Malicious PDF Analysis Evasion Techniques

In many exploit kits, malicious PDF files are some of the most common threats used to try to infect users with various malicious files. Naturally, security vendors invest in efforts to detect these files properly – and their creators invest in efforts to evade those vendors.

Using feedback provided by the Smart Protection Network, we examined several commonly used techniques by PDF exploits today. These techniques are described in this blog post. Knowledge about the techniques is used to improve Trend Micro’s ability to detect these exploits.

Common JavaScript Evasion Techniques

Most PDF exploits use some form of embedded JavaScript. Because of this, common JavaScript evasion and obfuscation techniques work here as well. For example, string replacements, try-catch exceptions, fromCharCode loops all work in PDF files as well.

The following code snippet shows some of these techniques in use:

PDF-evasion-1

Figure 1. Common JavaScript evasion/obfuscation techniques in use

This particular exploit targets CVE-2010-0188.

Encoded Content And Function Name in INFO Object

This type of obfuscation saves encrypted code into parts of the INFO object (such as, title, subject, producer, etc.)  JavaScript could be used to extract and decode this encrypted malicious code.

In this sample, the Title/Creator fields in the INFO object are very strange. The creator field is a very long alphanumeric string broken by numerous exclamation points.

PDF-evasion-2

Figure 2. Encoded code in INFO object

Like the previous exploit, this also targets CVE-2010-0188.

Targeting the JavaScript Runtime

This particular type of evasion is meant to hide from analysis tools. Running JavaScript in PDF files needs a particular runtime library. This library is part of Adobe Reader, but most analysis tools do not contain it. When the malware finds that some functions are not defined or behaves incorrectly, the malicious code is not decrypted.

Functions that can be used for this include checking the file size of the file and checking the application’s version.

In the example below, app.endPriv would be checked, and if it’s not defined correctly no malicious code ends up being run.

PDF-evasion-3

Figure 3. Checking for specific function

Field Attribute and Scope Functions

Some malware use field attributes in XML Forms Architecture (XFA) to do condition checks. Like the above case, these scope functions are not “implemented” correctly by analysis tools. If certain objects and functions cannot be found (in this case, the ImageFiled1 object and the ZZA function), again, the malicious code will not be run.

In other cases, attributes such as, width and height may instead be used.

PDF-evasion-4

Figure 4. Field attribute and scope function

Namespace Control

This year, we saw a new vulnerability (CVE-2013-2729) which was paired with new evasion techniques.

We saw JavaScript code that worked in different namespaces (controlled by the name attribute). Analysis tools sometimes have difficulty with this. In this particular snippet, we see that there are two different objects – util and spray, andb how functions and variables are used in these two namespaces.

PDF-evasion-5

PDF-evasion-6

PDF-evasion-7

Figures 5-7. Namespaces and variables used

Variables Scope Changed in eval Function

This type of evasion method is based on certain specifics of the PDF JavaScript engine. Consider the following code snippet:

(function(){var v=”inner”; e=eval; e(“alert(v)”); })();

The above code functions correctly in Adobe Reader; the “inner” code is executed. With other JavaScript engines, this may not work and and an error will be returned instead. This could prevent analysis of the malicious code.

Summary

We believe that among these evasion methods, two –  checking the Javascript runtime and changing the scope of variables – will be used more widely in the future.  These represent the latest attempts at evading detections by cybercriminals.

Trend Micro’s existing web reputation service detects and blocks the websites that use these techniques. The specific samples noted above are also detected as: TROJ_PIDIEF.ERP, TROJ_PIDIEF.ERQ, TROJ_PIDIEF.SMAL, and TROJ_PIDIEF.SMAP.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Malicious PDF Analysis Evasion Techniques

Read more: Malicious PDF Analysis Evasion Techniques

Story added 6. November 2013, content source with full text you can find at link above.