PDF document structure
In this document I'll not explain the full PDF structure, only the parts that are required for the analysis. A PDF document starts with a header that looks like %PDF-a.b.c.d; this is the version of the PDF language. Without this header, PDF readers will not accept the file.
A PDF document also consists of multiple indirect objects. An example of an indirect object is shown below: each indirect object has an object id (1 in the example below) and a version number (0 in the example below), followed by the keyword obj; the keyword endobj marks the end of the object.
%PDF-1.1      <------ PDF header
1 0 obj       <------ Indirect object: 1 is the object id and 0 is the version number
........
.....
endobj        <------ This marks the end of object 1
/RichMedia indicates embedded Flash content.
/AA and /OpenAction indicate an automatic action to be performed when the document is viewed.
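To make the structure above concrete, here is an added example (my own code, not part of this tutorial) that scans a PDF the way a triage tool would: it checks for the %PDF header, splits the file into indirect objects by their "id gen obj ... endobj" markers, and counts the suspicious names discussed above (/RichMedia, /AA, /OpenAction) together with the action names that usually accompany them. The sample PDF is constructed for the example and is not a malicious file; the function names and the list of names to flag are my own choices.

```python
import re

# Constructed sample, not a real malicious file: a minimal valid PDF whose catalog
# carries an /OpenAction pointing at a JavaScript action, so the scan has a hit.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /JavaScript /JS (app.alert('hello')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Header: "%PDF-" followed by the version, e.g. %PDF-1.1, at the very start of the file.
HEADER_RE = re.compile(rb"^%PDF-(\d+\.\d+)")

# Indirect object: "<id> <version> obj ... endobj".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Names worth flagging during triage: the page's /RichMedia, /AA and /OpenAction,
# plus the action/script names that usually accompany them (my selection).
SUSPICIOUS_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                    b"/RichMedia", b"/Launch", b"/EmbeddedFile"]

# A PDF name ends at whitespace or a delimiter; this lookahead stops "/AA" from
# matching inside a longer name such as "/AAXYZ".
NAME_END = rb"(?=$|[\s/\[\]<>(){}%])"


def parse_header(data: bytes):
    """Return the version string from the header, or None if the header is absent."""
    m = HEADER_RE.match(data)
    return m.group(1).decode() if m else None


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in names (e.g. /Open#41ction -> /OpenAction)
    so that a name written with escapes is still counted."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def parse_objects(data: bytes):
    """List every indirect object as (id, version, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def count_names(data: bytes) -> dict:
    """Count each suspicious name in the raw file, after undoing #xx escapes."""
    text = normalize_names(data)
    return {name.decode(): len(re.findall(re.escape(name) + NAME_END, text))
            for name in SUSPICIOUS_NAMES}


def objects_with_names(data: bytes) -> dict:
    """Map each object id to the suspicious names found in its body."""
    hits = {}
    for obj_id, version, body in parse_objects(data):
        body = normalize_names(body)
        found = [n.decode() for n in SUSPICIOUS_NAMES
                 if re.search(re.escape(n) + NAME_END, body)]
        if found:
            hits[obj_id] = found
    return hits


if __name__ == "__main__":
    print("version:", parse_header(SAMPLE_PDF))
    for obj_id, version, body in parse_objects(SAMPLE_PDF):
        print(f"obj {obj_id} version {version}: {body[:60]!r}")
    print("name counts:", count_names(SAMPLE_PDF))
    print("objects to look at:", objects_with_names(SAMPLE_PDF))
```

Two caveats when using something like this on a real sample: names can be written with #xx hex escapes, which is why the scan normalizes them first, and objects stored inside compressed object streams are not visible to a raw byte scan at all, so a count of zero only means nothing was found in the uncompressed part of the file.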
Malicious PDF analysis Tutorial Part 1
Malicious PDF analysis Tutorial Part 2
Malicious PDF analysis Tutorial Part 4
Part 5 Malicious PDF analysis Tutorial Shellcode analysis