Two obfuscation layers
A sample named ‘oral-b oxyjet spec.pdf’, submitted to VirusTotal, was analyzed by EdgeSpot. EdgeSpot researchers detected the sample as an exploit for CVE-2013-3346 and stated that it included two layers of obfuscation.
Attackers used the PDF JavaScript APIs ‘this.getIcon()’ and ‘util.iconStreamFromIcon()’, which together can read the stream of an image named "icon" stored in the PDF file.
EdgeSpot researchers noted that the attackers likely copied an open-source steganography technique and used it, for the first time, to hide a PDF exploit.
“We were impressed by this technique, which is perfect for malicious code obfuscation for PDF exploits. By using this technique, all streams look normal, all images are viewable, everything looks legitimate. This can probably explain why almost all AV engines missed it,” EdgeSpot said.
EdgeSpot noted that this steganography technique could not only be used to obfuscate this PDF exploit (CVE-2013-3346) but could also be applied to many other PDF exploits including zero-days.
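Because the image streams themselves look legitimate, a defender's best handle on this technique is the script side: JavaScript that pairs the two APIs named above with an image object to read from. The following triage heuristic is an added example, not EdgeSpot's code or the sample's; the PDF structure it builds is constructed for illustration, and its regex-based stream walk assumes plainly laid-out objects rather than a full PDF parser.

```python
import re
import zlib

# The API pair the EdgeSpot write-up names: used together they hand an embedded
# image's raw bytes to the PDF's JavaScript (constructed indicator list).
SUSPICIOUS_API_PAIRS = [(b"getIcon", b"iconStreamFromIcon")]

def _streams(pdf_bytes):
    """Yield (object header, body) per stream; FlateDecode bodies are inflated,
    other filters left raw. Regex triage, not a parser (assumes plain objects)."""
    for m in re.finditer(rb"\bstream\r?\n(.*?)\r?\nendstream", pdf_bytes, re.S):
        head = pdf_bytes[max(0, pdf_bytes.rfind(b" obj", 0, m.start())):m.start()]
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # damaged stream: keep the raw bytes, still worth scanning
        yield head, body

def triage_pdf(pdf_bytes):
    """Flag the pattern described above: script that pairs getIcon with
    iconStreamFromIcon, plus at least one image XObject for it to read."""
    findings = {"image_streams": 0, "icon_stream_read": False}
    # JS may be an inline literal string (/JS (...)) or a stream referenced by /JS n 0 R
    blobs = [m.group(1) for m in re.finditer(rb"/JS\s*\((.*?)\)", pdf_bytes, re.S)]
    for head, body in _streams(pdf_bytes):
        if re.search(rb"/Subtype\s*/Image", head):
            findings["image_streams"] += 1
        else:
            blobs.append(body)
    if any(a in js and b in js for js in blobs for a, b in SUSPICIOUS_API_PAIRS):
        findings["icon_stream_read"] = True
    findings["suspicious"] = findings["icon_stream_read"] and findings["image_streams"] > 0
    return findings

def build_sample(js, compress):
    """Constructed minimal PDF (not a real-world sample): one JS stream, one image."""
    body = zlib.compress(js) if compress else js
    flt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + flt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n"
            b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Length 1 >>\n"
            b"stream\n\x00\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(build_sample(b"util.iconStreamFromIcon(this.getIcon('icon'));", True)))
```

Run over a mail gateway's PDF quarantine, this is a cheap first-pass filter; a hit is a reason to detonate the file, not a verdict on its own.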