Analyzing Malicious PDF Files

CWSandbox
Recently we added a new feature to cwsandbox.org: it is now also possible to upload suspicious PDF files, which are then analyzed with the help of CWSandbox. Basically, we open the submitted file with Acrobat Reader 8.1.1, since that version has several known vulnerabilities. During runtime we observe the behavior of Acrobat and can detect suspicious changes such as new files on the hard disk or modified registry keys. Based on the generated report, it is then possible to tell malicious PDF files from benign ones.

An example of such an analysis is available at https://cwsandbox.org/?page=details&id=520505&password=sfgpk. The PDF file 0416.pdf is malicious and has rather good detection by AV vendors (21/38). In the CWSandbox report, we can see that the PDF file is opened with Acrobat Reader and then drops a new file called wuweb.exe, which is also executed. Afterwards, several other files are dropped and a server located in Singapore is contacted. Unfortunately this server is now offline, but presumably it was used to download additional malware onto the system.

Trackbacks

  1. Investigating Dubious PDF Documents

    Addendum to the post about CWSandbox: the free online service now also logs what happens when a possibly infected PDF document is opened with the outdated version 8.1.1 of Acrobat Reader. This example report of the...

  2. Malicious PDFs Analysis Continued

    After my initial posting about the possibility to analyze PDF files with CWSandbox we received a few more such samples. In all cases the PDF file exploits a vulnerability in Acrobat Reader once the file is opened. With the help of CWSandbox it is possible

Comments


  1. Joe says:

    Hi Thorsten

    Have you thought about subtracting the normal Acrobat behaviour from the one which has loaded the malicious file (behaviour baselines)? If you do that, users only see the malicious actions and do not have to differentiate between good and bad actions.

    Cheers

    Joe

  2. Chad says:

    Hi Joe,

    that 'diff' function is something we're working on actually now. The idea would be to have a library of good/clean analysis for different applications and blank docs, and be able to diff the malicious doc analysis against the baseline 'good' analysis. - Chad
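The baseline-subtraction idea Joe and Chad discuss, worked through as an added example. This is not CWSandbox's own code, and its event schema, the `Event`, `normalize`, `diff_reports` and `score` names, the file paths, the `AcroRd32.exe` parent label and the 203.0.113.10 address are all constructed for illustration, modelled on the behaviour the post describes (a dropped wuweb.exe that is executed and then contacts a remote server). The point it shows is that a baseline diff only works if per-run noise (user name, random temp file names) is normalized first; otherwise the benign events never cancel out.

```python
"""Behaviour-baseline diff for sandbox reports (illustrative example).

The event format below is constructed for this example and is not
CWSandbox's real report schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "file_create", "process_create", "registry_set", "net_connect"
    target: str        # path, image name, registry key, or host:port
    detail: str = ""   # registry value name, parent process, originating image, ...


# Constructed baseline: what the reader does when opening a blank PDF.
BASELINE = [
    Event("registry_set", r"HKCU\Software\Adobe\Acrobat Reader\8.0\AVGeneral", "bLastExitNormal"),
    Event("file_create", r"C:\Documents and Settings\user\Local Settings\Temp\acrA1B2.tmp"),
    Event("file_create", r"C:\Documents and Settings\user\Application Data\Adobe\Acrobat\8.0\UserCache.bin"),
]

# Constructed sample run, modelled on the behaviour described in the post.
# Note the different user name and temp file name: pure run-to-run noise.
SAMPLE = [
    Event("registry_set", r"HKCU\Software\Adobe\Acrobat Reader\8.0\AVGeneral", "bLastExitNormal"),
    Event("file_create", r"C:\Documents and Settings\analyst\Local Settings\Temp\acrC3D4.tmp"),
    Event("file_create", r"C:\Documents and Settings\analyst\Application Data\Adobe\Acrobat\8.0\UserCache.bin"),
    Event("file_create", r"C:\WINDOWS\system32\wuweb.exe"),
    Event("process_create", r"C:\WINDOWS\system32\wuweb.exe", "parent=AcroRd32.exe"),
    Event("net_connect", "203.0.113.10:80", "by=wuweb.exe"),
]

_USER_RE = re.compile(r"(Documents and Settings\\)[^\\]+", re.I)
_TMP_RE = re.compile(r"\\acr[0-9A-F]{4}\.tmp$", re.I)


def normalize(ev: Event) -> Event:
    """Collapse per-run variation (user profile name, random temp file name)
    so that benign noise in the sample matches the baseline."""
    target = _USER_RE.sub(r"\1<USER>", ev.target)
    target = _TMP_RE.sub(r"\\acr<RAND>.tmp", target)
    return Event(ev.kind, target.lower(), ev.detail)


def diff_reports(baseline, sample):
    """Return the sample events that have no counterpart in the baseline."""
    base = {normalize(e) for e in baseline}
    return [e for e in sample if normalize(e) not in base]


EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd")


def score(delta):
    """Classify the residual events. Returns (verdict, reasons); a document
    viewer that drops executables, spawns processes, touches autostart keys
    or talks to the network after opening a file is treated as malicious."""
    reasons = []
    for e in delta:
        low = e.target.lower()
        if e.kind == "file_create" and low.endswith(EXEC_EXT):
            reasons.append(f"dropped executable {e.target}")
        elif e.kind == "process_create":
            reasons.append(f"spawned process {e.target} ({e.detail})")
        elif e.kind == "net_connect":
            reasons.append(f"outbound connection to {e.target} ({e.detail})")
        elif e.kind == "registry_set" and "\\run" in low:
            reasons.append(f"autostart registry change {e.target}")
    return ("malicious" if reasons else "clean"), reasons


if __name__ == "__main__":
    residual = diff_reports(BASELINE, SAMPLE)
    verdict, why = score(residual)
    print(f"{len(residual)} events not in baseline -> {verdict}")
    for r in why:
        print("  -", r)
```

Run stand-alone, the script reports three residual events and a "malicious" verdict; the three benign events present in both runs disappear despite the different user name and temp file name. A baseline library, as Chad describes, would hold one such `BASELINE` per application and document type, and the normalization rules would grow with whatever run-to-run variation those applications exhibit.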

  3. George Terry says:

    One of the benefits of using Cw Sandbox is that there is no risk of infecting a network during the analysis. They are also known to provide fast and detailed reports and I would really recommend using them.
