Tuesday, May 24, 2011

How to Extract Flash Objects from Malicious PDF Files

Nice post from the SANS Computer Forensics Blog that explains how to extract Flash objects from malicious PDF files.

Why use Flash objects in PDF files? Attackers seem to use ActionScript as an alternative to JavaScript to perform the heap spray.

The cheat sheet is used in conjunction with pdf-parser or PDF Stream Dumper to extract the objects contained in the PDF.

Once the Flash object has been extracted, SWFTools is used to disassemble it and proceed with the analysis.

At the end, the author of the post links to a real life example.
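As an added illustration (not code from the SANS post, pdf-parser or PDF Stream Dumper), here is a small Python scanner for the extraction step: it walks a PDF's stream objects, undoes /FlateDecode, and keeps every stream that begins with an SWF signature so the result can be written out and handed to swfdump. It only understands that one filter and plain (non-object-stream) objects; the sample PDF and the 20-byte SWF header are constructed for the demonstration.

```python
import os
import re
import zlib

# An SWF file starts with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# "N G obj <<dict>> stream ... endstream"; the dictionary must not run past an "endobj".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)endstream",
                    re.DOTALL)

def decode_stream(dictionary, raw):
    """Undo the one filter handled here (/FlateDecode); None if the data is corrupt."""
    if b"/FlateDecode" not in dictionary:
        # raw still carries the EOL that precedes "endstream"; drop exactly that
        return raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw
    try:
        # decompressobj ignores the trailing EOL bytes instead of raising on them
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return None

def extract_swf_objects(pdf_bytes):
    """Map object number -> decoded bytes for every stream that begins with an SWF magic."""
    found = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        data = decode_stream(m.group(3), m.group(4))
        if data is not None and data[:3] in SWF_MAGICS:
            found[int(m.group(1))] = data
    return found

def dump_swf_objects(pdf_path, out_dir="."):
    """Write each embedded SWF to <out_dir>/obj<N>.swf for swfdump; return the object numbers."""
    with open(pdf_path, "rb") as fh:
        objects = extract_swf_objects(fh.read())
    for num, data in objects.items():
        with open(os.path.join(out_dir, "obj%d.swf" % num), "wb") as out:
            out.write(data)
    return sorted(objects)

# Constructed sample: a 20-byte uncompressed SWF (FWS, version 10, length 20, filler) ...
SAMPLE_SWF = b"FWS\x0a" + (20).to_bytes(4, "little") + b"\x00" * 12

def build_sample_pdf(swf):
    """... embedded as a Flate-compressed stream in a minimal, constructed PDF."""
    compressed = zlib.compress(swf)
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj << /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + compressed + b"\nendstream endobj\n"
            b"3 0 obj << /Length 6 >>\nstream\nhello\n\nendstream endobj\n%%EOF\n")
```

Real samples often hide the Flash payload behind other filters, object streams or obfuscated names, which is where pdf-parser and PDF Stream Dumper earn their keep; this scanner is only the simplest case made explicit.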
