Hackers are becoming more sophisticated and are investing resources to evade anti-malware detection. As recent breaches have shown, hackers are already seeing the fruits of their labor. In these spear-phishing attacks, the hacker gained access by sending out files (whether PDF, Excel or Word docs) to company employees. All that was needed was a single individual to open that file – and the attacker penetrated the organization.
How do hackers hide their code in the file? A couple of months ago, we published a PDF Hack in Action which showed how the attackers embed their malicious code within a PDF file. But we left you wondering what that malicious code really does.
Tomer Bitton from our ADC provides that missing link. In this four-part analysis he shows how to pinpoint the existence of the malicious code (in hacker lingo – the shellcode), extract that shellcode, analyze its behavior, and finally, he presents the complete shellcode flow graph.
This analysis is extremely technical and complicated, so a defibrillator may come in useful.
Step 1: Finding the Hidden Shellcode Within a Malicious PDF
Using pdf-parser.py (Didier Stevens’s great tool) we can track down the structure of the malicious PDF.
First, let’s look for JavaScript:
Deobfuscating the objects:
Next, we use the Malzilla tool for running the scripts:
Great, let’s paste it into a text file:
What we see is a PDF that tries to exploit 3 vulnerabilities:
CVE-2008-2992 by function util_printf()
CVE-2007-5659 by function collab_email()
CVE-2009-0927 by function collab_geticon()
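The triage steps above (locate the JavaScript objects, decode their streams, check which vulnerable calls they reach) can be scripted for a first pass. This is an added example, not code from the original post or from pdf-parser.py; it assumes the Acrobat JavaScript API names util.printf, Collab.collectEmailInfo and Collab.getIcon as the calls tied to the three CVEs, and the sample PDF fragment is constructed and contains only harmless script text.

```python
import re
import zlib

# Assumption: Acrobat JavaScript APIs associated with the three CVEs above.
SUSPECT_APIS = {
    b"util.printf": "CVE-2008-2992",
    b"Collab.collectEmailInfo": "CVE-2007-5659",
    b"Collab.getIcon": "CVE-2009-0927",
}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)

def split_object(body):
    """Split an object body into (dictionary part, decoded stream data)."""
    m = STREAM_RE.search(body)
    if not m:
        return body, b""
    head, raw = body[:m.start()], m.group(1)
    if b"/FlateDecode" in head:
        try:
            raw = zlib.decompressobj().decompress(raw)
        except zlib.error:
            raw = b""  # damaged stream or other filters: review by hand
    return head, raw

def triage(pdf_bytes):
    """Map object number -> findings for objects that carry or run script."""
    report = {}
    for num, _gen, body in OBJ_RE.findall(pdf_bytes):
        head, data = split_object(body)
        hits = sorted(cve for api, cve in SUSPECT_APIS.items() if api in head + data)
        has_js = b"/JS" in head or b"/JavaScript" in head
        if has_js or hits:
            report[int(num)] = {"javascript_key": has_js, "cves": hits}
    return report

# Constructed sample: harmless script text, no exploit payload.
_JS = b'util.printf("%d", 1); Collab.getIcon("a");'
_Z = zlib.compress(_JS)
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Length " + str(len(_Z)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _Z + b"\nendstream\nendobj\n"
    b"3 0 obj\n<< /Type /Page >>\nendobj\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty result is not a verdict: the script inside a stream may itself be obfuscated and only reveal these calls after it is run in a tool such as Malzilla.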
In the next entry we’ll extract that shellcode.

