Since people trust this blog and what I write here I always try my best. Unfortunatly sometimes we make some mistakes. My last post was about 0/43 malicious PDF not being detect by any Antivirus , since the begin I was in doubt about if it was malicious or not so I tested against some webtools as you read at my last post http://spookerlabs.blogspot.com/2010/07/malicious-pdf-not-detected-by-any.html
When I got 0/43 and analyzing the PDF structure with Didier Stevens tools I can say that the score was 1 x 1 since VirusTotal considered normal and pdfid pointed to something not common .
One point that I listed in the other post was the JSunpack Detection that just trys to find the word getAnnots (since it's not common used) . Another point that I was looking and not feel confortable was about JoeDoc results that told the PDF was exploitable at 9.2 version and CVE-2009-1492 just affects until 9.1 version
From : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492
Based on that the real results about the tools and this analysis :
$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V
[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected
rule getAnnots: decodedPDF
impact = 3 //Since getAnnots may be legitimate
ref = "CVE-2009-1492"
hide = true
$cve20091492 = "getAnnots" nocase fullword
1 of them
Web submission from 188.8.131.52.
Confidence ranking: 75 (2 hits).
External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New
1 Page file
JoeDoc - Failed - http://www.joedoc.org
Joedoc (Beta) has detected the the following results:
- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0
- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5
This sample is that kind of sample that have everything to be malicious but it's not. To make sure I installed a VM and opened this file (Adobe 8 version) and a new sample that reported as the same that @2gg shared again that make feel confortable to say that it's a False Positive .
Sorry about that but I'll always try my best and I'll triple check next time since double check failed! Anyway in my opinion is better a False Positive with this uncommon file that you can handle that a False Negative with something much similar and malicious for real .
Keep reading since we will have lot of good stuff about our research in the future and for sure with few False Positives and Negatives as any malware detection tool .
Rodrigo Montoro (Sp0oKeR)