By: ThreatLabz

In The Wild PDF Exploits Using A Combination Of “ASCIIHexDecode” And” ASCII85Decode” Filters

Exploit

In the last few months, we have seen many blogs on PDF exploits related to filters like “ASCIIHexDecode”, “FlateDecode”, etc., being used to avoid Antivirus detection. The idea employed by attacker’s leverages different filtering techniques to hide malicious data so that it will be difficult to understand and decode. We have encountered many PDF exploits where either “[/FlateDecode /ASCIIHexDecode]” or “[/FlateDecode /ASCII85Decode]” filters are used. As defined by gnupdf, “the ASCIIHexDecode filter decodes data that has been encoded in ASCII hexadecimal form” and “the ASCII85Decode filter decodes data that has been encoded in ASCII base-85 encoding and produces binary data”. Interestingly, we have found another case, which Zscaler blocks, whereby both of the filters are used in the same PDF on different objects. This technique can be used to hide malicious code inside the PDF.

The following sample is still live on the web. Let’s open it in notepad and search for the “ASCIIHexDecode” or “ASCII85Decode” filters to see if they are used. Here is the screenshot where the “ASCIIHexDecode” filter is used:

If you look at the above image, there is something suspicious, a non-readable block of code in the 18 object with a length of 19343. The PDF is not blank and contains 4 pages text. The malicious code is injected toward the bottom of the PDF to avoid detection. Let’s decode it to see if it contains malicious JavaScript. The tool “pdf-parser.py” from PDF Tools supports both of the filters and easily decodes the code inside.

The decoded script is now shown above. The above malicious script is using special characters like @, _, ?, !, $, etc for substitution in one of the variables. If we remove these characters from the variable, you will see clear text malicious JavaScript code inside. Looking at the above JavaScript code, it does not contain any functionality to replace or remove these characters. Without such functionality, the code would be incomplete. We therefore need to look for additional functionality elsewhere in the PDF file. We later found another filter called “ASCII85Decode”, which included some additional suspicious code. Here it is:

Let’s decode this further using “pdf-parser.py” tool. The below command is used to decode this particular object.
D:\pdf-parser.py --object=20 --raw --filter withSearch.pdf > out2.log
Here is the decoded script for this filter,

That’s it. It does indeed contain additional malicious JavaScript. This is an interesting case where the script is divided into two parts, encoded using different filters and used in two different objects. This is done intentionally by the attacker to fool Antivirus engines and avoid detection. Let’s decode this script to see which PDF vulnerabilities it targets.

The above malicious JavaScript targets 3 old vulnerabilities,
  1. collectEmailInfo() – CVE-2007-5659
  2. Collab.getIcon() – CVE-2009-0927
  3. .printf() – CVE-2008-2992
The above example showed that attackers are using different techniques to avoid Antivirus detection using different filtering mechanisms. Also, attackers are now splitting the scripts into parts, encoding them with different filtering techniques and putting them into different objects. Using this approach increases the complexity of decoding/detection. There are number of live PDF exploits on the web using these filtering techniques. Detection rates for the above example are very low. Only 13 antivirus vendors out of 42 detect this sample. The Virustotal results show that a number of popular Antivirus vendors are still missing the detection. This also shows that you can’t rely on a single protection mechanism like installing only an antivirus engine on your system. A combination of antivirus, IDS/IPS, URL filtering/categorization, etc is necessary in order to provide a defense-in-depth approach to security. We have seen an increase in client-side attacks like this as opposed to traditional server-side attacks. Attackers are not only targeting popular applications like PDF, Flash, etc., but they are also using a variety of techniques to deliver their malicious code as well.

That’s it for now. Be Safe.

Umesh

Learn more about Zscaler.