PDF Forensics
Slides by Grisha Kumar, with additions by Mr Staffen
PDF (Portable Document Format)
• The PDF is a document format from Adobe Inc.
• PDF metadata can be stored in a document information dictionary or as a metadata stream, sometimes both.
• The PDF standard supports embedding many types of files, such as images. Embedded files may contain their own metadata.
make-pdf-javascript.py
• Part of a set of tools written by Didier Stevens
• make-pdf-javascript.py can be used to create a malicious PDF
• make-pdf-javascript.py allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document.
  – make-pdf-javascript.py [options] pdf-file
• make-pdf-embedded.py creates a PDF file with an embedded file.
  – make-pdf-embedded.py [option] pdf-to-embed pdf-file
PDFiD
• PDFiD was written by Didier Stevens to analyze malicious PDFs
• PDF files can be embedded with malicious code that can run on the user's system
  – E.g. JavaScript
• PDFiD is a Python module that can analyze and sanitize PDF files. PDF files can be embedded with malicious code that can run on the user's system, e.g. JavaScript. This tool is written by Didier Stevens. We are going to analyze a simple PDF file and a malicious PDF file, and also a normal exe file that has been renamed to the pdf extension. This tool can be very helpful in verifying whether a PDF file is malicious or not.
PDFiD – String check
• obj
• endobj
• stream
• endstream
• xref
• trailer
• startxref
• /Page
• /Encrypt
• /ObjStm
• /JS
• /JavaScript
• /AA
• /OpenAction
• /JBIG2Decode
• /RichMedia
• /Launch
• /XFA
PDF (Portable Document Format) Terms:
• AA :: an additional-actions dictionary defining a field's behavior in response to trigger events
• AcroForm :: a PDF file's interactive form dictionary
• endobj :: specifies the end of an object in a PDF file
• endstream :: the end marker of a stream object in a PDF file
• JavaScript :: JavaScript dictionary containing JavaScript scripts
• JBIG2Decode :: decompresses data encoded using the JBIG2 standard
• JS :: a text string or stream containing JavaScript that will be executed when the action is triggered
• Launch :: launches an application, which usually opens a file
• obj :: the beginning of an object in a PDF file
• ObjStm :: object stream
• OpenAction :: destination that shall be displayed or action that will be performed when the PDF is opened
• RichMedia :: interactive PDF elements
• startxref :: follows the trailer keyword and is the offset of the cross-reference stream
• stream :: the beginning marker of a stream object in a PDF file
• trailer :: provides a method to quickly find a cross-reference table and certain special objects
• xref :: marks a cross-reference section in a PDF file
How to create a malicious PDF:
• The following commands can be used:
• make-pdf-javascript.py allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document.
  – make-pdf-javascript.py [options] pdf-file
• make-pdf-embedded.py creates a PDF file with an embedded file.
  – make-pdf-embedded.py [option] pdf-to-embed pdf-file
PDFiD Analysis
• The PDFiD tool is run against 2 PDF documents
  – Pdf_white : A simple PDF document taken off the internet without any malicious content
  – Pdf_black : The same PDF document embedded with malicious content
PDFiD – Analysis (White)
PDFiD – Analysis (Black)
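The white/black comparison the two slides above show as screenshots, and the string check listed earlier, as an added example that is not part of the original slides or of Didier Stevens' PDFiD: a minimal keyword counter over the same keyword list, run on two constructed samples (WHITE_PDF and BLACK_PDF are made-up skeletons, not the slides' files, and the SUSPICIOUS set is this example's own triage choice). It also decodes the #xx escapes PDF allows inside names, the reason a plain grep for "/JS" is not enough.

```python
import re
from collections import Counter
# The keyword list PDFiD checks, as listed on the slide; bytes because PDFs are binary.
PDFID_KEYWORDS = [
    b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
    b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
    b"/JBIG2Decode", b"/RichMedia", b"/Launch", b"/XFA",
]
KEYWORD_SET = set(PDFID_KEYWORDS)
# This example's own triage choice: names whose presence alone warrants a look with pdf-parser.py.
SUSPICIOUS = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
              b"/RichMedia", b"/XFA", b"/JBIG2Decode"}

_NAME = re.compile(rb"/[^\s/<>\[\]\(\)\{\}%]+")          # a PDF name token such as /JS
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")         # #xx escape allowed inside a name
_WORD = re.compile(rb"(?<![A-Za-z])[a-z]+(?![A-Za-z])")  # bare keywords such as obj, xref

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens so /#4A#53 is counted as /JS."""
    unescape = lambda m: _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME.sub(unescape, data)

def count_keywords(data: bytes) -> dict:
    """Count each keyword as a whole token, so 'endobj' does not inflate 'obj'."""
    data = normalize_names(data)
    counts = Counter(t for t in _NAME.findall(data) if t in KEYWORD_SET)
    counts.update(t for t in _WORD.findall(data) if t in KEYWORD_SET)
    return {k.decode(): counts[k] for k in PDFID_KEYWORDS}

def triage(data: bytes) -> list:
    """Suspicious keywords present, in PDFiD order; an empty list means nothing flagged."""
    counts = count_keywords(data)
    return [k for k in counts if counts[k] and k.encode() in SUSPICIOUS]

# Constructed samples, not real files: WHITE_PDF is a bare one-page skeleton; BLACK_PDF is the
# same skeleton with an /OpenAction running JavaScript, written with #xx-escaped names so a
# plain grep for "/JS" misses it.
WHITE_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
             b"xref\n0 4\ntrailer << /Root 1 0 R /Size 4 >>\nstartxref\n0\n%%EOF\n")
BLACK_PDF = WHITE_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>").replace(
    b"\nxref\n", b"\n4 0 obj << /S /#4AavaScript /#4A#53 (app.alert('sample')) >> endobj\nxref\n")

if __name__ == "__main__":
    for label, pdf in (("pdf_white", WHITE_PDF), ("pdf_black", BLACK_PDF)):
        print(label, {k: v for k, v in count_keywords(pdf).items() if v}, "flagged:", triage(pdf))
```

A non-zero /OpenAction, /JS or /JavaScript count is a reason to pull the object with pdf-parser.py, not proof of malice by itself; legitimate forms use these keys too.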
PDF Parser
• This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document.
• The commands are run against pdf_black
• Commands
  – pdf-parser.py --stats [pdf]
  – pdf-parser.py --search javascript [pdf]
  – pdf-parser.py --search javascript --raw [pdf]
Tools for Analyzing Adobe PDF Files
• PDFiD identifies PDFs that contain strings associated with scripts and actions.
• PDF-parser and Origami's pdfwalker examine the structure of PDF files.
• Origami's pdfextract and Jsunpack-n's pdf.py extract JavaScript from PDF files.
• PDF Stream Dumper combines many PDF analysis tools under a single graphical user interface.
• Peepdf and Origami's pdfsh offer an interactive command-line shell for examining PDF files.
• PDF X-RAY Lite creates an HTML report containing decoded PDF file structure and contents.
• SWF mastah extracts SWF objects from PDF files.
• Pyew includes commands for examining and decoding the structure and content of PDF files.