Empty PDF delivers nothing but pain

Exploited PDFs are becoming the new rage [1] amongst malware-authoring circles due to various factors, including ease of creation, cross-platform reach and being web-triggerable. They are also allowed through by most perimeter scanners due to the PDF's popularity as a de facto web standard.

Unlike Microsoft's OLE2 format (another popular malware delivery vector [2]), which requires much more effort to craft a malicious document, the Adobe PDF format allows simple documents to be constructed with as little as a text editor and some off-the-shelf tools. When packaged up with stock heap-spraying JavaScript to trigger a known vulnerability in a particular flavour of PDF reader, a ready-made malware delivery mechanism results. That code reuse is rampant in the malware community is obvious when some samples are examined side by side:

Comparison of two exploited PDFs

Analysis of the simpler constructions is rather trivial, and is described well in Didier Stevens' blog post "Anatomy of malicious PDF documents"; however, it can get much more complex when things like stream Filters are involved.

Opening the document renders an innocent blank page; however, the embedded JavaScript (if enabled) begins to execute, first decoding itself and then spraying the heap with shellcode in order to gain control of execution, or alternatively visiting a site which determines the best exploit to serve in order to continue the infection.

Identifying a PDF as exploited when there is a large chunk of JavaScript in an otherwise sparse document is easy for both human and machine, but this quickly changes when more realistic documents are crafted with many legitimate objects. The task for an AV engine is then not only to correctly parse the PDF structure but to correctly differentiate between legitimate and malicious JavaScript.
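As an added example (not code from the original post), here is a small Python scanner that shows why the Filter and structure-parsing steps above matter: the constructed sample PDF is a blank page whose JavaScript action dictionary sits inside a FlateDecode object stream, so a plain string search of the raw file misses it, while the scanner inflates the stream and correlates the JavaScript with the auto-run /OpenAction hook. The sample document, the indicator list and all function names are constructed for this example.

```python
import re
import zlib

# Indicators from the post: JavaScript reachable from an auto-run hook
# (/OpenAction, or an additional-actions /AA entry) in a near-empty document.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def build_sample_pdf(js=None):
    """Blank-page PDF constructed for this example (not a real sample). With js set,
    the action dictionary is hidden in a FlateDecode object stream (PDF 1.5 /ObjStm)."""
    objs = {1: b"<< /Type /Catalog /Pages 2 0 R >>",
            2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"}
    if js is not None:
        objs[1] = b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>"
        header = b"5 0\n"  # object-stream index: object 5 starts at offset 0
        packed = zlib.compress(header + b"<< /S /JavaScript /JS (" + js + b") >>")
        objs[4] = (b"<< /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>"
                   b"\nstream\n" % (len(header), len(packed)) + packed + b"\nendstream")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in sorted(objs.items()))
    return b"%PDF-1.5\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

def scan_pdf(data):
    """Map each indicator to the object numbers containing it, searching inflated
    FlateDecode stream contents as well as the raw object dictionaries."""
    hits = {}
    for num, body in OBJ_RE.findall(data):
        text = body
        m = STREAM_RE.search(body) if b"/FlateDecode" in body else None
        if m:
            try:
                text += b"\n" + zlib.decompress(m.group(1))
            except zlib.error:
                pass  # corrupt or non-zlib data: fall back to the raw dictionary
        for key in SUSPICIOUS_KEYS:  # (?!...) stops /JS matching inside longer names
            if re.search(re.escape(key) + rb"(?![A-Za-z])", text):
                hits.setdefault(key.decode(), []).append(int(num))
    return hits

def verdict(hits):
    """Combine indicators along the attack chain the post describes."""
    auto_run = "/OpenAction" in hits or "/AA" in hits
    has_js = "/JavaScript" in hits or "/JS" in hits
    if auto_run and has_js:
        return "suspicious: JavaScript reachable from an auto-run action"
    return "review: JavaScript present" if has_js else "clean"
```

The scanner understands only FlateDecode and does not normalise #xx name escapes (e.g. /J#53 for /JS) or other filters, two of the gaps a production parser has to close.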

Runtime technologies play a significant part in helping detect anomalous behaviour [3,4] and can help mitigate potential threats where static file-based detection fails or is infeasible, but the onus is still on end users to be vigilant and conservative when playing on the net, using good judgment with a hint of paranoia and scepticism in an effort to remain uninfected. Disabling JavaScript handling in your favourite PDF reader is also an excellent way to avoid this particular malware deployment.