Thursday, December 15, 2011

PDF Malware bypasses AV with 256bit AES encryption CVE-2011-2462

We've been getting a number of 256bit AES encrypted PDFs containing the U3D zero-day CVE-2011-2462 in the past 5 days. The files are getting very low-to-no AV detection:

256-bit AESV3, as used by Adobe, is proposed as part of the ISO 32000-2 standard and is not included in the current standard, ISO 32000-1; Adobe has implemented it for developer purposes in Reader 9.4 and 10.x. As such, it's not widely used and apparently not widely checked by AV or, until today, by our own PDFExaminer product.

Here's a sampling of some documents submitted to PDFExaminer which weren't privately submitted:








And a sampling of our PDFExaminer results:



We've added 256-bit AES decryption and analysis to both our web-based PDFExaminer (free online and commercial LAN version) and the standalone command line version (please update now). The zero-day samples are also available to Malware Intelligence Feed customers through our customer portal.

Thanks to those that pointed out that we were missing 256bit AES.

Tuesday, December 6, 2011

30 APT PDFs - rapid analysis with PDFExaminer

A recent post from the awesome Contagiodump blog provided 30 APT PDFs seen in the wild for researchers to work with. We thought we'd run them all through the PDFExaminer (API info here) to get quick CVE detection for all the files, in under 10 minutes. The command line version of the PDFExaminer can be pretty handy at your mail gateway in addition to regular A/V scans.


86730A9BC3AB99503322EDA6115C1096 1104statment.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

35458535961F767E267487E39641766C 1106.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


92D142E08DBEF9FC6BC61A575224C3EC 111109.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

B4CB1B1182EA0B616ED6702A2B25FAC2 20111106_.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

88B884E8CE014D6B8D30B8198E048708 20111111_SexyDay.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


C0D5B1CC0C77FCF32FF02AAC98FAC536 2012().pdf
8.0@1423: suspicious.obfuscation using unescape
8.0@1423: suspicious.string nopblock
8.0@1423: suspicious.obfuscation using eval
8.0@1423: suspicious.obfuscation using String.fromCharCode
8.0@1423: suspicious.string shellcode
8.0@1423: pdf.suspicious util.printd used to fill buffers
8.0@1423: pdf.exploit media.newPlayer CVE-2009-4324
8.0@1423: suspicious.warning: object contains JavaScript

31DD6F29F19626F8CE03D73B3F635296 2012()2.pdf
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
35.0@4896: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@6422: suspicious.warning: object contains JavaScript
39.0@7835: suspicious.obfuscation using String.replace
39.0@7835: suspicious.obfuscation using substring
39.0@7835: suspicious.warning: object contains JavaScript
56.0@13050: suspicious.obfuscation using unescape
56.0@13050: suspicious.warning: object contains JavaScript
49.0@16149: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@16546: flash.exploit CVE-2011-0611
50.0@16546: suspicious.flash addFrameScript
50.0@16546: suspicious.flash Embedded Flash
50.0@16546: suspicious.flash Embedded Flash define obj
29.0@53642: suspicious.string heap spray shellcode
29.0@53642: suspicious.warning: object contains JavaScript

C89D0C1DF6B4EF20E8447B11BEB77723 2012()3.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


08CDC6213D63EA85FBCCD335579CAEC4 2015.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

57F8BC2995CA99E20B356B623FA12F29 AEO.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

61481CBCBD35034C7CF4D1930B5E63E3 ATT03306.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

CBEA315F41205B731379521C5464C134 ATT03865.pdf
8.0@1423: suspicious.obfuscation using unescape
8.0@1423: suspicious.string nopblock
8.0@1423: suspicious.obfuscation using eval
8.0@1423: suspicious.obfuscation using String.fromCharCode
8.0@1423: suspicious.string shellcode
8.0@1423: pdf.suspicious util.printd used to fill buffers
8.0@1423: pdf.exploit media.newPlayer CVE-2009-4324
8.0@1423: suspicious.warning: object contains JavaScript

452703B9292A7A5D45EB224C622D32CF ATT11990.pdf
27.0@420717: suspicious.obfuscation using unescape
27.0@420717: suspicious.string unicode nop
27.0@420717: suspicious.string heap spray shellcode
27.0@420717: suspicious.obfuscation using util.byteToChar
27.0@420717: suspicious.string Shellcode NOP sled
27.0@420717: suspicious.string shellcode
27.0@420717: suspicious.warning: object contains JavaScript
29.0@425179: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
37.0@425945: suspicious.obfuscation using charCodeAt
37.0@425945: suspicious.obfuscation using String.fromCharCode
37.0@425945: suspicious.flash Embedded Flash
37.0@425945: flash.exploit CVE-2011-0611


704D40896BF6C9EA174F4CF3B57AC562 ATT25948.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

2A0DCB1915C0465949E7AECFB06F47EA ATT41702.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

979C64214F11F72EDDDD04FFC4887BB5 ATT63950.pdf
8.0@1423: suspicious.obfuscation using unescape
8.0@1423: suspicious.string nopblock
8.0@1423: suspicious.obfuscation using eval
8.0@1423: suspicious.obfuscation using String.fromCharCode
8.0@1423: suspicious.string shellcode
8.0@1423: pdf.suspicious util.printd used to fill buffers
8.0@1423: pdf.exploit media.newPlayer CVE-2009-4324
8.0@1423: suspicious.warning: object contains JavaScript


E30D11EB28BB88681D1FB31DA88D84C6 ATT78434.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

DD7A03F4932CB86A77BD57B1C21FC18F ATT85096.pdf
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
35.0@4896: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@6422: suspicious.warning: object contains JavaScript
39.0@7835: suspicious.obfuscation using String.replace
39.0@7835: suspicious.obfuscation using substring
39.0@7835: suspicious.warning: object contains JavaScript
56.0@13050: suspicious.obfuscation using unescape
56.0@13050: suspicious.warning: object contains JavaScript
49.0@16149: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@16546: flash.exploit CVE-2011-0611
50.0@16546: suspicious.flash addFrameScript
50.0@16546: suspicious.flash Embedded Flash
50.0@16546: suspicious.flash Embedded Flash define obj
29.0@53642: suspicious.string heap spray shellcode
29.0@53642: suspicious.warning: object contains JavaScript

1188EA8F0D086A8860A3AAFB54A3FA76 ATT88422.pdf
34.0@929: suspicious.warning: object contains JavaScript
35.0@1406: suspicious.warning: object contains JavaScript
36.0@1752: suspicious.warning: object contains JavaScript
41.0@13100: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@18786: suspicious.flash Embedded Flash
12.0@18786: flash.suspicious jit_spray
12.0@18786: flash.exploit CVE-2011-0611
12.0@18786: suspicious.flash Embedded Flash define obj
35.0@244241: suspicious.warning: object contains JavaScript
51.0@13764: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
34.0@245038: suspicious.warning: object contains JavaScript


B4CB1B1182EA0B616ED6702A2B25FAC2 ATT93159.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


91759CA240EECCC4C742CFF341C9A9A7 ATT93487.pdf
10.0@1946282: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
12.0@1983151: suspicious.obfuscation using unescape
12.0@1983151: suspicious.obfuscation using util.byteToChar
12.0@1983151: suspicious.warning: object contains JavaScript


3173D2A0A607ECCF21707A3DC5DE30DA Bainbridge Skills.pdf
27.0@122311: suspicious.obfuscation using unescape
27.0@122311: suspicious.string unicode nop
27.0@122311: suspicious.string heap spray shellcode
27.0@122311: suspicious.obfuscation using String.replace
27.0@122311: suspicious.obfuscation using util.byteToChar
27.0@122311: suspicious.string Shellcode NOP sled
27.0@122311: pdf.exploit Collab.collectEmailInfo CVE-2008-0655
27.0@122311: suspicious.warning: object contains JavaScript
29.0@125371: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
37.0@126137: flash.exploit CVE-2011-0611
37.0@126137: suspicious.flash addFrameScript
37.0@126137: suspicious.flash Embedded Flash
37.0@126137: suspicious.flash Embedded Flash define obj

F567FFD4F7A19A469D836E5A0A9552AB Conference information for next week.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

670E22EC5EE2F8D08795BA7FF5A5D52E DOB Aug 2011.pdf
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
29.0@5645: suspicious.string heap spray shellcode
29.0@5645: suspicious.warning: object contains JavaScript
35.0@14244: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@14808: suspicious.warning: object contains JavaScript
39.0@16291: suspicious.obfuscation using String.replace
39.0@16291: suspicious.obfuscation using substring
39.0@16291: suspicious.warning: object contains JavaScript
49.0@22030: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@22458: flash.exploit CVE-2010-3654
50.0@22458: suspicious.flash addFrameScript
50.0@22458: suspicious.flash Embedded Flash
56.0@45932: suspicious.obfuscation using unescape
56.0@45932: suspicious.warning: object contains JavaScript
58.0@46865: suspicious.obfuscation using unescape
58.0@46865: suspicious.string heap spray shellcode
58.0@46865: suspicious.obfuscation using substring
58.0@46865: suspicious.string shellcode
58.0@46865: suspicious.warning: object contains JavaScript
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
75.0@51566: suspicious.obfuscation using unescape
75.0@51566: suspicious.string heap spray shellcode
75.0@51566: suspicious.obfuscation using substring
75.0@51566: suspicious.string shellcode
77.0@54446: suspicious.warning: object contains JavaScript

01A1CAA4BA9EC050BA8CEAFE26998577 g20 summit.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

670E22EC5EE2F8D08795BA7FF5A5D52E ID194.pdf
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
29.0@5645: suspicious.string heap spray shellcode
29.0@5645: suspicious.warning: object contains JavaScript
35.0@14244: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@14808: suspicious.warning: object contains JavaScript
39.0@16291: suspicious.obfuscation using String.replace
39.0@16291: suspicious.obfuscation using substring
39.0@16291: suspicious.warning: object contains JavaScript
49.0@22030: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@22458: flash.exploit CVE-2010-3654
50.0@22458: suspicious.flash addFrameScript
50.0@22458: suspicious.flash Embedded Flash
56.0@45932: suspicious.obfuscation using unescape
56.0@45932: suspicious.warning: object contains JavaScript
58.0@46865: suspicious.obfuscation using unescape
58.0@46865: suspicious.string heap spray shellcode
58.0@46865: suspicious.obfuscation using substring
58.0@46865: suspicious.string shellcode
58.0@46865: suspicious.warning: object contains JavaScript
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
75.0@51566: suspicious.obfuscation using unescape
75.0@51566: suspicious.string heap spray shellcode
75.0@51566: suspicious.obfuscation using substring
75.0@51566: suspicious.string shellcode
77.0@54446: suspicious.warning: object contains JavaScript

CDB6DCF66B7D3C5BC678378F46BA94E7 military procurement.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

C898ABCEA6EAAA3E1795322D02E95D7E NorthKorea.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

0A630BBAA1691ED10540048BD5B4CF04 Nuclear Security and Summit Diplomacy.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

DE095F05913928CF58A27F27C5BF8605 statement.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

Friday, October 28, 2011

Malware PDF Obfuscation Using PNG Filters and AV #fail

We recently took a look at PDF sample 218a3f6c293d67e5eef2a58742966d56, which our PDFExaminer tool was missing and which had a low 4/41 detection rate on VirusTotal. Object 20 in this sample had decode parameters of Predictor 12, BitsPerComponent 8, Colors 1, and Columns 1. Normally this PNG Up filter would only be used on graphics data; in this particular sample, however, it was used to hide an XFA block with JavaScript as well as a CVE-2011-0188 libtiff exploit (vulnerable in Adobe Reader 9.3 and earlier).




Object 20 also didn't decode with pdf-parser.py:




The PDF was part of attacks earlier in April, blogged about by Sophos http://nakedsecurity.sophos.com/2011/04/18/orders-spam-new-trick-in-pdf-malware/ and Symantec http://www.symantec.com/connect/blogs/pdf-exploit-same-crime-different-face

Despite awareness and blog posts by a couple of commercial AV providers, this particular obfuscation technique hasn't really gotten much attention and continues to get very low detection rates: today it's at 14/42 (33.3%), still missed by Symantec, Trend and McAfee as of publication time.
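To show why a scanner that stops at zlib inflation misses this object, here is an added Python example (not PDFExaminer's or pdf-parser.py's code) that applies the PNG predictor from the stream's DecodeParms before looking for the hidden script; it handles all five PNG row filters, not only the Up filter used in the sample. The XFA fragment, the DecodeParms dictionary and the helper that builds the fixture are constructed for the example.

```python
import zlib

# Constructed fixture: a benign XFA fragment standing in for the kind of content
# Object 20 hid behind a PNG Up predictor. Not taken from the sample in the post.
HIDDEN = b"<xfa><script contentType='application/x-javascript'>app.alert('hi')</script></xfa>"
# The DecodeParms values quoted in the post for Object 20.
FIXTURE_PARMS = {"Predictor": 12, "BitsPerComponent": 8, "Colors": 1, "Columns": 1}


def paeth(a, b, c):
    """PNG Paeth predictor (filter type 4), per the PNG specification."""
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def png_predictor_decode(data, columns=1, colors=1, bpc=8):
    """Undo PNG row filters (PDF /Predictor 10..15). Each row is one filter-type
    byte followed by rowlen filtered bytes; the type byte decides the filter."""
    bpp = max(1, (colors * bpc + 7) // 8)           # bytes per pixel
    rowlen = (columns * colors * bpc + 7) // 8      # filtered bytes per row
    prev = bytearray(rowlen)                        # row above (zeros for row 0)
    out = bytearray()
    for pos in range(0, len(data), rowlen + 1):
        ft = data[pos]
        row = bytearray(data[pos + 1:pos + 1 + rowlen])
        if len(row) < rowlen:
            break   # tolerate a truncated final row rather than raising (assumption)
        for j in range(rowlen):
            a = row[j - bpp] if j >= bpp else 0     # left neighbour, already decoded
            b = prev[j]                             # byte above
            c = prev[j - bpp] if j >= bpp else 0    # byte above-left
            if ft == 0:
                pred = 0
            elif ft == 1:
                pred = a
            elif ft == 2:                           # Up: what Predictor 12 produces
                pred = b
            elif ft == 3:
                pred = (a + b) // 2
            elif ft == 4:
                pred = paeth(a, b, c)
            else:
                raise ValueError("bad PNG filter type %d" % ft)
            row[j] = (row[j] + pred) & 0xFF
        out += row
        prev = row
    return bytes(out)


def decode_flate_stream(raw, decode_parms=None):
    """Inflate a FlateDecode stream and apply its /DecodeParms, which is the step
    signature matching needs to run after."""
    data = zlib.decompress(raw)
    parms = decode_parms or {}
    predictor = parms.get("Predictor", 1)
    if predictor >= 10:
        data = png_predictor_decode(data, parms.get("Columns", 1),
                                    parms.get("Colors", 1),
                                    parms.get("BitsPerComponent", 8))
    elif predictor == 2:
        raise NotImplementedError("TIFF predictor not covered by this example")
    return data


def png_up_encode(data):
    """Constructed helper for the fixture only: apply filter type 2 (Up) with
    Columns 1 / Colors 1 / BPC 8, so every row becomes [0x02, byte - previous]."""
    out = bytearray()
    prev = 0
    for b in data:
        out += bytes([2, (b - prev) & 0xFF])
        prev = b
    return bytes(out)


FIXTURE_STREAM = zlib.compress(png_up_encode(HIDDEN))


def naive_scan(raw):
    """What a tool that stops at inflation sees: no script marker."""
    return b"x-javascript" in zlib.decompress(raw)


def predictor_aware_scan(raw, parms):
    """Same stream after honouring DecodeParms: the script marker is visible."""
    return b"x-javascript" in decode_flate_stream(raw, parms)


if __name__ == "__main__":
    print("naive:", naive_scan(FIXTURE_STREAM))
    print("predictor-aware:", predictor_aware_scan(FIXTURE_STREAM, FIXTURE_PARMS))
```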



And the malicious object in PDFExaminer, updated to process the PNG Filters:

Thursday, September 22, 2011

PDFExaminer command line scanner

Our command line version of the PDF Examiner is pretty popular with those who have a lot of malware PDFs to process locally. It's a commercial product, and includes a year of our CVE identification updates. It's a PHP library and utility that can be easily customized, designed for detection from the command line where the visual walk-through by object is not required. The command line version can optionally store extracted PDF objects to file in their decoded form for hex viewing of the detected objects with exploits.

$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf is_malware
1

$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf summary
19.0@993: suspicious.obfuscation using unescape
19.0@993: suspicious.string heap spray shellcode
19.0@993: suspicious.obfuscation using substr
19.0@993: suspicious.obfuscation using substring
19.0@993: suspicious.obfuscation using util.byteToChar
24.0@3857: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
2.0@5114: flash.exploit CVE-2011-0609
2.0@5114: suspicious.string heap spray shellcode
2.0@5114: suspicious.flash Embedded Flash
30.0@4064: suspicious.flash Adobe Shockwave Flash in a PDF define obj type



$ php pdfex.php 3d1fc4deb5705c750df6930550c2fc16.pdf
Array
(
[exploit] => 1
[hits] => 4
[completed] => 1
[is_malware] => 1
[summary] => 19.0@993: suspicious.obfuscation using unescape
19.0@993: suspicious.string heap spray shellcode
19.0@993: suspicious.obfuscation using substr
19.0@993: suspicious.obfuscation using substring
19.0@993: suspicious.obfuscation using util.byteToChar
24.0@3857: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
2.0@5114: flash.exploit CVE-2011-0609
2.0@5114: suspicious.string heap spray shellcode
2.0@5114: suspicious.flash Embedded Flash
30.0@4064: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

[severity] => 70
[engine] => 56
)

Tuesday, May 17, 2011

PDF Malware scoring with PDFExaminer

Today we're going to talk a little about the scoring of PDF malware with the PDFExaminer tool. We're currently rating PDFs as clean, suspicious or malware based on a simple scoring algorithm.

Use of JavaScript, per object: +1
JS Obfuscation function - eval, charCodeAt, etc: +1
Strings/variables exploit, jit, shellcode etc: +1
Flash (define object, Flash block): +1
CVE Exploit detected: +10
JBig2Decode: +1

Clean = 0
Suspicious = 1-9
Malware = 10 or more

Some CVE exploit signatures may occur multiple times, as our detection engine uses REGEX signatures and some exploits may be detected two or more times with varied signatures to more broadly detect new variants of known exploits.
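To make the weights concrete, here is an added Python sketch (not PDFExaminer's own PHP code) that applies the points listed above to summary lines in the `obj.gen@offset: finding` format shown elsewhere on this page. It assumes findings that fit none of the listed categories score 0, and it does not reproduce the severity numbers in the tool's own reports (the same sample is reported with severity 70 in the command line post).

```python
import re

# One summary line is "obj.gen@offset: finding", e.g.
# "19.0@993: suspicious.obfuscation using unescape" (format taken from this page).
LINE_RE = re.compile(r"^(?P<obj>\d+)\.(?P<gen>\d+)@(?P<offset>\d+):\s*(?P<finding>.+)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def points_for(finding):
    """Map one finding to (points, once_per_object) using the post's weights.
    Unlisted categories score 0 (assumption)."""
    if CVE_RE.search(finding):
        return 10, False        # CVE exploit detected: +10
    if finding.startswith("suspicious.warning: object contains JavaScript"):
        return 1, True          # use of JavaScript, counted once per object: +1
    if finding.startswith("suspicious.obfuscation"):
        return 1, False         # JS obfuscation function (eval, charCodeAt, ...): +1
    if finding.startswith("suspicious.string") or "jit_spray" in finding:
        return 1, False         # strings/variables: exploit, jit, shellcode: +1
    if finding.startswith("suspicious.flash"):
        return 1, False         # Flash define object / Flash block: +1
    if "JBig2Decode" in finding:
        return 1, False         # JBig2Decode: +1
    return 0, False


def score_summary(summary):
    """Sum the points over a block of summary lines. The JavaScript warning is
    counted once per (object, generation) pair; blank and header lines are skipped."""
    score = 0
    js_objects = set()
    for raw in summary.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pts, once_per_object = points_for(m["finding"])
        if once_per_object:
            key = (m["obj"], m["gen"])
            if key in js_objects:
                continue
            js_objects.add(key)
        score += pts
    return score


def rating(score):
    """Clean = 0, suspicious = 1-9, malware = 10 or more."""
    if score == 0:
        return "clean"
    return "suspicious" if score < 10 else "malware"


# Summary for sample 3d1fc4deb5705c750df6930550c2fc16, copied from the
# "PDFExaminer command line scanner" post on this page.
SAMPLE_SUMMARY = """\
19.0@993: suspicious.obfuscation using unescape
19.0@993: suspicious.string heap spray shellcode
19.0@993: suspicious.obfuscation using substr
19.0@993: suspicious.obfuscation using substring
19.0@993: suspicious.obfuscation using util.byteToChar
24.0@3857: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
2.0@5114: flash.exploit CVE-2011-0609
2.0@5114: suspicious.string heap spray shellcode
2.0@5114: suspicious.flash Embedded Flash
30.0@4064: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
"""

# Constructed summary: two objects carrying only JavaScript, one of them flagged twice.
JS_ONLY_SUMMARY = """\
8.0@1423: suspicious.warning: object contains JavaScript
8.0@1423: suspicious.warning: object contains JavaScript
9.0@2001: suspicious.warning: object contains JavaScript
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SUMMARY), ("js-only", JS_ONLY_SUMMARY)):
        s = score_summary(text)
        print(name, s, rating(s))
```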

Sunday, May 15, 2011

PDFExaminer API

Our new API tool to submit PDFs from the command line and download reports is now available.

Feel free to recode in other languages. We'll post any user submissions here as well.

Upload a PDF and receive the report:
php mwtfile.php [filename] [email address for report]
mwtfile.php source.

Download a PDFExaminer report for a hash
php mwtreport.php [hash] [report xml, text, json, php, is_malware, rating, severity]
mwtreport.php source.

Examples:
php mwtfile.php China\'s\ Charm\ diplomacy\ in\ BRICS\ Summit.pdf user@email.com

....
php mwtreport.php ae39b747e4fe72dce6e5cdc6d0314c02 xml

XML Report:
<?xml version="1.0"?>
<pdf><filename>China's Charm diplomacy in BRICS Summit.pdf</filename>
<size>411558</size>
<submitted>2011-04-21 14:46:36</submitted>
<md5>ae39b747e4fe72dce6e5cdc6d0314c02</md5>
<sha1>18306c34c5769f66573b725dce70a353ff549857</sha1>
<sha256>f4e861eec510a0d38ae8fa54b630fdda40011891d12925e0e74da39d9280ddd8</sha256>
<ssdeep>3072:qISKk2ZxVh/tj5focZCkMyM/1lKTHzteS8i:kMVh/tpNLzk+</ssdeep>
<engine>52</engine>
<content-type>PDF document, version 1.7</content-type>
<PDFExaminer>malwaretracker.com</PDFExaminer>
<encrypted>0</encrypted>
<is_malware>1</is_malware>
<severity>44</severity>
<rating>malware</rating>
<exploit><gen_id>0</gen_id>
<obj_id>2</obj_id>
<dup_id>10882</dup_id>
<exploittype>suspicious.flash Embedded Flash</exploittype>
</exploit>
<exploit><gen_id>0</gen_id>
<obj_id>2</obj_id>
<dup_id>10882</dup_id>
<exploittype>flash.exploit CVE-2011-0611</exploittype>
</exploit>
<exploit><gen_id>0</gen_id>
<obj_id>2</obj_id>
<dup_id>10882</dup_id>
<exploittype>suspicious.flash Embedded Flash define obj</exploittype>
</exploit>
<exploit><gen_id>0</gen_id>
<obj_id>2</obj_id>
<dup_id>10882</dup_id>
<exploittype>suspicious.string heap spray shellcode</exploittype>
</exploit>
<exploit><gen_id>0</gen_id>
<obj_id>2</obj_id>
<dup_id>10882</dup_id>
<exploittype>flash.suspicious jit_spray</exploittype>
</exploit>
<exploit><gen_id>0</gen_id>
<obj_id>26</obj_id>
<dup_id>9769</dup_id>
<exploittype>suspicious.flash Adobe Shockwave Flash in a PDF define obj type</exploittype>
</exploit>
<exploit><gen_id>0</gen_id>
<obj_id>30</obj_id>
<dup_id>9920</dup_id>
<exploittype>suspicious.flash Adobe Shockwave Flash in a PDF define obj type</exploittype>
</exploit>
</pdf>


The report formats available are text, xml, json, php (serialized hash), rating (malware, clean, suspicious), severity (hit count), and is_malware (0 or 1). dup_id is the object's decimal byte offset in the PDF file, to distinguish duplicate objects and generations within the same file.

Tuesday, May 10, 2011

Server upgrade

We completed a server upgrade to a brand new server with double the resources, so processing speed should be even better, and we are looking to release our PDFExaminer API tool very soon.

API Features for the Free online PDFExaminer
Submit a PDF for analysis via PHP or scripted web post
Extract reports in XML, Text, JSON, or PHP Serialize (Hash variable)

Monday, May 2, 2011

PDFExaminer: ObjStm handling

We've rolled out a number of new features today, one of the biggest is ObjStm handling - object streams are extracted and processed as separate objects. Malware severity rating now includes the count from embedded PDFs. Our parser has also been enhanced to better process extremely malformed PDFs.

Coming soon, we'll be releasing an API to post PDFs for analysis and retrieve reporting in XML, PHP Serialize, JSON, or text.

Thursday, April 21, 2011

PDFExaminer Flash Handling

Hello,

We are now exploding compressed Flash embedded in PDFs to allow for additional signature scanning for better CVE identification in embedded Adobe Flash files. Uncompressed Flash will be shown on the new "Flash" tab when viewing a PDF object which contains Flash.




Check out PDFExaminer.

PDFExaminer new features

Added several new features to the PDFExaminer. Email reports are optionally issued after submitting a sample, you can also include the phishing email or a comment and mark a sample as private to prevent it from being listed in a future list of recent detected malware reports.

We've also added a detection rating - malware, suspicious or clean to distinguish between PDFs with some obfuscated JavaScript and those with a detected CVE exploit.

Check out the PDFExaminer.

Sunday, April 17, 2011

CVE-2011-0611 Zero Day

Another update on CVE-2011-0611: we're seeing reports of its use in PDF (similar to the recent use of CVE-2011-0609), and Adobe will be releasing a patch by the week of April 25th. Adobe Reader contains an internal version of Flash Player, so updating to the recent Flash Player will not protect you from PDFs with embedded CVE-2011-0611 exploits.

You can scan any suspicious PDF for free with our PDF Examiner tool: https://www.malwaretracker.com/pdf.php

Wednesday, April 13, 2011

CVE-2011-0609 attacks via PDF file

We've just come across a new use of CVE-2011-0609, formerly only seen in XLS files, now used in a PDF file sent in a targeted email attack.

Filename: 民進黨2012+年....pdf (translates as DPP 2012 and beyond - DPP is Taiwan's Democratic Progressive Party)
MD5: 3d1fc4deb5705c750df6930550c2fc16
sha1: 3f6b96a62ae780b8c9d4094e478388036f336188
sha256: d742293773b4c6725bed769651a36baec6cd0b06c96662c688fce0f09f5d82c4
ssdeep: 12288:5aZEUjnnntnfnPnnnnnye2MUI2caPV6BWExnfAcc2spmUL0VnJtoQhUImzaIE0sT:GfURULy6NrFASbdX


PDF Object 2 contains a SWF file, MD5 40792ec6d7b7f66e71a3fdf2e58cb432, subtly named "~CVE-2011-0609.swf". Decompressing the CWS to FWS gives the MD5 00cf8b68cce68a6254b6206f250540fd.

Object 19 contains JavaScript to load shellcode into memory.

View the sample in PDF Examiner. Updating to the latest Flash 10.2.152.33 and Reader 9.4.2 mitigates this threat. We'll make the sample available to AV companies if requested.

For information on other current threats, see our PDF Threats and Document Threats pages.

Monday, April 11, 2011

Flash in Word zero-day

Adobe has announced a new Flash zero-day, CVE-2011-0611: Flash with an exploit and potentially a JIT spray. The PoC file also dropped an executable (XORed with 0x85).

MD5: 96cf54e6d7e228a2c6418aba93d6bd49
SHA1: 820699d9999ea3ba07e7f0d0c7f08fe10eae1d2d

Virustotal: http://www.virustotal.com/file-scan/report.html?id=1e677420d7a8160c92b2f44f1ef5eea1cf9b0b1a25353db7d3142b268893507f-1302359653

See bulletin APSA11-02.

See our list of current document format malware threats.

Wednesday, March 23, 2011

Malware Tracker Document Threats List

We've released our new list of current document threats (Microsoft Office Word/Excel/PowerPoint), which will be kept up to date with the most popular document exploits we see through email gateway detection. Surprisingly, a lot of the targeted email attacks use older exploits for which patches are often available; however, many users do not download MS Office patches, and they are not usually included in automatic updates. PDF threats are tracked separately.

Sunday, March 13, 2011

Mila's Malware Aquarium

Our friend Mila Parkour of the Contagiodump blog has released a new collection of malware samples heavy on PDF and MS Office exploits. A number of the exploits were originally zero-day and released through her blog (which always has interesting stuff). Check out the post and downloads.