By Corinne Smith
Receiving malicious PDFs is common in the corporate world. For example, an attacker may pose as one of the business's service providers and send a malicious PDF named “Invoice” to the Accounts Payable department. When opened, the file triggers some form of action that leads to the attacker gaining access to the employee’s computer. Once the attack is detected, the security team needs to analyze the malicious PDF to determine what its impact was and whether the attack was successful.
NOTE: This blog post is by no means a be-all end-all to analyzing PDFs, but rather a stepping stone to start the process that can be molded to fit the requirements of the current situation.
WARNING: It is always important to note that work with potentially malicious objects should be done in a controlled environment (preferably a virtual machine with a snapshot to roll back to). Always be aware that when inspecting a malicious object there is the potential that your system could get infected too, and precautions should be taken against that.
Step One: Recon
[Image: VirusTotal results]
Even if the tools you are using don’t turn up anything, don’t just assume the file is safe. For example, PDFiD only searches for eighteen of the possible keyword strings a PDF can contain. If you are unsatisfied with the results from your tools (maybe because you already know that the file is malicious), you can always take the time to write your own scripts to do a deeper dive on the file you are inspecting. A list of over a thousand PDF keyword strings that you can draw from can be found here (1).
Step Two: Inspection
Once you have completed your recon, the next step is to take the information collected about the file and do further analysis on the malicious PDF. There are many tools that exist online that will help you with data extraction and inspection. Lenny Zeltser’s page (4) is a great launch pad for some example tools.
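The two preceding steps (writing your own keyword scan when the stock tools come up empty, and then extracting and inspecting the file's contents) can be combined in one short script. The example below is added here and is not code from the original post, PDFiD, or any tool on the linked page; the keyword list is an illustrative subset you would extend from a fuller list, the sample PDF is constructed and harmless, and the function names (`normalize_names`, `inflate_streams`, `scan`, `triage`) are my own. It undoes the `#xx` hex escapes that attackers use to hide names such as `/JavaScript`, inflates FlateDecode streams so keywords hidden inside compressed objects are counted too, and flags the combinations an analyst cares about (an auto-action plus script, a launch action, an embedded file).

```python
import re
import zlib

# Keywords worth counting. This is an illustrative subset (assumption); a real
# scanner would draw from a much longer keyword list such as the one cited above.
KEYWORDS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/AcroForm", b"/ObjStm", b"/XFA",
    b"/URI", b"/GoToR", b"/SubmitForm",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_OBJECT = re.compile(rb"\bobj\b(.*?)endobj", re.DOTALL)
_STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_FLATE = re.compile(rb"/Filter\s*(?:\[\s*)?/FlateDecode")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so /Ja#76aScript compares equal to /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Return the decompressed body of every FlateDecode stream we can parse."""
    bodies = []
    for obj in _OBJECT.finditer(data):
        body = obj.group(1)
        if not _FLATE.search(body):
            continue
        stream = _STREAM.search(body)
        if not stream:
            continue
        try:
            # decompressobj tolerates a truncated stream and returns what it could
            bodies.append(zlib.decompressobj().decompress(stream.group(1)))
        except zlib.error:
            continue  # corrupt stream: record nothing, keep scanning the rest
    return bodies


def scan(data: bytes) -> dict[str, int]:
    """Count keywords across the raw file and every inflated stream."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    counts = {}
    for kw in KEYWORDS:
        # lookahead stops /JS from also matching /JSfoo-style names
        pattern = re.compile(re.escape(kw) + rb"(?![A-Za-z0-9])")
        n = sum(len(pattern.findall(v)) for v in views)
        if n:
            counts[kw.decode()] = n
    return counts


def triage(counts: dict[str, int]) -> list[str]:
    """Turn raw counts into the observations an analyst would write up."""
    flags = []
    if counts.get("/OpenAction") or counts.get("/AA"):
        flags.append("auto-action on open/page event")
    if counts.get("/JavaScript") or counts.get("/JS"):
        flags.append("embedded JavaScript")
    if counts.get("/Launch"):
        flags.append("launches external program")
    if counts.get("/EmbeddedFile"):
        flags.append("carries an embedded file")
    return flags


def build_sample_pdf() -> bytes:
    """Constructed, harmless sample: an OpenAction whose JavaScript name is
    hex-escaped, plus a Flate stream hiding another /JavaScript and /JS key."""
    hidden = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
    packed = zlib.compress(hidden)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /S /Ja#76aScript /JS 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    counts = scan(build_sample_pdf())
    print(counts)           # {'/JavaScript': 2, '/JS': 2, '/OpenAction': 1}
    print(triage(counts))   # ['auto-action on open/page event', 'embedded JavaScript']
```

Run it against a real sample with `scan(open(path, "rb").read())` inside your analysis VM; the point of inflating streams is that a plain `grep` for `/JavaScript` on the raw file would report only the escaped name in object 3 and miss the copy compressed inside object 4.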
Step Three: Remediation
Although this step is outside the scope of this blog post, it is still a very important step to consider. You need to take the details that you discovered in step two and figure out what steps need to be taken to resolve the issue. Are there holes in the security system that the attacker exploited? Is there a piece of out-of-date software that was leveraged in this attack that can be updated to prevent it from happening again? Is this something that can be avoided in the future by having employees be more aware of what a phishing email looks like? These things and more all need to be considered when remediating any security-related incident.