Inside Exploited PDF
This vulnerability carries a high level of risk since a successfully exploited PDF file will allow a remote code execution attack. Consequently, this will give an attacker unauthorized remote control over the victim’s machine.
Because of the nature of this vulnerability, more and more malicious users are attracted to employing this technique. Thus, we are seeing this threat become prevalent, and the sample below is definitely an In-the-Wild malicious PDF file.
Let’s take a deeper look …
Understanding PDF File Format [Read Adobe PDF 101]
Analysis of Exploited PDF
+ Recent malicious PDF sample.
+ Static/Strings Inspection
The strings suggest that this PDF file was created in Acrobat 6.0 and that its stream objects are encoded. A filter, which is an optional part of the stream specification, indicates that the stream must be decoded before it can be read. In this case, the filter name is FlateDecode, which means the stream was compressed with the zlib/deflate method and can be decompressed with zlib to reproduce the original text or binary.
1 – Stream Object we are interested to investigate
2 – “0D” and “0A” are carriage return and line feed, i.e. the new line that separates the stream keyword from the data
3 – Start of compressed or encoded stream
RFC 1950 – ZLIB Compressed Data Format Specification defines zlib stream structure as follows:
CMF (first header byte, 0x78 in this sample):
Bits 0 to 3 CM Compression Method = 8 denotes deflate
Bits 4 to 7 CINFO Compression Info = 7 indicates a 32k window size
FLG (second header byte, 0xDA in this sample):
Bits 0 to 4 FCHECK (check bits for CMF and FLG); CMF and FLG read together as 0x78DA give 30938, which is a multiple of 31
Bit 5 FDICT (preset dictionary present)
Bits 6 to 7 FLEVEL (compression level)
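To make the header check and the FlateDecode step concrete, here is an added example (not code from the original post) that parses the RFC 1950 CMF/FLG bytes, verifies the multiple-of-31 check, and decompresses the stream of a small constructed PDF object. The sample object, its content and the helper names are all assumptions made for this example; it only goes as far as inflating the stream, which is where the analysis of the decoded content begins.

```python
import re
import zlib

# Constructed sample: a minimal PDF stream object whose body is zlib data,
# built here so the example runs offline. Level 9 yields the 0x78 0xDA header
# discussed above (CM=8, CINFO=7, FLEVEL=3).
_ORIGINAL = b"BT /F1 12 Tf 72 712 Td (constructed page content) Tj ET"
_COMPRESSED = zlib.compress(_ORIGINAL, 9)
SAMPLE_PDF = (
    b"5 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\r\n"      # 0D 0A before the data
    + _COMPRESSED + b"\r\nendstream\nendobj\n"
)

OBJ_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.DOTALL)  # dict + stream keyword
LEN_RE = re.compile(rb"/Length\s+(\d+)")


def parse_zlib_header(data: bytes) -> dict:
    """Split the two-byte zlib header (CMF, FLG) into the RFC 1950 fields."""
    cmf, flg = data[0], data[1]
    return {
        "CM": cmf & 0x0F,            # bits 0-3 of CMF: 8 = deflate
        "CINFO": cmf >> 4,           # bits 4-7 of CMF: window = 2^(CINFO+8), 7 = 32k
        "FCHECK": flg & 0x1F,        # bits 0-4 of FLG
        "FDICT": (flg >> 5) & 0x01,  # bit 5 of FLG: preset dictionary present
        "FLEVEL": flg >> 6,          # bits 6-7 of FLG: compression level hint
        # the header is valid only if CMF*256 + FLG is a multiple of 31
        "fcheck_ok": (cmf * 256 + flg) % 31 == 0,
    }


def extract_flate_streams(pdf: bytes) -> list:
    """Return (header_fields, inflated_bytes) for every /FlateDecode stream.

    inflated_bytes is None when the zlib header fails its own sanity check,
    which is a common sign of a damaged or deliberately malformed stream."""
    results = []
    for m in OBJ_RE.finditer(pdf):
        dictionary = m.group(1)
        if b"/FlateDecode" not in dictionary:
            continue
        length = int(LEN_RE.search(dictionary).group(1))   # /Length bounds the data
        body = pdf[m.end(): m.end() + length]
        info = parse_zlib_header(body)
        decoded = zlib.decompress(body) if info["fcheck_ok"] and info["CM"] == 8 else None
        results.append((info, decoded))
    return results
```

Running `extract_flate_streams(SAMPLE_PDF)` on the constructed object returns one stream whose header fields match the breakdown above and whose inflated body is the original content string.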
Most malicious PDF files have their streams encoded, which makes it difficult for an analyst to examine the actual code of the exploited file. Here’s the interesting part once you have successfully decoded the exploited PDF file.