PDF Payload Analysis 101

by Coleman Kane

LAB02: PDF Payload Analysis 101

During the week of 2021-02-08, we discussed the static analysis material that was reviewed the prior week. The static analysis content included some discussion around analysis of PDF and EXE file formats.

The following link contains a ZIP file that has a weaponized PDF in it. The ZIP is password-protected.

• hw02.zip [password: cs6038]

This PDF uses a simple technique to install and run an EXE on the target system. For this exercise, using only static analysis methods, analyzed PDF and extract the EXE file from the appropriate place within the PDF. Use static analysis tools on both to answer the 11 questions below:

1. How many objects in the pdf?
2. Which objects contain data streams?
3. Which object contains script code to execute the backdoor?
4. Which object contains the stream that is the EXE backdoor?
5. Describe how you determined the content is an EXE file.
6. Was this EXE encoded? What algorithm encodes it?
7. What is the address of the entry-point in the EXE?
8. What is the file size of the EXE?
9. What is the SHA256 checksum of the EXE?
10. What is the compilation time of the EXE?
11. Using strings, try to determine what IP address or domain name the EXE might connect to.

Tip: You’ll want to review use of pdf-parser, objdump, and strings. For pdf-parser, the -o, -f, -d, and -w options may be helpful.

home