PDF File Format / MS Office

Question 1

Name two main tools used to analyse PDF Files?

Answer 1

• PDF-ID counts the occurance of certain keywords
• PDF-Parser actually understands the file format.

It can decode content with “-f” option (/FlateDecode = Zlib compression). Can search for strings in PDF file with “-s”.

Both of these are command-line Python scripts.

Question 2

What does a JavaScript need to be executed in a PDF?

Answer 2

Javascript needs /OpenAction event to be executed.

Question 3

What are PDF Filters?

Answer 3

PDF Filter are applied from right to left. I.e. first /FlateDecode and then /ASCIIHexDecode.

Question 4

How can you get around JavaScript Obfuscation in PDF files?

Answer 4

• Add <scipt> tag and HTML</scipt>
• Tools like Malzilla or Revelo

Question 5

What are ObjectStreams?

Answer 5

An ObjectStream (/ObjStm) is a special type of object. It is an object, that contains a stream, that itself includes other objects. The idea is that multiple objects can be placed in one stream, and the whole stream can be compressed. In practice a document will generally have several object streams, that keep related items together – e.g. All objects for page 1, page 2 etc – this allows for the PDF to still be random accessed easily.

Can be analyzed like this: pdf-parser.py –s ObjStm –f –w 10.pdf | pdfid.py -f

Question 6

Which tool would be more useful in analyzing a PDF file – a Hex Editor or a Text Editor?

Answer 6

Text – it’s a text based file format

Question 7

What are the main part of a PDF file?

Answer 7

• Header
• Objects
• Cross Reference (Points to each object)
• Trailer (EOF, Offset to XREF)

Question 8

What are you looking for in MS Office documents?

Answer 8

• Dropped Files (via Macro or exploit)
• Shellcode (via a vulnerability)
• URL callouts (acting as downloader)
• Malicious Scripts (download / dropping a file)

Question 9

What is the approach of analysing MS Office documents?

Answer 9

1. Locate potentially malicious embedded code
2. Extract suspicious code from the file
   
   1. If shellcode - disassemble / debug
   2. If other script - deobfuscate
3. Figure out the end goal and next stage of infection chain

Question 10

Name some tools to analyse MS Office documents?

Answer 10

• OfficeMalScanner
• OleDump
• OffVis
• python-oletools

Question 11

How to run pdf-id?

Answer 11

python pdfid.py <filename></filename>

Question 12

How to run pdf-parser?

Answer 12

python pdf-parser.py <filename></filename>

Question 13

How to parse out (see content) individual objects from a PDF?

Answer 13

python pdf-parser.py -o 5 -c <pdffile></pdffile>

• -o : Object number
• -c : Prints out content

Question 14

How to parse out individual objects from a PDF that is ASCII decoded?

Answer 14

python pdf-parser.py -o 5 -f <pdffile></pdffile>

• -o : Object number
• -f : Decodes filter

Question 15

How can hackers use PDF to put in malicious code?

Answer 15

Obfuscation by using filters

Question 16

How can you search for JavaScript within a PDF file?

Answer 16

python pdf-parser.py -s Javascript <filename></filename>

• -s : searches for JS

Question 17

How to search for any OpenAction event in a PDF file?

Answer 17

python pdf-parser.py -s OpenAction <filename></filename>

Question 18

How can you analyse an ObjStm in a PDF?

Answer 18

pdf-parser.py –s ObjStm –f –w 10.pdf | python pdfid.py -f

• -s : search for string
• -f : decode filters
• -w : Output in raw data format
• -f : force

Question 19

What is a HeapSpray attack?

Answer 19

The idea of a HeapSpray is to fill the area of memory known as the heap with shellcode, so that once our vulnerability triggers – the exploit code will be run. Fill almost all of the Heap with NOP instruction.

Question 20

How can you dump an object of a PDF?

Answer 20

python pdf-parser.py -o 5 -f -d exportname.exe <pdffile></pdffile>

Question 21

How can you attach a file to a PDF?

Answer 21

1. /EmbeddedFile
2. Append file after EOF

Question 22

How to look for extra details in a PDF?

Answer 22

python pdfid.py -e filename.pdf

Question 23

How to extract a file which is appended to a pdf?

Answer 23

python pdf-parser.py -x filename.pdf

Question 24

What are AcroForms in PDFs?

Answer 24

AcroForm are designed to allow PDF to include forms just like a webpage would have. They also however can trigger JavaScript.

Question 25

What is an XML bomb?

Answer 25

An XML bomb is a message composed and sent with the intent of overloading an XML parser. The JavaScript loads the metadata of the PDF. Metadata is normally where you will find details such as the author, title, etc. but it can also include JS.

/JS (this.metadata;)

Question 26

How can you run a phising attack using a PDF?

Answer 26

By using the JS function app.fs.isFullscreen = true

Combined with AcroForms it’s perfect for a fake bank page.

Question 27

How can you embed a VBS script to a PDF and make it run when you open the PDF?

Answer 27

By using the /Launch parameter (check with pdf-id.py)

Question 28

How can you decrypt a pdf file?

Answer 28

qPDF -decrypt input.pdf output.pdf

(works with Owner password protected files)

Question 29

Name a online PDF sandbox?

Answer 29

Joes Sandbox

Question 30

Name a few advanced PDF attacks?

Answer 30

• HeapSpray
• Embedded EXE files
• AcroForm
• XML bomb
• app.fs.isFullscreen = true
• Encrypted PDF

Question 31

What are the two file formats used for Office documents?

Answer 31

• OLE file format (doc/xls/ppt)
• Office Open XML