Create Malicious Pdf
Nov 20, 2013 The steps for creating our malicious PDF file are as follows: Open msfconsole and execute the following command. Once we have all the options set the way we want, we run “exploit” to create our malicious file. We can see that our PDF file was created. You can access this PDF. Create Malicious Pdf And Run Persistence Tweet Description: In this tutorial he shows us how to create Malicious PDF using metasploit and how to set Persistence backdoor on victim computer. If your antivirus software detect your Malicious PDF then use this link.
This tool will parse a PDF document to distinguish the central components utilized as a part of analyzed file. It won’t render a PDF archive.
Features included:
- Load/parse objects and headers
- Extract metadata (author, description, …)
- Extract text from ordered pages
- Support of compressed pdf
- Support of MAC OS Roman charset encoding
- Handling of hexa and octal encoding in text sections
- PSR-0 compliant (autoloader)
- PSR-1 compliant (code styling)
You can Take the best Certified Cyber Threat Intelligence Analyst online course to learn and analyze more related cyber threats.
Analyzing a Malicious PDF File
We have created the PDF file with an EXE file embedded with it.
Step 1: To launch the PDF parser type pdf-parser
[email protected]:~# pdf-parser -hList all the options with PDFParser
Step2: To get the stats of the PDF Document.
Check If Pdf Is Malicious
[email protected]:~# pdf-parser -a /root/Desktop/template.pdfStep3: Passing stream data through Filters FlateDecode,ASCIIHexDecode, ASCII85Decode, LZWDecode and RunLengthDecode.
Dec 09, 2012 As a part of my task, I also need to access Run Advertised Programs, Configuration Manager (if RAP is not showing any programs) plus other tasks. Rather than open Control Panel every time, it would be handy to e able to create icons on the desktop of each machine I access (e.g. I alsready use VBA to create a shortcut to Windows update). Windows run advertised programs is empty.
[email protected]:~# pdf-parser -f /root/Desktop/template.pdfStep4: To get the Hashes of the PDF file.
[email protected]:~# pdf-parser -H /root/Desktop/template.pdfStep5: Case sensitive search in streams
[email protected]:~# pdf-parser –casesensitive /root/Desktop/template.pdfStep6: To get the javascripts added with the document.
pdf-parser –search javascript –raw /root/Desktop/template.pdfThe stats option show insights of the items found in the PDF report. Utilize this to recognize PDF archives with unusual/unexpected objects, or to characterize PDF records.
The search option scans for a string in indirect objects (not inside the surge of Indirect objects). The inquiry is not case-sensitive and is defenseless to obfuscation methods.
Filter option applies the filter(s) to the stream, whereas raw option makes pdf-parser output raw data.
Download: Free GDPR Comics Book – Importance of Following General Data Protection Regulation (GDPR) to protect your Company Data and user privacy
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.
Also Read:
- FIREWALK – Active Reconnaissance Network Security Tool.
- Network Reconnaissance to get Target Subdomains and IP’s with Recon-ng & Netcraft.
Summary
Using this tool you can create malicious PDF documents using known JavaScript exploits. These files can then be used in research and testing to further improve how PDF analysis is done. Releasing this library also means that it on the radar of tools that may be used by attackers to generate their documents. Knowing this, the security community can be more prepared and spend more time handling this issue rather than avoiding it.
Important Files
- details need to be cleaned up
- pulls several articles on the generation but can be adjusted to fit needs
- ran through the command line using ./caller.sh
- rips through directory for files and trys to pack them
- deletes files after attempting to pack, but could be adjusted to track progress
Everything Else
Part of the main libraries or used in the creation process. It is messy, but it is best just to leave it alone unless you do plenty of testing.
General Output
- JavaScript is obfuscated using random variables
- Version is taken into account so that exploits are not fired if the reader is not vulnerable
- Files are encrypted using RC4
- Streams are dorked by adding a corrupt GZIP stream to the JavaScript object
- Metadata is left blank in versions
Inheritance Chain (from end to start)
FPDF uses inheritance to achieve a full featureset. If you want more features, those features must then be included in the inheritance chain to be taken advantage of. These may not all be used, but by having them in the chain means you can activate them at the highest level of the construction (exploit generation).
- PDF_Exploit (pdf_exploit_generator.class.php => Provides exploit packing and building
- FPDF_Protection (protection.class.php) => Provides encryption functionality
- PDF_Invoice (invoice.class.php) => Provides JavaScript insert hook with dorked streams
- concat_pdf (concat.class.php) => Provides the ability to concatenate two different PDF files (used in packing)
- FPDI (fpdi.php) => Provides major functionality for generating documents
Using the Library in Existing Projects
Ensure all files are present at the root level and include pdf_exploit_generator.class.php.
Malicious Pdf Example
Generating the document:
$pdf = new PDF_Exploit( 'P', 'mm', 'A4' );
Setting encryption:
$pdf->SetProtection(array('print'),');
Adding an exploit (reference the class for methods):
$pdf-><exploit_to_add>(<shellcode>);
Building the object with the exploits:
$pdf->build_exploit();
Output the PDF:
Create Malicious Pdf Free
$pdf->Output();