Analyzing Malicious PDF Documents with PDF Stream Dumper


Vulnerable plugins allow attacker to run malicious code on any Internet user one of the most widely installed browser plugin is Acrobat Reader, this makes attacker focus on this plugin to have control on as much possible from victims on internet.

Attack scenario is very simple and looks as follows hackers create malicious PDF files that they spread across the Web. When a victim clicks the PDF, it executes JavaScript to leverage vulnerability in Adobe’s JavaScript implementation that uses a memory corruption attack to inject shell code.

Well known example is an obfuscated Javascript malware inside a PDF file taking advantage of CVE-2008-2992 and CVE-2009-0927analyzed by Kimberly ( on 2010.

Malicious PDFs often include JavaScript code that checks used Adobe Reader version. So if an investigator opens the PDF with a non-vulnerable version of Adobe Reader, the JavaScript will back off and not attempt the exploit. And they may report the PDF as a clean file.

For analyzing pdf file you can use PDF Stream Dumper an open source tool that can do the following:

1.      Analyzing PDF File Suspicious content      

The tool already has a signature for exploit to compare against any pdf file you want to examine.  You start by uploading the pdf file or drag and drop it. Than you select exploit scan on the top of the application interface and you will find suspicious objects within the PDF file.

2.       Analyzing PDF File Malicious Javascript 

 Adobe Reader uses a modified version of SpiderMonkey to execute JavaScript that it finds within PDF files. JavaScript within PDF files is often compressed to conceal its intentions from analysts and intrusion detection systems. PDF Stream Dumper allows you to run these scripts using the built-in interpreter, which can help you deobfuscate them.

3.       Analyzing PDF File Shellcode

PDF Stream Dumper integrates tools for analyzing shellcode , Libemu a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics.  So instead of statically analyzing the shellcode, you can use the libemu emulation library.

Emulation makes it possible to determine which API functions a program uses without the risk of infecting your machine. Output from libemu is much different than a static disassembly, because it shows the contents of registers after each instruction and creates logs of API calls made by the shellcode.

  • Pingback: Episode 472 – ICSA Mobile, How Much Porn? & Malicious PDF | InfoSec Daily()