Investigation: Malicious PDF + OSINT
This post walks through investigating malicious PDF files with a few tools and resources, and shows how OSINT methods can improve the investigation.
Structure of PDF:
A PDF is a combination of objects. Some vocabulary we must understand:
- Header: the first line of the PDF, which states the PDF version.
- Objects: the PDF is divided into several sections called objects. Each object is identified by a number.
Some important objects in a malicious PDF are:
- /OpenAction: one of the key objects used by malicious PDFs; it makes a script run as soon as the PDF file is opened.
- /JavaScript: lets the PDF execute malicious JavaScript code.
⚒️Tools and Requirements:
- pdfid
- pdf-parser
- peepdf
- An isolated virtual machine, preferably a Linux distro. (I THINK YOU KNOW WHY)
Let's Start: 🏁
Attackers use malicious PDFs in various ways; the most common are:
- Running a malicious script on the host machine
- Using the PDF to download malware from an external domain.
We will cover both ways in this blog. Just stay tuned.
After collecting a malicious PDF sample:
Scenario 1:
1. Find all the objects present in the PDF using pdfid.
2. Read the objects using peepdf:
There are several streams in this PDF, as the image above illustrates. We need to look at all the streams and objects that contain JavaScript or encoded strings.
Open the encoded objects one by one.
Let's get a better view in VS Code or any other code editor.
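To show what pdfid and peepdf are doing under the hood in steps 1 and 2 (and what the /OpenAction and /JavaScript entries from the structure section look like on disk), here is an added example, written for this post and not code from pdfid, peepdf or the post's samples. It builds a small constructed PDF in memory whose /OpenAction points at a /JavaScript action with a FlateDecode-compressed script, then counts suspicious names the way pdfid does, inflates the stream, and pulls the script out by following the /JS reference. It also resolves `#xx` hex escapes in names, because a count that skips that step misses a name written as /J#61vaScript. The keyword list and the script text are my own choices.

```python
import re
import zlib

# Names that pdfid-style triage counts. /OpenAction and /JavaScript are the two
# the post singles out; the rest are further action/launch vectors worth a look.
SUSPICIOUS_KEYWORDS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                       b"/Launch", b"/URI", b"/EmbeddedFile"]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"^(.*?)stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def build_sample_pdf() -> bytes:
    """Constructed sample (not one of the post's samples): the catalog's
    /OpenAction points at a /JavaScript action whose script sits in a
    FlateDecode-compressed stream. The script is an inert placeholder."""
    script = b"app.alert('constructed sample, no real payload');"
    packed = zlib.compress(script)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed,
        b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def normalize_names(dict_bytes: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript) so a
    keyword count is not fooled by an escaped spelling of the same name."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), dict_bytes)


def parse_objects(pdf: bytes) -> list:
    """Split the file into its numbered objects and inflate FlateDecode streams."""
    objects = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        start = STREAM_START_RE.match(body)
        dictionary = normalize_names(start.group(1) if start else body)
        stream = None
        if start:
            data = body[start.end():]
            length = LENGTH_RE.search(dictionary)
            # A direct /Length is authoritative; without one, cut at endstream.
            stream = data[:int(length.group(1))] if length else data.rsplit(b"endstream", 1)[0]
            if b"/FlateDecode" in dictionary:
                try:
                    stream = zlib.decompress(stream)
                except zlib.error:
                    pass  # keep raw bytes; a stream that will not inflate is itself a hint
        objects.append({"num": num, "dict": dictionary, "stream": stream})
    return objects


def count_keywords(pdf: bytes) -> dict:
    """pdfid-style triage: count each suspicious name across all object dictionaries."""
    counts = {}
    for obj in parse_objects(pdf):
        for kw in SUSPICIOUS_KEYWORDS:
            hits = re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", obj["dict"])
            counts[kw.decode()] = counts.get(kw.decode(), 0) + len(hits)
    return {k: v for k, v in counts.items() if v}


def find_scripts(objects: list) -> list:
    """Return the script bodies of /JavaScript actions, following /JS references
    to their stream objects and also accepting an inline /JS (...) literal."""
    by_num = {o["num"]: o for o in objects}
    scripts = []
    for o in objects:
        if b"/JavaScript" not in o["dict"]:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", o["dict"])
        if ref and int(ref.group(1)) in by_num:
            scripts.append(by_num[int(ref.group(1))]["stream"])
            continue
        literal = re.search(rb"/JS\s*\((.*?)\)", o["dict"], re.DOTALL)
        if literal:
            scripts.append(literal.group(1))
    return scripts


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("keyword counts:", count_keywords(sample))
    for obj in parse_objects(sample):
        print(f"obj {obj['num']}: {obj['dict'].strip()!r}")
    for script in find_scripts(parse_objects(sample)):
        print("script:", script.decode(errors="replace"))
```

Run it on a real sample by replacing `build_sample_pdf()` with the file's bytes; the keyword table is the pdfid step, and the decoded script is what you would otherwise copy out of peepdf into your editor.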
From the JavaScript code above we can easily see that the PDF downloads stale.exe and then runs it using WScript.Shell.
We now use VirusTotal to check the URL from which stale.exe is downloaded.
Oh Sh*t, it's a malicious URL. Let's look at the score of the exe now.
For that we open the details in VirusTotal and then look up the hash of the exe.
Scenario 2:
Let's take one more sample!!
A few streams are visible in this PDF. The PDF tree displayed to us will help in understanding the flow.
We see a URI in one of the objects. Let's investigate it:
What VirusTotal says about this URL:
We found a file scan report in the community section of VT.
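For the URI step of this scenario, here is an added example (mine, not the post's or peepdf's code) that pulls every /URI value out of object dictionaries, decodes both PDF string forms (a `(...)` literal with backslash escapes and a `<...>` hex string, since a URI hidden as hex does not show up in a plain text search), defangs each URL for a report, and builds the VirusTotal lookup addresses. The object dictionaries and example.com URLs are constructed for the demo. The VirusTotal v3 endpoints and the URL identifier (base64url of the URL without `=` padding, or the file's SHA-256) follow VirusTotal's public API reference as I know it; treat that as an assumption and check the current docs before wiring this into a pipeline. Nothing here makes a network request.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed object dictionaries, not bytes from the post's samples. Object 9
# carries a hex-string URI and object 10 an escaped ')' to exercise the decoder.
_HEX_URL = b"http://example.com/drop/".hex().encode()
SAMPLE_OBJECTS = b"".join([
    b"7 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/stale.exe) >> >>\nendobj\n",
    b"9 0 obj\n<< /S /URI /URI <" + _HEX_URL + b"> >>\nendobj\n",
    b"10 0 obj\n<< /S /URI /URI (http://example.com/a\\)b) >>\nendobj\n",
])

# A literal string with escaped characters, or a hex string (whitespace allowed).
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_pdf_string(token: bytes) -> bytes:
    """Decode a PDF literal string (...) or hex string <...> to raw bytes.
    Unbalanced nested parentheses are not handled; URIs rarely contain them."""
    if token.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", token[1:-1])
        if len(hexdigits) % 2:
            hexdigits += b"0"  # the spec pads a trailing odd digit with 0
        return bytes.fromhex(hexdigits.decode())
    body, out, i = token[1:-1], bytearray(), 0
    while i < len(body):
        c = body[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
        if octal:
            out.append(int(octal.group(0), 8) & 0xFF)
            i += 1 + len(octal.group(0))
        elif nxt in (b"\n", b"\r"):
            i += 2  # backslash-newline is a line continuation: drop both
        else:
            out += ESCAPES.get(nxt, nxt)  # unknown escape keeps the character
            i += 2
    return bytes(out)


def extract_uris(data: bytes) -> list:
    """Return every /URI value found in the object dictionaries, as text."""
    return [decode_pdf_string(m.group(1)).decode("latin-1") for m in URI_RE.finditer(data)]


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: hxxp scheme, [.] in the host."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.replace("http", "hxxp"), p.netloc.replace(".", "[.]"),
                       p.path, p.query, p.fragment))


def vt_url_lookup(url: str) -> str:
    """VirusTotal v3 URL report address; the id is base64url(url) without padding."""
    url_id = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"https://www.virustotal.com/api/v3/urls/{url_id}"


def vt_file_lookup(payload: bytes) -> str:
    """VirusTotal v3 file report address, keyed by the SHA-256 of the bytes."""
    return f"https://www.virustotal.com/api/v3/files/{hashlib.sha256(payload).hexdigest()}"


if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_OBJECTS):
        print(f"{defang(uri):40s} -> {vt_url_lookup(uri)}")
```

Feed `extract_uris` the raw bytes of a sample (or the decoded object dictionaries from the previous scenario) and you get the same URI peepdf shows in its tree, already defanged for your notes and paired with the address to query on VirusTotal.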
Always check the community tab and the information on VirusTotal; these aid a more thorough malware investigation.
Samples:
- https://bazaar.abuse.ch/download/c1290b6740600c80533b4e8f8172f15ca4b3d6d4faab96b56912782a98ac5518/
- https://bazaar.abuse.ch/download/3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c/