3

I've received an email with an attached PDF which has many signs of being a malicious attachment. Lacking the time and resources to analyze it at the moment, I'd like to store it for later use, and possibly share it with another researcher. What is the recommended process for storing this potentially malicious attachment, given that at least one mail client I use may preview the attachments before I actively click on them?

Should I use a webmail client, and download the file, then promptly zip it? Should I GPG or encrypt the file in another way, to prevent the filesystem from triggering some auto-open payload? Should I create a VM with my credentials loaded into it (seems like a potentially bad idea, should the VM be compromised) for a mail client, and download the file there?

This is different from this question, as I'm looking to store (and transfer) these potentially malicious PDFs.

If it matters, I'm considering using PDF Tools by Didier Stevens for later analysis.

user3.1415927
  • Don't download it on a regular machine, as various services may try to access it for indexing or for previewing, which can be exploitable. But regardless, how advanced do you expect the malicious PDF to be? Who is your adversary? The answer to that will determine whether or not the answer is just to copy it with your AV enabled, or if you need to do it on a dedicated airgapped test machine. – forest Sep 03 '18 at 03:15
  • I expect the adversary may be a reasonably skilled entity, potentially one targeting corporate-level cyber-espionage. I doubt a nation-state level skill set, but I also can't rule it out. – user3.1415927 Sep 03 '18 at 03:38
  • I had a previous instance of a potentially malicious PDF attached to a LinkedIn message, but after flagging the conversation, the whole thing disappeared and I lost the chance to analyze that content. – user3.1415927 Sep 03 '18 at 03:40
  • Corporate espionage is often comparable to nation-states in terms of the risks. If you are a large company or in a high-risk business, consider getting a dedicated security team that can deal with this. If in doubt, use an airgapped system for analysis. – forest Sep 03 '18 at 03:42
  • Yes, that would be great to do in a corporate environment. However, I’m looking to do this on my own time, and thus minimize my risk, in the event of a 0-day or other high-skill-level payload. For analysis, I was considering a kali box with no internal hd, loaded from read-only media or a usb drive (removed before beginning analysis). But how to get the file there in the first place is my conundrum. I’m open to improvements on that analysis setup though; I’ve never analyzed a malicious pdf before. – user3.1415927 Sep 03 '18 at 03:46
  • Do _not_ use Kali for that, it is _extremely_ insecure, far more than most distros. It is designed for pentesting, not for surviving an exploit. It has numerous setuid binaries that make privesc easy, it runs things as root by default, its configuration is not security minded, and it does not get prompt security updates. I would strongly suggest buying a burner. With Linux, you can download the attachment from the email in command line without exposing it to any services, and then transfer it to a USB where you can analyze it on an airgapped machine. – forest Sep 03 '18 at 03:55
  • Woah, thanks for the warning. I’ll look into a command line email client (is pine a good option?) for the download. I do have a burner laptop that lacks an internal drive. Any other considerations for a burner? – user3.1415927 Sep 03 '18 at 04:02
  • I haven't used pine. Honestly, if you expect a particularly sophisticated adversary, you need to do a lot more research for even the tiny things like what email client to use. If you expect the only risk is that the PDF will try to exfiltrate sensitive data, it may be enough just to use a burner even if it is connected to the internet (_not_ any company intranet!), at least initially to download the PDF. One possibility is Qubes OS, which uses disposable VMs for security. It's not perfect and a Xen 0day could escape the VMs, but if it's airgapped in addition, it can be quite secure. – forest Sep 03 '18 at 04:06
  • If you do use Qubes though, you will probably want to disable the nopasswd sudo configuration which is a... silly choice on the developer's part, to put it mildly. – forest Sep 03 '18 at 04:07
  • Is there anything else you want me to add to my answer? – forest Dec 26 '19 at 03:58
  • @forest It's an informative answer, but I'm not sure if it answers the question - specifically about *industry best practices*... Not to criticize your good information, just to have an industry-standard answer for a client/director/employer. – user3.1415927 Dec 26 '19 at 12:55
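The command-line intake that the comments above describe (pull the attachment out of the raw message without any viewer, thumbnailer or indexer touching it, then package it for hand-off) can be done with nothing but the Python standard library. The block below is an added example written for this page, not code from the thread, from forest, or from Didier Stevens' tools. It assumes a raw RFC 822 message is already on disk or in memory (here a constructed sample, `SAMPLE_EML`, carrying a harmless constructed `SAMPLE_PDF`); the `<sha256>.bin` naming, the `manifest.json` layout and the `samples/` folder inside the zip are this example's own conventions. The stdlib `zipfile` cannot write password-protected archives, so the conventional password-"infected" container has to be produced with 7z or pyzipper on top of this output, or the bytes GPG-encrypted (`gpg --symmetric`) before sharing, which is the alternative the question raises.

```python
"""Intake of a suspected-malicious attachment without ever opening it.

Added example, not code from the thread: the raw message is parsed with
Python's stdlib `email` package, which only tokenises MIME text and never
hands the payload to a viewer, thumbnailer or indexer. Attachments are
written under a content-hash name with an inert extension and 0600 mode,
a manifest is recorded, and everything is packed into a zip for hand-off.
"""
import base64
import email
import hashlib
import io
import json
import os
import tempfile
import zipfile
from email import policy

# Constructed stand-in for the real attachment; only its bytes matter.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# Constructed raw message (RFC 822) carrying SAMPLE_PDF as a base64 attachment.
SAMPLE_EML = (
    b"From: sender@example.invalid\r\n"
    b"To: analyst@example.invalid\r\n"
    b"Subject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nPlease see attached.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="invoice.pdf"\r\n'
    b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(SAMPLE_PDF)
    + b"--b1--\r\n"
)


def extract_attachments(raw: bytes):
    """Yield (declared_filename, payload_bytes) for each attachment part.

    get_payload(decode=True) only reverses the transfer encoding
    (base64 / quoted-printable); nothing interprets the PDF itself.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            data = part.get_payload(decode=True)
            if data:
                yield part.get_filename() or "unnamed", data


def quarantine(raw_eml: bytes, outdir: str) -> list:
    """Store each attachment as <sha256>.bin with mode 0600; return manifest rows."""
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    rows = []
    for name, data in extract_attachments(raw_eml):
        digest = hashlib.sha256(data).hexdigest()
        # .bin is associated with no handler, so a stray double-click or a
        # file-manager preview has nothing to launch; the original name is
        # kept only in the manifest.
        stored = digest + ".bin"
        fd = os.open(os.path.join(outdir, stored),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        rows.append({
            "original_name": name,
            "stored_as": stored,
            "sha256": digest,
            "size": len(data),
            "looks_like_pdf": data.startswith(b"%PDF-"),
        })
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(rows, fh, indent=2)
    return rows


def pack_for_transfer(outdir: str, rows: list) -> bytes:
    """Return a zip holding manifest.json and the renamed samples.

    The stdlib zipfile cannot write password-protected archives, so for the
    conventional password-"infected" container wrap this output with 7z or
    pyzipper, or GPG-encrypt the bytes (gpg --symmetric) before sending.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(os.path.join(outdir, "manifest.json"), "manifest.json")
        for row in rows:
            zf.write(os.path.join(outdir, row["stored_as"]),
                     "samples/" + row["stored_as"])
    return buf.getvalue()


def demo(raw_eml: bytes = SAMPLE_EML):
    """Run the whole intake in a temporary directory; return (rows, zip_bytes)."""
    with tempfile.TemporaryDirectory() as workdir:
        rows = quarantine(raw_eml, workdir)
        return rows, pack_for_transfer(workdir, rows)


if __name__ == "__main__":
    rows, archive = demo()
    print(json.dumps(rows, indent=2))
    print("transfer archive: %d bytes" % len(archive))
```

Run it on a real message by feeding `quarantine()` the bytes of a `.eml` saved from a command-line client (or fetched over IMAP with `imaplib`) and pointing `outdir` at the USB stick; the manifest travels with the sample so the receiving researcher can verify the SHA-256 before doing anything else, and the sample itself never carries a `.pdf` extension on either machine.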

1 Answer

2

Don't download it on a regular machine, as various services may try to access it for indexing or for previewing, which can be exploitable. But regardless, how advanced do you expect the malicious PDF to be? Who is your adversary? The answer to that will determine whether or not the answer is just to copy it with your AV enabled, or if you need to do it on a dedicated airgapped test machine.

Corporate espionage is often comparable to nation-states in terms of the risks. If you are a large company or in a high-risk business, consider getting a dedicated security team that can deal with this. If in doubt, use an airgapped system for analysis. Qubes OS uses virtualization for isolation, creating a new virtual machine for each application when necessary. Although it relies on Xen and a Xen 0day could easily break out of individual VMs, it can be quite secure when used on an airgapped machine.

PDF parsers are infamously insecure, so expect that it will not be difficult for an attacker of even moderate skill level to be able to achieve arbitrary code execution when the PDF is opened.

forest
  • Indexing, previewing *and* scanning for viruses - which is also a risk, the AV could have an exploit and is running with high privileges. Happened before. – Nobody Sep 03 '18 at 06:45
  • @Nobody Indeed. The best course of action depends on the adversary. For a sophisticated adversary, AV is nothing more than a privesc vector. – forest Sep 03 '18 at 08:54
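Because the answer's point is that the PDF parser is the component that gets exploited, the only triage that is reasonable before the sample reaches an isolated machine is one that never parses: count the structurally interesting name tokens in the raw bytes, the idea behind Didier Stevens' pdfid.py that the question mentions. The block below is an added example for this page, not pdfid.py itself and not code from the thread; the keyword list, the `#xx` name-escape decoding, the trailing-data check and the verdict strings are this example's own choices, and `SAMPLE_PDF` is a constructed, harmless file that merely contains the tokens.

```python
"""Byte-level triage of a suspected PDF without parsing it.

Added example, not code from the thread and not Didier Stevens' pdfid.py,
though it copies that tool's idea: count structurally interesting name
tokens by scanning raw bytes, so the risky component (a PDF parser) never
runs. Also reports object/stream counts and junk appended after %%EOF.
"""
import re

# Names that justify suspicion in a document of unknown origin: /JS and
# /JavaScript carry script, /AA and /OpenAction fire it without a click,
# /Launch starts an external program, /EmbeddedFile and /RichMedia carry
# payloads, /ObjStm and /XFA can hide all of the above from naive greps.
SUSPICIOUS = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/ObjStm", b"/XFA"]

# Constructed sample: auto-runs hex-obfuscated JavaScript and has data after EOF.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"GARBAGE APPENDED AFTER EOF"
)


def decode_hex_names(data: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript counts as /JavaScript.
    Attackers use them because a literal grep misses the keyword."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_tokens(data: bytes) -> dict:
    """Occurrences of each SUSPICIOUS name, requiring a delimiter after it
    so that /JS does not also match a hypothetical /JSX."""
    data = decode_hex_names(data)
    return {tok.decode(): len(re.findall(re.escape(tok) + rb"(?![A-Za-z0-9_])", data))
            for tok in SUSPICIOUS}


def triage(data: bytes) -> dict:
    """Static report on raw bytes: header, token counts, object/stream counts,
    bytes appended after the last %%EOF, and a coarse verdict."""
    counts = count_tokens(data)
    last_eof = data.rfind(b"%%EOF")
    tail = b"" if last_eof < 0 else data[last_eof + len(b"%%EOF"):]
    report = {
        "is_pdf_header": data.startswith(b"%PDF-"),
        "counts": counts,
        "objects": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data)),
        "streams": len(re.findall(rb"\bstream\b", data)),
        "trailing_bytes_after_eof": len(tail.strip()),
        "auto_exec": bool(counts["/OpenAction"] or counts["/AA"]),
        "script": bool(counts["/JS"] or counts["/JavaScript"]),
    }
    report["suspicious"] = [k for k, v in counts.items() if v]
    report["verdict"] = ("hold for sandboxed analysis"
                         if report["suspicious"] or report["trailing_bytes_after_eof"]
                         else "no static red flags (not proof of safety)")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

A zero count everywhere is not a clean bill of health: content inside compressed object streams (`/ObjStm`) or encrypted documents is invisible to a byte scan, which is exactly why the full analysis still belongs on the airgapped machine the answer recommends. What the scan does give you is a reason to escalate before anything has rendered the file.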