Earlier this week, my colleague Fraser pointed me at a sample we had received called libtiff.pdf. He wrote a quick detection for it (Troj/PDFJs-JN) and left me to investigate the file further. He wasn’t being lazy – it is just that I had more time to analyse the file and am currently harvesting strange PDF files like this whilst writing my paper for the forthcoming VB Conference.
I have noticed in the last few weeks a trend for exploit kits to name the files they create after the exploit they are abusing, so I guessed that the PDF would contain a Tiff. It had one object of interest, using FlateDecode and ASCII85Decode filters. After flate decoding, the embedded object looked like an ASCII85 stream, but was not decoding correctly. With a little perseverance, however, I identified the problem (the stream had been intentionally truncated) and wrote a utility to decode it.
Sure enough, once decoded I had an XML file containing an embedded Tiff:
The XML file isn’t terminated properly though:
<pageArea name="PageArea1" />
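To show why the stock decoder chokes on a stream like this and what a tolerant one has to do, here is an added example, not the author's utility: it rebuilds a stream the way the post describes (ASCII85, then flate) with the `~>` terminator dropped, which is an assumed form of the truncation since the post does not spell out the exact damage, and decodes it with a lenient ASCII85 routine. The XML payload is a constructed stand-in, not the sample's content.

```python
import base64
import zlib

# Constructed stand-in for the XML the post describes (not the real sample).
PAYLOAD = b'<?xml version="1.0"?><template><pageArea name="PageArea1" />'

def encode_like_sample(data: bytes) -> bytes:
    """Build a stream as the post describes it: ASCII85 first, then flate,
    with the '~>' terminator dropped (assumed form of the 'intentional
    truncation'; the post does not spell out the exact damage)."""
    a85 = base64.a85encode(data, adobe=True)   # b'<~...~>'
    return zlib.compress(a85[:-2])              # drop the '~>' terminator

def a85decode_lenient(text: bytes) -> bytes:
    """ASCII85 decoder that tolerates a missing '~>' terminator, whitespace,
    the 'z' shorthand and a partial final group."""
    if text.startswith(b'<~'):
        text = text[2:]
    end = text.find(b'~>')
    if end != -1:
        text = text[:end]
    text = b''.join(text.split()).replace(b'z', b'!!!!!')
    out = bytearray()
    for i in range(0, len(text), 5):
        group = text[i:i + 5]
        pad = 5 - len(group)
        group += b'u' * pad                     # spec padding for a short tail
        value = 0
        for c in group:
            digit = c - 33
            if not 0 <= digit <= 84:
                raise ValueError(f'invalid ASCII85 byte {c!r} at offset {i}')
            value = value * 85 + digit
        if pad == 0 and value > 0xFFFFFFFF:
            raise ValueError(f'ASCII85 group overflow at offset {i}')
        out += value.to_bytes(4, 'big')[:4 - pad]  # drop bytes from padding
    return bytes(out)

def decode_stream(stream: bytes) -> bytes:
    """Apply the filters in the order the post describes: inflate, then ASCII85."""
    return a85decode_lenient(zlib.decompress(stream))

def strict_decoder_rejects(stream: bytes) -> bool:
    """True if the stock decoder refuses the truncated stream."""
    try:
        base64.a85decode(zlib.decompress(stream), adobe=True)
    except ValueError:
        return True
    return False
```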
The next day we received another PDF with the filename libtiff.pdf, but with a different embedded object. However, upon decoding, the XML was very similar to the one from the day before. I updated the Troj/PDFJs-JN detection accordingly, and we have since seen many more files, each subtly different.
I will be expanding on the libtiff vulnerability in my VB presentation.
Some example SHAs:
The animated GIF was created via GICKR.