Friday, April 6, 2012

CCITTFaxDecode support added to PDFExaminer

With the recent Sophos report of a CCITTFaxDecode filter being used to obfuscate malware, we decided it was time to add CCITT support for Group 3 1D to PDFExaminer.

We've been aware of one malware PDF using CCITTFaxDecode being used previously, however, the use of Javascript was not obfuscated, just the content, so we still flagged the file as suspicious. After implementing the Group 3 1D protocol [pdf] in PDFExaminer and testing our previously known sample appears to have led us to having found the same file as Sophos, but from 2010-11-07 - MD5: 863f99103941a33fbbe722f0deb3afa5, so there's not a lot of these going around, and they do not appear to be current.





View the full PDFExaminer report here and the 6 / 43 Virustotal.com report from 2010-10-09.

No comments:

Post a Comment