Hackers of India

phoneypdf: A Virtual PDF Analysis Framework

Kiran Bandla

2014/02/14


Presentation Material

Abstract

PDF exploitation is never complete without JavaScript. Most PDF exploits that we come across are based on JavaScript. Attackers use JavaScript for various reasons: to obfuscate the payload or the shellcode, among many other things. However, few tools have the capability to analyze that JavaScript automatically and dynamically.

This paper presents tools and techniques to analyze malicious PDF files. We also present phoneypdf, an open-source PDF analysis framework. The paper builds on existing work and presents new work that allows us to leverage the Adobe PDF DOM and XFA. Emulating the Adobe PDF DOM gives us a unique advantage over the tools that are currently available: fine-grained information on the PDF's layout, its XFA content and the execution of its JavaScript. Having the Adobe DOM gives us deeper insights into exploitation than pure static analysis can.

As an example, we analyze CVE-2010-0188 and how it is detected by phoneypdf. An analyst can quickly extend phoneypdf by adding signatures or code to detect new exploits. We discuss the technical challenges of analyzing PDFs in a semi-dynamic way, and the related solutions.