Tuesday, February 24, 2015

Malware Tracker: PDF Analysis

If you're an intrusion analyst on a small team (or maybe you ARE the team), you may be the only resource that has to look at a myriad of possibly malicious files that trigger your IDS or SIEM. You may not have either the time or the forensics skills to properly inspect each PDF or Flash file or Office doc that set off an alert.
Fortunately, there are a lot of good resources available that can do at least a cursory examination of different types of files and indicate that you might need to flag that alert for investigation. That's not as good as having a forensics analyst to hand the file off to, but it's a whole lot better than ignoring the alert because you don't have the time or training to deal with it.

For PDF files, Malware Tracker allows you to upload a file (free of charge), which then gets analyzed, and a report of its findings is returned to you. You can supply an email address to get your findings that way (handy on a busy day as it lets you move on to the next alert while that file is analyzed), and you can also mark the file private, not to be shared on the site's recent infections list, in case it's your own internal document.

Here's an example of the email report you can receive:

Filename: NBAA-Pilot-Briefing-Climb-Via-Descend-Via-Speed-Adjustments-2.00-Change-Summary-20140228.pdf
Size: 925289 bytes
MD5: e80a5be5194fb890897990bb134a48b5
Sha1: cce44e805c876e74ebac7f90b7279908580be653
Sha256: 7bca90caeafafc6c7c96c9c60941d65c9701bd950277b2bad57d46a67b42546a
ssdeep: 12288:Qo0qLEpCIOj0HEGQLPsyM9ITOEriOfhduBmwBgArBoIIFhM2E:ldy40HgtMBEeOf6FBTrBvkM2E
Type: PDF document, version 1.7
Submission: 2015-02-24 13:10:40
IP: 10.80.227.105, proxy=12.68.84.52
Email:

Detection: Clean [0]


Summary:


While you're there, there are other resources that might help you at http://malwaretracker.com/tools.php.
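Because the email report is plain "Key: value" text, it is easy to triage in bulk. As an added example (not from the post and not Malware Tracker's own code), here is a small Python helper that parses that report format, reads the verdict out of the "Detection" line, and flags anything that is not an explicit "Clean [0]" or whose digests are malformed; the sample input is the report quoted above.

```python
import re

# Constructed input: the email report quoted in the post above.
SAMPLE_REPORT = """Filename: NBAA-Pilot-Briefing-Climb-Via-Descend-Via-Speed-Adjustments-2.00-Change-Summary-20140228.pdf
Size: 925289 bytes
MD5: e80a5be5194fb890897990bb134a48b5
Sha1: cce44e805c876e74ebac7f90b7279908580be653
Sha256: 7bca90caeafafc6c7c96c9c60941d65c9701bd950277b2bad57d46a67b42546a
ssdeep: 12288:Qo0qLEpCIOj0HEGQLPsyM9ITOEriOfhduBmwBgArBoIIFhM2E:ldy40HgtMBEeOf6FBTrBvkM2E
Type: PDF document, version 1.7
Submission: 2015-02-24 13:10:40
IP: 10.80.227.105, proxy=12.68.84.52
Email:
Detection: Clean [0]
Summary:
"""

# Expected hex length of each digest the report carries.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

def parse_report(text):
    """Turn 'Key: value' lines into a dict keyed by lowercase field name.
    Blank-valued fields (e.g. 'Email:') are kept as empty strings."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def parse_detection(value):
    """'Clean [0]' -> ('Clean', 0); anything unparseable -> (value, None)."""
    m = re.match(r"^(.*?)\s*\[(\d+)\]$", value)
    if not m:
        return value, None
    return m.group(1), int(m.group(2))

def triage(text):
    """Return (needs_review, reasons). A report is safe to file away only when
    the verdict is an explicit 'Clean [0]' and every digest is well-formed hex."""
    fields = parse_report(text)
    reasons = []
    verdict, score = parse_detection(fields.get("detection", ""))
    if verdict != "Clean" or score != 0:
        reasons.append(f"detection={fields.get('detection', '<missing>')}")
    for name, length in HASH_LENGTHS.items():
        if not re.fullmatch(rf"[0-9a-f]{{{length}}}", fields.get(name, "")):
            reasons.append(f"{name} missing or malformed")
    return bool(reasons), reasons
```

Feed each saved report body to triage() and only open the ones that come back with needs_review set; a missing or garbled hash is treated as a reason to look, since you cannot correlate the sample with other sources without it.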