Quick PDF Analysis

malware analysis PDF
Today we show how to quickly analyze a suspicious PDF file to determine whether it contains malicious content. Check the YouTube video for the full analysis process. The analysis techniques shown in the video are standard practice when dealing with suspicious PDF documents. Thanks to the quick actions of someone, the download site this PDF reaches back to was already taken down. Good job...someone.
Filename: 010820170003375296186050723708.pdf
MD5: b2fbd8077726f78884e5330979b213a1

How to Perform Malware Analysis on Malicious PDF Documents

PDF documents are widely used in today's digital world for sharing and storing information. However, they can also be used to deliver malware to a target system. In this article, we will discuss how to perform malware analysis on malicious PDF documents.

Step 1: Identify the Malicious PDF Document

The first step in analyzing a malicious PDF document is to identify it: confirm that the file really is a PDF and decide whether it deserves a closer look. The file extension is a starting point (common extensions for PDF documents include .pdf, .pdp, and .pdfxml), but an extension can be renamed, so also check the file header: a PDF starts with the bytes %PDF- followed by the version number. Scanning the file with antivirus software, or looking up its hash (such as the MD5 given above) on a multi-engine scanning service, adds a second opinion.

Another hint is the file size. Malicious PDF documents are often smaller than normal PDF documents because they contain compressed content and little real text; a small file that claims to be an invoice or a report is worth a second look. A small size can also indicate that the document has been optimized for malicious purposes. Treat size as a weak indicator only, since benign documents can be tiny and malicious ones can be padded with decoy pages.

Once the malicious PDF document has been identified, it is important to analyze it in an isolated environment, such as a dedicated virtual machine with no access to the production network, to prevent the malware from spreading to other systems.

Step 2: Examine the Document Properties

The next step is to examine the properties of the PDF document. This can be done using a tool like Adobe Acrobat Reader or a text editor; if you use a reader, open the file only inside the isolated environment from Step 1, because rendering the document can trigger its payload. Look at the creation date, modification date, producer, and author name. Malicious PDF documents may contain fake or unusual metadata, and the same values recurring across samples can help in identifying the origin of the file.

In addition to the standard document properties, you should also examine any metadata that may be embedded in the document. This can be done using a tool like ExifTool (for example, exiftool file.pdf), which can extract metadata from many file formats.

Step 3: Analyze the PDF Document with PDF Analysis Tools

Several tools are available to analyze PDF documents, such as PDFStreamDumper, PDFiD, and Origami. These tools can extract and decode objects within the PDF document, helping to identify any suspicious code or behavior. They can also help identify any embedded scripts or links that may be used to exploit vulnerabilities in the PDF reader.

PDFStreamDumper is a command-line tool that can extract objects from a PDF document and save them to a file. This can be useful in analyzing the structure of the document and identifying any suspicious code.

PDFiD is a tool that can identify PDF documents that contain suspicious JavaScript, embedded files, or links to external resources. It can also be used to determine the version of the PDF specification that the document uses, which can be useful in identifying any known vulnerabilities.

Origami is a Python library that can be used to analyze PDF documents. It provides a range of features, including parsing of the document structure, extraction of objects, and analysis of embedded scripts.
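As an added example that is not part of the original article, the following Python script does the first-pass triage described in Steps 1 to 3 by hand: it checks the %PDF- header, reads the literal-string entries of the /Info dictionary, counts PDFiD-style keywords after decoding #xx name escapes (an obfuscation that hides /JavaScript from naive string searches), and reports why a file deserves a closer look. The SAMPLE document is constructed for the demonstration and is not the sample from the post.

```python
import re

# PDFiD-style triage names: an auto-run trigger next to a code carrier is the classic pairing.
TRIGGERS = (b"/OpenAction", b"/AA")
CARRIERS = (b"/JS", b"/JavaScript", b"/Launch", b"/EmbeddedFile", b"/URI", b"/RichMedia")
KEYWORDS = TRIGGERS + CARRIERS + (b"/ObjStm", b"/AcroForm", b"/XFA")

def normalize_names(data):
    """Decode #xx escapes in names (/J#61vaScript -> /JavaScript), which samples use to
    hide keywords from naive string searches. Applied to the whole file as a triage pass."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_version(data):
    """Version from the %PDF-x.y header, or None when the file is not a PDF at all."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    return m.group(1).decode() if m else None

def count_keywords(data, normalize=True):
    """Occurrences of each triage keyword; name boundaries are respected (/JS is not /JSX)."""
    if normalize:
        data = normalize_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z0-9])", data)) for k in KEYWORDS}

def doc_info(data):
    """Literal-string entries (Producer, CreationDate, ...) of the trailer's /Info dictionary."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", data)
    obj = ref and re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+\d+\s+obj\s*<<(.*?)>>", data, re.S)
    pairs = re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1)) if obj else []
    return {k.decode(): v.decode("latin-1") for k, v in pairs}

def triage(data):
    """Reasons the file deserves a closer look; an empty list means nothing obvious."""
    counts, reasons = count_keywords(data), []
    if pdf_version(data) is None:
        reasons.append("no %PDF header: not a PDF, or the header is offset")
    if any(counts[t.decode()] for t in TRIGGERS) and any(counts[c.decode()] for c in CARRIERS):
        reasons.append("auto-run trigger combined with script/launch/embedded content")
    if counts["/JS"] or counts["/JavaScript"]:
        reasons.append("contains JavaScript")
    if count_keywords(data, normalize=False) != counts:
        reasons.append("keywords hidden behind #xx name escapes")
    return reasons

# Constructed sample (not real malware): an /OpenAction pointing at a hex-escaped JavaScript action.
SAMPLE = (b"%PDF-1.7\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
          b"3 0 obj << /Producer (Constructed sample) /CreationDate (D:20170108120000) >> endobj\n"
          b"4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\)) >> endobj\n"
          b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")
```

Run triage(open(path, "rb").read()) on a real file; keyword counts from a triage pass like this are a reason to dig into the objects with PDFStreamDumper or PDFiD, not a verdict on their own.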

Step 4: Analyze the PDF Document with a Sandboxing Tool

Sandboxing tools like Cuckoo or Hybrid Analysis can help in analyzing the behavior of the PDF document. These tools run the PDF document in a virtual environment, allowing you to observe any malicious behavior without compromising the security of the system. This can help in identifying any malicious activity, such as the creation of new files or network connections.

Cuckoo is an open-source sandboxing tool that can analyze various types of files, including PDF documents. It provides a range of features, including analysis of network traffic, system calls, and registry changes.

Hybrid Analysis is a cloud-based sandboxing tool that can analyze PDF documents and other types of files. It provides a range of features, including static and dynamic analysis, network traffic analysis, and behavioral analysis. Because the file is uploaded to a third-party service, consider whether the document may contain sensitive data before submitting it.

Step 5: Analyze the PDF Document with Hex Editors

A hex editor is a tool that lets you examine the raw binary content of a file. By examining the PDF file's bytes directly, you can look for suspicious strings or patterns in the PDF document, including anything that sits outside the objects a parser would show you.

Some of the popular hex editors include HxD and 010 Editor. When examining the PDF file with a hex editor, look for suspicious strings, such as shellcode (for example, long runs of %u- or \x-escaped bytes inside a string) or encoded data. Keep in mind that most object content is stored in FlateDecode-compressed streams, so a keyword that is absent from the raw bytes may still be present once the streams are inflated.

Step 6: Analyze the PDF document's JavaScript

Many malicious PDF documents contain JavaScript that can be used to exploit vulnerabilities in PDF readers. Therefore, it is important to analyze the JavaScript code within the PDF document.

One of the best tools for analyzing JavaScript in PDF documents is PDF-JS. This tool can be used to extract and analyze the JavaScript within the PDF document.
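As an added example for Steps 5 and 6 (not code from the original article), this Python script inflates the FlateDecode streams that a hex editor only shows compressed and pulls out every JavaScript body, whether it is stored as a /JS literal string, a /JS hex string, or a stream referenced as /JS n 0 R. The SAMPLE document is constructed for the demonstration and is not the sample from the post.

```python
import re
import zlib
# "N G obj << dict >> stream ... endstream"; the lookahead stops the dict at an "endobj".
STREAM_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}  # \( \) \\ simply yield the escaped byte

def streams(data):
    """Yield (objnum, dict_bytes, body); /FlateDecode bodies are inflated, the part a hex editor cannot show."""
    for m in STREAM_RE.finditer(data):
        num, head, body = int(m.group(1)), m.group(2), m.group(3)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or deliberately damaged stream: keep the raw bytes
        yield num, head, body

def literal_string(data, i):
    """Parse the literal string at data[i] == b'(' (balanced parens, backslash escapes; octal is left as-is)."""
    depth, out, i = 1, bytearray(), i + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":  # escaped byte: never counts toward paren depth
            c, i = ESC.get(data[i + 1:i + 2], data[i + 1:i + 2]), i + 1
        else:
            depth += (c == b"(") - (c == b")")
        if depth:
            out += c
        i += 1
    return bytes(out)

def extract_javascript(data):
    """JavaScript from /JS literal strings, /JS hex strings, then streams referenced as /JS n 0 R."""
    found = []
    for m in re.finditer(rb"/JS\s*", data):
        i = m.end()
        if data[i:i + 1] == b"(":
            found.append(literal_string(data, i))
        elif data[i:i + 1] == b"<" and data[i + 1:i + 2] != b"<":
            found.append(bytes.fromhex(data[i + 1:data.index(b">", i)].decode()))
    refs = {int(n) for n in re.findall(rb"/JS\s+(\d+)\s+\d+\s+R", data)}
    return found + [body for num, _, body in streams(data) if num in refs]
# Constructed sample PDF (not real malware): one harmless script in each of the three hiding places.
JS_TEXT = b"var s = 'hello'; app.alert(s);"
SAMPLE = (b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R >> endobj\n2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
          b"3 0 obj << /Length 0 /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(JS_TEXT) + b"\nendstream\nendobj\n"
          b"4 0 obj << /S /JavaScript /JS (this.print\\(\\{bUI:false\\}\\)) >> endobj\n"
          b"5 0 obj << /S /JavaScript /JS <6170702E616C657274283129> >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

The recovered scripts are what you then read or run through a JavaScript analysis tool; scripts inside object streams (/ObjStm) need one more inflate-and-parse pass, which this triage script does not do.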

Conclusion

In conclusion, analyzing a malicious PDF document can be a complex task, but following these steps can help you identify any potential threats. By using PDF analysis tools, examining the PDF document's metadata, using a hex editor, analyzing the JavaScript code, and using a sandbox environment to test the PDF document, you can gain a deeper understanding of the PDF document's content and identify any potential threats.