Category Archives: PDF

JBIG2 Encoded Malware in PDFs

The upcoming version of Profiler 2.7 adds support for JBIG2 encoding inside PDFs. Although JBIG2 isn’t intended to encode data other than images, it can be used to do so. Quoting the PDF documentation: The JBIG2Decode filter (PDF 1.4) decodes …

Posted in PDF, Profiler

Yet another PDF/XDP Malware

Today we’re going to analyze yet another sample of a PDF containing an XDP form. The difference between this sample and the one in my previous post is that this one will be less about JavaScript deobfuscation and more about anti-analysis …

Posted in PDF, Profiler

PDF/XDP Malware Reversing

Recently, version 2.6 of Profiler has been released and, among the improvements, support for XDP has been introduced. For those of you who are unfamiliar with XDP, here’s the Wikipedia description: “XML Data Package (XDP) is an XML file format …

Posted in PDF, Profiler

CVE-2010-0188: PDF/Form/TIFF

Given the good reception of the last post, I’ve decided to dedicate more time posting use cases for the Profiler. Today we’re going to analyze a PDF exploiting CVE-2010-0188. Quite old as the name can tell, but it doesn’t really …

Posted in PDF, Profiler, Use case

XFA Interactive Form Inspection

The upcoming 0.9.2 version of the Profiler introduces detection of Acro/XFA interactive forms inside PDFs. This technology has been abused numerous times (some recent cases come to mind), so it is now being reported as a potential threat. The video …

Posted in PDF, Profiler

PDF object search output

In the upcoming 0.8.0 version of the Profiler it will be possible to print out the matches of PDF object searches. This comes in very handy during analysis if we want to know, for instance, all values for a given key. …

Posted in PDF, Profiler

PDF AES256 (Revision 6)

The upcoming version 0.7.9 of the Profiler features support for the still to be publicly released PDF symmetric encryption revision 6. While the PDF specifications are not yet freely available, Adobe has already started supporting the new standard. This is …

Posted in PDF, Profiler

PDF object search

The soon to be released version 0.7.4 of the Profiler features a useful PDF object search functionality. The introduction of this feature was possible thanks to the newly introduced parameters API and format specific actions. Through this action it’s possible …

Posted in PDF, Profiler

The security of non-exec files

This article is based on a speech I gave a couple of months ago at DeepSec. I wrote it during the summer, which means I would now expand on some of the paragraphs. Nonetheless, I hope you’ll enjoy the read. Introduction …

Posted in CFBF, JPEG, PDF, Profiler, SWF