jpcert reported a new type of maldoc: “MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file –“.
These maldocs are PDF files that embed a Word document (ActiveMime) in MIME format.
ActiveMime documents can be analyzed by combining my emldump.py tool and oledump.py.
ActiveMime documents were heavily obfuscated in the past, and this is also the case here. As emldump.py version 0.0.11 was only able to handle the obfuscation of 2 of the 3 samples mentioned by jpcert, I released a new version to handle more obfuscation.
Here is an analysis example for sample 5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d.
Run emldump (version 0.0.12 or later) with option -F to fix the obfuscation of the mime-version header:
To find the part where the ActiveMime file was hidden, use option -E %HEADASCII% to view the first 20 characters of each part:
Here we can see that part 14 is not a JPEG file, but an ActiveMime file.
We extract it and pipe it into oledump.py:
That ActiveMime file contains VBA code:
These maldocs (at least the 3 samples shared by jpcert) can be detected by pdfid with option -e to display extra information:
There are a lot of bytes outside streams (usually for PDFs, there shouldn’t be) and the count of stream and endstream documents is different.
But like I said, these are detections for these 3 samples, it’s possible to modify those samples to remove the anomalies.
Article Link: Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs | Didier Stevens