If you get frequently getting asked to analyze suspicious Adobe PDF documents for potential malicious content or malware, this triage guide might be of help. Adobe PDF documents are complex things to analyze sometimes, but it is possible to get a quick answer whether or not a particular PDF merits deeper examination.
You should always conduct this type of examination on an isolated machine off of any production network. Air-gapped VMware and Deep Freeze based examination systems work fine.
The steps below DO NOT definitely determine that a particular PDF has malware or is malicious - they are just good practice to triage PDFs to see if further analysis is warranted. These triage steps should take just a few minutes to complete. Deeper analysis can take hours or days depending on the complexity of the PDF sample.
1). Submit sample to http://www.virustotal.com/. This is the most reliable multi-AV scanner site available right now.
2). Submit sample to Wepawet: http://wepawet.cs.ucsb.edu/. (Wepawet has a good reputation, but does sometimes report malicious PDFs as harmless if an obfuscation technique is used that Wepawet doesn't detect).
3). Submit sample to http://mwanalysis.org/. (This site sometimes is a little buggy, but is worth a try).
4). Run Didier Stevens’ PDFiD.py. (For this you will need a suitable Python runtime environment installed. You can get that for Windows from http://www.python.org/download/windows/).
With PDFiD.py, what you are looking for is:
- The /Page output tells you how many pages are in the PDF document. At present, most malicious PDF documents you will come across will have only one page.
- A non-zero value for /JBIG2Decode indicates that the PDF document uses JBIG2 compression. This is unusual and worthy of investigation given the JBIG2 vulnerability that cropped up in Adobe reader around January 2009. The existence of JBIG2 compressed content isn't necessarily proof of malicious content, but you must investigate further if you see this.
PDFiD 0.0.10 typical_clean.pdf
PDF Header: %PDF-1.4
/Colors > 2^24 0
Hopefully this process will help you more quickly and accurately sift through more of your malicious Adobe PDF triage workload. If you need assistance with malicious PDF analysis, please ZIP up your PDF and sent it to david @ sharpesecurity.com. Normal triage for one PDF is around $100 USD, and deep dive analysis is normally around $500 USD. As always, if you aren't happy with the work we will refund 100% of what you paid.
Similarly contact sales @ sharpesecurity.com for assistance with malware sample analysis, Windows RAM dump analysis for malware or incident response (XP/Vista/Windows 7/Server 2000/2003/2008), and any Windows or MSI software packaging, automation, or deployment needs you might have. All work is backed by our normal 100% money back satisfaction guarantee.
email: david @ sharpesecurity.com