A variation of a class of malicious PDFs appeared in the wild. In this blog post, we will show you how to protect your systems and how to analyze these PDFs.

The PDFs embed a file with extension .SettingContent-ms, a file type that can be used on Windows 10 to execute arbitrary code. We have observed other malicious samples on VirusTotal that use this file type, for example attached to an email or embedded in an MS Office document such as Word or PowerPoint.

Technical details

There is a classic type of attack with PDF documents that does not rely on vulnerabilities, but abuses the following features:

- Embedding of arbitrary files inside a PDF document
- Embedded JavaScript to extract and launch embedded files
- Triggering of the embedded JavaScript by opening of the PDF document

Adobe Reader does not allow the extraction and launching of embedded executable files: it uses a blacklist of file extensions (for example .exe and .vbs) to block them. As blocking "known-bad" is never all-encompassing, this blacklist does not cover every file type that can execute code. For a long time, for example, Adobe Reader allowed the extraction and launching of Python scripts (.py), and MS Office documents with VBA macro code have also been used in such attacks. The blacklist is updated on a regular basis, but last month an attack with a file type introduced with Windows 10 was disclosed: .SettingContent-ms.

When this type of file is used in a PDF attack with embedded files, Adobe Reader will allow the extraction and execution of the embedded file. The attack is not executed immediately upon opening of the PDF file: the user has to accept a warning before the file is extracted and executed.

Prevention

This class of attack can be prevented in Adobe Reader with specific configurations.

A first method is to manually add the file type .SettingContent-ms to the blacklist used by Adobe Reader. This blacklist is kept in the registry:

With this protection (value 3 prevents extraction), the embedded executable file will not be extracted upon opening of the PDF document, and the user will receive no warning:



Manual extraction is also prevented (for example, in the case of social engineering):



A second method is more generic: block all embedded files (only embedded PDF and FDF files can still be extracted). This too is configured via the registry:



The user will be warned upon opening of a malicious document:



Also here, manual extraction is not possible: the menu options have been disabled:

For more technical details and options, consult Adobe’s documentation on embedded files.

A third prevention method relies on disabling JavaScript:



This is less desirable, as users can still allow JavaScript to run, or extract the embedded file manually:
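The three registry-based methods above, implemented as an added example (this is not code from the NVISO post, and the registry names are taken from Adobe's Acrobat/Reader Preference Reference, so verify them against the version you deploy). Assumed: the admin-locked policy key is HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown ("DC" is the assumed product train); method 1 edits the pipe-delimited tBuiltInPermList value under cDefaultLaunchAttachmentPerms, where 3 means never allow extraction or launch; method 2 sets iFileAttachmentPerms to 1; method 3 sets bEnableJS to 0. The list-merging logic is pure Python so it can be tested on any OS; the registry write itself needs Windows and an elevated shell.

```python
r"""
Registry hardening for the embedded-file attack (added example, not NVISO code).
Assumptions, to be verified against Adobe's Preference Reference:
  * Policy key: HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
  * Method 1: cDefaultLaunchAttachmentPerms\tBuiltInPermList (REG_SZ) looks like
    "version:1|.exe:3|.vbs:3|...", where 3 = never allow (the post's value)
  * Method 2: iFileAttachmentPerms (REG_DWORD) = 1 blocks all attachments
  * Method 3: bEnableJS (REG_DWORD) = 0 disables JavaScript
"""

POLICY_KEY = r"SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
PERMS_KEY = POLICY_KEY + r"\cDefaultLaunchAttachmentPerms"
NEVER_ALLOW = 3


def parse_perm_list(value):
    """'version:1|.exe:3|.vbs:3' -> (1, [('.exe', 3), ('.vbs', 3)]); order is kept."""
    version, entries = 1, []
    for item in value.split("|"):
        ext, sep, perm = item.rpartition(":")
        if not sep or not perm.strip().isdigit():
            continue  # skip empty or malformed items rather than guessing
        if ext.lower() == "version":
            version = int(perm)
        else:
            entries.append((ext, int(perm)))
    return version, entries


def format_perm_list(version, entries):
    return "|".join(["version:%d" % version] + ["%s:%d" % e for e in entries])


def add_blocked_extensions(value, extensions):
    """Return `value` with every extension in `extensions` set to never-allow.
    Windows extensions are case-insensitive, so an existing entry that differs
    only in case (e.g. '.settingcontent-ms:2') is replaced, not duplicated."""
    version, entries = parse_perm_list(value)
    for ext in extensions:
        ext = ext if ext.startswith(".") else "." + ext
        entries = [e for e in entries if e[0].lower() != ext.lower()]
        entries.append((ext, NEVER_ALLOW))
    return format_perm_list(version, entries)


def apply_hardening(extensions=(".SettingContent-ms",), block_all=False, disable_js=False):
    """Write the policy values under HKLM (Windows only, run elevated).
    Returns the tBuiltInPermList string that was written."""
    import winreg  # imported here so the merge logic above runs on any OS
    rw = winreg.KEY_READ | winreg.KEY_WRITE
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, PERMS_KEY, 0, rw) as key:
        try:
            current, _ = winreg.QueryValueEx(key, "tBuiltInPermList")
        except FileNotFoundError:
            # Assumption: a policy-level list replaces Reader's built-in list
            # rather than extending it, so refuse to start from an empty list.
            raise SystemExit("tBuiltInPermList not set; seed it with Adobe's default list first")
        updated = add_blocked_extensions(current, extensions)
        winreg.SetValueEx(key, "tBuiltInPermList", 0, winreg.REG_SZ, updated)
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0, rw) as key:
        if block_all:  # method 2: block every attachment type
            winreg.SetValueEx(key, "iFileAttachmentPerms", 0, winreg.REG_DWORD, 1)
        if disable_js:  # method 3: less desirable, see the text above
            winreg.SetValueEx(key, "bEnableJS", 0, winreg.REG_DWORD, 0)
    return updated


if __name__ == "__main__":
    print(apply_hardening(block_all=True))
```

Because the policy key lives under HKLM, the settings cannot be undone by the user from Reader's preferences dialog, which is the point of using FeatureLockDown rather than the per-user keys.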

Analysis

Analysis of this variant is not difficult. First, with pdfid.py: the combined presence of /EmbeddedFile, /JavaScript and /OpenAction is a strong indicator for such malicious documents:

Following these indicators provided by pdfid.py, we can search for the object with the embedded file using pdf-parser:

As shown in the screenshot above, object 8 contains an EmbeddedFile. The file content can be displayed with the following command:
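The same triage, written as an added example rather than the pdfid.py/pdf-parser.py output shown in the post: it counts pdfid-style keywords, resolves each /EmbeddedFile stream to the name declared in its /Filespec, decodes the stream, and flags the combination of embedded file, JavaScript and an auto-trigger, as well as launchable extensions and a call to exportDataObject (the Acrobat JavaScript API used to save and launch attachments). The sample PDF is constructed and harmless (its "payload" is a text string, and object numbers differ from the post's object 8). Keywords hidden in object streams or hex-escaped names (/J#61vaScript) are missed by this simple scanner but handled by pdfid.py and pdf-parser.py.

```python
"""Triage a PDF for the embedded-file + JavaScript pattern (added example, not
pdfid/pdf-parser code). Regex-based; see the lead-in for its limitations."""
import re
import zlib

KEYWORDS = (b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# Attachment extensions worth flagging in a PDF, whether or not Reader blocks them.
SUSPICIOUS_EXT = {".settingcontent-ms", ".py", ".docm", ".pptm", ".exe", ".vbs", ".hta", ".lnk"}


def make_sample(content, name="demo.SettingContent-ms", compress=False):
    """Constructed, harmless sample: one embedded file plus OpenAction JavaScript.
    It has no xref table, so it is only meant for parsing demos."""
    data = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    n = name.encode("latin-1")
    return (
        b"%PDF-1.7\n" +
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R " +
        b"/Names << /EmbeddedFiles << /Names [(" + n + b") 4 0 R] >> >> >> endobj\n" +
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n" +
        b"3 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: '" + n +
        b"', nLaunch: 2});) >> endobj\n" +
        b"4 0 obj << /Type /Filespec /F (" + n + b") /EF << /F 5 0 R >> >> endobj\n" +
        b"5 0 obj << /Type /EmbeddedFile " + filt + b"/Length " + str(len(data)).encode() +
        b" >>\nstream\n" + data + b"\nendstream endobj\n" +
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def keyword_counts(data):
    """pdfid-style counts; the lookahead stops /EmbeddedFile matching /EmbeddedFiles."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data)) for k in KEYWORDS}


def objects(data):
    for m in re.finditer(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", data, re.S):
        yield int(m.group(1)), m.group(3)


def stream_data(body):
    """Return the decoded stream of an object body (only FlateDecode is handled)."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    if not m:
        return None
    raw = m.group(1)
    return zlib.decompress(raw) if re.search(rb"/Filter\s*/FlateDecode", body) else raw


def embedded_files(data):
    """Return [(object_number, declared_name, content_bytes)] for every /EmbeddedFile."""
    names = {}  # stream object number -> /F name from the /Filespec that references it
    for _, body in objects(data):
        ef = re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+\d+\s+R", body)
        name = re.search(rb"/F\s*\(([^)]*)\)", body)
        if ef and name:
            names[int(ef.group(1))] = name.group(1).decode("latin-1")
    return [(num, names.get(num, "<unnamed>"), stream_data(body))
            for num, body in objects(data) if re.search(rb"/Type\s*/EmbeddedFile\b", body)]


def triage(data):
    counts = keyword_counts(data)
    files = embedded_files(data)
    reasons = []
    if counts["/EmbeddedFile"] and (counts["/JavaScript"] or counts["/JS"]) \
            and (counts["/OpenAction"] or counts["/AA"]):
        reasons.append("embedded file + JavaScript + automatic trigger")
    for _, name, _ in files:
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext in SUSPICIOUS_EXT:
            reasons.append("launchable attachment: %s" % name)
    if b"exportDataObject" in data:
        reasons.append("exportDataObject call (JS API that saves/launches attachments)")
    return {"keywords": counts, "files": [(n, f) for n, f, _ in files],
            "suspicious": bool(reasons), "reasons": reasons}


SAMPLE_PDF = make_sample(b"[not a real SettingContent-ms]")

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
    for num, name, content in embedded_files(SAMPLE_PDF):
        print("object %d: %s -> %r" % (num, name, content))
```

Dump the extracted content to a file only on an isolated analysis machine: the declared name is attacker-controlled, so write it under a fixed, harmless name rather than the one the PDF supplies.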

Conclusion

This class of attacks is at least 10 years old, and you can be certain that in the future, new executable file types will be discovered that are not yet blocked by Adobe Reader. Therefore, we recommend that you block all embedded files (prevention method 2), unless you have a very specific business need. Prevention method 2 will prevent the current variant (until Adobe Reader adds extension .SettingContent-ms to the default blacklist) and any future variants.

Want to learn more? Please do join us at the upcoming BruCON training on malicious documents, which was authored by NVISO’s experts!

About the authors

Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.

