Update: Turns out that the sample I was working with is not the new 0-day exploit described here. Once I get a sample of the new PDF exploit I’ll write a new post describing how it works (or read parody’s comment below for a preview).
On December 15, Adobe released a security advisory stating that a new vulnerability has been found in Adobe Reader that could potentially execute arbitrary code. Instead of studying for my last two finals, I decided to try my hand at reversing a PDF exploit and figuring out what this new vulnerability is and what the wild malware is doing with it.
So first off, I have not looked into PDF exploits before and really don’t know much about the PDF format other than skimming through previous exploit advisories. Reading the advisory tells you that this is a JavaScript exploit, since disabling JavaScript is the current workaround until Adobe releases a patch. I found a really useful reversing cheat sheet a few weeks ago and started off by picking a few tools that looked useful for decoding a PDF file and extracting the JavaScript (PDF Tools Suite and Malzilla). From here I’ll proceed to extract the encoded JavaScript from the PDF and work on figuring out what the code does.
Extracting JavaScript from a PDF
The first tool we’ll be using is pdf-parser.py from the PDF Tools suite. This script walks through a PDF file’s objects, displays the raw data in each one, and decodes JavaScript streams if they are compressed (FlateDecode). Running pdf-parser.py on the malicious PDF without any options returns a list of every object in the PDF file… which isn’t very useful to us, since we are only interested in the JavaScript object that hopefully contains the exploit. Instead, you can run pdf-parser.py -s javascript malware.pdf and the script will only return the JavaScript objects. For the PDF in this example it returns:
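To show what pdf-parser.py is doing under the hood, here is a small added example (my own code, not part of pdf-parser.py or the PDF Tools suite) that builds a constructed, harmless PDF with a FlateDecode-compressed JavaScript stream and then locates and inflates the script by object number. It is a deliberately simple regex walk over "N G obj … endobj" pairs and does not handle object streams, cross-reference streams, multiple filters or hex strings, which real samples may use to hide the script.

```python
import re
import zlib

# Constructed sample (not a real malicious file): a minimal PDF whose /OpenAction
# runs a FlateDecode-compressed JavaScript stream. The script is harmless and only
# stands in for whatever a real document carries.
_SCRIPT = b'app.alert("hello from the sample");'
_DEFLATED = zlib.compress(_SCRIPT)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Action /S /JavaScript /JS 4 0 R >>\nendobj\n",
    b"4 0 obj\n<< /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\n",
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")              # /JS 4 0 R   (indirect)
JS_STR_RE = re.compile(rb"/JS\s*\(((?:\\.|[^()\\])*)\)", re.S)  # /JS (...)   (inline, unnested)

def parse_objects(pdf):
    """Map object number -> raw body for every 'N G obj ... endobj' pair."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}

def decode_stream(body):
    """Return a stream's bytes, inflating them when /FlateDecode is declared."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    return zlib.decompress(m.group(1)) if b"/FlateDecode" in body else m.group(1)

def find_javascript(pdf):
    """Like 'pdf-parser.py -s javascript': scripts keyed by the object that holds them."""
    objs = parse_objects(pdf)
    found = {}
    for num, body in objs.items():
        if b"/JavaScript" not in body and b"/JS" not in body:
            continue                                   # not a JavaScript action
        ref = JS_REF_RE.search(body)
        if ref:                                        # script lives in a separate stream object
            script = decode_stream(objs.get(int(ref.group(1)), b""))
        else:                                          # script is an inline literal string
            lit = JS_STR_RE.search(body)
            script = lit.group(1) if lit else None
        if script:
            found[num] = script
    return found
```

Running find_javascript(SAMPLE_PDF) reports object 3 as the action and returns the inflated script from object 4, which is the same pairing pdf-parser.py shows when it lists JavaScript objects and decodes their streams.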