Self generated files matching virus definition
Symptom
Self generated files matching virus definition.
The use of applications that generate document files from information entered through a portal or web interface is widespread and growing.
These files tend to be very susceptible to false-positive triggers and, more often, signature collisions. This is because the application rarely strips the unused settings from the portal and instead dumps all of that extra data into the document. The extra data is not visible when the file is opened in a document reader, but when the file is opened in a basic text editor it is clearly visible.
Environment
This happens in any environment that uses applications to create documents from entered information, for example through a portal or a web interface.
Cause
%PDF-1.4 Sharp Scanned ImagePDF
%Sharp Non-Encryption
3 0 obj
<<
/Type /Page
/Parent 1 0 R
/Resources 4 0 R
/Contents 5 0 R
/MediaBox [0 0 613.440 792.000]
>>
endobj
4 0 obj
<<
/ProcSet [/PDF /ImageB]
/XObject << /Img1 6 0 R >>
>>
endobj
5 0 obj
<<
/Filter /FlateDecode
/Length 36
>>
stream
xœ334Ö311P AsK#=###;9—Kß37ÝPÁ%# x×#k
endstream
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Name /Img1
/Filter /CCITTFaxDecode
/DecodeParms << /K -1 /Columns 1704 /Rows 2200 >>
/Width 1704
/Height 2200
/BitsPerComponent 1
/ColorSpace /DeviceGray
/Length 7 0 R
>>
stream
þX#ÿ‘×úßÿÿÿÿÿïþ?ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿòØ:ãÿü¶D#ÌÔ¸Aù#Ìf¶O#flƒGg]##¾#a<&|h—#ù=Iq#sãô#×EÃFv##í#Úi„#t’,wÒ#ê¡:#6°ƒi#FÆ�”l£cŸŠú#?óÎ�¢ùÌ&™„—ðD}.žºnž¼R…úÂ#ˆ†…Ûû¥ïÛÿûÿç·s97ÉŽ±Òß×Ç##ëHºOTÂpÓZøïú×Ü�æ#ýGÿñ ké#‚ZÌᥥüðúþ‚#ö? #HÙ0ÂT#,%ï#‚#Ð_¿ �A'c#Õ#Ì‚x"ž�Ÿý&ÈëÊ/I#‚#Ê}¡##\ËP¯_øg€�X¯^‚A$5MW2@b××ÿ£ßúM¤’H$Ž%•É.#Šv?úõ6Øa-mpE<#OJñ¬úáC#ýÿâØ#ÅG#„Õ1\|(ᕚ×מh5á¯Òjï…#########D#¢4< ÄDJ¿¢# „r›@ez胅….
As can be seen, this type of document first sets up the page structure and then moves to the stream objects, which hold the document content in an encoded (FlateDecode and CCITTFaxDecode) form that is not readable as text.
In a generated document the layout is very different.
%PDF-1.6
103 0 obj
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c017 91.164464, 2020/06/15-10:20:05 ">
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about=""
xmlns:xmp="http://ns.adobe.com/xap/1.0/"
xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:pdf="http://ns.adobe.com/pdf/1.3/"
xmlns:pdfx="http://ns.adobe.com/pdfx/1.3/"
xmlns:adhocwf="http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/">
<xmp:ModifyDate>2020-09-28T12:23:32-05:00</xmp:ModifyDate>
<xmp:CreateDate>2017-05-04T16:52:12-05:00</xmp:CreateDate>
<xmp:MetadataDate>2020-09-28T12:23:32-05:00</xmp:MetadataDate>
<xmp:CreatorTool>Acrobat PDFMaker 11 for Word</xmp:CreatorTool>
<xmpMM:DocumentID>uuid:16dfb-b3fb-4186-a8db-c6647d7</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:c658806f-41ac-b6f9-58064eb927</xmpMM:InstanceID>
<xmpMM:subject>
<rdf:Seq>
<rdf:li>7</rdf:li>
</rdf:Seq>
</xmpMM:subject>
<dc:format>application/pdf</dc:format>
<dc:title>
<rdf:Alt>
<rdf:li xml:lang="x-default"/>
</rdf:Alt>
</dc:title>
<dc:description>
<rdf:Alt>
<rdf:li xml:lang="x-default"/>
</rdf:Alt>
</dc:description>
<dc:creator>
<rdf:Seq>
<rdf:li></rdf:li>
</rdf:Seq>
</dc:creator>
<pdf:Producer>Adobe PDF Library 11.0; modified using iTextSharp 4.1.6 by 1T3XT</pdf:Producer>
<pdf:Keywords/>
<pdfx:SourceModified>D:20170504215149</pdfx:SourceModified>
<pdfx:Company></pdfx:Company>
<adhocwf:state>1</adhocwf:state>
<adhocwf:version>1.1</adhocwf:version>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>
endstream
As can be seen in this example, many more elements are being set, and many of them are unused elements left over from fields that were not filled in. There are also references to multiple URLs. URL references are also common in malicious files, and they are one of the elements most often shared by generated documents and malware documents.
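As an added example (not part of the original article), the following Python script reads a document the way a text editor would and reports the empty metadata fields, URL references and producer string found in the XMP packet, which is the boilerplate an analyst would weigh before treating an AV hit on a generated file as real. The sample PDF bytes are constructed after the packet shown above, with placeholder identifiers; `url_references` works on any file read as bytes, an RTF included.

```python
"""Triage helper for portal-generated documents (added example, not the article's own code)."""
import re
from typing import Optional

# Constructed sample modelled on the generated-PDF XMP packet shown in the article.
SAMPLE_PDF = b"""%PDF-1.6
103 0 obj
<?xpacket begin="" id="PLACEHOLDER-XPACKET-ID"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:pdf="http://ns.adobe.com/pdf/1.3/" xmlns:pdfx="http://ns.adobe.com/pdfx/1.3/">
<dc:title><rdf:Alt><rdf:li xml:lang="x-default"/></rdf:Alt></dc:title>
<dc:creator><rdf:Seq><rdf:li></rdf:li></rdf:Seq></dc:creator>
<pdf:Producer>Example PDF Library; modified using iTextSharp</pdf:Producer>
<pdf:Keywords/>
<pdfx:Company></pdfx:Company>
</rdf:Description></rdf:RDF></x:xmpmeta>
<?xpacket end="w"?>
endstream
"""

XPACKET_RE = re.compile(rb'<\?xpacket begin=.*?<\?xpacket end="[rw]"\?>', re.S)
# Self-closing tags (<pdf:Keywords/>) and open/close pairs with nothing between
# (<pdfx:Company></pdfx:Company>): fields the application emitted but never filled.
EMPTY_RE = re.compile(r"<([\w:]+)(?:\s[^>]*)?/>|<([\w:]+)(?:\s[^>]*)?>\s*</\2>")
URL_RE = re.compile(rb"https?://[^\s\"'<>}]+")
PRODUCER_RE = re.compile(r"<pdf:Producer>(.*?)</pdf:Producer>", re.S)

def extract_xmp(data: bytes) -> Optional[str]:
    """Return the XMP packet as text, or None if the file carries none."""
    m = XPACKET_RE.search(data)
    return m.group(0).decode("utf-8", "replace") if m else None

def empty_fields(xmp: str) -> list:
    """Names of metadata elements that were emitted but left empty."""
    return [a or b for a, b in EMPTY_RE.findall(xmp)]

def url_references(data: bytes) -> list:
    """Distinct URLs visible anywhere in the raw bytes (XML namespace URIs included)."""
    return sorted({u.decode("ascii", "replace") for u in URL_RE.findall(data)})

def triage(data: bytes) -> dict:
    """Summarise the boilerplate that makes generated files collide with signatures."""
    xmp = extract_xmp(data)
    prod = PRODUCER_RE.search(xmp) if xmp else None
    return {"has_xmp": xmp is not None,
            "empty_fields": empty_fields(xmp) if xmp else [],
            "urls": url_references(data),
            "producer": prod.group(1).strip() if prod else None}
```

A producer string that names two libraries (one generating, one modifying) is typical of these files and is a good key for allowlisting by application rather than by file.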
RTF
This is an example of an RTF generated by an application collecting data from a portal.
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}
{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial{\*\falt Arial};}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Courier New};}
{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Symbol};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}
{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}
{\revtim\yr2020\mo3\dy23\hr14\min10}{\printim\yr2003\mo11\dy4\hr13\min29}{\version3}{\edmins3}{\nofpages3}{\nofwords541}{\nofchars3089}{\*\company Alte Co.}{\nofcharsws3623}{\vern87}}{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl576\margr576\margt864\margb576\gutter0\ltrsect
In this example there are many different character sets, and configuration settings are being repeated. Also, the URL, while it points to a known clean site, is not something normally seen in a simple RTF.
Resolution
Conclusion
All of this extra and abnormal data contributes to a high false-positive and signature-collision rate.
Mitigation
The best mitigation is to have the application sign these files with a digital certificate and to whitelist that certificate. It can be time consuming to get the developer to do this, but it is the safest mitigation.
Many applications that create documents pull and place the files across multiple servers or multiple clients, which makes whitelisting one or the other difficult. The traffic for these generated files can sometimes be whitelisted by application instead. Whitelisting the application is the next safest approach, and it can be accomplished with a simple rule.
If the document creation application does not appear in the logs, and the documents are generated from one internal source and/or sent to one internal destination, then whitelisting that single common IP address is the next best solution. This can be accomplished with another type of rule.
Keep in mind that with either of these rules the AV and WildFire profiles are left off: you must turn off AV and WildFire inspection for these files.