Deep Inside Malicious PDF

Jul 9, 2015

By YELIA MAMDOUH EL GHALY

When we check the PDF files on our PC or laptop we may rely on an antivirus scanner, but these days that is often not enough to detect a malicious PDF that carries shellcode: the attacker will usually encrypt or encode the content to evade the scanner, and in many cases the file targets a zero-day vulnerability in Adobe Acrobat Reader, even in an up-to-date version.
Before we start analyzing malicious PDFs, we will take a brief look at the PDF structure so we can understand how the shellcode works and where it is located.

PDF components

PDF Header
The first line of a PDF gives the PDF format version. It is the most important line because it gives you the basic information about the file: for example, “%PDF-1.4” means the file was written to version 1.4 of the PDF format.

PDF Body
The body of the PDF file consists of objects that compose the contents of the document. These objects include fonts, images, annotations and text streams, and the author can also place invisible objects or elements in the file. These objects can interact with PDF features such as animation and security features. The body....
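To make the header and body structure described above concrete, here is a small added example (not code from the original article) that reads the version from the `%PDF-x.y` header line, walks the `N G obj ... endobj` objects of the body, parses each object's flat dictionary, and pulls out any attached stream, honouring `/Length` when it is present. It also decodes a `/FlateDecode` stream, since encoded streams are the first place an analyst looks for hidden content. The sample PDF is constructed inside the script and is benign; the parser is deliberately minimal (flat dictionaries only, no cross-reference table, no object streams) and is meant for learning the layout, not as a replacement for a full PDF parser.

```python
import re
import zlib

# Constructed sample: a minimal, benign PDF with a header, five body objects
# (catalog, page tree, page, Flate-encoded content stream, annotation) and a trailer.
PAGE_CONTENT = b"BT /F1 12 Tf 72 720 Td (Hello) Tj ET"


def build_sample_pdf():
    """Assemble the constructed sample document as bytes."""
    encoded = zlib.compress(PAGE_CONTENT)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(encoded),
        encoded,
        b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


HEADER_RE = re.compile(rb"^%PDF-(\d+\.\d+)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
# Tokens of a flat dictionary: delimiters, names, arrays, strings, references, numbers.
TOKEN_RE = re.compile(
    rb"<<|>>|/[^\s/\[\]<>()]+|\[[^\]]*\]|\([^)]*\)|\d+\s+\d+\s+R|-?\d+(?:\.\d+)?"
)


def pdf_version(data):
    """Return the version string from the %PDF-x.y header, or None if absent."""
    m = HEADER_RE.match(data)
    return m.group(1).decode("ascii") if m else None


def parse_dict(raw):
    """Parse a flat PDF dictionary (no nested << >>) into {key: value-as-text}."""
    tokens = [t for t in TOKEN_RE.findall(raw) if t not in (b"<<", b">>")]
    entries, i = {}, 0
    while i + 1 < len(tokens):
        key, value = tokens[i], tokens[i + 1]
        if key.startswith(b"/"):
            entries[key[1:].decode("latin-1")] = value.decode("latin-1")
            i += 2
        else:
            i += 1  # stray token, skip it
    return entries


def extract_stream(body, entries):
    """Return the raw stream bytes of an object body, or None if it has no stream."""
    m = STREAM_START_RE.search(body)
    if not m:
        return None
    start = m.end()
    length = entries.get("Length", "")
    if length.isdigit():  # trust /Length when it is a direct integer
        return body[start:start + int(length)]
    end = body.find(b"endstream", start)  # fall back to the endstream keyword
    return body[start:end].rstrip(b"\r\n")


def parse_objects(data):
    """Enumerate every 'N G obj ... endobj' in the body."""
    objects = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        s = STREAM_START_RE.search(body)
        entries = parse_dict(body[:s.start()] if s else body)
        objects.append({
            "num": int(m.group(1)),
            "gen": int(m.group(2)),
            "dict": entries,
            "stream": extract_stream(body, entries),
        })
    return objects


def decode_stream(obj):
    """Decode a /FlateDecode stream; other filters are returned raw."""
    if obj["stream"] is None:
        return None
    if obj["dict"].get("Filter") == "/FlateDecode":
        return zlib.decompress(obj["stream"])
    return obj["stream"]


def summarize(data):
    """Header version, object count, /Type per object, and which objects hold filtered streams."""
    objects = parse_objects(data)
    return {
        "version": pdf_version(data),
        "object_count": len(objects),
        "types": {o["num"]: o["dict"].get("Type") for o in objects},
        "filtered_streams": [o["num"] for o in objects
                             if o["stream"] is not None and "Filter" in o["dict"]],
    }


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(summarize(sample))
    for obj in parse_objects(sample):
        if obj["stream"] is not None:
            print(obj["num"], "decoded stream:", decode_stream(obj))
```

Pointing `summarize()` at a real file (`open(path, "rb").read()`) gives a quick first picture: the claimed format version, how many objects the body holds, and which of them carry encoded streams that need decoding before their content can be inspected.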

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023