Thursday, December 15, 2011

PDF Malware bypasses AV with 256bit AES encryption CVE-2011-2462

We've been getting a number of 256bit AES encrypted PDFs containing the U3D zero-day CVE-2011-2462 in the past 5 days. The files are getting very low-to-no AV detection:

256 bit AESV3 used by Adobe is proposed as part of ISO 32000-2 standard and is not included in the current standard ISO 32000-1, Adobe has implemented it for developer purposes in Reader 9.4 and 10.x. As such, it's not widely used and apparently not widely checked by AV or until today, our own PDFExaminer product.

Here's a sampling of some documents submitted to PDFExaminer which weren't privately submitted:








And a samping of our PDFExaminer results:



We've added 256bit AES decryption and analysis to both our web based PDFExaminer (free online and commercial lan version) and standalone command line versions (please update now). The zero-day samples are also available to Malware Intelligence Feed customers through our customer portal.

Thanks to those that pointed out that we were missing 256bit AES.

Tuesday, December 6, 2011

30 APT PDFs - rapid analysis with PDFExaminer

A recent post from the awesome Contagiodump blog provided 30 APT PDFs seen in the wild for researchers to work with. We thought we'd run them all through the PDFExaminer (api info here) to get quick CVE detection for all the files, in under 10 minutes. The command line version of the PDFExaminer can be pretty handy at your mail gateway in addition to regular A/V scans.


86730A9BC3AB99503322EDA6115C1096 1104statment.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

35458535961F767E267487E39641766C 1106.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


92D142E08DBEF9FC6BC61A575224C3EC 111109.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

B4CB1B1182EA0B616ED6702A2B25FAC2 20111106_.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

88B884E8CE014D6B8D30B8198E048708 20111111_SexyDay.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


C0D5B1CC0C77FCF32FF02AAC98FAC536 2012().pdf
8.0@1423: suspicious.obfuscation using unescape
8.0@1423: suspicious.string nopblock
8.0@1423: suspicious.obfuscation using eval
8.0@1423: suspicious.obfuscation using String.fromCharCode
8.0@1423: suspicious.string shellcode
8.0@1423: pdf.suspicious util.printd used to fill buffers
8.0@1423: pdf.exploit media.newPlayer CVE-2009-4324
8.0@1423: suspicious.warning: object contains JavaScript

31DD6F29F19626F8CE03D73B3F635296 2012()2.pdf
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
35.0@4896: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@6422: suspicious.warning: object contains JavaScript
39.0@7835: suspicious.obfuscation using String.replace
39.0@7835: suspicious.obfuscation using substring
39.0@7835: suspicious.warning: object contains JavaScript
56.0@13050: suspicious.obfuscation using unescape
56.0@13050: suspicious.warning: object contains JavaScript
49.0@16149: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@16546: flash.exploit CVE-2011-0611
50.0@16546: suspicious.flash addFrameScript
50.0@16546: suspicious.flash Embedded Flash
50.0@16546: suspicious.flash Embedded Flash define obj
29.0@53642: suspicious.string heap spray shellcode
29.0@53642: suspicious.warning: object contains JavaScript

C89D0C1DF6B4EF20E8447B11BEB77723 2012()3.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


08CDC6213D63EA85FBCCD335579CAEC4 2015.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

57F8BC2995CA99E20B356B623FA12F29 AEO.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

61481CBCBD35034C7CF4D1930B5E63E3 ATT03306.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

CBEA315F41205B731379521C5464C134 ATT03865.pdf
8.0@1423: suspicious.obfuscation using unescape
8.0@1423: suspicious.string nopblock
8.0@1423: suspicious.obfuscation using eval
8.0@1423: suspicious.obfuscation using String.fromCharCode
8.0@1423: suspicious.string shellcode
8.0@1423: pdf.suspicious util.printd used to fill buffers
8.0@1423: pdf.exploit media.newPlayer CVE-2009-4324
8.0@1423: suspicious.warning: object contains JavaScript

