Skip to content

Commit

Permalink
Reduce false positives in safe PDF analysis (Adobe Reader behaviour)
Browse files Browse the repository at this point in the history
  • Loading branch information
kevoreilly committed May 8, 2024
1 parent 5d49357 commit 43be5e3
Show file tree
Hide file tree
Showing 3 changed files with 191 additions and 30 deletions.
126 changes: 126 additions & 0 deletions data/malicioustlds.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
.link
.cam
.bar
.surf
.xyz
.click
.buzz
.gq
.ga
.rest
.ml
.cc
.cfd
.cyou
.accountant
.ar
.bg
.bid
.biz
.biz.ua
.br
.camera
.cf
.club
.co
.co.ua
.co.in
.co.mz
.co.nz
.com.au
.com.tw
.computer
.cricket
.date
.diet
.download
.email
.es
.faith
.gdn
.global
.guru
.help
.in
.info
.kz
.lol
.loan
.media
.men
.news
.ninja
.nyc
.party
.photography
.pt
.pw
.racing
.reise
.review
.rocks
.ru
.science
.site
.solutions
.space
.stream
.tech
.today
.top
.tr
.trade
.uno
.us
.vn
.webcam
.website
.win
.work
.africa
.autos
.best
.bet
.bio
.boats
.bond
.boston
.boutique
.center
.charity
.christmas
.coupons
.dance
.finance
.fishing
.giving
.hair
.haus
.homes
.icu
.kim
.lat
.llp
.loans
.love
.ltd
.mom
.motorcycles
.name
.okinawa
.promo
.rehab
.rugby
.run
.sale
.sew
.skin
.store
.sz
.tattoo
.tokyo
.voto
.wang
.wf
.yachts
.you
91 changes: 62 additions & 29 deletions modules/signatures/all/pdf_annot_urls.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,36 +16,69 @@
from lib.cuckoo.common.abstracts import Signature


class PDF_Annot_URLs(Signature):
name = "pdf_annot_urls"
description = "The PDF contains a Link Annotation to a compressed archive or executable file"
severity = 3
class PDF_Annot_URLs_Checker(Signature):
name = "pdf_annot_urls_checker"
description = "The PDF contains a Link Annotation"
severity = 2 # Default severity
categories = ["static"]
authors = ["Optiv"]
minimum = "1.3"
authors = ["Wassime BATTA"]
minimum = "0.5"

filter_analysistypes = set(["file"])
filter_analysistypes = set(["file","static"])

malicious_tlds_file = "/opt/CAPEv2/data/malicioustlds.txt"

def __init__(self, *args, **kwargs):
super(PDF_Annot_URLs_Checker, self).__init__(*args, **kwargs)
self.malicious_tlds = self.load_malicious_tlds()

def load_malicious_tlds(self):
malicious_tlds = set()
with open(self.malicious_tlds_file, "r") as f:
for line in f:
line = line.strip()
if line.startswith("."):
malicious_tlds.add(line)
return malicious_tlds

def run(self):
found_URLs = False
if "static" in self.results and "pdf" in self.results["static"]:
if "PDF" in self.results["target"]["file"].get("type", ""):
if "Annot_URLs" in self.results["static"]["pdf"]:
for entry in self.results["static"]["pdf"]["Annot_URLs"]:
entrylower = entry.lower()
if entrylower.endswith(
(".zip", ".exe", ".msi", ".bat", ".scr", ".rar", ".com")
) and not entrylower.startswith(
"mailto:"
): # skip mailto: as it can't add attachments
skip = False
# skip triggering on http:// and https:// links that don't have anything after the domain name
# so http://foo.com will be skipped, but http://foo.com/malware.com will not be
if entrylower.startswith("http://") and not entrylower.find("/", 8):
skip = True
elif entrylower.startswith("https://") and not entrylower.find("/", 9):
skip = True
if skip:
self.data.append({"url": entry})
found_URLs = True
return found_URLs
found_malicious_extension = False
found_malicious_domain = False
found_domain_only = False
suspect = False

if "PDF" in self.results["target"]["file"].get("type", ""):
if "Annot_URLs" in self.results["target"]["file"]["pdf"]:
for entry in self.results["target"]["file"]["pdf"]["Annot_URLs"]:
entry_lower = entry.lower()
self.data.append({"url": entry})
if entry_lower.endswith((".exe", ".php", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")) \
and not entry_lower.startswith("mailto:"):
found_malicious_extension = True

if entry_lower.startswith("http://") or entry_lower.startswith("https://"):
domain_start = entry_lower.find("//") + 2
domain_end = entry_lower.find("/", domain_start)
if domain_end == -1:
domain = entry_lower[domain_start:]
else:
domain = entry_lower[domain_start:domain_end]

for malicious_tld in self.malicious_tlds:
if domain.endswith(malicious_tld):
found_malicious_domain = True
break
else:
# If no malicious TLDs detected, set found_domain_only to True
found_domain_only = True

if found_malicious_domain or found_malicious_extension:
self.severity = 6
self.description = "The PDF contains a Malicious Link Annotation"
suspect = True
elif found_domain_only:
self.severity = 2
self.description = "The PDF contains a Link Annotation"
suspect = True

return suspect
4 changes: 3 additions & 1 deletion modules/signatures/windows/credential_dumping.py
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,9 @@ def run(self):
if match:
self.data.append({"regkey": match})
ret = True

# Tweak
if "PDF" in self.results["target"]["file"].get("type", ""):
self.severity = 1
return ret


Expand Down

0 comments on commit 43be5e3

Please sign in to comment.