Troj/PDFJs-JN: An exploit kit encapsulating malicious TIFF files

Earlier this week, my colleague Fraser pointed me at a sample we had received called libtiff.pdf. He wrote a quick detection for it (Troj/PDFJs-JN) and left me to investigate the file further. He wasn’t being lazy – it is just that I had more time to analyse the file and am currently harvesting strange PDF files like this whilst writing my paper for the forthcoming VB Conference.

I have noticed in the last few weeks a trend for exploit kits to name the files they create after the exploit they are abusing, so I guessed that the PDF would contain a Tiff. It had one object of interest, using the FlateDecode and ASCII85Decode filters. After flate decoding, the embedded object looked like an ASCII85 stream, but it would not decode correctly. With a little perseverance, however, I identified the problem (the stream had been intentionally truncated) and wrote a utility to decode it.

Sure enough, once decoded I had an XML file containing an embedded Tiff.

The XML file isn’t terminated properly though:

<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp

The next day we received another PDF with the filename libtiff.pdf, but with a different embedded object. However, upon decoding, the XML was very similar to the one from the day before. I updated the Troj/PDFJs-JN detection accordingly, and we have since seen many more files, each subtly different.

I will be expanding on the libtiff vulnerability in my VB presentation.

Some example SHA-1 hashes:

40519f34ce2c76acb5eff9b475b68d5cd64c8bc6
43cf3e3f613f8e4320fe842ba99ad40896f03bd3
4e10d6fb8abd0c75ff388d05f7d0380d0a6e870b
75f78af1f9a978be3f718cea84910803d33132af
86cae4d8d44724565e8de8822f7fdc14639283a5
936891d1a17f3839ef2c8c79f3541443ff0be6d0
9371f75578480e24d71bc20c4051794ae577fec9
a3b0f7573b4ac68ac34cc3579da24e273c2fb0d9
a9ef769ef6da9370c029f50a2a03ceaa05a83683

The animated GIF was created via GICKR.