Digital investigation of a malicious backdoor PDF



In this post we are going to investigate a malicious PDF file. As most of us know, a PDF can carry embedded objects, JavaScript code and encoded streams that are used to exploit the PDF reader, and these days this type of attack is very common: infected PDFs arrive through email and other messaging services all the time.


Basics Of PDF Structure


Before we begin investigating our PDF we need to know some basics of the PDF file format, since the analysis depends on them.

A PDF consists of four parts:

1. "Header": the first line of the file, which states the PDF version (for example %PDF-1.4).

2. "Body": the indirect objects that make up the document and define what the reader does with it, including embedded data such as scripting code, images and text.

3. "Cross-reference table" (xref): lists the byte offset of every object inside the file, so the reader can locate any object without scanning the whole file.

4. "Trailer": gives the location of the cross-reference table (via the startxref value) and of certain key objects in the body, such as the root /Catalog object.

Starting the analysis

For this analysis we will use a malicious PDF that opens a reverse TCP connection back to the attacker when the file is opened.



Now I am going to use peepdf for this, so type in a terminal: peepdf -i "location of the PDF file". The -i flag gives you an interactive console for further analysis of the file.




Peepdf automatically lists all the objects in the file which contain suspicious elements. Our sample contains a number of such objects; the elements peepdf flags are:

/OpenAction : defines an action that is performed automatically when the document is opened.

/AA : an optional entry (additional actions) that defines actions triggered by events, for example when a page is opened (the /O entry) or closed (the /C entry).

/JS : a text string or stream containing the JavaScript code to run when the action is triggered.

/Launch : an action that launches an application or opens a file; this is how a PDF can start cmd.exe.

/JavaScript : the action subtype (/S /JavaScript) that executes JavaScript code.



Analyzing the objects in the file

We will first analyze the objects with JS code, so let's see what's there. In the console type "object 27" and press return; peepdf prints the object's dictionary.



The /S entry describes the type of action to be performed. Here it is /JavaScript, so the object is going to execute JavaScript.


Now let's check the other suspicious element, the /Launch action, so type "object 28".



Here /S is /Launch, so the action launches a program. The /Win dictionary beneath it describes what to run on Windows: the application is cmd.exe, and /D sets the working directory the command starts in, which in this file is the system32 folder. The command-line parameters that follow (the /P entry of a /Win launch dictionary) search for the malicious PDF file on disk and then start it, so the code embedded inside it runs.
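The four-part structure from the "Basics Of PDF Structure" section and the keyword triage of the /OpenAction, /AA, /JS, /JavaScript and /Launch objects done above with peepdf can be reproduced in a few lines of Python. The following is an added example, not code from this post or from peepdf: it builds a small constructed PDF (arbitrary object numbers, a /Launch action for cmd.exe and a /JavaScript action; none of it is the sample file analysed in the post) with a correct cross-reference table, then parses the header, objects, trailer and startxref back out and flags the suspicious objects together with their decoded /S, /F, /D, /P and /JS entries.

```python
import re

# Keywords peepdf flags as suspicious and that the post walks through.
SUSPICIOUS = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch")

# Constructed sample objects (not the file analysed in the post; object numbers are
# arbitrary): a catalog whose /OpenAction is a /Launch action that runs cmd.exe, and a
# page whose /AA runs a /JavaScript action when the page is opened (/O).
OBJECTS = {
    1: rb"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    2: rb"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    3: rb"<< /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >>",
    4: rb"<< /Type /Action /S /Launch /Win << /F (cmd.exe) "
       rb"/D (C:\\Windows\\System32) /P (/C start sample.pdf) >> >>",
    5: rb"<< /Type /Action /S /JavaScript /JS (app.alert\(1\);) >>",
}


def build_pdf(objects, version=b"1.4"):
    """Assemble the four parts of a PDF (header, body, xref table, trailer) with real offsets.
    Assumes object numbers run contiguously from 1."""
    out = bytearray(b"%PDF-" + version + b"\n")
    offsets = {}
    for num in sorted(objects):
        offsets[num] = len(out)                      # xref needs the byte offset of "N 0 obj"
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objects[num])
    xref_pos = len(out)
    size = max(objects) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size   # entry 0 is always the free-list head
    for num in range(1, size):
        out += b"%010d 00000 n \n" % offsets[num]        # every xref entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos)
    return bytes(out)


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
STR_RE = rb"\s*\(((?:\\.|[^\\)])*)\)"   # a literal (...) PDF string, honouring backslash escapes


def parse_pdf(data):
    """Pull the version, the indirect objects, the trailer's /Root and the startxref offset."""
    version = re.match(rb"%PDF-(\d\.\d)", data).group(1).decode()
    objects = {int(num): body for num, _gen, body in OBJ_RE.findall(data)}
    trailer = re.search(rb"trailer\s*(<<.*?>>)", data, re.S).group(1)
    root = int(re.search(rb"/Root\s+(\d+)", trailer).group(1))
    startxref = int(re.search(rb"startxref\s+(\d+)", data).group(1))
    return version, objects, root, startxref


def pdf_string(raw):
    """Undo backslash escapes inside a literal (...) string."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def scan(objects):
    """Keyword triage of every indirect object: which suspicious entries it carries, the
    action subtype (/S) and the decoded /F, /D, /P and /JS strings, i.e. what the post
    reads off peepdf's "object" command."""
    findings = {}
    for num, body in objects.items():
        hits = [k.decode() for k in SUSPICIOUS
                if re.search(re.escape(k) + rb"(?![A-Za-z])", body)]
        if not hits:
            continue
        info = {"keywords": hits}
        s = re.search(rb"/S\s*/(\w+)", body)
        if s:
            info["action"] = s.group(1).decode()
        for key in (b"/F", b"/D", b"/P", b"/JS"):
            m = re.search(re.escape(key) + STR_RE, body)
            if m:
                info[key.decode()] = pdf_string(m.group(1))
        findings[num] = info
    return findings


def analyse(data):
    """Run the whole triage and also check that startxref really points at the xref table."""
    version, objects, root, startxref = parse_pdf(data)
    return {
        "version": version,
        "root": root,
        "xref_ok": data[startxref:startxref + 4] == b"xref",
        "findings": scan(objects),
    }


if __name__ == "__main__":
    report = analyse(build_pdf(OBJECTS))
    print("PDF version", report["version"], "root object", report["root"],
          "startxref valid:", report["xref_ok"])
    for num, info in sorted(report["findings"].items()):
        print(num, info)
```

The script only understands literal (...) strings and plain, uncompressed dictionaries. Real malicious PDFs usually hide the JavaScript or the launch string inside a FlateDecode stream, a hex string or a name split across escapes, which is exactly why you run peepdf (it decodes the stream filters and normalises names) rather than grep; the example just shows what the tool's object and js commands are looking at.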


Apart from this you can also view the PDF's metadata with the metadata command, which gives details such as creation and modification dates, author name and the producing application. These can also hint at what the file contains and how it was generated.




You can also run js_analyse with the object number to see what the JavaScript is going to do, and type help in the console to see the other useful commands.




So this was a basic walkthrough of investigating a PDF file. If you want to dig deeper, do a careful keyword-based analysis of the indirect objects so that you can work out every action the file performs (JavaScript and launched programs).