452703B9292A7A5D45EB224C622D32CF ATT11990.pdf
27.0@420717: suspicious.obfuscation using unescape
27.0@420717: suspicious.string unicode nop
27.0@420717: suspicious.string heap spray shellcode
27.0@420717: suspicious.obfuscation using util.byteToChar
27.0@420717: suspicious.string Shellcode NOP sled
27.0@420717: suspicious.string shellcode
27.0@420717: suspicious.warning: object contains JavaScript
29.0@425179: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
37.0@425945: suspicious.obfuscation using charCodeAt
37.0@425945: suspicious.obfuscation using String.fromCharCode
37.0@425945: suspicious.flash Embedded Flash
37.0@425945: flash.exploit CVE-2011-0611


704D40896BF6C9EA174F4CF3B57AC562 ATT25948.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

2A0DCB1915C0465949E7AECFB06F47EA ATT41702.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

979C64214F11F72EDDDD04FFC4887BB5 ATT63950.pdf
8.0@1423: suspicious.obfuscation using unescape
8.0@1423: suspicious.string nopblock
8.0@1423: suspicious.obfuscation using eval
8.0@1423: suspicious.obfuscation using String.fromCharCode
8.0@1423: suspicious.string shellcode
8.0@1423: pdf.suspicious util.printd used to fill buffers
8.0@1423: pdf.exploit media.newPlayer CVE-2009-4324
8.0@1423: suspicious.warning: object contains JavaScript


E30D11EB28BB88681D1FB31DA88D84C6 ATT78434.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

DD7A03F4932CB86A77BD57B1C21FC18F ATT85096.pdf
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3599: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
35.0@4896: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@5665: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@6422: suspicious.warning: object contains JavaScript
39.0@7835: suspicious.obfuscation using String.replace
39.0@7835: suspicious.obfuscation using substring
39.0@7835: suspicious.warning: object contains JavaScript
56.0@13050: suspicious.obfuscation using unescape
56.0@13050: suspicious.warning: object contains JavaScript
49.0@16149: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@16546: flash.exploit CVE-2011-0611
50.0@16546: suspicious.flash addFrameScript
50.0@16546: suspicious.flash Embedded Flash
50.0@16546: suspicious.flash Embedded Flash define obj
29.0@53642: suspicious.string heap spray shellcode
29.0@53642: suspicious.warning: object contains JavaScript

1188EA8F0D086A8860A3AAFB54A3FA76 ATT88422.pdf
34.0@929: suspicious.warning: object contains JavaScript
35.0@1406: suspicious.warning: object contains JavaScript
36.0@1752: suspicious.warning: object contains JavaScript
41.0@13100: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@18786: suspicious.flash Embedded Flash
12.0@18786: flash.suspicious jit_spray
12.0@18786: flash.exploit CVE-2011-0611
12.0@18786: suspicious.flash Embedded Flash define obj
35.0@244241: suspicious.warning: object contains JavaScript
51.0@13764: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
34.0@245038: suspicious.warning: object contains JavaScript


B4CB1B1182EA0B616ED6702A2B25FAC2 ATT93159.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type


91759CA240EECCC4C742CFF341C9A9A7 ATT93487.pdf
10.0@1946282: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
12.0@1983151: suspicious.obfuscation using unescape
12.0@1983151: suspicious.obfuscation using util.byteToChar
12.0@1983151: suspicious.warning: object contains JavaScript


3173D2A0A607ECCF21707A3DC5DE30DA Bainbridge Skills.pdf
27.0@122311: suspicious.obfuscation using unescape
27.0@122311: suspicious.string unicode nop
27.0@122311: suspicious.string heap spray shellcode
27.0@122311: suspicious.obfuscation using String.replace
27.0@122311: suspicious.obfuscation using util.byteToChar
27.0@122311: suspicious.string Shellcode NOP sled
27.0@122311: pdf.exploit Collab.collectEmailInfo CVE-2008-0655
27.0@122311: suspicious.warning: object contains JavaScript
29.0@125371: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
37.0@126137: flash.exploit CVE-2011-0611
37.0@126137: suspicious.flash addFrameScript
37.0@126137: suspicious.flash Embedded Flash
37.0@126137: suspicious.flash Embedded Flash define obj

