Scenario:
One of our clients informed us they recently suffered an employee data breach.
As a startup company, they had a constrained budget allocated for
security and employee training. I visited them and spoke with the
relevant stakeholders. I also collected some suspicious emails and
a USB drive an employee found on their premises. While I am analyzing
the suspicious emails, can you check the contents on the USB drive?
We are given the USB files as a zip archive. Unzipping it reveals two files: README.pdf and autorun.inf.
We can see that the ‘.inf’ file is a Microsoft Windows AutoRun file.
With this in mind, opening the .inf file shows us this:
This means it instructs Windows to automatically open README.pdf and to use the autorun icon.
Opening the PDF file gives us an empty page with ‘Hello from the other side’ written on it.
So now let’s start answering some of the questions.
- README.pdf
- It absolutely does not!!!
- Magic numbers are the first few bytes of a file that are unique to a particular file type. These unique bytes are referred to as magic numbers, also sometimes called a file signature.
- These bytes can be used by the system to “differentiate between and recognize different files” without a file extension.
We see that it has the correct magic number for a PDF file.
To see this, we can do some more analysis on the file by uploading it to VirusTotal. We can head to the Behavior section to see more about the activities of the malware.
We can see from the process list that the malware executes Windows commands.
To find this, we can use our favourite tool ‘grep’, but by default it will not display binary data on the terminal. This behaviour avoids dumping non-printable characters that could corrupt the display of your terminal.
We can use the -a flag to bypass this, and we will see that the file mentions ‘cmd.exe’:
To answer this, we will use a tool called ‘peepdf’. peepdf is a Python tool for exploring PDF files in order to find out whether a file can be harmful or not. The aim of the tool is to provide all the components a security researcher could need in a PDF analysis without using three or four separate tools. With peepdf it is possible to see all the objects in the document and highlight the suspicious elements; it supports the most commonly used filters and encodings, and it can parse different versions of a file, object streams and encrypted files.
We can clearly see that there is one suspicious OpenAction element. A “suspicious OpenAction element” in a PDF refers to the OpenAction entry in the PDF's catalog, which specifies an action to be performed when the document is opened. In legitimate PDFs, this is often used to display a specific page or set the zoom level when the document is opened. In a security context, however, a “suspicious OpenAction element” typically refers to an action that might be malicious in nature.
The questions end here….
But I am curious to know what that OpenAction is, so let’s investigate further using the peepdf tool. We can use this command to enter its interactive mode:
Then we can use the tree command to see the structure of the PDF.
We then choose object 1 to see the main /Catalog, where we find an /OpenAction entry with the object reference 27 0 R. This means that the PDF has been set up to perform a specific action defined in object 27 when it is opened.
To see that object, we run object 27.
This code calls the exportDataObject method, which is used to export an embedded file from the PDF to the file system. Specifically, it is trying to export an embedded file named "README". The nLaunch: 0 parameter indicates that the exported file should not be automatically launched/executed after it is exported.
This kind of behavior can be considered suspicious.
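As an added example (not from the original writeup and not part of peepdf), here is a small Python triage script that performs the same checks the writeup does by hand: the %PDF- magic-number check, a count of risky keywords, and resolving the /OpenAction reference to see whether it runs JavaScript that calls exportDataObject. The sample PDF bytes are constructed to mirror the file analysed above, and the keyword list is an assumption about what is worth flagging.

```python
import re

# Constructed sample: a minimal PDF whose catalog /OpenAction points at a
# JavaScript object that exports an embedded file, as in the writeup.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 27 0 R /Names << /EmbeddedFiles << /Names [(README) 28 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
27 0 obj << /S /JavaScript /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });) >> endobj
28 0 obj << /Type /Filespec /F (README) /EF << /F 29 0 R >> >> endobj
29 0 obj << /Type /EmbeddedFile /Length 4 >> stream
abcd
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

PDF_MAGIC = b"%PDF-"
# Assumed list of keywords that PDF analysis tools commonly flag for review.
SUSPICIOUS_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                   b"/EmbeddedFile", b"/RichMedia"]

def has_pdf_magic(data: bytes) -> bool:
    """Magic-number check: a real PDF starts with %PDF- (readers tolerate a little leading junk)."""
    return PDF_MAGIC in data[:1024]

def count_keywords(data: bytes) -> dict:
    """Count raw occurrences of each keyword; filtered/compressed streams are not decoded."""
    counts = {}
    for key in SUSPICIOUS_KEYS:
        # The lookahead stops /JS matching /JSX and /EmbeddedFile matching /EmbeddedFiles.
        counts[key.decode()] = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
    return counts

def open_action_target(data: bytes):
    """Return the object number referenced by /OpenAction (indirect reference), or None."""
    m = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)
    return int(m.group(1)) if m else None

def get_object(data: bytes, num: int) -> bytes:
    """Extract the raw body of object `num` (works for uncompressed objects only)."""
    m = re.search(rb"(?<![\d])%d\s+\d+\s+obj(.*?)endobj" % num, data, re.S)
    return m.group(1).strip() if m else b""

def triage(data: bytes) -> dict:
    """Summarise the indicators the writeup found: magic, keywords, and what /OpenAction does."""
    target = open_action_target(data)
    body = get_object(data, target) if target is not None else b""
    return {"magic_ok": has_pdf_magic(data), "keywords": count_keywords(data),
            "open_action_obj": target,
            "runs_javascript": b"/JavaScript" in body or b"/JS" in body,
            "exports_embedded_file": b"exportDataObject" in body}

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run it against a real file with `triage(open(path, "rb").read())`; objects hidden inside compressed object streams will not be seen by this raw scan, which is exactly where peepdf's filter support becomes necessary.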