – Boolean: true false – Numbers: 123 -98 4. -.002 123.6 – Strings: (hola) <686f6c61> – Names: /Type /Filters – Dictionaries: <</Type /Catalog /Root 1 0 R>> – Arrays: [1.0 (test) <</Length 273>>] – Streams
Introduction to the PDF format
Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
Introduction to the PDF format • Updatable documents – Older versions stay in the document Header Body Cross reference table Trailer Body Cross reference table Trailer Original Update
Introduction to the PDF format • Logical structure – Tree structure – Root node: /Catalog – If an element isn’t in the downward path from the /Catalog DOES NOT EXIST
Introduction to the PDF format
Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
Introduction to the PDF format
Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
Introduction to the PDF format
Introduction to the PDF format
Introduction to the PDF format
• Practical example – pdf.pdf (2009) Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Automatic execution – Avoid /OpenAction – Use of /Catalog elements • /Names • /AcroForm – /AA: applied to pages, annotations… Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
Obfuscation and evasion techniques
• Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
• Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques
• Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques NO!
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Splitting up Javascript code – Several objects in /Names /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R] – Functions to obtain parts of the document • getAnnots() • getPageNumWords()/getPageNthWord() • this.info.* • …
Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Mixing techniques • Summary: – Remove characteristic strings – Split up Javascript code (/Names) – If the code is in: • String octal encoding (143172) • Stream filters (not usuals, parameters) – Compress (object streams) – Encrypt (default password) – Malform (endobj, header) – Nest PDFs
Obfuscation vs. Antivirus • Better results – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (0/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739 – filters with parameters + malformed (0/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (2/43) http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405 • encrypted (5/43) http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113 • Exploit working
Obfuscation vs. Antivirus • Updates – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (1/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1303817670 – filters with parameters + malformed (3/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (6/43) http://www.virustotal.com/file-scan/report.html?id=c3c50596b8deccb128f943d050a16b7652db54fe476e68db7b8c01b02ab77176-1303829263 • encrypted + nested + malformed (1/43) http://www.virustotal.com/file-scan/report.html?id=95c60679269acb4c7d7bcd3a8f0b88b1bb4fdab402a16b779a8f0d3867be7fd4-1303833454 • Exploit working
Obfuscation vs. Antivirus Antivirus Weak points AntiVir JS in string, without JS strings Avast Embedded, no endobj, Flate params AVG Embedded, Flate params, characteristic strings, without JS strings BitDefender Characteristic strings, octal strings ClamAV Flate params, octal strings, bytes header Commtouch Flate params, octal strings, encrypted DrWeb Characteristic strings, octal strings F-Secure Splitted up JS code, octal strings, bytes header, object streams Fortinet Flate params, splitted up JS code, bytes header, metadata GData No endobj, Flate params Kaspersky Flate params, characteristic strings, splitted up JS code, object streams McAfee Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
Obfuscation vs. Antivirus Antivirus Weak points McAfee-GW Flate params, characteristic strings, octal strings Microsoft Splitted up JS code, octal strings, bytes header, object streams NOD32 Embedded, characteristic strings, bad header (%PDF-1.0) Panda JS in string, without JS strings Prevx No detection Sophos Without JS strings, object stream + malformed endobj, encrypted Symantec Original detection as Downloader, JS in string, without JS strings TrendMicro No detection VBA32 Characteristic strings VirusBuster No detection
Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
Obfuscation vs. Analysis tools
Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
peepdf • Characteristics – Python – Command line – Interactive console – Command file option http://peepdf.eternal-todo.com
peepdf http://peepdf.eternal-todo.com
peepdf • Analysis – Encrypted files – Compressed objects – Malformed documents support – Decoding: hexadecimal, octal, names – Most used filters (5) – References in objects and to objects – Strings search (including streams)
peepdf • Analysis – Physical structure (offsets) – Tree structure (logical) – Metadata – Changes between versions (changelog) – Extraction of different versions – Javascript analysis and modification (Spidermonkey) • unescape, replace, join – Shellcode analysis (sctest, Libemu) – Variables to improve analysis (set command)
peepdf • Creation/Modification – Basic PDF creation – Creation of PDF with Javascript execution – Object compression (object streams) – Encrypted files – Nested PDFs creation – Malformed PDFs – Strings and names codification – Filters modification – Object modification
Demo time!
peepdf • TODO – Automatic analysis of embedded PDFs – Missing filters – Improve automatic Javascript analysis • Add support for PDF JS functions (getAnnots…) – GUI – ActionScript? – …
Conclusions • Very low detection when: – Nested PDFs – Compressed objects – New filters or filters with parameters – Encryption • Avoid detection by strings • Improve parsers
Thanks • People working with PDF stuff: – Julia Wolf – Didier Stevens – Felipe Manzano (feliam) – Origami team – Brandon Dixon – AV companies – …
???
Thanks!! Jose Miguel Esparza jesparza eternal-todo.com jesparza s21sec.com http://eternal-todo.com @eternaltodo