F567FFD4F7A19A469D836E5A0A9552AB Conference information for next week.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

670E22EC5EE2F8D08795BA7FF5A5D52E DOB Aug 2011.pdf
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
29.0@5645: suspicious.string heap spray shellcode
29.0@5645: suspicious.warning: object contains JavaScript
35.0@14244: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@14808: suspicious.warning: object contains JavaScript
39.0@16291: suspicious.obfuscation using String.replace
39.0@16291: suspicious.obfuscation using substring
39.0@16291: suspicious.warning: object contains JavaScript
49.0@22030: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@22458: flash.exploit CVE-2010-3654
50.0@22458: suspicious.flash addFrameScript
50.0@22458: suspicious.flash Embedded Flash
56.0@45932: suspicious.obfuscation using unescape
56.0@45932: suspicious.warning: object contains JavaScript
58.0@46865: suspicious.obfuscation using unescape
58.0@46865: suspicious.string heap spray shellcode
58.0@46865: suspicious.obfuscation using substring
58.0@46865: suspicious.string shellcode
58.0@46865: suspicious.warning: object contains JavaScript
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
75.0@51566: suspicious.obfuscation using unescape
75.0@51566: suspicious.string heap spray shellcode
75.0@51566: suspicious.obfuscation using substring
75.0@51566: suspicious.string shellcode
77.0@54446: suspicious.warning: object contains JavaScript

01A1CAA4BA9EC050BA8CEAFE26998577 g20 summit.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

670E22EC5EE2F8D08795BA7FF5A5D52E ID194.pdf
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
20.0@3565: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
26.0@4783: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
29.0@5645: suspicious.string heap spray shellcode
29.0@5645: suspicious.warning: object contains JavaScript
35.0@14244: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
38.0@14808: suspicious.warning: object contains JavaScript
39.0@16291: suspicious.obfuscation using String.replace
39.0@16291: suspicious.obfuscation using substring
39.0@16291: suspicious.warning: object contains JavaScript
49.0@22030: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
50.0@22458: flash.exploit CVE-2010-3654
50.0@22458: suspicious.flash addFrameScript
50.0@22458: suspicious.flash Embedded Flash
56.0@45932: suspicious.obfuscation using unescape
56.0@45932: suspicious.warning: object contains JavaScript
58.0@46865: suspicious.obfuscation using unescape
58.0@46865: suspicious.string heap spray shellcode
58.0@46865: suspicious.obfuscation using substring
58.0@46865: suspicious.string shellcode
58.0@46865: suspicious.warning: object contains JavaScript
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
68.0@50561: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
75.0@51566: suspicious.obfuscation using unescape
75.0@51566: suspicious.string heap spray shellcode
75.0@51566: suspicious.obfuscation using substring
75.0@51566: suspicious.string shellcode
77.0@54446: suspicious.warning: object contains JavaScript

CDB6DCF66B7D3C5BC678378F46BA94E7 military procurement.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

C898ABCEA6EAAA3E1795322D02E95D7E NorthKorea.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

0A630BBAA1691ED10540048BD5B4CF04 Nuclear Security and Summit Diplomacy.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

DE095F05913928CF58A27F27C5BF8605 statement.pdf
39.0@952: suspicious.warning: object contains JavaScript
40.0@1429: suspicious.warning: object contains JavaScript
41.0@1775: suspicious.warning: object contains JavaScript
47.0@13491: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
12.0@19870: suspicious.flash Embedded Flash
12.0@19870: flash.suspicious jit_spray
12.0@19870: flash.exploit CVE-2011-0611
12.0@19870: suspicious.flash Embedded Flash define obj
57.0@14195: suspicious.flash Adobe Shockwave Flash in a PDF define obj type