Complex obfuscated PDF exploit

06.02.2009 - 7:00 PM

While tracking a PDF-based threat, Websense Security Labs™ has seen complex, obfuscated JavaScript being used in both malicious Web pages and related PDF files. The intent of the obfuscated code is to infect visitors' machines via a malicious PDF file.

Since the beginning of the year, many attackers have started to use PDF exploits (see Adobe PDF Exploit Code Analysis) with injected JavaScript code. The structure of this code has been constantly evolving, adding new techniques and becoming more and more complicated. For example, the JavaScript code embedded in Web pages uses arguments.callee() to refer back to the obfuscated function itself, and also uses the URL string as a key to decode the obfuscation. These tricks aim to protect the code from being modified. Randomly generated variable and function names also make the code hard to analyze.

Screenshot of malicious JavaScript code:

The code opens a PDF file by appending a script tag and executing it with the eval() function.

Screenshot of deobfuscated JavaScript code:

Attackers have also enhanced the obfuscated code used in PDF files. In some places, characters in the keywords of PDF dictionaries have been randomly replaced by their hex codes, and the compressed JavaScript stream uses FlateDecode and is additionally encoded with ASCIIHexDecode. These changes prevent many of the PDF parser engines used by virus scanners from identifying the malicious code. Many AV engines can't decode this type of obfuscation because they only support the standard format and can't recognize the irregular object header. They know "/FlateDecode", but don't know "/F#6cteDecod#65", and therefore can't decompress the stream.
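As an added example (not code from the post or from Websense), the following Python normaliser handles the two tricks just described from the scanner's side: it resolves `#xx` escapes in PDF name tokens so an escaped spelling compares equal to the plain keyword, then applies the ASCIIHexDecode and FlateDecode chain in order. The stream object and the benign JavaScript payload are constructed for the demo; the escaped filter names in it are my own examples, not taken from the samples in the post.

```python
import re
import zlib

def decode_pdf_name(name: str) -> str:
    """Resolve #xx escapes in a PDF name token, e.g. '/F#6cateDecod#65' -> '/FlateDecode'."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), name)

def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode: hex digits up to the '>' EOD marker, whitespace ignored, odd digit padded with 0."""
    text = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(text) % 2:
        text += b"0"
    return bytes.fromhex(text.decode("ascii"))

FILTERS = {"ASCIIHexDecode": ascii_hex_decode, "FlateDecode": zlib.decompress}

def filter_chain(obj: bytes) -> list:
    """Return the /Filter names of a stream object, #xx escapes resolved, in decode order."""
    dictionary = obj.split(b"stream", 1)[0].decode("latin-1")
    # Normalise every name token (dictionary keys included) before matching, so an
    # escaped spelling compares equal to the keyword a scanner expects.
    plain = re.sub(r"/[^\s/\[\]<>()]*", lambda m: decode_pdf_name(m.group(0)), dictionary)
    match = re.search(r"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", plain)
    return re.findall(r"/([A-Za-z0-9]+)", match.group(1)) if match else []

def decode_stream(obj: bytes) -> bytes:
    """Apply the normalised filter chain to the raw bytes between 'stream' and 'endstream'."""
    raw = obj.split(b"stream", 1)[1].split(b"endstream", 1)[0].strip(b"\r\n")
    for name in filter_chain(obj):
        raw = FILTERS[name](raw)  # KeyError here means a filter this demo does not support
    return raw

def build_sample_object(payload: bytes) -> bytes:
    """Constructed stream object (hypothetical, not from a real file): the payload is
    deflated, then hex-encoded, and the dictionary keywords carry #xx escapes."""
    body = zlib.compress(payload).hex().encode("ascii") + b">"
    head = b"<< /L#65ngth %d /Filter [ /ASCIIH#65xDecode /F#6cateDecod#65 ] >>" % len(body)
    return b"7 0 obj\n" + head + b"\nstream\n" + body + b"\nendstream\nendobj\n"

# Benign constructed script standing in for the obfuscated JavaScript in the real files.
SAMPLE_JS = b"var msg = 'constructed sample'; app.alert(msg);"
SAMPLE_OBJECT = build_sample_object(SAMPLE_JS)

if __name__ == "__main__":
    print(filter_chain(SAMPLE_OBJECT))  # ['ASCIIHexDecode', 'FlateDecode']
    print(decode_stream(SAMPLE_OBJECT))
```

A scanner that matches filter names only in their literal spelling never reaches the `FlateDecode` step here, which is exactly the gap the post describes.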

Screenshot of PDF source code:

Screenshot of the decompressed JavaScript stream in PDF file:

After decoding the hex stream, we can see the JavaScript source code hidden in the PDF files. Unfortunately, it is still obfuscated.

Screenshot of decoded JavaScript stream from PDF file:

In the image above, we can see that the JavaScript is similar to the code used in the Web page. We deal with it in the same way, and finally end up with the source code.

Screenshot of final, deobfuscated JavaScript stream from PDF file:

As shown above, the exploit is related to a buffer overflow in the Collab.collectEmailInfo() (CVE-2007-5659) and Collab.getIcon() (CVE-2009-0927) functions.

All of this effort to hide the malicious code is clearly an evolving attempt to evade detection by security solutions.

Websense Messaging and Websense Web Security customers are protected against this attack.

Security Researcher: Hermes (Lei) Li