Recomendados

Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Paternity leave request
Paternity leave requestPaternity leave request
Paternity leave requestJohn_snow
 
ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?Cyber Security Alliance
 
blur-me-recsystalk
blur-me-recsystalkblur-me-recsystalk
blur-me-recsystalkSmriti Bhagat
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Web attacks using obfuscated script
Web attacks using obfuscated scriptWeb attacks using obfuscated script
Web attacks using obfuscated scriptAmol Kamble
 

Recomendados

Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Paternity leave request
Paternity leave requestPaternity leave request
Paternity leave requestJohn_snow
 
ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?Cyber Security Alliance
 
blur-me-recsystalk
blur-me-recsystalkblur-me-recsystalk
blur-me-recsystalkSmriti Bhagat
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Web attacks using obfuscated script
Web attacks using obfuscated scriptWeb attacks using obfuscated script
Web attacks using obfuscated scriptAmol Kamble
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practiceDmitry Schelkunov
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscationAmol Kamble
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Belsoft
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Ertugrul Akbas
 
Palo Alto
Palo AltoPalo Alto
Palo AltoHajar Otmani
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Thailand Co Ltd
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Ha nam
Ha namHa nam
Ha namrajgurupatil
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Más contenido relacionado

Destacado

On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practiceDmitry Schelkunov
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscationAmol Kamble
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Belsoft
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Ertugrul Akbas
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 

Destacado (17)

On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practice
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscation
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
 
Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution
 
Palo Alto
Palo AltoPalo Alto
Palo Alto
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Security Portfolio - 2015
IBM Security Portfolio - 2015
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
Ha nam
Ha namHa nam
Ha nam
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Obfuscation and (non )detection of malicious pdf files

