SlideShare une entreprise Scribd logo

Obfuscation and (non )detection of malicious pdf files

J
Jose Miguel Esparza

Techniques to successfully create malicious PDF files with low-detection rates, showing the weak points in actual parsers. Introduction to peepdf, a new tool that covers up the holes in the analysis of these files and which also allows their modification (obfuscation).

Technologie
1  sur  72
Obfuscation and (non-)detection of malicious PDF files Jose Miguel Esparza
Agenda • Introduction to the PDF format • Obfuscation and evasion techniques • Obfuscation vs. Antivirus • Obfuscation vs. Analysis tools • peepdf • Conclusions
Header Body Cross reference table Trailer
Introduction to the PDF format • Sequence of objects • Object types – Boolean: true false – Numbers: 123 -98 4. -.002 123.6 – Strings: (hola) <686f6c61> – Names: /Type /Filters – Dictionaries: <</Type /Catalog /Root 1 0 R>> – Arrays: [1.0 (test) <</Length 273>>] – Streams
Introduction to the PDF format
Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
Introduction to the PDF format • Updatable documents – Older versions stay in the document Header Body Cross reference table Trailer Body Cross reference table Trailer Original Update
Introduction to the PDF format • Logical structure – Tree structure – Root node: /Catalog – If an element isn’t in the downward path from the /Catalog DOES NOT EXIST
Introduction to the PDF format
Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
Introduction to the PDF format
Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
Introduction to the PDF format
Introduction to the PDF format
Introduction to the PDF format
• Practical example – pdf.pdf (2009) Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Automatic execution – Avoid /OpenAction – Use of /Catalog elements • /Names • /AcroForm – /AA: applied to pages, annotations… Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
Obfuscation and evasion techniques
• Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
• Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques
• Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques NO!
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Splitting up Javascript code – Several objects in /Names /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R] – Functions to obtain parts of the document • getAnnots() • getPageNumWords()/getPageNthWord() • this.info.* • …
Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
Obfuscation and evasion techniques
• Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Mixing techniques • Summary: – Remove characteristic strings – Split up Javascript code (/Names) – If the code is in: • String octal encoding (143172) • Stream filters (not usuals, parameters) – Compress (object streams) – Encrypt (default password) – Malform (endobj, header) – Nest PDFs
Obfuscation vs. Antivirus • Better results – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (0/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739 – filters with parameters + malformed (0/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (2/43) http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405 • encrypted (5/43) http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113 • Exploit working
Obfuscation vs. Antivirus • Updates – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (1/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1303817670 – filters with parameters + malformed (3/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (6/43) http://www.virustotal.com/file-scan/report.html?id=c3c50596b8deccb128f943d050a16b7652db54fe476e68db7b8c01b02ab77176-1303829263 • encrypted + nested + malformed (1/43) http://www.virustotal.com/file-scan/report.html?id=95c60679269acb4c7d7bcd3a8f0b88b1bb4fdab402a16b779a8f0d3867be7fd4-1303833454 • Exploit working
Obfuscation vs. Antivirus Antivirus Weak points AntiVir JS in string, without JS strings Avast Embedded, no endobj, Flate params AVG Embedded, Flate params, characteristic strings, without JS strings BitDefender Characteristic strings, octal strings ClamAV Flate params, octal strings, bytes header Commtouch Flate params, octal strings, encrypted DrWeb Characteristic strings, octal strings F-Secure Splitted up JS code, octal strings, bytes header, object streams Fortinet Flate params, splitted up JS code, bytes header, metadata GData No endobj, Flate params Kaspersky Flate params, characteristic strings, splitted up JS code, object streams McAfee Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
Obfuscation vs. Antivirus Antivirus Weak points McAfee-GW Flate params, characteristic strings, octal strings Microsoft Splitted up JS code, octal strings, bytes header, object streams NOD32 Embedded, characteristic strings, bad header (%PDF-1.0) Panda JS in string, without JS strings Prevx No detection Sophos Without JS strings, object stream + malformed endobj, encrypted Symantec Original detection as Downloader, JS in string, without JS strings TrendMicro No detection VBA32 Characteristic strings VirusBuster No detection
Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
Obfuscation vs. Analysis tools
Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
peepdf • Characteristics – Python – Command line – Interactive console – Command file option http://peepdf.eternal-todo.com
peepdf http://peepdf.eternal-todo.com
peepdf • Analysis – Encrypted files – Compressed objects – Malformed documents support – Decoding: hexadecimal, octal, names – Most used filters (5) – References in objects and to objects – Strings search (including streams)
peepdf • Analysis – Physical structure (offsets) – Tree structure (logical) – Metadata – Changes between versions (changelog) – Extraction of different versions – Javascript analysis and modification (Spidermonkey) • unescape, replace, join – Shellcode analysis (sctest, Libemu) – Variables to improve analysis (set command)
peepdf • Creation/Modification – Basic PDF creation – Creation of PDF with Javascript execution – Object compression (object streams) – Encrypted files – Nested PDFs creation – Malformed PDFs – Strings and names codification – Filters modification – Object modification
Demo time!
peepdf • TODO – Automatic analysis of embedded PDFs – Missing filters – Improve automatic Javascript analysis • Add support for PDF JS functions (getAnnots…) – GUI – ActionScript? – …
Conclusions • Very low detection when: – Nested PDFs – Compressed objects – New filters or filters with parameters – Encryption • Avoid detection by strings • Improve parsers
Thanks • People working with PDF stuff: – Julia Wolf – Didier Stevens – Felipe Manzano (feliam) – Origami team – Brandon Dixon – AV companies – …
???
Thanks!! Jose Miguel Esparza jesparza eternal-todo.com jesparza s21sec.com http://eternal-todo.com @eternaltodo

