Hackers are becoming more sophisticated and are investing resources to evade anti-malware detection. As recent breaches have shown, hackers are already seeing the fruits of their labor. In these spear-phishing attacks, the hacker gained access by sending out files (whether PDF, Excel or Word docs) to company employees. All that was needed was a single individual to open that file – and the attacker penetrated the organization.
How do hackers hide their code in the file? A couple of months ago, we published a PDF Hack in Action which showed how the attackers embed their malicious code within a PDF file. But we left you wondering what that malicious code really does.
Tomer Bitton from our ADC provides that missing link. In this four-part analysis he shows how to pinpoint the existence of the malicious code (in hacker lingo – the shellcode), extract that shellcode, analyze its behavior, and finally, he presents the complete shellcode flow graph.
This analysis is extremely technical and complicated so a defribilator may come in useful.
Step 1: Finding the Hidden Shellcode Within a Malicious PDF
Using pdf-parser.py (Didier Stevens’s great tool) we can track down the structure of the malicious PDF.
Deobfuscating the objects:
Next, we use the Malzilla tool for running the scripts:
Great, let’s paste it to txt file:
What we see is a PDF that tries to exploit 3 vulnerabilities:
CVE-2008-2992 by function util_printf()
CVE-2007-5659 by function collab_email()
CVE-2009-0927 by function collab_geticon()
In the next entry we’ll extract that shellcode.