  • 1. Obfuscation and (non-)detection of malicious PDF files Jose Miguel Esparza
  • 2. Agenda • Introduction to the PDF format • Obfuscation and evasion techniques • Obfuscation vs. Antivirus • Obfuscation vs. Analysis tools • peepdf • Conclusions
  • 4. Introduction to the PDF format • Sequence of objects • Object types – Boolean: true false – Numbers: 123 -98 4. -.002 123.6 – Strings: (hola) <686f6c61> – Names: /Type /Filters – Dictionaries: <</Type /Catalog /Root 1 0 R>> – Arrays: [1.0 (test) <</Length 273>>] – Streams
  • 5. Introduction to the PDF format
  • 6. Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
  • 7. Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
  • 8. Introduction to the PDF format • Updatable documents – Older versions stay in the document Header Body Cross reference table Trailer Body Cross reference table Trailer Original Update
  • 9. Introduction to the PDF format • Logical structure – Tree structure – Root node: /Catalog – If an element isn’t in the downward path from the /Catalog DOES NOT EXIST
  • 10. Introduction to the PDF format
  • 11. Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
  • 12. Introduction to the PDF format
  • 13. Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
  • 14. Introduction to the PDF format
  • 15. Introduction to the PDF format
  • 16. Introduction to the PDF format
  • 17. • Practical example – pdf.pdf (2009) Obfuscation and evasion techniques
  • 21. • Automatic execution – Avoid /OpenAction – Use of /Catalog elements • /Names • /AcroForm – /AA: applied to pages, annotations… Obfuscation and evasion techniques
  • 24. Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
  • 26. Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
  • 28. • Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
  • 30. • Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
  • 31. • Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques
  • 32. • Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques NO!
  • 37. Obfuscation and evasion techniques • Splitting up Javascript code – Several objects in /Names /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R] – Functions to obtain parts of the document • getAnnots() • getPageNumWords()/getPageNthWord() • this.info.* • …
  • 40. • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
  • 42. • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
  • 44. • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
  • 47. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 50. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 52. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 54. Obfuscation and evasion techniques • Mixing techniques • Summary: – Remove characteristic strings – Split up Javascript code (/Names) – If the code is in: • String octal encoding (143172) • Stream filters (not usuals, parameters) – Compress (object streams) – Encrypt (default password) – Malform (endobj, header) – Nest PDFs
  • 55. Obfuscation vs. Antivirus • Better results – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (0/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739 – filters with parameters + malformed (0/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (2/43) http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405 • encrypted (5/43) http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113 • Exploit working
  • 56. Obfuscation vs. Antivirus • Updates – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (1/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1303817670 – filters with parameters + malformed (3/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (6/43) http://www.virustotal.com/file-scan/report.html?id=c3c50596b8deccb128f943d050a16b7652db54fe476e68db7b8c01b02ab77176-1303829263 • encrypted + nested + malformed (1/43) http://www.virustotal.com/file-scan/report.html?id=95c60679269acb4c7d7bcd3a8f0b88b1bb4fdab402a16b779a8f0d3867be7fd4-1303833454 • Exploit working
  • 57. Obfuscation vs. Antivirus Antivirus Weak points AntiVir JS in string, without JS strings Avast Embedded, no endobj, Flate params AVG Embedded, Flate params, characteristic strings, without JS strings BitDefender Characteristic strings, octal strings ClamAV Flate params, octal strings, bytes header Commtouch Flate params, octal strings, encrypted DrWeb Characteristic strings, octal strings F-Secure Splitted up JS code, octal strings, bytes header, object streams Fortinet Flate params, splitted up JS code, bytes header, metadata GData No endobj, Flate params Kaspersky Flate params, characteristic strings, splitted up JS code, object streams McAfee Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
  • 58. Obfuscation vs. Antivirus Antivirus Weak points McAfee-GW Flate params, characteristic strings, octal strings Microsoft Splitted up JS code, octal strings, bytes header, object streams NOD32 Embedded, characteristic strings, bad header (%PDF-1.0) Panda JS in string, without JS strings Prevx No detection Sophos Without JS strings, object stream + malformed endobj, encrypted Symantec Original detection as Downloader, JS in string, without JS strings TrendMicro No detection VBA32 Characteristic strings VirusBuster No detection
  • 59. Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
  • 61. Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
  • 62. peepdf • Characteristics – Python – Command line – Interactive console – Command file option http://peepdf.eternal-todo.com
  • 64. peepdf • Analysis – Encrypted files – Compressed objects – Malformed documents support – Decoding: hexadecimal, octal, names – Most used filters (5) – References in objects and to objects – Strings search (including streams)
  • 65. peepdf • Analysis – Physical structure (offsets) – Tree structure (logical) – Metadata – Changes between versions (changelog) – Extraction of different versions – Javascript analysis and modification (Spidermonkey) • unescape, replace, join – Shellcode analysis (sctest, Libemu) – Variables to improve analysis (set command)
  • 66. peepdf • Creation/Modification – Basic PDF creation – Creation of PDF with Javascript execution – Object compression (object streams) – Encrypted files – Nested PDFs creation – Malformed PDFs – Strings and names codification – Filters modification – Object modification
  • 68. peepdf • TODO – Automatic analysis of embedded PDFs – Missing filters – Improve automatic Javascript analysis • Add support for PDF JS functions (getAnnots…) – GUI – ActionScript? – …
  • 69. Conclusions • Very low detection when: – Nested PDFs – Compressed objects – New filters or filters with parameters – Encryption • Avoid detection by strings • Improve parsers
  • 70. Thanks • People working with PDF stuff: – Julia Wolf – Didier Stevens – Felipe Manzano (feliam) – Origami team – Brandon Dixon – AV companies – …
  • 71. ???
  • 72. Thanks!! Jose Miguel Esparza jesparza eternal-todo.com jesparza s21sec.com http://eternal-todo.com @eternaltodo