Recommandé

Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Paternity leave request
Paternity leave requestPaternity leave request
Paternity leave requestJohn_snow
 
ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?Cyber Security Alliance
 
blur-me-recsystalk
blur-me-recsystalkblur-me-recsystalk
blur-me-recsystalkSmriti Bhagat
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Web attacks using obfuscated script
Web attacks using obfuscated scriptWeb attacks using obfuscated script
Web attacks using obfuscated scriptAmol Kamble
 

Recommandé

Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Paternity leave request
Paternity leave requestPaternity leave request
Paternity leave requestJohn_snow
 
ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?ASFWS 2011 : Code obfuscation: Quid Novi ?
ASFWS 2011 : Code obfuscation: Quid Novi ?Cyber Security Alliance
 
blur-me-recsystalk
blur-me-recsystalkblur-me-recsystalk
blur-me-recsystalkSmriti Bhagat
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Web attacks using obfuscated script
Web attacks using obfuscated scriptWeb attacks using obfuscated script
Web attacks using obfuscated scriptAmol Kamble
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practiceDmitry Schelkunov
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscationAmol Kamble
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Belsoft
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Ertugrul Akbas
 
Palo Alto
Palo AltoPalo Alto
Palo AltoHajar Otmani
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Thailand Co Ltd
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Ha nam
Ha namHa nam
Ha namrajgurupatil
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Contenu connexe

En vedette

On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practiceDmitry Schelkunov
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscationAmol Kamble
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Belsoft
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Ertugrul Akbas
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 

En vedette (17)

On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practice
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscation
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
 
Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution Context Driven Scalable SIEM Solution
Context Driven Scalable SIEM Solution
 
Palo Alto
Palo AltoPalo Alto
Palo Alto
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Security Portfolio - 2015
IBM Security Portfolio - 2015
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
Ha nam
Ha namHa nam
Ha nam
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Dernier (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Obfuscation and (non )detection of malicious pdf files

