Malicious pdf


I recently discovered that one can hide a malicious PDF from a good portion of antivirus software by embedding it into a valid executable file. For this example, I used notepad.exe from Windows XP. As you can see, the PDF file before embedding is detected by quite a lot of the AV vendors:

After wrapping it in notepad.exe, however, the detection is significantly lower. In fact, it’s detected by only 1/3 of the AVs that previously detected it:

The method used to wrap this file in notepad.exe is extremely simple. First, I insert the PDF header and the opening tags for a stream object at the end of the PE header. The size of the stream object is the size of the code from 0x401000 to the end of the PE file:

Then at the end of the PE file, I end the stream object and continue with the rest of the malicious PDF:

This leaves us with a valid, running executable file that doubles as a working PDF. You can try it yourself with a malicious or benign PDF to see that it works, but why does it work? Well, the AVs that do not detect this little trick simply pick the first file-type they detect as their only method of scanning. So, when they see the PE header, they proceed to scan the file as if it were simply an executable.

While this method of hiding malicious PDFs is still a far cry from fully undetected malicious PDFs, it’s still dangerous enough to cause problems especially with some of the most popular AVs not detecting the file. It should be easy enough to fix, so get to work AV vendors!


oh nice post that’s really a good method to hide a malicious code … thanx for ur post

very good man , and u’r topic is goodest … your english is well haha !! thankS

hihihihihi We are here for this :smiley:

hmmm , i think it’s not so hard way to get this pdf file fud while hex can do that so you can try it with hex even via partitioning the file to thousand of bytes then pick up the detected byte and edit it , i have tried that before and this way is r0x like a charm :slight_smile:

btw what was the editor you used ? it seems like dos screen !! have you opened the dos and wrote edit blabla.pdf ? or it’s another editor cuz it dont looks like notepad!

ايه ياعم كلكم قلبتوا جزائري :stuck_out_tongue:
>> عاوزين نفهم حاجه xD

مشكوور ياحج وان شاء الله تكتب علطول كده ض1

ههههههههههههه مساء الفل يا رياسه … انت شايف انه اللي مكتوب ده جزائري هههههههههههه والو نجيك نيشان خويا راهم يهدرو بالدارجه بزاف مليح :d

ههههههههههههه مساء الفل يا رياسه … انت شايف انه اللي مكتوب ده جزائري هههههههههههه والو نجيك نيشان خويا راهم يهدرو بالدارجه بزاف مليح :d


مساء الورد

لا هو انا شفت السلام عليكم مكتوبة كده
salam wa 3alaykoum
قلت خلاص جزائري :stuck_out_tongue:
ههههههههه والردود كله كده ههههههههههههه

[b]بالصلاة ع النبي ؛ إلا ما فيه حد سأل الكلام ده معناه إيه ؟!

كل اللي فهمته إنه عدل الــ PE Header (و الله أعلم بــ PE.Explorer ؟!!)و كتب فيه pdf tags علي أساس إن فيه مضاد فيروسات علي أساس الــهيدر بيقرأ الداتا علي أنها ملف pdf مش executable … بس إزاي بالظبط معرفش ؛ يا ريت اللي عنده خلفية يوضح ! و الا نجيب حد من AT4RE :slight_smile:

البرنامج المستخدم يا فيرس هيما صفحته أهي :