Monday, July 19, 2010

Malicious PDF not detected by any antivirus signature (Updated/Incorrect)

Please read the new post explaining why this post was wrong.


Today I got something curious in my PDF analysis:

@2gg, a friend from Twitter, sent me some samples, and I ran 3 of them against VirusTotal to make sure my research wasn't generating False Positives (FP). To my surprise, when I uploaded one of the files I got a detection result of 0/43.

File name:
Submission date: 2010-07-15 15:42:59 (UTC)
Current status:
0/43 (0.0%)

Our research result was:

/LABS/pdf-basics$ perl -f Malicious PDF Detected

That would mean my script was generating an FP, but based on the analysis with Didier Stevens' tools I believed the antivirus engines had completely failed against this sample.

So I ran the PDF against jsunpack-n to have a third test and I got:

$ ./ -V

[suspicious:3] [PDF]
suspicious: getAnnots CVE-2009-1492 detected

info: [decodingLevel=0] JavaScript in PDF 1298 bytes, with 1329 bytes headers
info: [decodingLevel=1] found JavaScript
info: file: saved /LABS/pdf-basics/samples/twitter2/ to (./files/original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181)
file: decoding_438f8880e0e100142aae652071590ba9ea2c572a: 2627 bytes
file: original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181: 1406792 bytes

When I talked to Mila, she pointed me to the jsunpack result online.

Another thing that suggested it was a malicious file, and that I needed to figure out how to prove, was the pdfid output:

PDFiD 0.0.11
PDF Header: %PDF-1.7
obj 60
endobj 60
stream 21
endstream 22
xref 2
trailer 2
startxref 2
/Page 1
/Encrypt 0
/ObjStm 2
/JS 1
/JavaScript 2
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/URI 2
/EmbeddedFile 0
/EmbeddedFiles 1
/cmd 0
/Action 0
/Launch 0
/Colors > 2^24 0

Based on that I started testing more deeply, to make sure the 0/43 result wasn't a false negative and that my research wasn't generating a false positive.

Analyzing the jsunpack-n detection rules, I found this YARA rule:

rule getAnnots: decodedPDF
{
    meta:
        impact = 3 // Since getAnnots may be legitimate
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        1 of them
}

That means those alerts didn't necessarily mean something was trying to exploit the flaw: the rule only fires on the presence of the word, and getAnnots is a legitimate (although not widely used) PDF JavaScript feature.
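To make the two checks above concrete (the pdfid keyword counts and the jsunpack-n getAnnots heuristic), here is an added example of a small triage script. It is not pdfid's or jsunpack-n's own code: it counts the same PDF names pdfid reports, applies the getAnnots match with the same nocase/fullword semantics as the YARA rule, and gives it a low weight for the reason the post gives. Like pdfid, it scans raw bytes only and does not inflate compressed streams, so keywords hidden inside FlateDecode'd object streams are not seen; the scoring weights and the sample PDF are my own constructed assumptions.

```python
"""Keyword triage for a PDF, in the spirit of pdfid and the jsunpack-n getAnnots rule.

Added example, not pdfid's or jsunpack-n's code. Scans raw bytes only: like pdfid,
it will not see names or script hidden inside compressed (FlateDecode) streams.
"""
import re
import sys

# Names that pdfid counts; the list mirrors the categories in the post's output.
KEYWORDS = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
            "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia", "/URI",
            "/EmbeddedFile", "/EmbeddedFiles", "/Launch"]

# A PDF name token ends at whitespace, a delimiter, or end of data. The lookahead
# keeps "/JS" from matching inside "/JavaScript" and "/Page" inside "/Pages".
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"

# Constructed sample: a minimal PDF whose document-level JavaScript calls getAnnots.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /JavaScript 4 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Names [(doc) 5 0 R] >> endobj
5 0 obj << /S /JavaScript /JS 6 0 R >> endobj
6 0 obj << /Length 70 >>
stream
this.syncAnnotScan(); var a = this.getAnnots(); app.alert(a.length);
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def count_keywords(data: bytes) -> dict:
    """Count whole-name occurrences of each pdfid keyword in raw PDF bytes."""
    counts = {}
    for kw in KEYWORDS:
        pattern = re.escape(kw.encode()) + _NAME_END
        counts[kw] = len(re.findall(pattern, data))
    return counts


def getannots_hits(data: bytes) -> int:
    """Same semantics as the YARA string: 'getAnnots' nocase fullword."""
    pattern = rb"(?i)(?<![A-Za-z0-9_])getAnnots(?![A-Za-z0-9_])"
    return len(re.findall(pattern, data))


def triage(data: bytes) -> dict:
    """Weighted summary. Weights are assumptions for illustration, not a standard."""
    counts = count_keywords(data)
    impact, reasons = 0, []
    if counts["/JS"] or counts["/JavaScript"]:
        impact += 5
        reasons.append("JavaScript present")
    if counts["/OpenAction"] or counts["/AA"]:
        impact += 3
        reasons.append("automatic action on open/annotation")
    if counts["/Launch"]:
        impact += 5
        reasons.append("/Launch action")
    hits = getannots_hits(data)
    if hits:
        # Low weight on purpose: getAnnots is a legitimate, if uncommon, API.
        impact += 3
        reasons.append(f"getAnnots x{hits} (CVE-2009-1492 pattern, may be legitimate)")
    return {"counts": counts, "getAnnots": hits, "impact": impact, "reasons": reasons}


if __name__ == "__main__":
    # Usage: python triage.py [file.pdf]; without an argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    report = triage(data)
    for name, n in report["counts"].items():
        print(f"{name:<15}{n}")
    print(f"getAnnots hits: {report['getAnnots']}")
    print(f"impact: {report['impact']}  reasons: {', '.join(report['reasons'])}")
```

Run against the constructed sample it reports /JS 1, /JavaScript 2, /Page 1 and one getAnnots hit, which is exactly the kind of evidence the post describes: enough to say "look closer", not enough on its own to say "exploit".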

So @snowfl0w pointed me to a very nice checking website, where I sent the sample and got the following results:


Thank you for your recent submission to

Date: 2010-07-15 18:59:54
Web submission from

EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)


Confidence ranking: 75 (2 hits).

External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
VIRUS SCAN Threat Expert: New


As a last test I sent it to another service and got good results there too:

Joedoc (Beta) has detected the following results:

Runtime detections:

- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0
- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5

Special thanks to @2gg and @snowfl0w

** About VirusTotal: it basically runs the sample against signatures only, while some AV products also have behavior analysis and other protections that were not exercised against this sample.


Rodrigo Montoro (Sp0oKeR)

One comment:

cw said...

Increasingly heavy obfuscation techniques continue to render AV detection ineffective. Reminds me of a Java exploit class using a large number of dynamic string reassembly tricks to greatly decrease detection. I've found JSUnpack and JoeDoc to be very useful in this analysis, and may obtain the Zynamics PDF tool in the near future. Thanks, @curtw