  • 1. Obfuscation and (non-)detection of malicious PDF files Jose Miguel Esparza
  • 2. Agenda • Introduction to the PDF format • Obfuscation and evasion techniques • Obfuscation vs. Antivirus • Obfuscation vs. Analysis tools • peepdf • Conclusions
  • 4. Introduction to the PDF format • Sequence of objects • Object types – Boolean: true false – Numbers: 123 -98 4. -.002 123.6 – Strings: (hola) <686f6c61> – Names: /Type /Filters – Dictionaries: <</Type /Catalog /Root 1 0 R>> – Arrays: [1.0 (test) <</Length 273>>] – Streams
  • 5. Introduction to the PDF format
  • 6. Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
  • 7. Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
  • 8. Introduction to the PDF format • Updatable documents – Older versions stay in the document Header Body Cross reference table Trailer Body Cross reference table Trailer Original Update
  • 9. Introduction to the PDF format • Logical structure – Tree structure – Root node: /Catalog – If an element isn’t in the downward path from the /Catalog DOES NOT EXIST
  • 10. Introduction to the PDF format
  • 11. Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
  • 12. Introduction to the PDF format
  • 13. Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
  • 14. Introduction to the PDF format
  • 15. Introduction to the PDF format
  • 16. Introduction to the PDF format
  • 17. • Practical example – pdf.pdf (2009) Obfuscation and evasion techniques
  • 21. • Automatic execution – Avoid /OpenAction – Use of /Catalog elements • /Names • /AcroForm – /AA: applied to pages, annotations… Obfuscation and evasion techniques
  • 24. Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
  • 26. Obfuscation and evasion techniques • Strings to avoid/hide – /JavaScript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
  • 28. • Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
  • 30. • Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ] Obfuscation and evasion techniques
  • 31. • Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques
  • 32. • Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154 Obfuscation and evasion techniques NO!
  • 37. Obfuscation and evasion techniques • Splitting up Javascript code – Several objects in /Names /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R] – Functions to obtain parts of the document • getAnnots() • getPageNumWords()/getPageNthWord() • this.info.* • …
  • 40. • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
  • 42. • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
  • 44. • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream Obfuscation and evasion techniques
  • 47. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 50. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 52. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 54. Obfuscation and evasion techniques • Mixing techniques • Summary: – Remove characteristic strings – Split up Javascript code (/Names) – If the code is in: • String octal encoding (143172) • Stream filters (not usuals, parameters) – Compress (object streams) – Encrypt (default password) – Malform (endobj, header) – Nest PDFs
  • 55. Obfuscation vs. Antivirus • Better results – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (0/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739 – filters with parameters + malformed (0/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (2/43) http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405 • encrypted (5/43) http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113 • Exploit working
  • 56. Obfuscation vs. Antivirus • Updates – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (1/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1303817670 – filters with parameters + malformed (3/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (6/43) http://www.virustotal.com/file-scan/report.html?id=c3c50596b8deccb128f943d050a16b7652db54fe476e68db7b8c01b02ab77176-1303829263 • encrypted + nested + malformed (1/43) http://www.virustotal.com/file-scan/report.html?id=95c60679269acb4c7d7bcd3a8f0b88b1bb4fdab402a16b779a8f0d3867be7fd4-1303833454 • Exploit working
  • 57. Obfuscation vs. Antivirus Antivirus Weak points AntiVir JS in string, without JS strings Avast Embedded, no endobj, Flate params AVG Embedded, Flate params, characteristic strings, without JS strings BitDefender Characteristic strings, octal strings ClamAV Flate params, octal strings, bytes header Commtouch Flate params, octal strings, encrypted DrWeb Characteristic strings, octal strings F-Secure Splitted up JS code, octal strings, bytes header, object streams Fortinet Flate params, splitted up JS code, bytes header, metadata GData No endobj, Flate params Kaspersky Flate params, characteristic strings, splitted up JS code, object streams McAfee Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
  • 58. Obfuscation vs. Antivirus Antivirus Weak points McAfee-GW Flate params, characteristic strings, octal strings Microsoft Splitted up JS code, octal strings, bytes header, object streams NOD32 Embedded, characteristic strings, bad header (%PDF-1.0) Panda JS in string, without JS strings Prevx No detection Sophos Without JS strings, object stream + malformed endobj, encrypted Symantec Original detection as Downloader, JS in string, without JS strings TrendMicro No detection VBA32 Characteristic strings VirusBuster No detection
  • 59. Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
  • 61. Tools Comments Wepawet No encryption support, identifies exploits in embeded PDF files PDFDissector Comercial, not tested PDFStreamDumper Tools to help shellcode/JS analysis, errors with encryption, does not analyse object streams pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Parsing framework, XML output, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Encryption and embeded PDF files support, does not support malformed objects, octal decoding malpdfobj Based on PDFTools (Didier Stevens) Obfuscation vs. Analysis tools
  • 62. peepdf • Characteristics – Python – Command line – Interactive console – Command file option http://peepdf.eternal-todo.com
  • 64. peepdf • Analysis – Encrypted files – Compressed objects – Malformed documents support – Decoding: hexadecimal, octal, names – Most used filters (5) – References in objects and to objects – Strings search (including streams)
  • 65. peepdf • Analysis – Physical structure (offsets) – Tree structure (logical) – Metadata – Changes between versions (changelog) – Extraction of different versions – Javascript analysis and modification (Spidermonkey) • unescape, replace, join – Shellcode analysis (sctest, Libemu) – Variables to improve analysis (set command)
  • 66. peepdf • Creation/Modification – Basic PDF creation – Creation of PDF with Javascript execution – Object compression (object streams) – Encrypted files – Nested PDFs creation – Malformed PDFs – Strings and names codification – Filters modification – Object modification
  • 68. peepdf • TODO – Automatic analysis of embedded PDFs – Missing filters – Improve automatic Javascript analysis • Add support for PDF JS functions (getAnnots…) – GUI – ActionScript? – …
  • 69. Conclusions • Very low detection when: – Nested PDFs – Compressed objects – New filters or filters with parameters – Encryption • Avoid detection by strings • Improve parsers
  • 70. Thanks • People working with PDF stuff: – Julia Wolf – Didier Stevens – Felipe Manzano (feliam) – Origami team – Brandon Dixon – AV companies – …
  • 71. ???
  • 72. Thanks!! Jose Miguel Esparza jesparza eternal-todo.com jesparza s21sec.com http://eternal-todo.com @eternaltodo