In the last few months, we have seen many blogs on PDF exploits that use filters like “ASCIIHexDecode”, “FlateDecode”, etc., to avoid Antivirus detection. The idea employed by attackers leverages different filtering techniques to hide malicious data so that it is difficult to understand and decode. We have encountered many PDF exploits where either “[/FlateDecode /ASCIIHexDecode]” or “[/FlateDecode /ASCII85Decode]” filters are used. As defined by gnupdf, “the ASCIIHexDecode filter decodes data that has been encoded in ASCII hexadecimal form” and “the ASCII85Decode filter decodes data that has been encoded in ASCII base-85 encoding and produces binary data”. Interestingly, we have found another case, which Zscaler blocks, in which both filters are used in the same PDF on different objects. This technique can be used to hide malicious code inside the PDF.
The following sample is still live on the web. Let’s open it in notepad and search for the “ASCIIHexDecode” or “ASCII85Decode” filters to see if they are used. Here is the screenshot where the “ASCIIHexDecode” filter is used:
Let’s decode this further using the “pdf-parser.py” tool. The command below decodes this particular object:
D:\pdf-parser.py --object=20 --raw --filter withSearch.pdf > out2.log
Here is the decoded script for this filter, which targets the following vulnerabilities:
- collectEmailInfo() – CVE-2007-5659
- Collab.getIcon() – CVE-2009-0927
- .printf() – CVE-2008-2992
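To make the decoding step concrete, here is an added example in Python; it is not code from the original post and is not pdf-parser.py. It implements the ASCIIHexDecode and ASCII85Decode filters as the PDF specification defines them (whitespace ignored, end-of-data markers, odd trailing hex digit, partial ASCII85 groups), chains them with FlateDecode in the order a /Filter array lists them, and then runs a constructed two-object sample through the chain and flags the three vulnerable API names listed above. The sample script, the object numbers 20 and 21 and the filter chains are constructed for illustration only.

```python
import base64
import binascii
import zlib

# Adobe Reader JavaScript APIs named in the post and the CVE each is tied to;
# any of them in a decoded stream is a strong triage signal.
SUSPICIOUS_APIS = {
    "collectEmailInfo": "CVE-2007-5659",
    "Collab.getIcon": "CVE-2009-0927",
    "util.printf": "CVE-2008-2992",
}
PDF_WHITESPACE = b" \t\r\n\x0c\x00"

def _strip_whitespace(data: bytes) -> bytes:
    # Both ASCII filters ignore PDF whitespace anywhere in the encoded text.
    return bytes(c for c in data if c not in PDF_WHITESPACE)

def asciihex_decode(data: bytes) -> bytes:
    # ASCIIHexDecode: hex digit pairs, '>' ends the data, and a trailing odd
    # digit is read as if followed by '0' (PDF 32000-1, 7.4.2).
    digits = _strip_whitespace(data).split(b">", 1)[0]
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)

def _a85_group(digits, keep: int) -> bytes:
    # Five base-85 digits form one 32-bit big-endian word; keep its first bytes.
    value = 0
    for d in digits:
        value = value * 85 + d
    if value > 0xFFFFFFFF:
        raise ValueError("ASCII85 group exceeds 32 bits")
    return value.to_bytes(4, "big")[:keep]

def ascii85_decode(data: bytes) -> bytes:
    # ASCII85Decode: five chars '!'..'u' -> four bytes, 'z' -> four zero bytes,
    # '~>' ends the data; a final partial group is padded with 'u' and the
    # surplus bytes dropped (PDF 32000-1, 7.4.3). '<~' is an optional prefix.
    body = _strip_whitespace(data).removeprefix(b"<~").split(b"~>", 1)[0]
    out, group = bytearray(), []
    for c in body:
        if c == ord("z") and not group:
            out += b"\x00\x00\x00\x00"
        elif 33 <= c <= 117:
            group.append(c - 33)
            if len(group) == 5:
                out += _a85_group(group, 4)
                group = []
        else:
            raise ValueError(f"invalid ASCII85 character {chr(c)!r}")
    if len(group) == 1:
        raise ValueError("ASCII85 final group of one character is invalid")
    if group:
        keep = len(group) - 1
        group += [84] * (5 - len(group))  # 84 is 'u' - '!'
        out += _a85_group(group, keep)
    return bytes(out)

FILTERS = {
    "/ASCIIHexDecode": asciihex_decode,
    "/ASCII85Decode": ascii85_decode,
    "/FlateDecode": zlib.decompress,
}

def apply_filters(data: bytes, filters) -> bytes:
    # Apply a /Filter chain in the order listed: [/ASCIIHexDecode /FlateDecode]
    # hex-decodes the raw stream and then inflates the result.
    for name in filters:
        if name not in FILTERS:
            raise ValueError(f"unsupported filter {name}")
        data = FILTERS[name](data)
    return data

def find_suspicious_apis(script: bytes) -> dict:
    text = script.decode("latin-1")
    return {api: cve for api, cve in SUSPICIOUS_APIS.items() if api in text}

# Constructed sample (not from a real file): one script split over two stream
# objects, each hidden behind a different filter chain, as the post describes.
SCRIPT_PART1 = b"var buf = 'A';\nCollab.getIcon(buf);\n"
SCRIPT_PART2 = b"util.printf(fmt, num);\n"

def _wrap(encoded: bytes, width: int = 40) -> bytes:
    # PDF writers often break encoded data into lines; a decoder must cope.
    return b"\n".join(encoded[i:i + width] for i in range(0, len(encoded), width))

SAMPLE_OBJECTS = {
    20: (["/ASCIIHexDecode", "/FlateDecode"],
         _wrap(binascii.hexlify(zlib.compress(SCRIPT_PART1)).upper() + b">")),
    21: (["/ASCII85Decode"], _wrap(base64.a85encode(SCRIPT_PART2, adobe=True))),
}

def decode_sample(objects=SAMPLE_OBJECTS) -> dict:
    # Decode every object, reassemble the split script and report which of the
    # known-vulnerable APIs it references.
    decoded = {num: apply_filters(raw, filters) for num, (filters, raw) in objects.items()}
    script = b"".join(decoded[num] for num in sorted(decoded))
    return {"objects": decoded, "script": script, "hits": find_suspicious_apis(script)}
```

Calling decode_sample() yields the reassembled script and the two API hits for this constructed input. The decoders raise on malformed input instead of guessing; when a stream fails to decode under the filters its dictionary declares, that mismatch is itself worth noting during triage, because a lenient reader may still accept what a strict parser rejects.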
The above example showed that attackers are using different filtering mechanisms to avoid Antivirus detection. Also, attackers are now splitting the scripts into parts, encoding them with different filtering techniques and putting them into different objects. This approach increases the complexity of decoding and detection. There are a number of live PDF exploits on the web using these filtering techniques. Detection rates for the above example are very low: only 13 antivirus vendors out of 42 detect this sample, and the Virustotal results show that a number of popular Antivirus vendors are still missing the detection.

This also shows that you can’t rely on a single protection mechanism like installing only an antivirus engine on your system. A combination of antivirus, IDS/IPS, URL filtering/categorization, etc., is necessary in order to provide a defense-in-depth approach to security. We have seen an increase in client-side attacks like this as opposed to traditional server-side attacks. Attackers are not only targeting popular applications like PDF readers and Flash, but they are also using a variety of techniques to deliver their malicious code.
That’s it for now. Be Safe.