Explore tools and techniques for analyzing malicious PDF files in this 35-minute conference talk from nullcon Goa 2014. Delve into the presentation of phoneypdf, an open-source PDF analysis framework that builds upon existing work and introduces new methods to leverage the Adobe PDF DOM and XFA. Learn how emulating the Adobe PDF DOM provides a unique advantage over other available tools, offering fine-grained information on PDF layout, XFA, and JavaScript execution. Gain insights into how this approach allows for deeper understanding of exploitation techniques compared to pure static analysis. The talk covers topics such as Adobe Reader, code execution vulnerabilities, parsing challenges, analysis engine functionality, JavaScript handling, Adobe DOM emulation, XML Forms Architecture, PDF rendering, and open-source contributions.
Overview
Syllabus
Intro
Lightning version
Adobe Reader
Code Exec Vulns in Reader
Previous Work
Design
The Parser
Parsing is not fun
Example #1: Raw to Python
Example #2
The Analysis Engine
JavaScript #2
Adobe DOM Emulation
Adobe XML Forms Architecture / X
'Render' the PDF
Handlers
Open Source
Taught by
nullcon
