
Weaponizing PDF Files: Advanced Exploitation Techniques

BSides Göteborg · 2026 · 1:02:44 · 222 views · Published 2026-03 · Watch on YouTube ↗
About this talk
Weaponizing PDF Files: Advanced Exploitation Techniques for Red Teams. This hands-on presentation guides you through the world of PDF exploitation, showing how this ubiquitous document format can serve as a vessel for malicious JavaScript malware. Dive into real-world vulnerabilities that have been leveraged to execute harmful code directly through PDF files, posing major threats in today's cybersecurity landscape.
Transcript [en]

Okay guys, I'm just checking if everyone is here. I suppose yes. So we are live, right guys? If you can see and hear us, type in the chat. I'm looking at my right side here. Are you listening to me? Yes? No? Just type in the chat, if possible, whether everything works or not; we are just trying to organize everything. Yes, we're live. I suppose you are listening to me, right guys. Let me just share my screen and we can start. One second, I'm just sharing. Okay, sharing this one here, and share.

Okay, one second more; so many things to manage here. Where is the chat? The chat is here. Okay, so let's start. Thank you so much again for having me here at this event, BSides Göteborg. By the way, I'm a BSides Porto organizer, and I will talk briefly about that. Today we're going to talk about the presentation that I gave at DEF CON this year. If you didn't have the opportunity to be there, and I know it's quite expensive, I would like to share something with you about this presentation that I gave at DEF CON. By the way, as you can see, if you don't follow me on social media, I started a new job, a new employment, let's say, at Scythe. It's a new company that I'm working at right now, more focused on adversary simulation, and because of that we will see more information about that here.

Okay, good. So who am I? Basically, I'm Filipi Pires. My name is a Brazilian name; I'm a Brazilian guy, by the way, but I'm living here in Portugal at the moment. In the past I lived in Poland, in the US, in Brazil. So it's quite different for me; I usually travel a lot. Nowadays I'm Head of Technical Advocacy at Scythe. As I said, Scythe is a company from the US, basically responsible for providing a BAS solution, which is a breach and attack simulation solution. So I'm basically responsible for helping the company grow in Europe, the Middle East and Latin America from the technical perspective, let's say the techy guy, as you can imagine, doing presentations about the product and mainly creating attack simulations, which is very interesting and makes a lot of sense when you put everything on the same page with our conversation today. So I'll explain more about how I did some investigation using malware and how you can use this from the red team perspective.

Okay, good. I'm founder and investor in this company, Cross Intelligence. We have an office in Brazil and I have an office here in Portugal. This company is basically responsible for helping other organizations grow and expand in the market from the technology and cyber security perspective. And I'm the advisor partner/investor in another company, Sherlocki, focused on intelligence; basically it's a platform, and I help in this organization. This is, let's say, more of a job, something for which I usually receive some payment. And I'm very involved with many community activities like this one here, and BSides. Okay, so as I said, I'm founder and organizer of BSides Porto; we had our first edition last year and we will have our second edition this year in June, and I will talk more about it after. I'm director of the Red Team Village. As I said, the Red Team Village is one of the most respected villages at DEF CON, and not only respected, but in terms of people it's very big: usually more than 7,000 or 8,000 people walk around the village during DEF CON. I founded this red team community in Brazil just to help the community, you know, to spread the message about red teaming and how you can be engaged with that. And I'm an advisor on the technical education side at Raíces Cyber; if you see the pronunciation, raíces, which means root, is a Spanish word. All those four initiatives are non-profit initiatives, community ones, as I said. So basically the idea of Raíces Cyber is to help people from the Spanish- and Portuguese-speaking perspective to get into cyber. You guys know that sometimes it's very complicated to get into the cyber security field, to get a job, and our main challenge is helping people improve their skills, not only hard skills but soft skills, and to get into cyber.

Okay. So basically these are the things that I try to help with, giving back to the community for what I received when I started to work in this field. Okay. So as I said, BSides Porto will have its second edition on June 26th and 27th; it will be in Porto, very near this very beautiful river, and by the way I invite everyone to be here with us; it will be the second edition. Usually it's more than 7,000 people... 7,000, I'm sorry, 700 people. Last year we had 500. We expect to have 500 people this year. We received many people from Brazil, from Norway, from Ireland, from the UK, from the Netherlands, from Germany. It's very interesting, this involvement, how the BSides brand is involved. So enjoy BSides Göteborg; right now its first edition is virtual, but when it's in person, try to participate, because it's very, very interesting and important, and mainly, if you don't have any talk to share, you can be involved as a volunteer, because it's another very nice opportunity to get in touch with people, to know about their jobs, to know people, to have this kind of relationship with people. Okay, so that's my humble advice to you guys.

Cool. So let's talk about our main topic. I'm just trying to divide this presentation into two parts. The first part is more like the [ __ ] part, but it's important. It's not [ __ ], I'm kidding. The theory part is important, but sometimes we prefer the technical things. Anyway, it's important, as I said. Okay. So I'm just putting everybody on the same page, because probably some of you listening right now have more knowledge and other people less, but it's just putting everyone on the same page. Okay. So usually when I...
>> Just a quick comment, Filipi, we already enabled the chat in here and people can chat in here as well, because before it was not; anyway, they could chat in the lobby, but in here it's enabled, so if they have some question they can easily pop it up in here.
>> Thank you.
>> Oh great, great. Okay, no problem. Thank you so much. So now I'm looking at this side here, as you can see my face, because I'm looking at the chat. So again, if you have any question or comments, just chat there, put it there, and I can interact with you guys. It's a pleasure for me to be talking. Let's make this presentation more interactive. Okay, nice.

Let's come back to the presentation. So usually when you receive some kind of artifact or sample, the first step is just to understand if it is malware, which is malicious software, or a maldoc, which is a malicious document. So this is the identification stage, let's say. After that you can go to the methodology that you can apply to analyze it, in terms of static analysis or dynamic analysis, and after that I will explain very briefly what each one of them is. When you need to do any engagement, my suggestion to you guys is to create a proper report, no matter what the necessity is, what the needs are, or whatever. My recommendation is to put it this way, because when you put it in the report, or when you describe it step by step, you can generate proper content that you can share with your coordinator, with your manager; and not only that, but if you figure something very interesting out, you can share it with the community, and not only that, but you can create a proper article, which is very nice for your career. Okay, Filipi, but what if it's private information from the company? Just use anonymization and move forward. That's the suggested guidance.

And when you create a proper report, the other important thing is to understand how each defense mechanism works, and when you understand what kind of technique was used by the attacker, what kind of technique they used to bypass each sensor. This goes in the sense of: okay, if they used a specific technique to bypass an EDR, for example, endpoint detection and response, it's a kind of offensive mindset you can add to your mind, because this is one technique used by the attacker; another is: okay, what kind of technique did they use to bypass the firewall? It's the same case, another possibility. So that's the way: when you create a proper report, you can describe step by step, and based on that you improve your defense mechanisms, and of course when you collect that information you can create this kind of CTI, or cyber threat intelligence, structure. Sometimes it's very complicated to apply this in a company, let's say, but it's important: you can collect IoCs, which are indicators of compromise, you can create proper IoAs, which are indicators of attack; it's a kind of acronym soup, but all involved with this security field. And of course, if you work at a more executive or manager level, you can work on a kind of tabletop initiative, or even from the offensive perspective or the defensive perspective you can work on training cyber resilience. So when you simulate some attack, how can you pause this attack to see how each sensor works, in the defensive way, and how you use different tools, in the offensive way. So this is a flow for malware analysis, how you can work. Good.

So what exactly is static analysis? Static analysis, just as a concept, is usually the first step used by malware analysts, because you will analyze... not everything, but the whole thing that is involved with this binary: what exactly the process involved with the program code is, or what kind of structure you can find; if you find, for example, DLLs, or libs for its libraries on Linux or Windows, what kind of function is imported from them. This is usually the first step; you can find that information, and usually the program is more "safe", in double quotes, because it doesn't run at this time; you just type some commands and receive some information from it. On the other hand you have dynamic analysis, which is basically analysis based on the behavior and the interaction of the malware, what exactly it does during the execution process; or, if using a maldoc, which is like a Word document or a PDF document, it's a runtime analysis. Sometimes you can put it in a proper way to analyze, and usually some people call it a sandbox, which is the controlled environment that you put it in. Let's say, for example, my hand is a sandbox; you put your sample inside the sandbox, here as you can see, my hand, and this blue ball is the sample that you put in your controlled environment. But to receive proper information on whether it's malicious or not inside this sandbox, again in double quotes, you need to have engines responsible for bringing you the information on whether this doc is malicious or not. If it's just a VM, it's just a virtual machine, okay? To receive a proper answer, proper information about what the interaction of this binary is, you need to have this engine inside the sandbox. Of course, sometimes you can use a virtual machine, just as a concept of sandbox, but to receive a proper result, for example when you put your sample in a proper online sandbox such as Joe Sandbox, for example, or hybrid cloud sandboxes, it's a different kind of service, sometimes free, sometimes you need to pay for that, but they have many engines. A very simple example, again similar, not equal, but similar, is when you put some artifact in VirusTotal: you have many engines provided by the security vendors, and those engines will be responsible for bringing you the information on whether that hash, that binary, is malicious or not. But this is just a concept.

Okay. Before talking about the logic of malicious PDFs, or the PDF structure, let me just go to my virtual machine here. Let me just see if it works or not. Okay, it's working. Cool. Nice. Okay, I have a bunch of samples here, and let's pray to the lords of the demo that it works, because I'm doing everything here live. We have here a bunch of sample files. We have here, for example, Amazon docs, .docx; we have another one, this is probably a PDF; we have a bank phish, which, as the name suggests, can be phishing for a bank; we have here a .bat, which is a batch file; doc; bin, which is probably a binary from Windows; we have many things here; we have a bsides.txt, which is for us; we have a folder here and we have another bunch of other things here. But my question to you guys is: what kind of command do you think I can use here to identify the file type of the file? What kind of command can I use here? Any idea from the people, what kind of command can I use here? Type in the chat if you want. Any suggestion, any idea? What do you think, guys? If you're not familiar, I know probably you are familiar, maybe you are not familiar, but let me just put in here a simple one like this: file. I know this is a stupid question, an idiot's question, but it's just to understand what kind of command I can use.

So if I put in here, for example, bsides and type file, as you can see it brings us the information: ASCII text file, which is simple, super simple; you know, ASCII is basically the American standard for how they convert hexadecimal information into text information, just so humans can read it. So if I try to read the information inside the file, as you can see, I use cat, another command, which is just a simple print. Printed about what? Print, if you see, I will print something onto the screen. I can use some tools; another stupid question. But if I use, for example, python to read this kind of text file, you see it doesn't work, because I need to fill in everything: bsides.txt. You see it doesn't work; why? Because probably I put the word wrong. Exactly, this one is correct. Now it works. So this is not exactly a malicious file. I'm just trying to explain to you that this specific information, file, will read the information inside, or the file type of the content, and share something with us. But usually in this identification step, as I said on the screen, I use file to identify what kind of file it is. In this case, for example, as we can see, it's a batch file, which is a portable executable from Windows. I have a bunch of other files here. For example, sample; this is another one. This is different because, as you can see here, we can see the extension, which is .txt, but the content can be a Python script executable. But if we compare to the bsides file here, for example, bsides.txt, take a look at this one here. It's a different thing. Here we have this Python script, and there you have ASCII text, which is different, which means that something is different here in this file that I need to understand better. If I read this simple information here, you will see that it really is a Python script, right? But on the other hand, if I read this information here, bsides, it keeps being the same Python. So the question is why they share with us different information about the same Python script, but in different ways. So something happened here with the file when I typed file here. So that's the point here.

So if I use, for example, nano just to make a kind of change here, and I put here, for example, %PDF-1. and whatever number I want, I just save here, as you can see; I put yes and I save here. When I type file once again, let's see what happens right now. So now we have a PDF document, but you and I know that this is not a PDF file, I think. But if you're using the Python script here, okay, on the same file, what do you think guys: bsides.txt, if I try to execute this command, python, will it work or not? What do you think? If you have time, put it in the chat: yes, no. What do you think, guys? I like this part. Let me just check this. Oh, good. Some guy said no in the chat, in the lobby chat. Yeah, I like it, I like interactions. Yeah, it can be yes, it can be no. But the question is: it works, but in a wrong way. Okay. Doesn't work. Exactly. I think no. It's a good answer. Why? But actually it works; the problem was the syntax here, the syntax error. Why? Because of this percent here.

So let me just run another command here. pdfid is a tool created by Didier Stevens. And if I put in here, for example, pdfid bsides.txt and try to execute it, it will bring us information about strings and other information from the PDF; this keeps being a text file in terms of extension, but in terms of the file tool, it brings us information that this file is a PDF. I'm trying to complicate your mind, that's correct; I'm trying to confuse you, that's correct. So let me bring you another example. pdfid on this other document, Thor; it's another PDF. So as you can see here, the object count is 18; we have content inside this PDF, but when we compare to bsides, all content is zero here; let's say, in double quotes, there is no content here. Okay, good. So let me try to complicate one more thing here. If I change bsides here, let me just delete here and put three double quotes here, and I will just save here with yes, just to confirm to you that I changed this. I changed it, you see, and let me just make another change here: I rename bsides.txt to bsides.pdf, and I press enter here. Let's see; now we have a file here: file bsides.pdf. So the question is, what is the correct answer from file? What do you think guys? Is it a Python script, is it a text file, or is it, let's say, a PDF file? What do you think? That's very nice.
>> Filipi, just if somebody wants to speak, just raise your hand and I can give them the floor.
>> But it seems that this chat is not working, but...
>> Oh, the question, yeah, yeah, yeah.
>> Yeah, in the question some of the people are answering, but if they need to, just raise the hand and I give them the voice.
>> Yeah, good. And I am seeing here the Q&A button; yes, you can put it in the Q&A button. Cool. Yeah, I'm seeing here right now: the file command, xxd. This is another option; Peter put it in there, like, to see this kind of hexadecimal information, which is cool. You can use file, some people answered. Good. Okay, so now I'm keeping my eyes on the Q&A button, which is very nice. Thank you. Cool. Nice.

So that is the question. Yeah, someone put in the lobby chat: is the percent going to break it? Yeah. So now take a look guys at what happened right now here when I try to execute. So it brings us the information that it is a Python script, ASCII text executable. So that's complicated, because when you try to use pdfid here, it tells us that it is not a PDF, even if the extension is PDF. If I try to execute the Python script, it's the same, because they tell us this file is a PDF, is a Python script executable. As you can see here, if I try to run it again, it's another triple-quote error. I'm drinking my tea here, Brazilian tea. Okay. So, you see, what is the main goal here, guys: to bring you the idea of how each tool works. I need to really understand how each tool works, because the question is, what tool is correct in this kind of example? Because I'm just managing a normal file; this file is not malicious, but what is the correct answer from the correct tool? Because sometimes, when you try to use it from, let's say, the red team perspective, you just go: okay, I just need to do a kind of scan, I can use nmap and that's it, and type it, boom, that's it. I want to use, for example, another tool for whatever thing, and that's it; type it in here, bam, that's it. Let me try to... But the question, or the point, is if I just put in... yeah, someone typed here: it's a Frankenstein. Yeah, definitely it's a Frankenstein. So that's the key. What is the correct tool? Because sometimes, even for an investigation, even for offensive security, I need to understand deeply how each tool works.

So let me just clarify for you: for example, if I go to the file manual. I don't like to read manuals either; if you like it, good for you, I don't, but it's necessary. The point is, when you go to the file manual, we can see here the information they try to figure out in the file and the information that they can try to find there. If you go below here, there is a kind of magic behind this file; it's not magic, but there is a magic number, that's the information. So if you go into the details of this kind of information... I brought this from a Brazilian guy who recorded a video a few years ago explaining how file works. They download the file database; basically the database, which is located over here, is compiled, as you can see here in the explanation: the whole database of file is compiled and they put it here in the operating system. So file has a database, and each database entry represents, for example, the magic number of each file. So if you go here and see, for example, specifically, not file, but in this specific bsides PDF, these represent basically the magic number; in this case these are a kind of signature, or let's say a string, specifically inside the database of file, that represents Python. Because of that, when you type file here, bsides brings you this information. So remember when I changed it... let me just type this better: when I changed here, in nano, bsides here, and I cut here and I put in, for example, %PDF, this information, these letters and this slash here, this specific space, actually this information represents the magic number of PDF. So that's the key why file understands that this file is a PDF. So if I just save here, for example, and I type file bsides again, it brings PDF.

If I open Thor in nano, for example, at the beginning you see it's compiled, that doesn't work, but I'm just going back here. If I put in, for example, pdf-parser -a, for all, and thor, and pipe it into less to start at the beginning... so I'm putting -a, which is all objects; I will explain it better after. I'm just putting... no, not -a, -w is for raw data. Okay. So if I execute it right now, you see here this %PDF at the beginning; this is the information collected by file. This represents, basically... it's not because of the percent, it's because of this, complete until here; this is the magic number of PDF. If I try to read another PDF here, I have another one, the resume here. So if I just, for example, type pdf-parser -w and resume, piped into less, you see the same information, %PDF-; you see, this is the magic number of PDF; every PDF has this information. So if I use pdfid, remember that I used it for Thor, you will see the header, which is usually the magic number. If you use, for example, pdfid on resume, it's another PDF file; you will see it at the beginning. Cool. If I run pdfid once again on bank, that's another one. Bank has a bunch of bank ones; there's another phishing here; I'm just putting this one here. If I try to execute this one here, it's the same thing. Cool.

So thinking about the offensive perspective, the red team perspective: when you're building this, you know how to build a proper document and you can induce some tools to identify my file as a PDF, not a binary. So this is a kind of trick that you can use when you prepare a proper, you know, weapon to try to explore environments, to try to bypass some solution, from the phishing perspective in the red team, for example, or even a pentest, so you can try to induce the user to click on your PDF. Because if you see here, let me just go back, let me see here the file bsides once again, because in this case it's a proper PDF. Okay, let me open here my... where is this malware here? Open. Let me just go to the bsides file. Where is bsides? It's over here; you see the design, because they have a section, because of the header. They have, let's say, a header. We can talk more about this structure of PDF. But you see this difference; you see the image here. So let me go back here to talk about the logical structure before moving forward. So there are usually four structures when you talk about PDF. One is the header, which is the magic number; you have the body, the cross-reference table and the trailer. So here in more detail for each part: the header is the version of the PDF that you have; usually... not usually, but you can see there the magic number. You have the body, the whole body, where you have pages, images, fonts; I like to say it's more like the shiny things. And you have a cross-reference table, which is the locations of each object in the file; they work in a different way, like this tree structure, and I will explain later. And the trailer is basically the specific location of the objects in the body. Okay. So everything actually is inside the body, but you have different things about locations in the cross-reference table and trailer, about the reference table.

So if you see here, when you talk about, for example, a portable executable, which is PE for Windows machines, basically you have a proper section, which is the .rsrc section, responsible for bringing this image about the binary; there's a specific image over here. So if we go back here and we change the binary, as you can see here, let me delete this and put in here, for example, three double quotes, just to remember what happened. So now we have a Python file. So if I go back, they keep showing, let's say, the same image. Let me just click enter here, let me go back here, let me go to... they keep showing the same PDF, but it's not a PDF, right? It is a text file. So let me change it again to, let's say... what happened here? You see, the extension keeps being PDF; I'm just confirming here: file bsides, text file. If I try to use in here bsides.pdf, I mean PDF, it works right now; but if you go back here they keep showing .pdf. Why? Because this Linux, this Debian, this Kali Linux, keeps looking at the extension; they don't look at the section or even the magic number; they consider other information, they look at other information. That's the key here; you see how each system identifies each file in another way. So this is one way that you can change; you can use it from the offensive perspective, because you need to manipulate the file, but to manipulate the file you need to understand those structures here. So that's the important thing. Okay, cool.

Let's move forward to our main object here. Okay, we have a structure. As I said, in the tree architecture we have the root file. Sometimes it is object number one, sometimes it's number two; it depends on each specific PDF. They work in a different way, but they have this different structure. Okay. So in this case this is the root, file number one. These two here are children of this, and number four is a child of number three, and so on and so forth. Okay, cool. How does it work? It's a structure. Usually the PDF has /Page, /Pages. So if you go back here, for example, to our virtual machine, let me just go, cd new m... no, what is this? Let me see here. I think it's the PDF, PDF file. Okay, cd new. Okay, I have a bunch of things here. So let me just see what kind of information I can see here.
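As an added example (not code from the talk, nor from Didier Stevens' pdfid or pdf-parser), this Python script reproduces the two checks the demo walks through: classifying a file by its leading bytes the way `file` does, and counting pdfid-style keywords to tell the header-only "Frankenstein" file from a real PDF whose catalog carries /OpenAction and /JavaScript. The MAGIC table, the sample files, build_pdf() and the triage() rules are constructed for this example.

```python
import re

# Constructed magic-number table; `file` uses a far larger compiled database.
MAGIC = [
    (b"%PDF-", "PDF document"),
    (b"MZ", "PE32 executable (Windows)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "Zip archive (docx, xlsx, jar, ...)"),
]

# The keywords pdfid reports, as regexes that avoid double counting:
# "endobj" is not an "obj", "startxref" is not an "xref", "/Pages" is not "/Page".
PDF_KEYWORDS = {
    "obj": rb"\d+\s+\d+\s+obj\b",
    "endobj": rb"endobj",
    "stream": rb"(?<!end)stream\b",
    "endstream": rb"endstream",
    "xref": rb"(?<!start)xref",
    "trailer": rb"trailer",
    "startxref": rb"startxref",
}
for _name in ("/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
              "/OpenAction", "/AcroForm", "/Launch", "/EmbeddedFile", "/URI"):
    PDF_KEYWORDS[_name] = re.escape(_name.encode()) + rb"(?![A-Za-z0-9])"

def identify(data: bytes) -> str:
    """Classify by leading bytes only, the way `file` does; the extension plays no part."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    if data.startswith(b"#!"):  # a shebang is what makes `file` say "script text executable"
        return "script text executable"
    try:
        data.decode("ascii")
        return "ASCII text"
    except UnicodeDecodeError:
        return "data"

def count_keywords(data: bytes) -> dict:
    """pdfid-style keyword counts; #XX escapes are decoded first, so an obfuscated
    name such as /Java#53cript is still counted as /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    return {name: len(re.findall(pat, unescaped)) for name, pat in PDF_KEYWORDS.items()}

def python_syntax_ok(data: bytes) -> bool:
    """Does Python accept the bytes as a script? A leading %PDF- line is a SyntaxError."""
    try:
        compile(data, "<sample>", "exec")
        return True
    except SyntaxError:
        return False

def build_pdf(objects) -> bytes:
    """Header, body, cross-reference table and trailer (the talk's four parts), with
    correct byte offsets so the result is a well-formed PDF."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    size, xref_pos = len(objects) + 1, len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos)
    return bytes(out)

# Constructed samples: a plain script, the same with a shebang, the talk's "Frankenstein"
# (a %PDF- line glued onto the script) and a one-page PDF whose /OpenAction runs a harmless alert.
PLAIN_SCRIPT = b'print("hello from a constructed sample")\n'
SHEBANG_SCRIPT = b"#!/usr/bin/env python3\n" + PLAIN_SCRIPT
FRANKENSTEIN = b"%PDF-1.4\n" + PLAIN_SCRIPT
SAMPLE_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    b'<< /S /JavaScript /JS (app.alert\\("constructed sample"\\)) >>',
])

def triage(filename: str, data: bytes) -> dict:
    """Extension vs. magic number, and whether a %PDF- header is backed by real PDF
    structure (objects plus a trailer) or is header-only like the Frankenstein file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = identify(data)
    kw = count_keywords(data)
    has_structure = kw["obj"] > 0 and kw["trailer"] > 0
    header_says_pdf = magic == "PDF document"
    mismatch = (ext == "pdf") != header_says_pdf or (header_says_pdf and not has_structure)
    review = [k for k in ("/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch",
                          "/EmbeddedFile", "/URI", "/ObjStm") if kw[k]]
    return {"extension": ext, "magic": magic, "has_structure": has_structure,
            "mismatch": mismatch, "keywords": kw, "review": review}

if __name__ == "__main__":
    for name, data in (("bsides.txt", FRANKENSTEIN), ("bsides.pdf", FRANKENSTEIN),
                       ("sample.pdf", SAMPLE_PDF), ("script.py", SHEBANG_SCRIPT)):
        r = triage(name, data)
        print(name, r["magic"], "structure:", r["has_structure"], "mismatch:", r["mismatch"],
              "python_ok:", python_syntax_ok(data), "review:", r["review"])
```

Run stand-alone it prints one triage line per constructed sample; the Frankenstein file is flagged under both extensions because its %PDF- header has no objects or trailer behind it, while the real PDF is consistent but lands /OpenAction, /JS and /JavaScript in the review list.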

Resume, okay: pdfid resume. So if you see here guys, we have here this object information. We have stream, you have xref, which is the cross-reference table, we have trailer; I will explain more in detail. But you have these other slashes here: /Page, /Encrypt, and many other things. Here we have /OpenAction, /AcroForm, /JavaScript. So this is the explanation: /Page usually is the element that is the layout of the number of pages you have in a PDF; usually, from the malicious perspective, it's only one. /Encrypt usually is when you have a kind of parameter to open the PDF when the PDF was encrypted, like they require a password to decrypt this information, or to open the content. Okay. When you have /ObjStm, it means that object streams are used to compress multiple objects. What does that mean? If you see here, we have 20 objects in this example here. But on the other hand, when you go to object streams, you can see it's zero. Okay. So if I go back here to the other one, pdfid... I think Thor, yeah. So let's say it has 18, which is less than the other if you compare, but on the other hand it has one object stream, and we are learning now that an object stream can be multiple objects together, which is like: you have 18 objects, but one of these objects can be composed of multiple other compressed objects. So that's the key.

So when you build your PDF from the red team perspective, or even offensive security, you can use this technique to compress objects, to put an executable there, to put a binary there, to put embedded data there, to put embedded JavaScript there; you can do many things, you just need to embed it in the object. This is one idea, one possibility to use for putting in malicious code. Usually when you look into that, for example if you try to figure out this specific malware, Thor, that's the name, we cannot see anything malicious here; for example, if you try to get some information in this specific one here, we cannot see any, let's say, object information. Just as an example, if I type here pdf-parser -a, which is the objects of the file, and I try to read this information, I need to go for... because I have 18, remember, 18 objects in this file, here's the confirmation; but in this specific example we have one object stream, which can have multiples. So the question is, if I just have 18, why do 35, 30, 32, 34 appear to us here? Because if you multiply... no, not multiply, but if you are good at math you can agree with me that 18 less 35, like 17 at minimum, is what you have here: 17 objects other than this object stream, you see. And you can see here an embedded file in object 28, which is funny, because I should have just 18. How is it possible to investigate object 28 if I cannot see any... I just have 18? You see the kind of difference here, so how you can add things here from the offensive perspective, and you can manipulate that; so, the objects inside the object stream, maybe they can be in object 12 or 13; you need to go deeply into each object to see.

And what other information can I try to figure out here? We have good information here in object 28. So maybe you can see some information here. What I'd like to show you here, guys: if I go, for example, to the info stealer files here, just to compare the same command here, pdf-parser, on another one, and I just put the same command here, -a, which is the same objects I would like to go through, and this is another example I'm just bringing to you. These are two different malwares in PDF. One is specifically an info stealer, and that Thor, I don't have any idea; I just have the name. Of course, I renamed it just to be more funny here. But the point here that I'd like to show you is the difference in the amount of information that you can see here. For example, they're just loading the information here. One second, let me just see here. Okay. You see, this specific file has, like, four /URI. So maybe I should go to this URI to see if they have a kind of redirection. But it is a web page here, and this one has 47 objects, which is a lot. But in the previous one we didn't have any URI or URL or web reference, but I know, because I previously made some investigation of that file, that that file has a URL, but that URL is embedded. I can show you here; if I go to here and click. Mhm. Yeah. You cannot see any URL here, but there is a URL here, because it's embedded. You see, that's another way that you can, again, embed in the object file. So everything is related to how each tool works; at the end of the day, that's the thing. This is, for example, I just allow those malwares to present any events and I don't have any idea what I can find here, for example. So this is the thing that I like to do, so just came here, so when you have an object

stream is basically another possibility to adding malicious think or offensive security things cool. When you have a JS or JavaScript is the element you know flagged by adding embedded JavaScript here and when you have aa or open action usually is this directive was uh there are any uh automatically open opening PDF. What's that mean? Basically it's triggered when the user open to view the PDF when they have an open action you know aligned with that. when the user open the PDF they're just running something in the background. Okay. And when you have an okra form is again it's elements that you can mix this the script is and actions embedded in within the form when need to fill out

something you know and you have a stream remember when I type here for example and this this a new one here for example new let's talk about this new m uh if I go here pdf ID one for example let's see how many objects we have here so here we have a 73 we have has 19 streaming. We don't have any JavaScript. We don't have any object stream. We don't have any other important thing to go, you know, has a direction to investigate or even to create something different. But you have a 19 streaming. So what is the next step in terms of investigations or to try to figure something I need to look in those

streams? Why? because a streaming page usually is the session or contain many many pages compressed. So now we have a two informations. We had the information about object stream which is the object compressed but object stream in is a page stream which means that I can have another PDF compressed in a stream. So that's the difference. So uh can be more than objects it can be more many pages like if you have a let's let's imagine a physical thing okay you have a um three different PG PDFs so if you compress that that PDF is one single PDF you can you can have an streaming usually stream is the most part using the attackers or

the Reddit teamrers to putting content malicious there okay cool cool so let's talk very fast because my time is is finished almost I think it's finished right now but anyway Um, sorry for that. I'm just go very fast to this PDF and I have here the new one. >> No worries. We have the time. The next session will start at uh 2:00 and that's we have the >> Okay, I'm okay. More if you are with me here guys, I can explain more. >> Interesting. At least for me is interesting and good to continue. >> Okay, I keeping talk nice. So remember this is our main goal here. Our main main PDF here PDF IG PDF IG I'm I was

trying to create the whole history about PDF to explain each details before to go deeply in this one here. Okay. So guys if you see here we have we have these 20 objects. So let's suppose that you are doing the investigations or if you receive this sample or like okay how I can using this for the offensive perspective using has a headb or a penetration tester okay so I have a 20 objects I should go deeply in each one of these but of course when you build some PDF sometime is just a standard okay and but here we have a six streaming what kind of a stream I should looking for look into uh you know we have one page has As I said

in the object stream it's zero but we have a in a minimal five reference here. Okay. Of JavaScript and we have an open action here. Okay. What is the next steps? go to PDF parser as I said to you dash A to look into the objects and to see what kind of uh object are what kind of streaming are inside of each uh object or what's the best uh way to go I can see here for example some reference so are the reference here in the JS in the object 7 and 18 okay and another reference in the object at 7 9 and 18 again. So just a reference but the opening action again remember opening

action is just the action that is totally linked or attached when the user just view the PDF like this one here. If I go back to my folder where is the okay if I just click in here this is the open action activities. Okay, I just open when the user thinking in the case that you are doing a writing activities engagement operation whatever name you prefer you can attaching your malicious code to communicate with your CNC or command control you are simulating this you just putting that and you can simulate like this one here clicking this here this is a bank information requesting a transfer payment in Brazilian words this is the view of the

user so you send for some possible victims in your environment or or even if you are trying to do a kind of fishing activities where they when they just click into open the PDF this is the action used by this open action. Okay, cool. So we can see here that this opening action is object 7. So I should look into the object 7 and object 18 maybe. But when you go to the streaming you can see where is the streaming. Remember we have a six which is 1 2 3 4 5 6. So the object streams are here. Okay. So let's try to understand how the attacker/ pentester created this file actually is a real just to confirm to

you guys. Um because maybe you are think okay it's not like has no malicious file just we are talking right now we feel as we have a time just to share with you this that is a real m I'm talking about the real m um just little total we are doing live okay so one second because again we are streaming everything and by the way if you have any question guys you can type in the Q&A bottom so we can answer or you can talk if you have any question during this loading process here I'm just seeing uh okay we have I will share my I think in the in the website there are my

linkaging website and my um Twitter account as well I use them both um you can find me I just I can type in here in the chat. You can see I think the in the information in the chat but you can find me has a Philippis in this um in um Twitter and if you using for example Instagram you can follow me there Philipped. Which is another one and you can find me has a Philippis on linkage. Okay. Answering live. Cool cool cool. I'm just access this virus to here to share with you guys this uh information about this specifically sample that I'm analyzing here to you and um okay um okay good question let me just see here

"Do PDF and Python headers have enough agility to make a Python script that is a valid PDF as well?" Let me just see if I understand your question correctly. Are you asking about combining the PDF and Python headers, like separating the file, or are you asking about creating a Python script to add into the PDF, probably for offensive activities? I'm supposing this is your question, right? If it is, okay, I'm just trying to clarify this. You can add, yes, of course, a Python script. Usually there are some ways you can try to, let's say, chart some information inside. I'm just pasting here and searching. Yes, yeah, let me just... does... yeah, actually, no, not in this way, because Peter is putting in another piece of information just to combine it. He is asking about this one here.

Let me just put it here, for example. No, no, let me just see if I have another PDF here. Alas, I have a Colab here. Let me just... no, no Colab. Like you see, for example, this one in this case is specifically a PDF file, okay. So if I change it, or if I put some Python script inside of that, it should work, because that's the way you should add this Python script embedded inside the PDF for it to work: you need to connect that with this specific object that you need to add inside of it. Usually you don't know exactly where the object is when you create this. You just add the object and they populate it; they choose what is the best object that you add. But once you put in, let's say, %PDF-whatever in the header, you will see that the tool will identify this file as a PDF. Okay. But on the other hand, if you try to execute it as a PDF, it is a Python script, it doesn't work, because the syntax in the header doesn't work. For example, you have two things here. The main thing is whether you are running this PDF on a Windows platform or on a Linux platform; these are two different things. Because, for example, I can just go here on Linux and I can just change here, for example: if I try to rename this, let's say to .doc, for example, and I just rename it here, they change the picture, as you can see here, but we know that the file is not... like, I can just rename it here, they consider it something, and even just request a check of the information. But if you try to execute this on Windows, which you are asking about, this extension, you know that when you try to change a specific file they ask you about the permission that you need to have to change that, if you are allowed. Because for Windows it depends on the library that you load for each binary, this section, call it C or S, yeah, or CS; this section is responsible for bringing this image to you guys. It's the same case for Linux, but they don't request any additional confirmation or question from you. Like, I can just change here to PDF or whatever, I can put in here Philippe, for example, rename it, they don't have any image for my extension, you see, and they just have the formal image for a formal, let's say, PDF, you see the brand, the image. So that answers your question: for offensive activities we should embed the PDF file inside the object, and once you do that you can try to do the attack. Okay, I hope that I answered your question.

Okay, let's go back to this hash here, just to show you it is malicious. Okay, I'm running the analysis on this malicious file. So you see, we don't have any idea; we should look into the JavaScript, or the first activity: we should look into the objects here. So if you just put pdf-parser here with -w, which is the raw data, for a summary, and I pipe to less here to start at the beginning. So it starts looking from the beginning. So object one, you see, the object is referring; when you see this 'referencing', this is objects two and three, they are children of this guy here. You see? So that's the important thing. If you go below, let's go below, object two is a child. Remember, it doesn't have any other references; it's empty. So object three, this guy has another child, which is object four. So now we saw objects 1, 2, 3 and 4 and the others. Object four, we don't have any reference. And here, as we can see, it brings us the information 'Contains stream'. Remember, a stream is a page stream, a page compressed, which is cool. Let's go. But one piece of information: when you have a stream, the next step is to decode it. When you see this FlateDecode, it means that you need to decode this information inside the stream. But here is the /Length, which is the size of the content, which is very small. Object six, object seven, and this object seven refers to another bunch; this is a big family. Object seven has, for example, objects 8, 9, 10, a bunch of them. And here, as we can see, the reference to the open action in object 7, as we read in the other command previously.

So if you go below here, the open action. Remember when I said the user just clicks; think about the HR team, think about the financial teams. When you need to create your proper attack, for the red teamers or pentesters, what should be the target? Ah, the target should be the IT guy, because they have administrator access. But your financial guy, they need to put invoices in a proper application, right? And this application probably requires administrator access on their machine. Yeah, you see, that's a good target. So that's the point. So remember, okay, what is the day to day of this financial guy? Maybe sometimes it can be a junior guy. So they need to open invoices, and because of this freaking, because I cannot say [ __ ], because this [ __ ] application requires administrator access, and because of that, it allows you to try using that user as a target. You see, the high-value target, because they have administrator access. So when they open this invoice, what happens? Open action. Why the open action? It is embedded JavaScript running behind the scenes, and the user doesn't have any freaking idea what happened. So that's the key here in this attack. But we need to find where this JavaScript is. Philipe, where is the JavaScript? If you go below, let's go below. Object 13.

Nothing. I remember something about 9, right? Let me go to 19 here. Let's go. 16 is another. No. Referencing. Okay. Object 17 refers to this one here. And object 18 refers to 19, which is JavaScript. If you go here, you have a good size. So here is the malicious content. Here is the JavaScript. So now, what are the next steps? We need to decode here. But okay, we don't have too much time to go deep. Just let me go to code, user... I think it's not... it is code with the user option and --no-sandbox, just because I'm using this sandbox, and just open my VS Code here. I think I forgot to put something here.

Call dash y. Yeah, I didn't. It's not necessary to add anything. I'm just trying to open VS Code, just to show you the whole code. I have the content here; I just dumped it here. I can put it in here. Dump. Holy Jesus, I have three dumps. Okay, let me just go here, some notes. Where is... I'm looking here in the... cool, and just go to... where is the folder?

>> We are just getting out of the run time, and the next session will be started in a few seconds.

>> Yeah, yeah, for sure. Okay, let me just go here. Yeah, so I'm just sharing this information with you, okay. This is the information that I showed live. I'm just putting here, for example, pdf-parser, as I said to you, go to object 9; here is the object, as you can see, here is the obfuscated JavaScript used by the attacker. They basically divided it in two ways. I'm just explaining very briefly, but basically what he did here is separate it in two ways. I used a Python script to decode that. As you can see, I used the other tool called pdftk just to uncompress that information; here is how the uncompressed content was, okay, in a JavaScript way. And after that I read some important function calls, and they have a kind of string that had this kind of string concatenation, which is in this specific letter, okay. When I did that I just separated the first code and the second code; these were the results, the functions. This is the second part; it's very big malicious content. I separated it in arrays, which is part of the malicious content, and after that we can see the proper payload. The payload was responsible for the download to the victim machine, of that user from the financial team. And when I did that, I just moved my investigation to the Windows machine and I used this other platform called Mouse. When I did that, I just used this to convert UCS-2 to hexadecimal; they basically convert this into hexadecimal. When I did that, I just converted once again from hexadecimal to file, which is the binary PDF doc bin, which is a binary. When I did that, I just used another tool from Didier Stevens, which is XORSearch, to try to figure out where the HTTP or HTTPS is, which is the reference to the callback of command and control. When I did that, I just found this IP address of the attacker; if you see here, it is in North Holland, or in the Netherlands. So this is the seat, based where they should receive the callback of the victim machine. So basically, the takeaways of this information: PDF still delivers reliable initial access, because, as I said in the example, you can send it to the victim, for example the financial guy or HR, using this combination of JavaScript and open actions, very, very relevant, and using this kind of toolchain for, in the meantime, combining static and dynamic structure to create new attacks and defensive thinking. Okay. And I finish our conversation here again. So people asked me how much time do you need to present this. I can do this in 30 minutes; I can do it in 3 hours. We can walk very fast or very slow. And again, thank you so much, guys, for being here with me during this time, and thank you for everything; this conversation was very, very nice. Thank you for the invitation to be here, and if you have any question again, you can, you know, follow me on LinkedIn, you can text me on LinkedIn or whatever you need, I'm here.

>> Thank you so much, thank you so much for the great presentation, and audience, the next session I think has started and you can jump to the next session. Thank you, everybody, thank you, see you, bye-bye. Great presentation, thank you, bye.
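As an added worked example, not code from the talk and not the pdfid/pdf-parser tools the speaker uses, the script below reproduces the two-pass triage walked through above: count /OpenAction, /JS, /ObjStm and the other keywords on the raw bytes (what pdfid shows), then inflate the FlateDecode streams and count again, which is where the objects hidden inside an object stream and the JavaScript tied to the open action appear, and where the "18 objects but a reference to object 28" mismatch gets explained. The PDF it scans is constructed in memory for the demonstration and is not a real sample; its object numbers and the alert string are the example's own assumptions. Only /JS references to stream objects are extracted; an inline `/JS (...)` literal is counted by the keyword pass but not pulled out.

```python
"""Two-pass PDF triage: raw keyword counts, then the same counts after inflating streams.

Constructed example for this page, not code from the talk or from pdfid/pdf-parser.
"""
import re
import zlib

# Keywords worth counting. The lookahead stops /JS from also matching /JSomething.
KEYWORDS = [b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/AcroForm",
            b"/ObjStm", b"/EmbeddedFile", b"/Launch", b"/URI", b"/Encrypt"]
OBJECT_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)


def count_keywords(data: bytes) -> dict:
    """Keyword histogram over any bytes: the raw file, or inflated stream content."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
            for k in KEYWORDS}


def parse_objects(data: bytes) -> dict:
    """Map object number -> body between 'N 0 obj' and 'endobj' (top-level objects only)."""
    return {int(m.group(1)): m.group(2) for m in OBJECT_RE.finditer(data)}


def stream_of(body: bytes):
    """Return (stream dictionary, decoded data) for a stream object, else None.

    A direct /Length is trusted when present; otherwise fall back to the endstream marker.
    """
    m = STREAM_RE.search(body)
    if not m:
        return None
    dictionary, start = m.group(1), m.end()
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
    if length:
        raw = body[start:start + int(length.group(1))]
    else:
        raw = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
    return dictionary, (zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw)


def objstm_members(dictionary: bytes, decoded: bytes) -> dict:
    """Split an inflated /ObjStm into its member objects.

    The stream opens with /N pairs of 'objnum offset', offsets relative to /First.
    Members carry no 'N 0 obj' header, so a raw count of the file never sees them.
    """
    n = int(re.search(rb"/N\s+(\d+)", dictionary).group(1))
    first = int(re.search(rb"/First\s+(\d+)", dictionary).group(1))
    header = decoded[:first].split()
    pairs = [(int(header[i]), int(header[i + 1])) for i in range(0, 2 * n, 2)]
    members = {}
    for i, (num, off) in enumerate(pairs):
        end = first + pairs[i + 1][1] if i + 1 < n else len(decoded)
        members[num] = decoded[first + off:end].strip()
    return members


def triage(data: bytes) -> dict:
    """Raw counts (what pdfid shows), counts after inflation, hidden objects, and JS."""
    objects = parse_objects(data)
    hidden, decoded_all, javascript, streams = {}, b"", [], 0
    for body in objects.values():
        found = stream_of(body)
        if found is None:
            continue
        streams += 1
        dictionary, decoded = found
        decoded_all += decoded
        if b"/ObjStm" in dictionary:
            hidden.update(objstm_members(dictionary, decoded))
    # Resolve '/JS n 0 R' references (raw file or hidden object) to the stream they point at.
    everything = data + b"\n".join(hidden.values())
    for ref in re.findall(rb"/JS\s+(\d+)\s+\d+\s+R", everything):
        target = objects.get(int(ref))
        if target is not None:
            found = stream_of(target)
            javascript.append(found[1] if found else target.strip())
    return {"objects": len(objects), "streams": streams,
            "visible": count_keywords(data), "decoded": count_keywords(decoded_all),
            "hidden_objects": sorted(hidden), "javascript": javascript}


def build_sample_pdf() -> bytes:
    """Constructed sample, not real malware: the catalog's /OpenAction points at object 5,
    which lives inside an /ObjStm and runs the JavaScript compressed in object 6."""
    js = b"app.alert('constructed sample: OpenAction fired');"
    members = [(5, b"<< /Type /Action /S /JavaScript /JS 6 0 R >>"),
               (7, b"<< /Type /Page /Parent 2 0 R >>")]
    header, body = b"", b""
    for num, obj in members:
        header += b"%d %d " % (num, len(body))
        body += obj + b"\n"
    objstm, jsdata = zlib.compress(header + body), zlib.compress(js)
    head = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [7 0 R] /Count 1 >>\nendobj\n")
    objstm_obj = (b"4 0 obj\n<< /Type /ObjStm /N 2 /First %d /Filter /FlateDecode /Length %d >>\n"
                  b"stream\n" % (len(header), len(objstm))) + objstm + b"\nendstream\nendobj\n"
    js_obj = (b"6 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(jsdata)
              + jsdata + b"\nendstream\nendobj\n")
    # No xref table: neither pass above needs one, and malformed samples often lack a sane one.
    return head + objstm_obj + js_obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Run on the constructed sample, the raw pass reports four objects, one /OpenAction and one /ObjStm but no /JS at all, exactly the "looks clean" picture the talk warns about; the second pass surfaces objects 5 and 7 from inside the object stream, one /JS and one /JavaScript, and the alert string itself. Point `triage()` at real file bytes and compare the two histograms: a gap between them is the cue to dump and decode the streams by hand.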