An interesting obfuscation method for PDF exploits (this.getPageNumWords() & this.getPageNthWord())An interesting obfuscation method for PDF exploits (this.getPageNumWords() & this.getPageNthWord())
Recently, our EdgeLogic engine detected a malicious PDF sample, reported as “exploit CVE-2013-3346“.
The sample first appeared on VirusTotal on 2017-10-06.
Although this sample is on VT for more than 1 year, most Av engines are unable to detect it.
Therefore it was brought to our attention when it was successfully detected by our engine. We analysed the sample manually. The stream of object-1 contains interesting JavaScript.
It uses PDF JS API this.getPageNumWords() and this.getPageNthWord() to “read” the Javascript contents on the PDF pages, then, it execute the Javascripts via eval(box).
We can see the object-6, object-8, and object-10 contains Javascript – but they are in “content” – used for object-1.
content of object-6
content of object-8
content of object-10
After some googling, we believe this is an exploit for PDF vulnerability CVE-2013-3346 for which FireEye had a blog in December 2013, and the exploit was not obfuscated at that time. Because of the obfuscation method, it remains largely undetected by AV engines.
The obfuscation method seems not new also, it was mentioned in a 2010 blog from F-Secure. However, as we have seen, the method is still quite effective.
When displayed on a non-vulnerable PDF reader, the PDF displays like this.
The above is for the 1st page. The PDF contains total 4 pages, the rest three pages are for the object-6, object-8, object-10, respectively. The exploit maker made the words on these three pages with very small size, but after zooming to 500% we could confirm that these are JS strings we found in object-6, object-8, and object-10.
Conclusion The obfuscation method described in this blog may not be new, but it is very effective to bypass many detection engines. More importantly, we should realize that such obfuscation method could be used to obfuscate not only this (CVE-2013-3346) exploit but many other PDF exploits including zero-days. This is another good example demonstrating the power of our EdgeLogic engine – we were able to beat the obfuscation method used in this PDF exploit. So, when you encounter some suspicious samples, no matter it is an email format (eml, msg), Office files (doc, xls, ppt), pdf, or even .zip, try edgespot.io and see what it detects!