Sunday, February 21, 2010

Quickly Triage Adobe PDF Documents for Malware

If you get frequently getting asked to analyze suspicious Adobe PDF documents for potential malicious content or malware, this triage guide might be of help. Adobe PDF documents are complex things to analyze sometimes, but it is possible to get a quick answer whether or not a particular PDF merits deeper examination.

You should always conduct this type of examination on an isolated machine off of any production network. Air-gapped VMware and Deep Freeze based examination systems work fine.

The steps below DO NOT definitely determine that a particular PDF has malware or is malicious - they are just good practice to triage PDFs to see if further analysis is warranted. These triage steps should take just a few minutes to complete. Deeper analysis can take hours or days depending on the complexity of the PDF sample.

1). Submit sample to This is the most reliable multi-AV scanner site available right now.

2). Submit sample to Wepawet: (Wepawet has a good reputation, but does sometimes report malicious PDFs as harmless if an obfuscation technique is used that Wepawet doesn't detect).

3). Submit sample to (This site sometimes is a little buggy, but is worth a try).

4). Run Didier Stevens’ (For this you will need a suitable Python runtime environment installed. You can get that for Windows from

With, what you are looking for is:
- The /Page output tells you how many pages are in the PDF document. At present, most malicious PDF documents you will come across will have only one page.
- Non-zero counts for /JS and /JavaScript indicate that the PDF document contains JavaScript. Almost all malicious PDF documents that you will come across will contain Javascript. The presence of Javascript DOES NOT by itself mean that the PDF is malicious. To make that determination correctly, you must see what the Javascript does.
- Non-zero counts for triggers like /AA and /OpenAction indicate that an automatic action to be performed when the page or document is viewed. Almost all malicious PDF documents you will come across will have both JavaScript and an automatic action to launch the JavaScript without any user action required. If you see both an automatic action trigger and JavaScript, you need to do further analysis. The PDF is probably not clean.
- A non-zero value for /JBIG2Decode indicates that the PDF document uses JBIG2 compression. This is unusual and worthy of investigation given the JBIG2 vulnerability that cropped up in Adobe reader around January 2009. The existence of JBIG2 compressed content isn't necessarily proof of malicious content, but you must investigate further if you see this.
- Any number in parentheses for any counter represents the number of obfuscated occurrences of that object type that found. A normal PDFiD report looks like what is shown below. If for example the "/JavaScript 0" line instead read "/JavaScript 1(1)", that is a clear red flag that the PDF needs further analysis. Obfuscation isn't normal in the section definitions of a PDF document.

PDFiD 0.0.10 typical_clean.pdf
PDF Header: %PDF-1.4
obj 348
endobj 348
stream 40
endstream 40
xref 2
trailer 2
startxref 2
/Page 27
/Encrypt 0
/ObjStm 0
/JS 0
/JavaScript 0
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Colors > 2^24 0

Hopefully this process will help you more quickly and accurately sift through more of your malicious Adobe PDF triage workload. If you need assistance with malicious PDF analysis, please ZIP up your PDF and sent it to david @ Normal triage for one PDF is around $100 USD, and deep dive analysis is normally around $500 USD. As always, if you aren't happy with the work we will refund 100% of what you paid.

Similarly contact sales @ for assistance with malware sample analysis, Windows RAM dump analysis for malware or incident response (XP/Vista/Windows 7/Server 2000/2003/2008), and any Windows or MSI software packaging, automation, or deployment needs you might have. All work is backed by our normal 100% money back satisfaction guarantee.

email: david @

No comments:

Post a Comment