JSignPDF is a program that can help you add passwords and digital signatures to PDF documents, so as to protect your work against unauthorized usage. This software application has two different modes it can operate in: a simple one that consists of a few features, perfect for novice users, and an advanced view in which more experienced users can add more layers of protection to their projects. The interface is minimal and therefore does not get in the way of the actions you need to take.

JSignPDF enables you to add rights to all uploaded PDFs, such as allowing or disallowing printing, copying, filling in, and modifying annotations or contents. You have the possibility of choosing from a wide range of keystore types (JKS, Windows-Root, BKS, etc.), adding a file of this type and entering a password. This software utility enables you to encrypt PDF files with passwords or certificates. If the latter option is chosen, then you are required to input a certificate file for encryption from your hard drive and choose a certification level (not certified, no changes allowed, form filling allowed, form filling and annotations allowed).

The program lets you add a visible signature, be it an image or a text body, on a specified page and at a custom position (by inputting values on the X and Y axes). After all the data is entered, you can see how it is going to look with the help of the "Preview" button.

In conclusion, JSignPDF is a piece of software that can help you protect PDF files from unauthorized usage. There are many encryption types you can choose from and two different modes to switch between.

Chances are you've probably used Adobe Reader before to read Portable Document Format (PDF) files. Adobe Reader (formerly Acrobat Reader) remains the number one program used to handle PDF files, despite competition from others. However, Adobe Reader has a history of vulnerabilities and gets exploited quite a bit. Once exploitation succeeds, a malware payload can infect a PC using elevated privileges.

For these reasons, it's good to know how to analyze PDF files, but analysts first need a basic understanding of a PDF before they deem it malicious. Here is the information you'll need to know.

A PDF file is essentially just a header, some objects in between, and then a trailer. Some PDF files don't have a header or trailer, but that is rare. The objects can be either direct or indirect, and there are eight different types of objects. Direct objects are inline values in the PDF (/FlateDecode, /Length, etc.), while indirect objects have a unique ID and generation number (obj 20 0, obj 7 0, etc.). Indirect objects are usually what we're paying attention to when analyzing PDF malware, and they can be referenced by other objects in a PDF file.

Knowing that, let's look at some PDF malware. We're going to observe a PDF that exploits CVE-2010-0188, a very common exploit found in the wild. For reference purposes, the MD5 hash of our target file is 9ba98b495d186a4452108446c7faa1ac.

The first thing we need is analysis tools. I find the PDF tools by Didier Stevens to be some of the best out there. Stevens' tools are all written in Python and are very well documented. For this particular malware, we'll be using Stevens' tools along with some other tools used to de-obfuscate and debug code.

PDFiD is the first tool we will use, and is a very simple script that searches for suspicious keywords. Here is the output from the scan of our target file. The output from PDFiD reports there are nine objects. From those objects there are two streams, along with an AcroForm object.

For this, we're going to use a different tool by Stevens called pdf-parser, which will take a closer look at specific PDF objects. The AcroForm object references object 21 below. From object 21, we see the text "XFA", which stands for XML Forms Architecture, an Adobe format used for PDF forms. Next to XFA we see two objects referenced: obj 100 and 8. Since there is no obj 100, we'll take a look at obj 8 instead.
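The PDF structure and the PDFiD/pdf-parser triage described above, as an added example (not Didier Stevens' code, and not code from the original page): a small Python script that builds a constructed sample PDF in memory, counts suspicious keywords the way PDFiD does, indexes the indirect objects (number, generation, body) the way pdf-parser does, and follows the /AcroForm to /XFA references, flagging any referenced object number that is absent from the file, which is the situation with the missing obj 100 above. The sample PDF bytes, its object numbers and the keyword list are assumptions made for this example.

```python
"""Minimal PDF triage in the spirit of PDFiD and pdf-parser.

Added example, not Didier Stevens' code.  Builds a constructed PDF in memory,
counts suspicious keywords, indexes indirect objects, and follows the
/AcroForm -> /XFA reference chain, reporting references to objects that do
not exist in the file.
"""
import re

# Keywords a PDFiD-style scan looks for (a subset chosen for this example).
KEYWORDS = (b"obj", b"endobj", b"stream", b"endstream", b"/AcroForm", b"/XFA",
            b"/JS", b"/JavaScript", b"/OpenAction", b"/Launch", b"/EmbeddedFile")

# Constructed sample PDF (not a real malicious file).  Object 21 is the
# AcroForm dictionary; its /XFA array references obj 100 (absent) and obj 8.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm 21 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"8 0 obj\n<< /Length 22 >>\nstream\n<xdp:xdp>...</xdp:xdp>\nendstream\nendobj\n"
    b"21 0 obj\n<< /Fields [] /XFA [(template) 100 0 R (datasets) 8 0 R] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj ... endobj" delimits an indirect object; "N G R" is a reference to one.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")


def count_keywords(data: bytes) -> dict:
    """PDFiD-style counts; word-bounded so 'endobj' is not also counted as 'obj'."""
    counts = {}
    for kw in KEYWORDS:
        pattern = rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z0-9])"
        counts[kw.decode()] = len(re.findall(pattern, data))
    return counts


def index_objects(data: bytes) -> dict:
    """Map object number -> raw body of each indirect object in the file."""
    return {int(m.group(1)): m.group(3).strip() for m in OBJ_RE.finditer(data)}


def references(body: bytes) -> list:
    """Object numbers referenced from a body via 'N G R'."""
    return [int(m.group(1)) for m in REF_RE.finditer(body)]


def dangling_references(objects: dict) -> dict:
    """Object number -> referenced object numbers that do not exist in the file."""
    result = {}
    for num, body in objects.items():
        missing = [ref for ref in references(body) if ref not in objects]
        if missing:
            result[num] = missing
    return result


def xfa_targets(objects: dict) -> list:
    """Follow /AcroForm -> /XFA and return (object number, present-in-file) pairs."""
    for body in objects.values():
        form_ref = re.search(rb"/AcroForm\s+(\d+)\s+\d+\s+R", body)
        if form_ref:
            form = objects.get(int(form_ref.group(1)), b"")
            xfa = re.search(rb"/XFA\s*\[(.*?)\]", form, re.DOTALL)
            if xfa:
                return [(n, n in objects) for n in references(xfa.group(1))]
    return []


def triage(data: bytes) -> dict:
    """Run the three checks and return one report dictionary."""
    objects = index_objects(data)
    return {
        "keywords": count_keywords(data),
        "object_count": len(objects),
        "dangling": dangling_references(objects),
        "xfa": xfa_targets(objects),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for name, count in report["keywords"].items():
        print(f"{name:14} {count}")
    print("objects:", report["object_count"])
    print("dangling references:", report["dangling"])
    for num, present in report["xfa"]:
        print(f"/XFA -> obj {num}: {'present' if present else 'MISSING, skip it'}")
```

Run against a real sample, `count_keywords` gives the same kind of quick signal PDFiD does (an /AcroForm plus /XFA with no /JavaScript is exactly the profile the article is looking at), and `xfa_targets` reproduces the manual step of resolving the /XFA references: obj 100 is reported as missing and obj 8 as the one worth opening. The regexes are deliberately simple and will not handle object streams, cross-reference streams or encrypted files; for those, use pdf-parser itself.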