Starting to Examine the Malicious PDF File
To get a general sense for how to analyze malicious PDF files, take a look at my Analyzing Malicious Documents Cheat Sheet. From the tools perspective, Didier Stevens' pdf-parser is an all-time favorite. Another excellent tool, which sports a user-friendly GUI, is PDF Stream Dumper by "Dave".
Malicious PDF Sample
For our sample, we'll use the malicious PDF file "The Obama Administration and the Middle East.pdf" that was documented on Contagio Malware Dump. The file was sent to its targets as an attachment to an email message that looked like this:
The file name of the attachment varied. The screenshot is, again, courtesy of Contagio Malware Dump.
PDF Stream Dumper to Locate and Extract Flash Programs
We can use PDF Stream Dumper to examine the structure and contents of the malicious PDF file. Its Search_For menu allows us to quickly locate risky PDF objects, including Flash:
The tool shows that object 2 contains an embedded Flash program:
To extract the Flash program, right-click on the object that contains it (that's item #2 in the left column) and select Save Decompressed Stream. You should now be able to examine the Flash program the way you would any other malicious Flash file (more on that below).
Pdf-parser to Locate and Extract Flash Programs
Another program that can help you locate malicious Flash objects in a PDF file is pdf-parser. For instance, you may be able to locate the object that stores the Flash program by running "pdf-parser --search flash":
You can extract the object's contents by using "pdf-parser --object 2 --raw > flash.swf". Because pdf-parser inserts additional information at the beginning of its output, you'll need to use your favorite editor to remove all text lines leading up to the start of the Flash code, which in this case begins with the letters "CWS".
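The manual step above (deleting everything in pdf-parser's raw dump that precedes the "CWS" signature) can be scripted. The Python below is an added example, not code from this post or from pdf-parser: it carves the SWF out of a raw object dump, validates the 8-byte SWF header and, because "CWS" marks a zlib-compressed file, inflates it to an uncompressed "FWS" that disassemblers read directly. The pdf-parser-style header text and the stream body it uses are constructed stand-ins, not bytes from the real sample.

```python
"""Carve an embedded SWF out of pdf-parser's raw object dump and, if it is
zlib-compressed (CWS), rewrite it as an uncompressed FWS for disassemblers.
Added example; not code from the original post or from pdf-parser."""
import struct
import zlib

SWF_SIGNATURES = (b"CWS", b"FWS", b"ZWS")  # zlib, uncompressed, LZMA
SAMPLE_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00\x00\x00"  # constructed


def build_sample_dump() -> bytes:
    """Constructed pdf-parser-style output (not the real sample): header text, then a CWS."""
    header = b"obj 2 0\n Type: /EmbeddedFile\n Contains stream\n"
    length = 8 + len(SAMPLE_BODY)  # the SWF length field includes the header
    swf = b"CWS" + bytes([10]) + struct.pack("<I", length) + zlib.compress(SAMPLE_BODY)
    return header + swf


def carve_swf(raw: bytes) -> bytes:
    """Return everything from the first SWF signature onwards."""
    hits = [raw.find(sig) for sig in SWF_SIGNATURES if sig in raw]
    if not hits:
        raise ValueError("no SWF signature (CWS/FWS/ZWS) found")
    return raw[min(hits):]


def parse_swf_header(swf: bytes) -> dict:
    """Parse the 8-byte header: signature, version, declared total length."""
    if len(swf) < 8 or swf[:3] not in SWF_SIGNATURES:
        raise ValueError("not a SWF header")
    (length,) = struct.unpack("<I", swf[4:8])
    return {"signature": swf[:3].decode(), "version": swf[3], "length": length}


def decompress_swf(swf: bytes) -> bytes:
    """Convert CWS to FWS; pass FWS through unchanged; ZWS (LZMA) is rejected."""
    hdr = parse_swf_header(swf)
    if hdr["signature"] == "FWS":
        return swf
    if hdr["signature"] == "ZWS":
        raise ValueError("ZWS (LZMA) is not handled by this example")
    out = b"FWS" + swf[3:8] + zlib.decompress(swf[8:])
    if len(out) != hdr["length"]:  # a truncated or tampered stream shows up here
        raise ValueError(f"header says {hdr['length']} bytes, got {len(out)}")
    return out


if __name__ == "__main__":
    swf = carve_swf(build_sample_dump())
    print(parse_swf_header(swf))  # {'signature': 'CWS', 'version': 10, 'length': 23}
```

On a real dump, replace build_sample_dump() with the bytes of the flash.swf file written by pdf-parser and save the result of decompress_swf() to disk before handing it to swfdump.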
You can use pdf-parser on both Linux and Windows, as long as Python is installed. For this example, I'm using REMnux, which is my Linux distribution that includes common malware analysis tools.
Analyzing the Malicious Flash Program
A number of tools can examine the contents of a Flash program and extract embedded ActionScript. For instance, SWFDump, part of the free SWFTools distribution, can do the trick if you call it using "swfdump -Ddu":
SWFDump disassembles any ActionScript it locates within the Flash program. In our example, the code implements heap-spraying, presumably to transfer control to the attacker's code once the Flash vulnerability is exploited:
A promising tool for Flash analysis that might someday offer an alternative to SWFDump is SWFRETools, released by Sebastian Porst. Unfortunately, the development of this tool seems to have stalled. Another very promising tool for examining SWF files is SWF Investigator by Adobe.
Examining this code is beyond what I'd like to cover in this posting. Fortunately, Hermes Bojaxhi documented his analysis of the same (or a very similar) sample. Take a look there if this topic interests you.
We still have much to learn about dealing with Flash programs in PDF files. If you can recommend additional tools or techniques, please leave a comment.
Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.