Wednesday, October 28, 2009

Introduction to PDF Exploits


Before we look into PDF exploits, we should first see the basic structure of a typical PDF document. I spent quite some time really digging into this. Basically, a PDF document consists of four important parts: the header, the body, the cross-reference table (XREF table) and the trailer.

The header is the placeholder for the document's information. The body consists of a stream of objects, which actually form the visible elements of the PDF document: the forms, buttons, etc. The XREF table contains, for each object, a reference and its byte offset in the body, which gives access to the objects without the need to read the entire file. The trailer provides the means for locating the XREF table, the document's root catalog dictionary and other objects. That's the basic explanation of those elements.

What are streams? They are objects consisting of a sequence of bytes. These bytes are text or binary data, such as embedded images or any other media objects in the document. The interesting part is that they can be compressed or encoded! There are several encoding algorithms, such as:

FlateDecode
ASCIIHexDecode
ASCII85Decode
LZWDecode
RunLengthDecode
CCITTFaxDecode
JBIG2Decode
DCTDecode
etc.

Those are the filters that malware writers use to conceal their payloads inside an innocent-looking PDF. These encoding algorithms can also be combined (chained). Most malware writers embed shellcode inside the PDF's stream objects so that it is harder for antivirus to detect.



All we can see is raw bytes inside the streams. Flash objects can also be embedded inside PDF documents.
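As an added illustration (my own code, not from the original post), the following Python script walks the objects of a small constructed PDF, reads each stream's /Filter entry and undoes the declared filters in order, so that what is hidden in a compressed or hex-wrapped stream becomes visible for inspection. It implements only FlateDecode and ASCIIHexDecode and relies on regexes over the plain-text skeleton (ignoring /Length, object streams and encryption), which is enough for this sample but not for arbitrary real-world files.

```python
import re
import zlib
# Regexes for the plain-text skeleton: "N G obj ... endobj" and "stream ... endstream".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)  # LF line ends assumed
FILTER_RE = re.compile(rb"/Filter\s*(?:\[([^\]]*)\]|(/\w+))")
# Decoders for the two filters handled here; an array /Filter is applied in array order.
DECODERS = {
    b"/FlateDecode": zlib.decompress,
    b"/ASCIIHexDecode": lambda d: bytes.fromhex(d.split(b">")[0].decode("ascii")),
}

def filters_of(dictionary):
    """Filter names declared in a stream dictionary, in the order they must be undone."""
    m = FILTER_RE.search(dictionary)
    return re.findall(rb"/\w+", m.group(1) or m.group(2)) if m else []

def decode_stream(dictionary, raw):
    """Undo every declared filter; refuse (rather than guess) on ones not implemented."""
    for name in filters_of(dictionary):
        if name not in DECODERS:
            raise ValueError("unsupported filter %r" % name)
        raw = DECODERS[name](raw)
    return raw

def list_streams(pdf):
    """For each body object carrying a stream, return (object number, filters, decoded bytes)."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        if s:  # the stream dictionary is whatever precedes the 'stream' keyword
            dictionary = body[:s.start()]
            found.append((num, filters_of(dictionary), decode_stream(dictionary, s.group(1))))
    return found

def build_sample():
    """Constructed sample PDF: one Flate stream and one hex-wrapped Flate stream (a chain)."""
    content = b"BT /F1 12 Tf 72 720 Td (text hidden inside a compressed stream) Tj ET"
    flate = zlib.compress(content)
    hexflate = flate.hex().encode("ascii") + b">"  # ASCIIHex data is terminated by '>'
    def obj(num, dictionary, stream=None):
        out = b"%d 0 obj\n%s" % (num, dictionary)
        if stream is not None:
            out += b"\nstream\n" + stream + b"\nendstream"
        return out + b"\nendobj\n"
    return (b"%PDF-1.4\n" + obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
            + obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
            + obj(3, b"<< /Type /Page /Parent 2 0 R /Contents [4 0 R 5 0 R] >>")
            + obj(4, b"<< /Length %d /Filter /FlateDecode >>" % len(flate), flate)
            + obj(5, b"<< /Length %d /Filter [/ASCIIHexDecode /FlateDecode] >>" % len(hexflate), hexflate)
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Running `list_streams(build_sample())` shows that a plain search of the file for the page text finds nothing, while the decoded streams both contain it.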

So if one day you suddenly receive a PDF, don't simply open it. Scan it with antivirus before opening it. Alternatively, you can use Foxit PDF Reader to view the PDF, as most PDF exploits target users of Adobe's PDF Reader.



Tuesday, October 27, 2009

My PGP Key

My new PGP public key is:
