JBIG2 Encoded Malware in PDFs

The upcoming version of Profiler 2.7 adds support for JBIG2 encoding inside PDFs. Although JBIG2 isn’t intended to encode data other than images, it can be used to do so. Quoting the PDF documentation:

The JBIG2Decode filter (PDF 1.4) decodes monochrome (1 bit per pixel) image data that has been encoded using JBIG2 encoding. JBIG stands for the Joint Bi-Level Image Experts Group, a group within the International Organization for Standardization (ISO) that developed the format. JBIG2 is the second version of a standard originally released as JBIG1.

JBIG2 encoding, which provides for both lossy and lossless compression, is useful only for monochrome images, not for color images, grayscale images, or general data. The algorithms used by the encoder, and the details of the format, are not described here. A working draft of the JBIG2 specification can be found through the Web site for the JBIG and JPEG (Joint Photographic Experts Group) committees at http://www.jpeg.org.

Here’s a malicious PDF that tries to conceal its XFA form by encoding it with JBIG2:

And the decoded content:

While this is by no means common in PDF malware, it’s an effective trick for hindering both automated and manual analysis, since few security tools support JBIG2 decoding.
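The detection angle that follows from this is simple: JBIG2 is specified only for monochrome images, so a /JBIG2Decode stream whose dictionary does not describe an image is worth a closer look. The scanner below is an added example (not Profiler’s code) that runs over a constructed PDF fragment containing one legitimate JBIG2 image XObject and one bare JBIG2 stream of the kind used to hide an XFA form; it is a triage heuristic and does not decode the JBIG2 data itself.

```python
import re

# Constructed sample (not a real malware file): three stream objects.
# obj 1: a proper monochrome image XObject encoded with JBIG2 (legitimate use)
# obj 2: JBIG2-encoded stream with no image dictionary (the concealment trick)
# obj 3: an ordinary Flate-encoded stream (should be ignored)
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1
   /ColorSpace /DeviceGray /Filter /JBIG2Decode /Length 4 >>
stream
JB2A
endstream
endobj
2 0 obj
<< /Filter [ /JBIG2Decode ] /Length 4 >>
stream
JB2B
endstream
endobj
3 0 obj
<< /Filter /FlateDecode /Length 4 >>
stream
abcd
endstream
endobj
"""

# "<num> <gen> obj <<dict>> stream": captures the object number and the
# stream dictionary. Lazy match plus re.S keeps nested << >> pairs intact.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream", re.S)
SUBTYPE_IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def find_suspicious_jbig2(pdf):
    """Return object numbers of JBIG2-encoded streams that lack the keys a
    monochrome image must carry (/Subtype /Image, /Width, /Height)."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        objnum, dictionary = int(m.group(1)), m.group(3)
        if b"/JBIG2Decode" not in dictionary:
            continue  # not JBIG2 at all, nothing to check
        looks_like_image = (SUBTYPE_IMAGE_RE.search(dictionary) is not None
                            and b"/Width" in dictionary
                            and b"/Height" in dictionary)
        if not looks_like_image:
            hits.append(objnum)
    return hits
```

Object 2 is the one flagged; in a real sample the next step is to decode the stream with a JBIG2-aware tool and inspect what it actually contains.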


2 Responses to JBIG2 Encoded Malware in PDFs

  1. Max says:

    Could you please also set (enable) the Qt option for high resolution DPI?

    Just add this before the first line of code: QGuiApplication::setAttribute(Qt::AA_EnableHighDpiScaling);

    • Daniel Pistelli says:

      Hello Max, that option has been introduced with Qt 5.6 and we’re still using Qt 5.4. We tried switching to Qt 5.6 when it came out but encountered some glitches on Windows due to Qt itself, so we decided to skip the adoption of 5.6. We could add this option with the next version if we update Qt. Thank you for the suggestion!