Technical report | Threat Modelling Adobe PDF

Abstract

PDF documents are increasingly being used as an attack vector to compromise and execute malicious code on victim machines. Such attacks threaten the assets of any organisation which they can exploit. PDF documents appeal to attackers due to their wide spread use and because users consider them to be safe. In this paper we analyse the threats posed by PDF documents. We outline current exploits, security defences employed by the Acrobat PDF reader; obfuscation techniques used by attackers to avoid detection; and threats to Adobe Acrobat. We also describe a tool we developed to assist in the identification of potentially malicious code in PDF documents.

Executive Summary

Software exploits are a growing threat to cyber security, allowing attackers to execute malicious code on a victim's machine by taking advantage of vulnerabilities in software running on the machine. A remote attacker who gains access to client machines or servers on an organisation's network could have detrimental implications for the organisation. Due to increased security awareness of server administrators, attackers are targeting client desktop machines to gain access to networks. Typically, attackers trick users into opening a document that contains an exploit. This document could, for instance, be located on a website or received as an attachment to an email. Historically, Microsoft Office documents have been used by attackers to exploit vulnerabilities within the Office product. However, more recently a growing number of attacks have been embedded in PDF documents, primarily because these documents are widely used and users often believe that they are safe, benign, static documents which do not contain executable code, when this is in fact not the case. For instance, PDF documents can contain JavaScript code and embedded data.

The focus of this paper is to model the threats posed by PDF documents, which are commonly viewed using the Adobe Acrobat/Reader software. In this paper we analyse current PDF exploits and the future trends. We also analyse obfuscation techniques used to avoid detection by anti virus software. We model the potential threats posed by PDF documents rendered by Adobe Acrobat/Reader by outlining the component parts of Adobe Acrobat/Reader such as DLL libraries and plug-ins, data which can be embedded in PDF documents and identify undocumented JavaScript functions which may be more susceptible to exploit. Leveraging the findings in this paper we developed a PDF parser and examiner tool to help decode PDF documents and examine these for potentially malicious payloads. This tool extracts the components of a PDF document using Python Scripts. Our GUI provides functionality to navigate through the structure and contents of the PDF document and highlights potentially malicious payloads to assist in identification of potential attacks.