So you want to get your feet wet?

  1. Grab Didier Stevens tools here: http://blog.didierstevens.com/programs/pdf-tools/
  2. Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
  3. Video Tutorial: Didier on analyzing a PDF Document: http://www.youtube.com/v/tHVi2wKCkTc
  4. You’re going to run into some heavily obfuscated JavaScript.  Read this article: http://isc.sans.org/diary.html?storyid=2358
  5. Other deobfuscation tools: Malzilla, SpiderMonkey (need to handle document.write), debug via Rhino, Firefox add-on (haven’t tried this one)

Tags: , , , ,