PDF Analysis of Lokibot malware
This sample is from the Lokibot trojan, which steals credential information from web browsers, FTP servers and SMTP servers. The sample is a PDF file, and the purpose of this blog is to show how to analyze a PDF file.
Capabilities of a PDF file
A PDF file can implement droppers or downloaders, or exploit vulnerabilities in the PDF reader application.
PDF header: contains the version of the PDF, such as %PDF-1.6.
Streams: a sequence of bytes, such as images or data, usually stored in encoded form.
Other elements such as names, dictionaries, strings and arrays.
Cross-reference table (xref): contains the offsets of the file's objects.
Trailer: contains the offset of the xref table, the number of objects, and /Root.
A dictionary entry is an item between << and >> and starts with a slash /, such as /Root, which is the first object processed after the PDF file is loaded; /Root can be found in the Trailer section.
Suspicious keywords found when analyzing, and their indications:
/Launch, /EmbeddedFiles: to launch external or embedded files
/URI: to interact with URLs
/OpenAction, /AA: to open an action
/FlateDecode: the stream uses the zlib/deflate compression method
A comment in a PDF starts with %.
obj 1 0: % first number is the object ID, second number is the generation (version)
type: catalog % catalog is an example; the type can be empty
Referencing: 3 0 R % object 1 0 references object 3 0; R indicates a reference
........ % content of the object
endobj % the object ends with endobj
For more info about PDF see this.
Use pdfid.py or peepdf.py:
- to perform an initial assessment by summarizing risky aspects
- to examine the contents of objects
- to decode the stream embedded in an object
- to extract only the list of URLs
Follow object references to find the goal.
If you use peepdf.py and find that the file has /EmbeddedFiles, start analyzing the object that /EmbeddedFiles belongs to.
If you find /FlateDecode, decode the stream and analyze it.
In this sample, we received a malicious PDF file which downloads the Lokibot malware, so we start our analysis quickly using REMnux.
We first use peepdf.py to find which object contains /EmbeddedFiles, but an error occurred while running it.
So we use pdf-parser.py instead to get our embedded file. We see many objects, so we start with the objects that contain /FlateDecode, and if we find /EmbeddedFiles we go for it.
After scrolling down, we see that object 12 contains /FlateDecode. We try to decode it and dump it using
If we use the file command to see its type, it is ASCII text. Then we open it in SciTE and see that it is useless. Some objects are useless; it takes time to find the payload. We examine another object. When we get to object 22, we find our /EmbeddedFiles, which is an indicator that the PDF launches an embedded file, and this object has a large length. We dump it to file22 to see its content and its type. When we run the file command on it, we notice that it is a Composite Document File V2 Document. CFBF is a compound document file format for storing numerous files and streams within a single file on disk. In our case, this PDF stores an XLS file.
If we upload file22 to VirusTotal we find that it has already been uploaded and is flagged as malicious. Our purpose is to get the main payload, and that's it.
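The static triage just walked through (counting the risky keywords, decoding each /FlateDecode stream, dumping the embedded object and checking its type with the file command) as an added Python example; this is not the post's code nor pdfid/pdf-parser, and it runs on a small constructed PDF built inside the block rather than on the Lokibot sample. It assumes a direct /Length value in each stream dictionary and one stream per object.

```python
import re
import zlib

# Keywords the page lists as suspicious, counted pdfid-style (constructed list).
SUSPICIOUS = [b"/Launch", b"/EmbeddedFiles", b"/URI", b"/OpenAction", b"/AA", b"/FlateDecode"]
# Magic bytes used to identify what a decoded stream really is, as the file command would.
MAGIC = {b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "Composite Document File V2 (CFBF: XLS/DOC)",
         b"%PDF": "PDF document", b"MZ": "PE executable", b"PK\x03\x04": "ZIP container"}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)

def count_keywords(pdf: bytes) -> dict:  # initial assessment: how often each risky keyword occurs
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf)) for k in SUSPICIOUS}

def parse_objects(pdf: bytes) -> dict:  # 'id gen' -> raw body, so a '3 0 R' reference can be followed
    return {f"{m[1].decode()} {m[2].decode()}": m[3] for m in OBJ_RE.finditer(pdf)}

def decode_stream(body: bytes):  # inflate the stream if the object's dictionary declares /FlateDecode
    m = re.search(rb"stream\r?\n", body)  # the dictionary precedes it, the raw data follows it
    length = re.search(rb"/Length\s+(\d+)", body[:m.start()]) if m else None  # direct /Length only
    if not m or not length or b"/FlateDecode" not in body[:m.start()]:
        return None
    try:
        return zlib.decompress(body[m.end():m.end() + int(length[1])])
    except zlib.error:
        return None  # declared as deflate but not valid deflate data

def identify(data: bytes) -> str:  # classify decoded content by magic bytes
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "ASCII text" if data.isascii() else "data"

def triage(pdf: bytes) -> list:  # decode every /FlateDecode object and report what it really holds
    findings = []
    for ref, body in parse_objects(pdf).items():
        data = decode_stream(body)
        if data is not None:
            findings.append({"obj": ref, "embedded": b"/EmbeddedFile" in body, "type": identify(data), "size": len(data)})
    return findings

def build_sample() -> bytes:  # constructed stand-in, not the Lokibot PDF: obj 12 is harmless text,
    def obj(num, extra, payload):  # obj 22 is an /EmbeddedFile whose stream starts with a CFBF header
        z = zlib.compress(payload)
        return (b"%d 0 obj\n<< %s /Length %d /Filter /FlateDecode >>\nstream\n" % (num, extra, len(z))
                + z + b"\nendstream\nendobj\n")
    fake_xls = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64  # header only, no real content
    return (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles 5 0 R >>"
            b" /OpenAction 3 0 R >>\nendobj\n" + obj(12, b"", b"just some ASCII text, nothing useful")
            + obj(22, b"/Type /EmbeddedFile", fake_xls) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Running triage(build_sample()) reports object 12 as plain ASCII text and object 22 as a CFBF document, which is exactly the distinction that separates the useless objects from the one carrying the XLS.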
We will open FlareVM, which has our installed tools. We need to install a PDF reader such as Foxit Reader, and Microsoft Office.
We run fakenet-ng in case the malicious PDF tries to connect to and download from the internet; this PDF sample opens an XLS spreadsheet.
Then open the PDF. In Foxit Reader, disable safe mode and run the malicious PDF in privileged mode.
Under Attachments, we see there is an attachment, which will be our XLS spreadsheet file. You can open it manually: double-click it and allow it to open. It then opens an XLS Excel spreadsheet. Save this attachment to your Desktop from Foxit Reader as shown.
My God, what did he find who lost You, and what did he lose who found You?