Wednesday, September 29, 2010

Trick for finding embedded exes in PDFs

A common trait of a lot of PDF malware is that the embedded executable is put into an object stream whose dictionary declares a compression filter such as /FlateDecode, but the stream data is rarely actually compressed. The PDF Examiner online tool now marks in brown any object whose raw stream does not inflate correctly, to flag the possible inclusion of an executable attachment. In most cases the "fake" stream holds an XORed exe, or sometimes additional clean PDFs that are dropped at exploit time.

In the example below, object 64 contains a stream declared as /FlateDecode but listed in brown, because it did not contain a valid zlib (Flate) stream. In the hex view the 256-byte repeating XOR key shows through the executable's zero-byte padding, since a zero byte XORed with the key yields the key byte itself; once the key has been read off, it can be used to statically extract the executable for analysis.
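The same triage can be scripted. The following is an added example, not PDF Examiner's code: it scans a flat, unencrypted PDF with a byte-level regex (an assumption that stands in for a real PDF parser), flags every object that claims /FlateDecode but fails zlib decompression, then recovers a repeating 256-byte XOR key from the padding exactly the way the hex view reveals it (most frequent ciphertext byte per key position) and checks that the decoded bytes start with the DOS "MZ" magic. The sample PDF, the 256-byte key and the 4 KiB stand-in executable are all constructed inline; the key length of 256 is assumed from the post.

```python
import re
import zlib
from collections import Counter

# Byte scan for a flat, unencrypted PDF (assumption: no xref walking, no object
# streams, /Length is not trusted). Enough to triage a sample, not a PDF parser.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"^(.*?)\bstream\r?\n(.*)\r?\nendstream", re.DOTALL)


def find_streams(pdf):
    """Yield (object number, dictionary bytes, raw stream bytes) per stream object."""
    for m in OBJ_RE.finditer(pdf):
        s = STREAM_RE.match(m.group(3))
        if s:
            yield int(m.group(1)), s.group(1), s.group(2)


def inflates(raw):
    """True if the bytes are a valid zlib (Flate) stream."""
    try:
        zlib.decompress(raw)
        return True
    except zlib.error:
        return False


def suspicious_streams(pdf):
    """Objects that claim /FlateDecode but whose body does not inflate (the 'brown' case)."""
    return [(num, raw) for num, d, raw in find_streams(pdf)
            if b"/FlateDecode" in d and not inflates(raw)]


def recover_xor_key(data, keylen=256):
    """Recover a repeating XOR key from ciphertext whose plaintext is mostly zero bytes.
    For each key position the most frequent ciphertext byte is key[i] ^ 0 == key[i];
    this is the pattern that shows through the padding in a hex view."""
    key = bytearray(keylen)
    for i in range(keylen):
        column = data[i::keylen]
        if column:
            key[i] = Counter(column).most_common(1)[0][0]
    return bytes(key)


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_embedded_pe(raw, keylen=256):
    """Peel a repeating XOR off a fake stream; return (key, pe) if the result carries
    the DOS 'MZ' magic, else None."""
    key = recover_xor_key(raw, keylen)
    plain = xor_bytes(raw, key)
    return (key, plain) if plain[:2] == b"MZ" else None


def analyse(pdf):
    """Return {object number: (key, decoded exe)} for every fake Flate stream hiding a PE."""
    found = {}
    for num, raw in suspicious_streams(pdf):
        hit = extract_embedded_pe(raw)
        if hit:
            found[num] = hit
    return found


# --- Constructed sample input (not a real malware sample) ---------------------
SAMPLE_KEY = bytes((i * 73 + 19) & 0xFF for i in range(256))  # arbitrary 256-byte key


def build_fake_pe():
    """4 KiB stand-in for a PE: MZ magic, e_lfanew, PE signature, a code blob and a
    lot of zero padding, which is what lets the key be read back."""
    pe = bytearray(4096)
    pe[0:2] = b"MZ"
    pe[60:64] = (0x80).to_bytes(4, "little")
    pe[0x80:0x84] = b"PE\x00\x00"
    pe[0x400:0x400 + 300] = b"\x90" * 300
    return bytes(pe)


def stream_obj(num, dictionary, body):
    return b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (
        num, dictionary, len(body), body)


def build_sample_pdf(payload):
    """Minimal xref-less PDF: obj 3 is a genuine Flate stream, obj 64 claims
    /FlateDecode but holds the XORed payload (object number mirrors the post)."""
    good = zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        stream_obj(3, b"/Filter /FlateDecode", good),
        stream_obj(64, b"/Filter /FlateDecode", payload),
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


SAMPLE_PE = build_fake_pe()
SAMPLE_PDF = build_sample_pdf(xor_bytes(SAMPLE_PE, SAMPLE_KEY))

if __name__ == "__main__":
    for num, (key, pe) in analyse(SAMPLE_PDF).items():
        print("obj %d: fake Flate stream, XOR key starts %s, decoded %d bytes, magic %r"
              % (num, key[:8].hex(), len(pe), pe[:2]))
```

The key recovery only works because a PE is padding-heavy; if a sample has been packed before XORing, the per-position byte frequencies flatten out and the "MZ" check fails, which is itself a useful signal that a different decoding layer is in play.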
