On December 14th, Symantec and Shadowserver reported a new zero-day vulnerability in the wild affecting Adobe Reader. It is now identified as CVE-2009-4324. Adobe acknowledged it on their website, saying they are investigating the issue. As usual, this is not the first time PDFs have been targeted for exploitation. Earlier we saw Flash files being targeted, taking advantage of a known vulnerability in the wild. This time it is an Adobe zero-day vulnerability being exploited in the wild. A colleague provided me with a sample PDF file exploiting this vulnerability in the wild, and I started looking into it in depth. The PDF file was obfuscated and not in a readable format. I used my favorite tool, “pdf-parser.py” from PDF Tools. I ran the malicious PDF file through this parser and saved the output for every element of the PDF file to a text file. Here is how it looks:
The screenshots above show some of the interesting blocks, which were used to uncover the malicious code inside. The “pdf-parser.py” tool has some very good options for parsing specific objects inside the file. I looked at the documentation of the tool and some of the options looked valuable to me. Here are some options and their documentation, copied directly from the PDF Tools site.
“Filter option applies the filter(s) to the stream. For the moment, only FlateDecode is supported (e.g. zlib decompression). The raw option makes pdf-parser output raw data (e.g. not the printable Python representation). Objects outputs the data of the indirect object which ID was specified. This ID is not version dependent. If more than one object has the same ID (disregarding the version), all these objects will be outputted.”
This is exactly what we need to run against suspicious blocks or objects inside the PDF file. I then ran a command against object ID 110, like this:
D:\>pdf-parser.py --object=110 --raw --filter malicious-file.pdf > output.log
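To make clear what that command actually does under the hood, here is an added example (my own code, not part of the original post and not the pdf-parser.py or PDF Tools code): a small Python script that locates indirect objects in a PDF, pulls out the stream of a given object ID, applies FlateDecode (zlib) to it, and then runs a quick triage pass over the decoded streams for the constructs an analyst checks first (an /OpenAction in the catalog, JavaScript actions, and common obfuscation tokens in script text). The PDF it works on is a constructed sample built in memory; it is not the malicious file from the post, the object ID 110 is simply chosen to mirror the command above, and the script contents and the list of suspicious tokens are assumptions for illustration. It goes slightly beyond the single command by adding the triage step.

```python
import re
import zlib

# Constructed sample, not the malicious PDF from the post: one FlateDecode
# stream (object 110, mirroring the object id used above) holding a harmless
# script, wired to /OpenAction so it would run when the document opens.
SAMPLE_JS = b'var s = unescape("%41%42"); app.alert(s);'

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
FLATE_RE = re.compile(rb"/Filter\s*\[?\s*/FlateDecode")

# Script tokens common in obfuscated PDF JavaScript (assumed heuristic list).
SUSPICIOUS_TOKENS = (b"unescape", b"eval", b"String.fromCharCode", b"%u")


def build_sample_pdf():
    """Assemble the constructed sample PDF in memory."""
    body = zlib.compress(SAMPLE_JS)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /JS 110 0 R >>\nendobj\n",
        b"110 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def parse_objects(data):
    """Return {object_id: (dictionary_bytes, raw_stream_bytes_or_None)}.

    Object ids are treated as version independent, as in the quoted
    documentation; a later copy of the same id overwrites the earlier one.
    """
    objects = {}
    for m in OBJ_RE.finditer(data):
        obj_id, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        if s is None:
            objects[obj_id] = (body.strip(), None)
            continue
        header = body[: s.start()]
        length = LENGTH_RE.search(header)
        if length:  # trust /Length, so binary data containing keywords is safe
            raw = body[s.end(): s.end() + int(length.group(1))]
        else:       # no /Length: fall back to the endstream keyword
            raw = body[s.end(): body.rfind(b"endstream")].rstrip(b"\r\n")
        objects[obj_id] = (header.strip(), raw)
    return objects


def decode_stream(header, raw):
    """Apply the stream filter, the equivalent of pdf-parser's --filter.

    Only FlateDecode is handled (the same limitation the post quotes);
    any other filter is returned raw so the analyst can still inspect it.
    """
    if FLATE_RE.search(header):
        return zlib.decompress(raw)
    return raw


def extract_object(data, obj_id):
    """Equivalent of: pdf-parser.py --object=ID --raw --filter file.pdf"""
    header, raw = parse_objects(data)[obj_id]
    return decode_stream(header, raw) if raw is not None else header


def triage(data):
    """Flag the constructs an analyst looks for first in a suspicious PDF."""
    findings = []
    for obj_id, (header, raw) in sorted(parse_objects(data).items()):
        if b"/OpenAction" in header:
            findings.append("obj %d: /OpenAction (runs on open)" % obj_id)
        if b"/JavaScript" in header or b"/JS" in header:
            findings.append("obj %d: JavaScript action" % obj_id)
        if raw is None:
            continue
        try:
            content = decode_stream(header, raw)
        except zlib.error:
            findings.append("obj %d: FlateDecode stream failed to inflate" % obj_id)
            continue
        for tok in SUSPICIOUS_TOKENS:
            if tok in content:
                findings.append("obj %d: stream contains %s" % (obj_id, tok.decode()))
    return findings


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(extract_object(pdf, 110).decode())
    for line in triage(pdf):
        print(line)
```

Reading the stream by its /Length rather than scanning for the endstream keyword matters on real samples: compressed data can legitimately contain bytes that look like PDF keywords, and malicious files sometimes abuse that to confuse naive parsers. The triage output is only a pointer to what to decode next; the decoded script still has to be deobfuscated by hand or in a tool such as Malzilla.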
From here it was easy to work. I opened the Malzilla (malware hunting) tool and copied the script above into its decoder section. I clicked the ‘Run Script’ button and got another script, this one in readable format. Here is how it looked:
Let’s copy this into a text file so that we can see the whole script. This is a screenshot of the full script used in the PDF file:
That’s it for now. Happy hunting!!!