5. Example of PDF Language Intro
String obfuscation
/JS (app.alert({cMsg: 'Hello from PDF JavaScript'});)
/JS <61 70 70 2E 61 6C 65 72 74 28 7B 63 4D 73 67 3A
20 27 48 65 6C 6C 6F 20 66 72 6F 6D 20 50 44 46
20 4A 61 76 61 53 63 72 69 70 74 27 7D 29 3B>
6. Day 1: Simple Analysis Exercises
20 simple exercises with benign PDFs*
Understanding malicious PDFs
Getting familiar with PDF analysis tools:
pdfid
pdf-parser
…
*You also get my screencasts for these simple exercises
7. Day 1: Simple Analysis Exercises
Example: extracting payload from PDF
pdf-parser.py -s /EmbeddedFile ex013.pdf
pdf-parser.py -o 8 -f -d file.exe ex013.pdf
8. Day 1: Complex Analysis Exercises
The Real Deal
Analyzing “in the wild” PDF malware
5+ exercises
9. Day 1: Complex Analysis Exercises
Example:
3-The Obama Administration and the Middle East.pdf.zip
Learn to find the exploit, extract the shellcode and analyze it with a shellcode simulator
10. Day 2: PDF Creation
A full day learning how to create PDFs “For Fun and Profit” with Python tools
11. Day 2: PDF Creation
You receive my private PDF creation tools
12. Day 2: PDF Creation
Receive private mPDF module + documentation
Create New PDFs
Modify Existing PDFs
All from Python, no Adobe products required
13. Day 2: PDF Creation
Receive many private PDF creation & modification tools
Example:
t-modify-pdf-incremental-update.py
Learn to modify Mandiant_APT1_Report.pdf
14. Day 2: PDF Creation
Example:
PDF fuzzer to find vulnerabilities in PDF readers
Smart Fuzzing of JPEG embedded in PDF
16. Day 2: PDF Creation
Learn how to bypass AV and IDS detection with PDF obfuscation
17. Day 2: PDF Creation
Learn the internal details of my /Launch exploit and use the automated creation tool
18. Summary
Learn how to analyze and create PDFs in 2 days from a malicious PDF expert
Receive many of my private, unreleased tools
No need to be a Python expert, just have basic skills to modify a Python script
No shellcode skills needed
Check each exercise PDF document with PDFiD and pdf-parser.
Password for encrypted ZIP files: infected

ex001.pdf    Plain text PDF document without JavaScript
             pdf-parser.py ex001.pdf
ex002.pdf    PDF document without JavaScript, text is compressed (FlateDecode)
             pdf-parser.py -o 5 -f ex002.pdf
ex003.pdf    PDF document without JavaScript, text is compressed (FlateDecode & ASCIIHexDecode)
             pdf-parser.py -o 5 -f ex003.pdf
ex004.pdf    PDF document with JavaScript, without action
             pdf-parser.py -o 7 ex004.pdf
ex005.pdf    PDF document with JavaScript, with open action
             pdf-parser.py -o 7 ex005.pdf
ex006.pdf    PDF document with JavaScript, with open action, JavaScript is compressed
             pdf-parser.py -o 8 -f ex006.pdf
ex007.pdf    PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed
             pdf-parser.py -o 8 -f ex007.pdf
ex008.pdf    PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed
             pdf-parser.py -o 8 -f ex008.pdf
ex009.pdf    PDF document with JavaScript, with open action, JavaScript is obfuscated via annotation and compressed
             pdf-parser.py -o 9 -f ex009.pdf
ex010.pdf    PDF document with JavaScript, with open action, JavaScript is obfuscated via object stream
             pdf-parser.py -o 1 -f ex010.pdf
ex011.pdf    PDF document with JavaScript, with open action, JavaScript triggers util.printf bug
             pdf-parser.py -o 7 ex011.pdf
ex012.pdf    PDF document with JavaScript, with open action, JavaScript executes heap spray and triggers util.printf bug
             pdf-parser.py -o 7 ex012.pdf
ex013.pdf    PDF document with embedded file
             pdf-parser.py -o 8 -f -d file.exe ex013.pdf
ex014.pdf    Malformed PDF document with file appended at the end
             pdf-parser.py -x file.exe ex014.pdf
ex015.pdf    PDF document with JavaScript in AcroForm
             pdf-parser.py -o 8 -f ex015.pdf
ex016.pdf    PDF document with metadata XML-bomb (small), trigger with JavaScript
             pdf-parser.py -o 7 -f ex016.pdf
ex017.pdf    PDF document with JavaScript, with open action, JavaScript switches to full screen
             pdf-parser.py -o 7 ex017.pdf
secret.pdf   PDF document with /Launch action and embedded executable
             pdf-parser.py -o 7 secret.pdf
ex019.pdf    PDF document with JavaScript, with open action, PDF document is encrypted with owner password
             qpdf --decrypt ex019.pdf ex019-decrypted.pdf
             pdf-parser.py -o 2 ex019-decrypted.pdf
ex020.pdf    PDF document with JavaScript, with open action, PDF document is encrypted with user password (password is secret)
             qpdf --decrypt --password=secret ex020.pdf ex020-decrypted.pdf
             pdf-parser.py -o 2 ex020-decrypted.pdf