Malicious PDF files are commonly used by attackers to spread malicious software, often targeting patched and zero-day vulnerabilities in Adobe Reader. Recent report from Symantec on the Rise of PDF Malware, authored by Karthik Selvaraj and Nino Fred Gutierrez, explores these trends from a comprehensive data-driven perspective. The report is filled with technical details and is a must-read for people combating malware threats.
The report describes attack trends across the three common methods for distributing PDF files:
- Mass-mailed PDFs
- PDFs hosted in malicious web pages
- PDFs used in targeted attacks
Symantec discusses inner-workings of exploits carries by malicious PDF documents. In most cases, such exploits have often used JavaScript to spray the heap of Adobe Reader prior to triggering the vulnerability. However, there are other techniques for getting the attacker’s shellcode into the targeted program’s memory. In particular, some malicious PDFs used an embedded Flash object that embeds ActionScript to set up the stage for the exploit.
The report also discusses common defensive methods used in malicious PDFs to complicate detection and analysis of such files. This involves JavaScript obfuscation, splitting JavaScript across several PDF streams, using various stream encoding methods and employing encryption.
On a related note, if you want to learn how to analyze malicious PDFs, take a look at my Analyzing Malicious Documents Cheat Sheet. I get into this topic in the reverse-engineering malware course I teach at SANS.