Today was the first time I was able to analyze malicious PDFs. I previously knew nothing about how to treat these potential infections, but learned the tactics through research.
Malicious PDFs usually spread through spam emails, depending on uneducated users to open the PDF attachment. The PDFs will generally execute malicious code when opened, exploiting a vulnerability in an outdated version of Adobe Reader or Java to open a backdoor into the system. From there, the infection will call home every so often, waiting for instructions by an attacker.
Therefore, handling these files is a bit different from playing around with a malicious executable or DLL. Standard static analysis tools (like PE Explorer, PEiD) do not support PDF files. Uploading the file to VirusTotal also showed no results. Everything I previously knew about static analysis did not apply in this case. Fortunately, there is a series of free tools out there that will help identify what kind of PDF you’re looking at. Disclaimer: Tools by Didier Stevens can be found here
I started off by using a tool called PDFiD by Didier Stevens. This tool is really helpful for seeing which keywords and strings appear within a PDF. It’s a Python script, so it has to be run from the command line (Python also needs to be installed). In the command prompt, navigate to the directory where the script is stored and run “pdfid.py filename.pdf” to get the output (on a Mac, Python is pre-installed, so the command would be “python pdfid.py filename.pdf”).
The timestamps are represented as yyyymmddhhmmss (so in this case, the file was created on 7/24/2012 at 00:28:27 [12:28:27 am]). The PDF IDs are MD5 hash values of the information within the metadata, used to help identify the document. Also, in this case the Title is different from the Filename — something to keep in mind.
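To make the two steps above concrete (keyword counting the way PDFiD does it, and reading the yyyymmddhhmmss timestamp), here is a small added example written for this post. It is not Didier Stevens’ code and not the output of PDFiD itself; it reproduces the idea on a constructed, harmless sample PDF (the `SAMPLE_PDF` bytes below are made up for the demo, and the `/JS` entry holds placeholder text rather than any script). It also shows why a raw string search is not enough: PDF names can be hex-escaped (`/J#53` is the same name as `/JS`), so the counter normalizes names before matching, as PDFiD does.

```python
"""Mini PDFiD-style keyword counter plus PDF date parser.

Added example for this post; not Didier Stevens' PDFiD. The sample PDF and
all numbers in it are constructed for the demo.
"""
import re
from datetime import datetime

# Keywords that PDFiD reports. Names start with '/'; the rest are structural tokens.
KEYWORDS = [
    "obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
    "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
    "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch",
]
# Names whose presence means the file deserves a closer look (scripts,
# automatic actions, external launches, or decoders with a history of bugs).
SUSPICIOUS = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
              "/JBIG2Decode", "/RichMedia"}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%{}]*")
# '#xx' inside a name is a hex escape for one byte (/J#53 == /JS).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# PDF date strings look like D:yyyymmddhhmmss (time part optional, tz ignored here).
_DATE_RE = re.compile(rb"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?")

# Constructed sample: one page whose open action and page action point at a
# JavaScript action object. The JS name is hex-escaped to exercise normalization.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S /JavaScript /J#53 (placeholder script text) >>
endobj
5 0 obj
<< /Title (Invoice) /CreationDate (D:20120724002827) >>
endobj
xref
0 6
trailer
<< /Root 1 0 R /Info 5 0 R >>
startxref
0
%%EOF
"""


def normalize_name(raw: bytes) -> bytes:
    """Undo '#xx' hex escapes in a PDF name so /J#53 compares equal to /JS."""
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), raw)


def count_keywords(data: bytes) -> dict:
    """Count PDFiD-style keywords in raw PDF bytes (no PDF parsing needed)."""
    counts = {k: 0 for k in KEYWORDS}
    # Name keywords: take each /Name token, normalize escapes, then compare whole names,
    # so /Pages is not counted as /Page.
    for m in _NAME_RE.finditer(data):
        name = normalize_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    # Structural keywords: whole-word matches, so "endobj" is not also counted as "obj"
    # and "startxref" is not also counted as "xref".
    for kw in KEYWORDS:
        if not kw.startswith("/"):
            counts[kw] = len(re.findall(rb"\b" + kw.encode() + rb"\b", data))
    return counts


def suspicious_keywords(counts: dict) -> list:
    """Return the suspicious names that occur at least once, sorted for stable output."""
    return sorted(k for k in SUSPICIOUS if counts.get(k, 0) > 0)


def parse_pdf_date(raw: bytes):
    """Parse 'D:yyyymmddhhmmss' into a datetime; missing time fields default to 0."""
    m = _DATE_RE.match(raw)
    if not m:
        return None
    parts = [int(g) if g else 0 for g in m.groups()]
    return datetime(*parts)


def creation_date(data: bytes):
    """Pull the /CreationDate string out of the raw bytes and parse it."""
    m = re.search(rb"/CreationDate\s*\((D:[^)]*)\)", data)
    return parse_pdf_date(m.group(1)) if m else None


if __name__ == "__main__":
    counts = count_keywords(SAMPLE_PDF)
    for k, v in counts.items():
        print(f"{k:<14}{v}")
    print("suspicious:", suspicious_keywords(counts))
    print("created:", creation_date(SAMPLE_PDF))
```

Run it with `python` and the keyword table shows `/JS 1` even though the file never contains the literal bytes `/JS`, which is the point of the normalization step; the date line shows the same 7/24/2012 00:28:27 value discussed above, taken from the constructed `/CreationDate` entry.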
Even though the file was “boring”, it was still a great day learning about all this!