Documents have always been a popular attack vector. Documents, unlike executables, have been traditionally considered less suspicious and harmful. This concept made it easier for attackers using them to circumvent traditional security solutions. But, overtime and with the growing scripting and macro capabilities, documents became much more similar to executables, in a sense that they could run code, create processes and more. Recently, a new malicious PDF file was identified by ESET and Microsoft. Though it was not observed in the wild yet, it’s pretty dangerous as it exploits two previous zero day vulnerabilities: Remote code execution in Adobe Reader (CVE-2018-4990) and Privilege Escalation in Microsoft Windows (CVE-2018-8120).
The attack is carried out in 2 phases. First, a JS code that is embedded inside the PDF runs when the PDF is opened. The JS sets up a ROP chain that leads to execution of shellcode which is also embedded inside the PDF. The exploited vulnerability is CVE-2018-4990. The second phase is focused on breaking out of Adobe Reader Sandbox. It’s done by exploiting Microsoft Windows vulnerability tagged CVE-2018-8120.
Using the Behavioral AI Engine, SentinelOne agent is capable of detecting and blocking this type of malicious documents. By closely analyzing the attack behavior and monitoring the various operating system events generated through it, the engine detects an execution of shellcode and more distinct indications for malicious behavior. Watch this demo to see how it works.
In addition, with the new Nexus Embedded AI SDK, announced two months ago, customers can easily scan PDF documents before they are accessed and know in advance (and within milliseconds) whether these are threats or benign files. In Figure 1.1, it can be seen that there are some abnormalities within the PDF structure which are correlated with malicious behavior. That leads the static AI engine, which is the SDK core, to determine that this is a suspicious file.
Figure 1.1 – Nexus Embedded AI In Action
To sum it up, PDF documents gradually pose more risk, as they are trusted more than executables. However, they potentially cause similar harm. With SentinelOne, customers are fully covered against this growing threat. First, SentinelOne agent detects and blocks malicious PDF files using the Behavioral AI engine. In addition, Nexus AI SDK, a powerful SDK for static analysis also detects this threat within milliseconds.