O SlideShare utiliza cookies para otimizar a funcionalidade e o desempenho do site, assim como para apresentar publicidade mais relevante aos nossos usuários. Se você continuar a navegar o site, você aceita o uso de cookies. Leia nosso Contrato do Usuário e nossa Política de Privacidade.
O SlideShare utiliza cookies para otimizar a funcionalidade e o desempenho do site, assim como para apresentar publicidade mais relevante aos nossos usuários. Se você continuar a utilizar o site, você aceita o uso de cookies. Leia nossa Política de Privacidade e nosso Contrato do Usuário para obter mais detalhes.
Analysis of malicious PDF
Open Info.sec Community
Disclaimer: Either me or the organizers are not responsible for any damages or any sort of actions that you made with the provided information.
Who am i?
• Information security enthusiast & Developer.
• Certified in OCJP ,CEH.
• You can reach me at:
Abdul.Adil@connectica.in or AbdulAdil02@gmail.com
What your going learn?
• What is a pdf?
• Internals of PDF.
• Strings of pdf.
• Scanning pdf’s with virus total.
What is a pdf?
• It stands for Portable Document Format(PDF).
• Extension of portable document format is “.pdf”.
• Is a file format used to present documents in a manner independent
of application software, hardware, and operating systems.
• Developed by Adobe Systems in the year 1991.
• Interactive features like acroforms , rich media…
• Current version of pdf is 1.7 was released in 2011.
First Malware of PDF
• PDF attachments carrying viruses were first discovered in 2001.
• The virus, named OUTLOOK.PDFWorm or Peachy, uses Microsoft
Outlook to send itself as an attachment to an Adobe PDF file.
• It was activated with Adobe Acrobat, but not with Acrobat Reader.
Internals of pdf
• Header: this probably the most simple section. It is made of a single line which specifies the PDF language
• Body: which generally contains the most part of the PDF code. This section is made of a list of objects which
describes how the final document will look.
• cross reference table: this table contains all the data required to the PDF management software (e.g. a
reader) in order to access directly any document object without having to read throughout the file to find
this object. Starts with ‘Xref’.
• Trailer: Any PDF software management application always begins to read from the end of the file where this
last section is located. The trailer contains different essential data, which are from the top to the bottom of
a. the number of objects contained in the file (field /Size),
b. the ID of the file root document (field /Root),
c. the offset (in bytes) of the cross reference table (the line just above the %%EOF line).
Xref table structure
Object is free
Object is in use
Tools to analyze pdf files
• You can download from http://blog.didierstevens.com/programs/pdf-tools/
• Pdf-parser.py: This tool will parse a PDF document to identify the fundamental elements used in
the analyzed file. It will not render a PDF document.
• Pdfid.py: This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords,
when opened. PDFiD will also handle name obfuscation.
• Other tools:PeePdf.py
• Online tools:
e. pdf stream dumper.
Strings in pdf
• Almost every PDF documents will contain the first 7 words (obj
through startxref), and to a lesser extent stream and endstream.
• /Page gives an indication of the number of pages in the PDF
document. Most malicious PDF document have only one page eg.You
won a lottery mail.
• /Encrypt indicates that the PDF document has DRM or needs a
password to be read.
• /ObjStm counts the number of object streams. An object stream is a
stream object that can contain other objects, and can therefore be
used to obfuscate objects (by using different filters).
Strings in pdf
documents without malicious intend.
• /AA and /OpenAction indicate an automatic action to be performed
when the page/document is viewed. All malicious PDF documents
• Let’s see a demo
Drawbacks in pdfid.py
• Because PDFiD is just a string scanner (supporting name obfuscation),
it will also generate false positives. For example, a simple text file
starting with %PDF-1.1 and containing words from the list will also be
identified as a PDF document.
What you can do?
• Scan pdf files with anti-malware application.
• Scan with online scanners like virustotal.com and malwr.com(cuckoo).