In early February of this year a series of advisories was released relating to multiple vulnerabilities found in Acrobat Reader and Acrobat before 8.1.2; this threat is known as CVE-2008-0655.
This vulnerability carries a high level of risk, since a successfully exploited PDF file allows a remote code execution attack. Consequently, it gives an attacker unauthorized remote control over the victim's machine.
Because of the nature of this vulnerability, more and more malicious users are attracted to employing this technique. Thus we are seeing the prevalence of this threat and, definitely, in-the-wild malicious PDF files.
Let’s take a deeper look …
Understanding PDF File Format [Read Adobe PDF 101]
The Filter entry indicates how the data in a stream must be decoded. Here are the standard filter names: [Read PDF Reference]
* ASCIIHexDecode
* ASCII85Decode
* LZWDecode
* FlateDecode
* RunLengthDecode
* CCITTFaxDecode
* JBIG2Decode
* DCTDecode
* JPXDecode
* Crypt
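As an added example (not code from the original post), here is a small decoder for the filters an analyst meets most often when unpacking stream objects by hand: ASCIIHexDecode, ASCII85Decode, RunLengthDecode and FlateDecode. The encoded inputs used at the bottom are constructed for this illustration; the short abbreviations (AHx, A85, RL, Fl) are the ones the PDF Reference allows for inline images. LZW, CCITT, JBIG2, DCT, JPX and Crypt are deliberately left unimplemented so that a filter chain containing one of them fails loudly instead of silently producing garbage.

```python
import base64
import binascii
import re
import zlib


def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode: hex digits, whitespace ignored, '>' is end-of-data."""
    body = data.split(b">", 1)[0]
    body = re.sub(rb"\s+", b"", body)
    if len(body) % 2:            # a final odd digit is treated as if followed by 0
        body += b"0"
    return binascii.unhexlify(body)


def ascii85_decode(data: bytes) -> bytes:
    """ASCII85Decode: base-85 text, optional '<~' prefix, '~>' is end-of-data."""
    body = data.split(b"~>", 1)[0]
    if body.startswith(b"<~"):
        body = body[2:]
    body = re.sub(rb"\s+", b"", body)
    return base64.a85decode(body)


def run_length_decode(data: bytes) -> bytes:
    """RunLengthDecode: length byte L; L<128 copies L+1 literal bytes,
    L>128 repeats the next byte 257-L times, L==128 is end-of-data."""
    out = bytearray()
    i = 0
    while i < len(data):
        length = data[i]
        i += 1
        if length == 128:
            break
        if length < 128:
            out += data[i:i + length + 1]
            i += length + 1
        else:
            out += bytes([data[i]]) * (257 - length)
            i += 1
    return bytes(out)


def flate_decode(data: bytes) -> bytes:
    """FlateDecode: a zlib stream (RFC 1950 header + deflate data)."""
    return zlib.decompress(data)


# Full names from the standard filter list plus the inline-image abbreviations.
DECODERS = {
    b"ASCIIHexDecode": ascii_hex_decode, b"AHx": ascii_hex_decode,
    b"ASCII85Decode": ascii85_decode,    b"A85": ascii85_decode,
    b"RunLengthDecode": run_length_decode, b"RL": run_length_decode,
    b"FlateDecode": flate_decode,        b"Fl": flate_decode,
}


def apply_filters(data: bytes, filters) -> bytes:
    """Apply a /Filter chain in order (a PDF may stack several filters on one stream)."""
    for name in filters:
        decoder = DECODERS.get(name)
        if decoder is None:
            raise NotImplementedError(f"no decoder for filter {name!r}")
        data = decoder(data)
    return data


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    print(ascii_hex_decode(b"48 65 6C 6C 6F>"))                 # b'Hello'
    print(ascii85_decode(b"87cURDZ~>"))                         # b'Hello'
    print(run_length_decode(b"\x02abc\xfeZ\x80"))               # b'abcZZZ'
    chained = binascii.hexlify(zlib.compress(b"secret")) + b">"
    print(apply_filters(chained, [b"ASCIIHexDecode", b"FlateDecode"]))  # b'secret'
```

When triaging a sample, read the /Filter entry of each stream dictionary and pass it through `apply_filters` in the order given; a stream that is wrapped in ASCIIHexDecode or ASCII85Decode before FlateDecode is a common way of hiding compressed content from naive string searches.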
Analysis of Exploited PDF
+ Recent malicious PDF samples.
MD5: 72ab6b2f311508fa5e2bc73ef147dc1c
MD5: 16105c0964a3af27838f168d97e10ffe
MD5: d3b4b6040a4849e43da0bc982f9cb69d
+ Static/Strings Inspection
The strings suggest that this PDF file was created with Acrobat 6.0 and that the stream objects are encoded. A filter, which is an optional part of the stream specification, indicates how the stream must be decoded. In this case the filter name is FlateDecode, so the stream can be decompressed with the zlib/deflate method to reproduce the original text or binary.
1 – Stream object we are interested in investigating
2 – "0D" and "0A" are carriage return and line feed, i.e. a new line
3 – Start of the compressed or encoded stream
RFC 1950 – ZLIB Compressed Data Format Specification defines the two-byte zlib stream header as follows:
CMF
Bits 0 to 3: CM (Compression Method) = 8 denotes deflate
Bits 4 to 7: CINFO (Compression Info) = 7 indicates a 32K window size
FLG
Bits 0 to 4: FCHECK (check bits for CMF and FLG); the check value of 0x78DA is 30938, which is a multiple of 31.
Bit 5: FDICT (preset dictionary)
Bits 6 to 7: FLEVEL (compression level)
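To make the stream inspection above reproducible, here is an added example (not the original post's code) that parses the RFC 1950 CMF/FLG header exactly as laid out above, verifies the FCHECK rule, then locates the `stream ... endstream` objects in a PDF and inflates any FlateDecode stream. The PDF is constructed inline from a benign placeholder content stream compressed at level 9, so its header bytes are the same 78 DA discussed in the text; a real sample is read from disk instead. The stream is inflated with a `decompressobj` so that a truncated stream, which is common in hand-edited malicious files, still yields whatever prefix can be recovered rather than an exception.

```python
import re
import zlib

# Constructed sample: a one-object PDF whose content stream is Flate-encoded.
# The body is benign placeholder text standing in for a real decoded stream.
_PAYLOAD = b"BT /F1 12 Tf (decoded stream body goes here) Tj ET"
_COMPRESSED = zlib.compress(_PAYLOAD, 9)          # level 9 -> header bytes 78 DA

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode() +
    b" /Filter /FlateDecode >>\nstream\r\n" + _COMPRESSED +   # 0D 0A after 'stream'
    b"\r\nendstream\nendobj\n%%EOF\n"
)


def parse_zlib_header(data: bytes) -> dict:
    """Decode the CMF and FLG bytes of an RFC 1950 stream header."""
    if len(data) < 2:
        raise ValueError("need at least two bytes for CMF and FLG")
    cmf, flg = data[0], data[1]
    cm = cmf & 0x0F                 # bits 0-3: compression method, 8 = deflate
    cinfo = cmf >> 4                # bits 4-7: log2(window) - 8, 7 = 32K window
    return {
        "cm": cm,
        "cinfo": cinfo,
        "window_size": (1 << (cinfo + 8)) if cm == 8 else None,
        "fcheck_ok": ((cmf << 8) | flg) % 31 == 0,   # CMF*256 + FLG must be a multiple of 31
        "fdict": bool(flg & 0x20),                   # bit 5: preset dictionary present
        "flevel": flg >> 6,                          # bits 6-7: compression level
    }


# Stream dictionary, the 'stream' keyword, CR/LF, the data, then 'endstream'.
STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*/(\w+)")


def extract_streams(pdf: bytes) -> list:
    """Return one record per stream object: its dictionary, filter, zlib header
    analysis and (for FlateDecode) the inflated bytes."""
    records = []
    for dct, raw in STREAM_RE.findall(pdf):
        m = FILTER_RE.search(dct)
        filt = m.group(1) if m else None
        rec = {"dict": dct, "filter": filt, "raw_len": len(raw),
               "header": None, "decoded": None, "truncated": None}
        if filt == b"FlateDecode":
            rec["header"] = parse_zlib_header(raw)
            d = zlib.decompressobj()
            rec["decoded"] = d.decompress(raw)   # partial output if the stream is cut short
            rec["truncated"] = not d.eof
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in extract_streams(SAMPLE_PDF):
        print(rec["filter"], rec["header"])
        print(rec["decoded"])
```

Running it on a file from disk is a matter of `extract_streams(open(path, "rb").read())`; a header whose `fcheck_ok` is False or whose `cm` is not 8 is the first sign that the bytes after `stream` are not a plain zlib stream and need a different filter or were deliberately mangled.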
Most PDF files are encoded for protection, which makes it difficult for an analyst to examine the actual code of the exploited file. Here is the interesting part once you have successfully decoded the exploited PDF file.