Analysis of malicious PDF
by
Abdul Adil
Open Info.sec Community
Disclaimer: Neither I nor the organizers are responsible for any damage or any action you take with the information provided.
Who am I?
• Information security enthusiast and developer.
• Certified in OCJP and CEH.
• You can reach me at:
Codestudio8.wordpress.com
Linkedin.com/in/abduladil02
Facebook.com/abduladil02
Twitter.com/abduladil02
Abdul.Adil@connectica.in or AbdulAdil02@gmail.com
What are you going to learn?
• What is a PDF?
• Internals of PDF.
• Strings in PDF.
• Scanning PDFs with VirusTotal.
• Demo.
• Conclusion.
What is a PDF?
• It stands for Portable Document Format (PDF).
• The file extension of the Portable Document Format is ".pdf".
• It is a file format used to present documents in a manner independent of application software, hardware, and operating systems.
• Developed by Adobe Systems in the year 1991.
• Supports interactive features like AcroForms, rich media, and more.
• The current version of PDF, 1.7, was released in 2011.
First PDF malware
• PDF attachments carrying viruses were first discovered in 2001.
• The virus, named OUTLOOK.PDFWorm or Peachy, uses Microsoft Outlook to send itself as an attachment to an Adobe PDF file.
• It was activated with Adobe Acrobat, but not with Acrobat Reader.
Structure of PDF
Internals of PDF
• Header: probably the simplest section. It is a single line that specifies the PDF language version, e.g. %PDF-1.1.
• Body: contains most of the PDF code. This section is a list of objects that describe how the final document will look.
• Cross-reference table: contains all the data a PDF management application (e.g. a reader) needs in order to access any document object directly, without having to read through the whole file to find it. It starts with the keyword 'xref'.
• Trailer: any PDF management application always begins reading from the end of the file, where this last section is located. The trailer contains several essential entries, which are, from top to bottom:
a. the number of objects contained in the file (field /Size),
b. the ID (object reference) of the document root (field /Root),
c. the offset (in bytes) of the cross-reference table (the line just above the %%EOF line).
Xref table structure
(Slide figure: an xref table listing 14 objects, annotated to show which entries mark an object as free and which mark an object as in use.)
Take a close look before you proceed!
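As an added example (not the speaker's code), the following script builds a constructed one-page PDF and then reads it the way the slides describe a reader does: from the end of the file, taking the xref offset from the line above %%EOF, /Size and /Root from the trailer, and the free/in-use flags from the xref table. It also checks that every in-use xref entry really points at its object; the consistency check and its name are my addition.

```python
import re

def build_minimal_pdf() -> bytes:
    """Constructed sample (not from the talk): a one-page PDF with the four sections
    described above: header, body of objects, classic xref table, trailer."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    out = bytearray(b"%PDF-1.1\n")                      # header: the PDF language version
    offsets = []
    for num, body in enumerate(objects, start=1):      # body: "N G obj ... endobj"
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_offset = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)        # xref: subsection starting at object 0
    out += b"0000000000 65535 f \n"                    # object 0 is always free ("f")
    for off in offsets:
        out += b"%010d 00000 n \n" % off               # in-use ("n") entry: 10-digit offset, generation
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_offset   # byte offset of the xref table, then %%EOF
    return bytes(out)

def parse_header(data: bytes) -> str:
    """Header: the single first line carries the PDF language version."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    if not m:
        raise ValueError("not a PDF header")
    return m.group(1).decode()

def parse_trailer(data: bytes) -> dict:
    """Read the file from the end, as a reader does: the line above %%EOF is the xref
    offset, and the trailer dictionary above it carries /Size and /Root."""
    pos = data.rfind(b"startxref")
    if pos < 0:
        raise ValueError("no startxref keyword")
    m = re.match(rb"startxref\s+(\d+)\s+%%EOF", data[pos:])
    if not m:
        raise ValueError("startxref is not followed by an offset and %%EOF")
    tpos = data.rfind(b"trailer", 0, pos)
    t = re.match(rb"trailer\s*<<(.*?)>>", data[tpos:], re.S) if tpos >= 0 else None
    if not t:
        raise ValueError("no trailer dictionary")
    size = re.search(rb"/Size\s+(\d+)", t.group(1))
    root = re.search(rb"/Root\s+(\d+)\s+(\d+)\s+R", t.group(1))
    if not (size and root):
        raise ValueError("trailer lacks /Size or /Root")
    return {
        "startxref": int(m.group(1)),
        "size": int(size.group(1)),
        "root": (int(root.group(1)), int(root.group(2))),
    }

def parse_xref(data: bytes, offset: int) -> list:
    """Parse the classic xref table at `offset`. Returns (object number, byte offset,
    generation, in_use) tuples; 'n' marks an object in use and 'f' a free one."""
    if not data.startswith(b"xref", offset):
        raise ValueError("startxref does not point at an xref table")
    lines = data[offset:].split(b"\n")
    first, count = (int(x) for x in lines[1].split())  # "<first object> <entry count>"
    entries = []
    for i in range(count):
        off, gen, flag = lines[2 + i].split()
        entries.append((first + i, int(off), int(gen), flag == b"n"))
    return entries

def check_consistency(data: bytes, entries: list, trailer: dict) -> bool:
    """Every in-use entry must point at '<num> <gen> obj' and /Size must cover the table.
    A mismatch means the reader will have to rebuild the table itself; during analysis,
    a file whose xref does not match its objects deserves a closer look."""
    if trailer["size"] < len(entries):
        return False
    for num, off, gen, in_use in entries:
        if in_use and not data.startswith(b"%d %d obj" % (num, gen), off):
            return False
    return True

def analyse(data: bytes) -> dict:
    """Summarise the header, trailer and xref table of a classic (non-xref-stream) PDF."""
    trailer = parse_trailer(data)
    entries = parse_xref(data, trailer["startxref"])
    return {
        "version": parse_header(data),
        "trailer": trailer,
        "free": [e[0] for e in entries if not e[3]],
        "in_use": [e[0] for e in entries if e[3]],
        "consistent": check_consistency(data, entries, trailer),
    }

if __name__ == "__main__":
    print(analyse(build_minimal_pdf()))
```

PDF 1.5 and later may replace the classic table with a cross-reference stream, in which case startxref points at an object rather than at the keyword 'xref' and parse_xref deliberately refuses it.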
Tools to analyze PDF files
• You can download them from http://blog.didierstevens.com/programs/pdf-tools/
• pdf-parser.py: this tool parses a PDF document to identify the fundamental elements used in the analyzed file. It does not render the PDF document.
• pdfid.py: this tool is not a PDF parser, but it scans a file for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD also handles name obfuscation.
• Other tools: peepdf.py
• Online tools:
a. virustotal.com
b. Wepawet (http://wepawet.iseclab.org)
c. pdfexaminer (www.malwaretracker.com)
d. jsunpack.jeek.org
e. PDF Stream Dumper.
Strings in PDF
• obj, endobj, stream, endstream, xref, trailer, startxref, /Page, /Encrypt, /ObjStm, /JS, /JavaScript, /AA, /OpenAction, /JBIG2Decode, /RichMedia, /Launch, /XFA.
• Almost every PDF document will contain the first 7 words (obj through startxref), and to a lesser extent stream and endstream.
• /Page gives an indication of the number of pages in the PDF document. Most malicious PDF documents have only one page, e.g. a "You won a lottery" mail.
• /Encrypt indicates that the PDF document has DRM or needs a password to be read.
• /ObjStm counts the number of object streams. An object stream is a stream object that can contain other objects, and can therefore be used to obfuscate objects (by using different filters).
Strings in PDF
• /JS and /JavaScript indicate that the PDF document contains JavaScript. Almost all malicious PDF documents that I've found in the wild contain JavaScript (to exploit a JavaScript vulnerability and/or to execute a heap spray). Of course, you can also find JavaScript in PDF documents without malicious intent.
• /AA and /OpenAction indicate an automatic action to be performed when the page/document is viewed. All malicious PDF documents with JavaScript I've seen in the wild had an automatic action to launch the JavaScript without user interaction.
Demo
• Let's see a demo:
1. pdf-parser.py
2. pdfid.py
3. peepdf
4. Metasploit
Just a glance: a malicious action snippet (slide figure).
Drawbacks of pdfid.py
• Because PDFiD is just a string scanner (supporting name obfuscation), it will also generate false positives. For example, a simple text file starting with %PDF-1.1 and containing words from the list will also be identified as a PDF document.
What can you do?
• Scan PDF files with an anti-malware application.
• Scan with online scanners like virustotal.com and malwr.com (Cuckoo).
You can't stop stupidity!!
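The keyword list from the "Strings in PDF" slides and the false-positive caveat above, worked through as an added example (my code, not pdfid.py itself): a pdfid-style scanner that resolves #xx name obfuscation before counting, flags the JavaScript-plus-automatic-action combination the slides single out, and adds a cheap structural check so that a plain text file starting with %PDF-1.1 is told apart from a real document. Both inputs are constructed samples; the triage field names are my own.

```python
import re
from collections import Counter

# Keywords from the talk's "Strings in PDF" list: bare structural tokens and PDF names.
STRUCTURAL = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref"]
NAMES = [b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA",
         b"/OpenAction", b"/JBIG2Decode", b"/RichMedia", b"/Launch", b"/XFA"]
NAME_RE = re.compile(rb"/[^\s<>\[\]()/{}%]*")   # a PDF name token: "/" up to the next delimiter

def deobfuscate_name(name: bytes) -> bytes:
    """Resolve #xx hex escapes inside a PDF name (/Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), name)

def count_keywords(data: bytes) -> Counter:
    """Count the listed keywords like a string scanner would, after undoing name obfuscation."""
    counts = Counter()
    for tok in STRUCTURAL:
        # whole-word match, so "obj" is not counted inside "endobj" nor "xref" inside "startxref"
        counts[tok.decode()] = len(re.findall(rb"(?<![A-Za-z])" + tok + rb"(?![A-Za-z])", data))
    for m in NAME_RE.finditer(data):
        name = deobfuscate_name(m.group(0))
        if name in NAMES:                      # exact token, so /Pages does not count as /Page
            counts[name.decode()] += 1
    return counts

def is_structurally_pdf(data: bytes) -> bool:
    """Cheap structural check beyond string matching: a real header, at least one
    'N G obj' object, and a startxref offset that lands on an xref table (or, for
    PDF 1.5+ cross-reference streams, on an object)."""
    if not data.startswith(b"%PDF-"):
        return False
    if not re.search(rb"\d+\s+\d+\s+obj\b", data):
        return False
    m = re.search(rb"startxref\s+(\d+)", data)
    if not m:
        return False
    rest = data[int(m.group(1)):]
    return rest.startswith(b"xref") or re.match(rb"\d+\s+\d+\s+obj\b", rest) is not None

def triage(data: bytes) -> dict:
    """Turn raw counts into the indicators the slides discuss."""
    c = count_keywords(data)
    return {
        "pdfid_says_pdf": data.startswith(b"%PDF-"),   # all a string scanner needs
        "structurally_pdf": is_structurally_pdf(data),
        "pages": c["/Page"],
        "encrypted": c["/Encrypt"] > 0,
        "object_streams": c["/ObjStm"],
        "auto_action_with_js": (c["/AA"] + c["/OpenAction"] > 0)
                               and (c["/JS"] + c["/JavaScript"] > 0),
        "counts": c,
    }

# Constructed sample 1: a one-page document whose /OpenAction runs a harmless JavaScript
# alert, with the names hex-escaped the way PDFiD's name-obfuscation handling is meant to catch.
_body = (
    b"%PDF-1.1\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /Java#53cript /J#53 (app.alert('hello')) >>\nendobj\n"
)
SAMPLE_OBFUSCATED = (_body
                     + b"xref\n0 1\n0000000000 65535 f \n"   # xref abbreviated to object 0
                     + b"trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % len(_body))

# Constructed sample 2: the slide's false positive, a text file that merely starts with
# %PDF-1.1 and lists words from the keyword list.
SAMPLE_TEXT = b"%PDF-1.1\nobj endobj stream endstream xref trailer startxref /JS /OpenAction /Page\n"

if __name__ == "__main__":
    for label, sample in (("obfuscated", SAMPLE_OBFUSCATED), ("text file", SAMPLE_TEXT)):
        print(label, triage(sample))
```

Both samples are "PDFs" to the string scanner and both show the JavaScript-plus-automatic-action pattern; only the structural check separates the document from the text file.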
Analysis of malicious pdf

Más contenido relacionado

La actualidad más candente

Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
"Hands Off! Best Practices for Code Hand Offs"
"Hands Off!  Best Practices for Code Hand Offs""Hands Off!  Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs"Naomi Dushay
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
java.io - streams and files
java.io - streams and filesjava.io - streams and files
java.io - streams and filesMarcello Thiry
 
Berlin Buzzwords 2013 - How does lucene store your data?
Berlin Buzzwords 2013 - How does lucene store your data?Berlin Buzzwords 2013 - How does lucene store your data?
Berlin Buzzwords 2013 - How does lucene store your data?Adrien Grand
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseTakahiro Haruyama
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
Java - File Input Output Concepts
Java - File Input Output ConceptsJava - File Input Output Concepts
Java - File Input Output ConceptsVicter Paul
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 

La actualidad más candente (20)

Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
 
"Hands Off! Best Practices for Code Hand Offs"
"Hands Off!  Best Practices for Code Hand Offs""Hands Off!  Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs"
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
Winnti Polymorphism
Winnti PolymorphismWinnti Polymorphism
Winnti Polymorphism
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
java.io - streams and files
java.io - streams and filesjava.io - streams and files
java.io - streams and files
 
Java I/O
Java I/OJava I/O
Java I/O
 
Lucece Indexing
Lucece IndexingLucece Indexing
Lucece Indexing
 
Berlin Buzzwords 2013 - How does lucene store your data?
Berlin Buzzwords 2013 - How does lucene store your data?Berlin Buzzwords 2013 - How does lucene store your data?
Berlin Buzzwords 2013 - How does lucene store your data?
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual Machine
 
Flexible Indexing in Lucene 4.0
Flexible Indexing in Lucene 4.0Flexible Indexing in Lucene 4.0
Flexible Indexing in Lucene 4.0
 
Java - File Input Output Concepts
Java - File Input Output ConceptsJava - File Input Output Concepts
Java - File Input Output Concepts
 
mdc_ppt
mdc_pptmdc_ppt
mdc_ppt
 
CBOR - The Better JSON
CBOR - The Better JSONCBOR - The Better JSON
CBOR - The Better JSON
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatility
 
File Handling in Python
File Handling in PythonFile Handling in Python
File Handling in Python
 

Destacado

Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known IncidentEndgameInc
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Heartbleed by-danish amber
Heartbleed by-danish amberHeartbleed by-danish amber
Heartbleed by-danish amberRaghunath G
 
z/OS Communications Server: z/OS Resolver
z/OS Communications Server: z/OS Resolverz/OS Communications Server: z/OS Resolver
z/OS Communications Server: z/OS ResolverzOSCommserver
 
Newsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_DecNewsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_DecRaghunath G
 
Nomadic Display Setup Fabri Mural
Nomadic Display Setup Fabri MuralNomadic Display Setup Fabri Mural
Nomadic Display Setup Fabri MuralNomadic Display
 
Investor alert—investment scams exploit immigrant investor program
Investor alert—investment scams exploit immigrant investor programInvestor alert—investment scams exploit immigrant investor program
Investor alert—investment scams exploit immigrant investor programJames Lavigne
 
World Cup! Young Germany Guest Blogging
World Cup! Young Germany Guest BloggingWorld Cup! Young Germany Guest Blogging
World Cup! Young Germany Guest Bloggingsteffan
 
So you want to retire in florida 1997 far
So you want to retire in florida 1997 farSo you want to retire in florida 1997 far
So you want to retire in florida 1997 farJames Lavigne
 
Xss 101 by-sai-shanthan
Xss 101 by-sai-shanthanXss 101 by-sai-shanthan
Xss 101 by-sai-shanthanRaghunath G
 
Uga Webinar Series: building credibility as a young professional
Uga Webinar Series: building credibility as a young professionalUga Webinar Series: building credibility as a young professional
Uga Webinar Series: building credibility as a young professionalsteffan
 
Buying a business in florida
Buying  a business in floridaBuying  a business in florida
Buying a business in floridaJames Lavigne
 
Example problems Binomial Multiplication
Example problems Binomial MultiplicationExample problems Binomial Multiplication
Example problems Binomial MultiplicationRachel Monaco
 
Security News Bytes
Security News BytesSecurity News Bytes
Security News BytesRaghunath G
 
UGA Guest Lecture: Social Media 101
UGA Guest Lecture: Social Media 101UGA Guest Lecture: Social Media 101
UGA Guest Lecture: Social Media 101steffan
 

Destacado (20)

Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Lockout
LockoutLockout
Lockout
 
Heartbleed by-danish amber
Heartbleed by-danish amberHeartbleed by-danish amber
Heartbleed by-danish amber
 
z/OS Communications Server: z/OS Resolver
z/OS Communications Server: z/OS Resolverz/OS Communications Server: z/OS Resolver
z/OS Communications Server: z/OS Resolver
 
Newsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_DecNewsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_Dec
 
Nomadic Display Setup Fabri Mural
Nomadic Display Setup Fabri MuralNomadic Display Setup Fabri Mural
Nomadic Display Setup Fabri Mural
 
Función BUSCARV
Función BUSCARVFunción BUSCARV
Función BUSCARV
 
Investor alert—investment scams exploit immigrant investor program
Investor alert—investment scams exploit immigrant investor programInvestor alert—investment scams exploit immigrant investor program
Investor alert—investment scams exploit immigrant investor program
 
World Cup! Young Germany Guest Blogging
World Cup! Young Germany Guest BloggingWorld Cup! Young Germany Guest Blogging
World Cup! Young Germany Guest Blogging
 
So you want to retire in florida 1997 far
So you want to retire in florida 1997 farSo you want to retire in florida 1997 far
So you want to retire in florida 1997 far
 
Xss 101 by-sai-shanthan
Xss 101 by-sai-shanthanXss 101 by-sai-shanthan
Xss 101 by-sai-shanthan
 
Uga Webinar Series: building credibility as a young professional
Uga Webinar Series: building credibility as a young professionalUga Webinar Series: building credibility as a young professional
Uga Webinar Series: building credibility as a young professional
 
Buying a business in florida
Buying  a business in floridaBuying  a business in florida
Buying a business in florida
 
Example problems
Example problemsExample problems
Example problems
 
Example problems Binomial Multiplication
Example problems Binomial MultiplicationExample problems Binomial Multiplication
Example problems Binomial Multiplication
 
Null dec 2014
Null dec 2014Null dec 2014
Null dec 2014
 
Security News Bytes
Security News BytesSecurity News Bytes
Security News Bytes
 
UGA Guest Lecture: Social Media 101
UGA Guest Lecture: Social Media 101UGA Guest Lecture: Social Media 101
UGA Guest Lecture: Social Media 101
 
Raspberry pi 2
Raspberry pi 2Raspberry pi 2
Raspberry pi 2
 

Similar a Analysis of malicious pdf

Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...
Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...
Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...Matt Weaver
 
How Can You Edit a PDF File and Make it More Readable?
How Can You Edit a PDF File and Make it More Readable?How Can You Edit a PDF File and Make it More Readable?
How Can You Edit a PDF File and Make it More Readable?PDF-file
 
Docs as-code-missing.-manual
Docs as-code-missing.-manualDocs as-code-missing.-manual
Docs as-code-missing.-manualMargaret Eker
 
Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983saif khan
 
Client Side Exploits Using Pdf
Client Side Exploits Using PdfClient Side Exploits Using Pdf
Client Side Exploits Using Pdftitanlambda
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Unified characterisation, please
Unified characterisation, pleaseUnified characterisation, please
Unified characterisation, pleaseAndy Jackson
 
API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015Tom Johnson
 
Introduction to r
Introduction to rIntroduction to r
Introduction to rgslicraf
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
Lesson 5 computer software
Lesson 5 computer softwareLesson 5 computer software
Lesson 5 computer softwareVishal Patyal
 
Software Development Methodologies Library Management System (Part-1)
Software Development Methodologies Library Management System (Part-1)Software Development Methodologies Library Management System (Part-1)
Software Development Methodologies Library Management System (Part-1)Totan Banik
 
DOC-20230427-WA0012..pptx
DOC-20230427-WA0012..pptxDOC-20230427-WA0012..pptx
DOC-20230427-WA0012..pptxkumarkaushal17
 

Similar a Analysis of malicious pdf (20)

Client Side Exploits using PDF
Client Side Exploits using PDFClient Side Exploits using PDF
Client Side Exploits using PDF
 
Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...
Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...
Ebooks without Vendors: Using Open Source Software to Create and Share Meanin...
 
How Can You Edit a PDF File and Make it More Readable?
How Can You Edit a PDF File and Make it More Readable?How Can You Edit a PDF File and Make it More Readable?
How Can You Edit a PDF File and Make it More Readable?
 
Docs as-code-missing.-manual
Docs as-code-missing.-manualDocs as-code-missing.-manual
Docs as-code-missing.-manual
 
Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983
 
Client Side Exploits Using Pdf
Client Side Exploits Using PdfClient Side Exploits Using Pdf
Client Side Exploits Using Pdf
 
DR FAT
DR FATDR FAT
DR FAT
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
LoA (Librarian of Alexandria): An AI-Powered Linux-Python Tool for Comprehens...
LoA (Librarian of Alexandria): An AI-Powered Linux-Python Tool for Comprehens...LoA (Librarian of Alexandria): An AI-Powered Linux-Python Tool for Comprehens...
LoA (Librarian of Alexandria): An AI-Powered Linux-Python Tool for Comprehens...
 
Unified characterisation, please
Unified characterisation, pleaseUnified characterisation, please
Unified characterisation, please
 
ICT.docx
 ICT.docx ICT.docx
ICT.docx
 
Learning Python
Learning PythonLearning Python
Learning Python
 
API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015API Documentation Workshop tcworld India 2015
API Documentation Workshop tcworld India 2015
 
Firefox-Addons
Firefox-AddonsFirefox-Addons
Firefox-Addons
 
Introduction to r
Introduction to rIntroduction to r
Introduction to r
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
Django
DjangoDjango
Django
 
Lesson 5 computer software
Lesson 5 computer softwareLesson 5 computer software
Lesson 5 computer software
 
Software Development Methodologies Library Management System (Part-1)
Software Development Methodologies Library Management System (Part-1)Software Development Methodologies Library Management System (Part-1)
Software Development Methodologies Library Management System (Part-1)
 
DOC-20230427-WA0012..pptx
DOC-20230427-WA0012..pptxDOC-20230427-WA0012..pptx
DOC-20230427-WA0012..pptx
 

Más de Raghunath G

Securitynewsbytes
SecuritynewsbytesSecuritynewsbytes
SecuritynewsbytesRaghunath G
 
Whats app forensic
Whats app forensicWhats app forensic
Whats app forensicRaghunath G
 
Seh based exploitation
Seh based exploitationSeh based exploitation
Seh based exploitationRaghunath G
 
Securitynewsbytes april2015-150418153901-conversion-gate01
Securitynewsbytes april2015-150418153901-conversion-gate01Securitynewsbytes april2015-150418153901-conversion-gate01
Securitynewsbytes april2015-150418153901-conversion-gate01Raghunath G
 
Mobile application security 101
Mobile application security 101Mobile application security 101
Mobile application security 101Raghunath G
 
Security News Bytes
Security News BytesSecurity News Bytes
Security News BytesRaghunath G
 
Is iso 27001, an answer to security
Is iso 27001, an answer to securityIs iso 27001, an answer to security
Is iso 27001, an answer to securityRaghunath G
 
Null HYD Playing with shodan null
Null HYD Playing with shodan nullNull HYD Playing with shodan null
Null HYD Playing with shodan nullRaghunath G
 
Null July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuNull July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuRaghunath G
 
Spear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishnaSpear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishnaRaghunath G
 
Social engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarSocial engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarRaghunath G
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaRaghunath G
 
The art of_firewalking-by-sujay
The art of_firewalking-by-sujayThe art of_firewalking-by-sujay
The art of_firewalking-by-sujayRaghunath G
 

Más de Raghunath G (16)

Securitynewsbytes
SecuritynewsbytesSecuritynewsbytes
Securitynewsbytes
 
Whats app forensic
Whats app forensicWhats app forensic
Whats app forensic
 
Seh based exploitation
Seh based exploitationSeh based exploitation
Seh based exploitation
 
Securitynewsbytes april2015-150418153901-conversion-gate01
Securitynewsbytes april2015-150418153901-conversion-gate01Securitynewsbytes april2015-150418153901-conversion-gate01
Securitynewsbytes april2015-150418153901-conversion-gate01
 
Mobile application security 101
Mobile application security 101Mobile application security 101
Mobile application security 101
 
Security News Bytes
Security News BytesSecurity News Bytes
Security News Bytes
 
Is iso 27001, an answer to security
Is iso 27001, an answer to securityIs iso 27001, an answer to security
Is iso 27001, an answer to security
 
Null HYD Playing with shodan null
Null HYD Playing with shodan nullNull HYD Playing with shodan null
Null HYD Playing with shodan null
 
Null HYD VRTDOS
Null HYD VRTDOSNull HYD VRTDOS
Null HYD VRTDOS
 
Metasploit
MetasploitMetasploit
Metasploit
 
Null July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuNull July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj Machiraju
 
Decoy documents
Decoy documentsDecoy documents
Decoy documents
 
Spear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishnaSpear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishna
 
Social engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekarSocial engineering by-rakesh-nagekar
Social engineering by-rakesh-nagekar
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
 
The art of_firewalking-by-sujay
The art of_firewalking-by-sujayThe art of_firewalking-by-sujay
The art of_firewalking-by-sujay
 

Último

Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxleah joy valeriano
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 

Último (20)

Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Global Lehigh Strategic Initiatives (without descriptions)

Analysis of malicious pdf

7. Internals of pdf
• Header: this is probably the simplest section. It is a single line which specifies the PDF language version, e.g. 1.1.
• Body: generally contains most of the PDF code. This section is a list of objects which describe how the final document will look.
• Cross reference table: this table contains all the data the PDF management software (e.g. a reader) needs in order to access any document object directly, without having to read through the whole file to find it. Starts with ‘xref’.
• Trailer: any PDF software management application always begins reading from the end of the file, where this last section is located. The trailer contains different essential data, which are, from the top to the bottom of the trailer: a. the number of objects contained in the file (field /Size), b. the ID of the file root document (field /Root), c. the offset (in bytes) of the cross reference table (the line just above the %%EOF line).

8. Xref table structure
(figure: an xref table with 14 objects, with entries marked “object is free” and “object is in use”)
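The walk the slides describe (header first, then from the end: startxref, the xref table, the trailer, and a direct jump to /Root) can be followed in a few dozen lines. The block below is an added example, not code from the deck or from Didier Stevens' tools; it builds a constructed three-object PDF in memory so the offsets are known, then parses it the way a reader would, marking each xref entry as free (`f`) or in use (`n`) and checking that every in-use offset really lands on an `N G obj` header. All names in it are the example's own.

```python
import re

XREF_ENTRY_LEN = 20  # every classic xref entry is exactly 20 bytes


def build_minimal_pdf() -> bytes:
    """Constructed sample: a one-page PDF with three objects and a correct xref table."""
    header = b"%PDF-1.1\n"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",                          # 1 0 obj: document root
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",                  # 2 0 obj: page tree
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",    # 3 0 obj: the page
    ]
    out = bytearray(header)
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                      # byte offset where "N 0 obj" starts
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_offset = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)       # subsection: first object, entry count
    out += b"0000000000 65535 f \n"                   # entry 0 is always a free object
    for off in offsets:
        out += b"%010d 00000 n \n" % off              # offset, generation 0, in use
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_offset  # the line above %%EOF is the xref offset
    return bytes(out)


def parse_pdf(data: bytes) -> dict:
    """Walk the file like a reader: header, then (from the end) startxref, xref, trailer, /Root."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    if not m:
        raise ValueError("missing %PDF header")
    version = m.group(1).decode()

    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", data[-256:])
    if not m:
        raise ValueError("missing startxref/%%EOF")
    xref_offset = int(m.group(1))

    m = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", data[xref_offset:])
    if not m:
        raise ValueError("startxref does not point at an xref table")
    first, count = int(m.group(1)), int(m.group(2))
    pos = xref_offset + m.end()

    entries = {}
    for i in range(count):
        e = data[pos:pos + XREF_ENTRY_LEN]
        # "oooooooooo ggggg n": 10-digit offset, 5-digit generation, n = in use / f = free
        entries[first + i] = (int(e[0:10]), int(e[11:16]), "in use" if e[17:18] == b"n" else "free")
        pos += XREF_ENTRY_LEN

    m = re.search(rb"trailer\s*<<(.*?)>>", data[pos:], re.S)
    if not m:
        raise ValueError("missing trailer")
    tdict = m.group(1)
    size = int(re.search(rb"/Size\s+(\d+)", tdict).group(1))
    root_num = int(re.search(rb"/Root\s+(\d+)\s+\d+\s+R", tdict).group(1))

    # Direct access: jump to /Root through the table instead of scanning the file.
    root_off = entries[root_num][0]
    m = re.match(rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>", data[root_off:], re.S)
    root_type = re.search(rb"/Type\s*/(\w+)", m.group(3)).group(1).decode() if m else None

    # Integrity check: every in-use entry must really point at "N G obj". A table that
    # lies about offsets forces a reader back to the full-file scan the table exists to avoid.
    consistent = all(
        re.match(rb"%d\s+%d\s+obj" % (n, g), data[off:]) is not None
        for n, (off, g, state) in entries.items() if state == "in use"
    )
    return {"version": version, "xref_offset": xref_offset, "entries": entries,
            "size": size, "root": root_num, "root_type": root_type,
            "xref_consistent": consistent}


if __name__ == "__main__":
    for key, value in parse_pdf(build_minimal_pdf()).items():
        print(key, value)
```

Corrupting one xref offset in the constructed file (for instance pointing object 1 at byte 0) makes `xref_consistent` false and `/Root` unresolvable, which is the kind of structural inconsistency worth noting during triage before any keyword hunting.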
9. Take a close look before you proceed!

10. Tools to analyze pdf files
• You can download them from http://blog.didierstevens.com/programs/pdf-tools/
• pdf-parser.py: this tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document.
• pdfid.py: this tool is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD will also handle name obfuscation.
• Other tools: peepdf.py
• Online tools: a. virustotal.com b. wepawet (http://wepawet.iseclab.org) c. pdfexaminer (www.malwaretracker.com) d. jsunpack.jeek.org e. PDF Stream Dumper.

11. Strings in pdf
• obj, endobj, stream, endstream, xref, trailer, startxref, /Page, /Encrypt, /ObjStm, /JS, /JavaScript, /AA, /OpenAction, /JBIG2Decode, /RichMedia, /Launch, /XFA.
• Almost every PDF document will contain the first 7 words (obj through startxref), and to a lesser extent stream and endstream.
• /Page gives an indication of the number of pages in the PDF document. Most malicious PDF documents have only one page, e.g. a “You won a lottery” mail.
• /Encrypt indicates that the PDF document has DRM or needs a password to be read.
• /ObjStm counts the number of object streams. An object stream is a stream object that can contain other objects, and can therefore be used to obfuscate objects (by using different filters).

12. Strings in pdf
• /JS and /JavaScript indicate that the PDF document contains JavaScript. Almost all malicious PDF documents that I’ve found in the wild contain JavaScript (to exploit a JavaScript vulnerability and/or to execute a heap spray). Of course, you can also find JavaScript in PDF documents without malicious intent.
• /AA and /OpenAction indicate an automatic action to be performed when the page/document is viewed. All malicious PDF documents with JavaScript I’ve seen in the wild had an automatic action to launch the JavaScript without user interaction.

13. Demo
• Let’s see a demo: 1. pdf-parser.py 2. pdfid.py 3. peepdf 4. Metasploit

14. Just a glance: malicious action snippet
(figure)

15. Drawbacks in pdfid.py
• Because PDFiD is just a string scanner (supporting name obfuscation), it will also generate false positives. For example, a simple text file starting with %PDF-1.1 and containing words from the list will also be identified as a PDF document.

16. What can you do?
• Scan pdf files with an anti-malware application.
• Scan with online scanners like virustotal.com and malwr.com (Cuckoo).

17. You can’t stop stupidity!!
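Slides 11, 12 and 15 together describe a keyword scanner of the pdfid kind: count the listed tokens, decode name obfuscation so that `/J#53` is recognised as `/JS`, flag JavaScript paired with an automatic action, and accept that a bare string scanner will fire on any text file that starts with `%PDF-`. The block below is an added example written for this page, not pdfid.py itself and not code from the deck; the two inputs are constructed, inert samples, and the function names are the example's own. It goes one step past slide 15 by also reporting whether the structural tokens a real PDF needs (`endobj`, `trailer`) are present, which is the cheapest way to separate the false positive from a real hit.

```python
import re

# The keyword list from slide 11.
KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/JBIG2Decode", "/RichMedia", "/Launch", "/XFA"]

# A PDF name token ends at whitespace or one of the delimiter characters.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Undo name obfuscation: /J#53 is the same name as /JS, so decode #xx hex escapes."""
    def decode(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return re.sub(rb"/[^\s()<>\[\]{}/%]*", decode, data)


def count_keywords(data: bytes) -> dict:
    """Count each keyword on the (de-obfuscated) bytes, token-wise rather than as substrings."""
    data = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        token = kw.encode()
        if kw.startswith("/"):
            pat = re.escape(token) + _NAME_END                   # /Page must not match /Pages
        else:
            pat = rb"(?<![A-Za-z])" + token + rb"(?![A-Za-z])"   # obj must not match endobj
        counts[kw] = len(re.findall(pat, data))
    return counts


def triage(data: bytes) -> dict:
    """Apply the slide 11/12 heuristics and a structural sanity check against slide 15 false positives."""
    counts = count_keywords(data)
    js = counts["/JS"] or counts["/JavaScript"]
    auto = counts["/AA"] or counts["/OpenAction"]
    flags = []
    if js:
        flags.append("JavaScript present")
    if auto:
        flags.append("automatic action")
    if js and auto:
        flags.append("JavaScript runs without user interaction")
    if counts["/Launch"]:
        flags.append("/Launch action")
    if counts["/ObjStm"]:
        flags.append("object streams (possible obfuscation)")
    if counts["/Page"] == 1:
        flags.append("single page")
    # A string scanner cannot tell a PDF from prose containing the words; a real PDF
    # at least has a header, object terminators and a trailer.
    structure = data.startswith(b"%PDF-") and counts["endobj"] > 0 and counts["trailer"] > 0
    return {"counts": counts, "flags": flags, "pdf_structure": structure}


# Constructed inert sample: the catalog's /OpenAction points at a JavaScript action whose
# /JS key is written as the obfuscated name /J#53. Not real malware; the script only alerts.
SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R /Size 5 >>
%%EOF
"""

# Constructed false positive from slide 15: plain text that merely starts with %PDF-1.1.
NOT_A_PDF = b"%PDF-1.1\nJust notes mentioning obj , /JavaScript and /OpenAction keywords.\n"


if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_PDF), ("text file", NOT_A_PDF)):
        result = triage(sample)
        print(label, result["flags"], "structure:", result["pdf_structure"])
```

On the constructed samples the text file raises the same JavaScript and automatic-action flags as the suspect PDF, which is exactly the false positive slide 15 warns about; only the `pdf_structure` field tells them apart, so a keyword hit should be followed by a parser (pdf-parser.py or peepdf) rather than treated as a verdict.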