Can a PDF File be Malware?

Video Statistics and Information

Captions
Someone somewhere received an email with this attached PDF file. It says: wonderful news, your Norton membership has been extended for another year, we deeply appreciate your continuous support. It includes some invoice ID, the payment date, and almost $800 worth of purchase. Now note, it just doesn't include anything else. That's it, that is all the email, with a big emphasis on the phone number. That's all that's present, really, in this PDF file that's attached.

I actually got word of this from a viewer that had shared this with me, saying it was sent to them by their family members. They sent me this message saying: my sister got this suspicious email from Norton with a file attached saying thank you for subscribing to Norton, but she didn't subscribe to anything. She also checked her bank account, no money was deducted, so maybe it's an info stealer or some malware. We told her to reset her computer just in case, but can you look into it, see what this is? Is resetting the PC good enough? We see more of the email thread. This is forwarded from their sister; they say: hey, check it out, I didn't make any payments and I don't remember being a subscribed member, what do I do? I checked my phone but there's no transactions. They also included the culprit email itself: a subject "thank you for your order 58375 4718 7" from Cassandra, or Cassandre, that looks like an Andre. It says: hey there, your valuable property has been handled securely and effectively, we're really glad you're continuing to rely on our offerings, I've included your invoice with the PDF attached.

Now I have opened this PDF in Firefox. We can open it in Chrome, we can open it in Adobe Acrobat Reader if we wanted to, and I'll do that here. I have the file just on my desktop; we can double-click, and this is it. It is just simply this Norton LifeLock invoice text with nothing other than the phone number. So if it's not already clear to you, look, this is just a scam. They're trying to entice the victim, the target, the one who received this email, to call this phone number, trying to refute or dispute, hey, the subscription and payment of $800 or so. From there it goes into the usual support scam, and that person on the phone will try to connect to your computer with TeamViewer or AnyDesk or ScreenConnect, whatever, and from there the scammer could do real damage, because they'll have access to your computer, any of the technology that's accessible through that, maybe your bank, and could then potentially take real money, $800 worth. But right now, as this person and their sister noted, there were no transactions. There is no current threat, no subscription that's real, and just receiving this email or receiving the PDF does not put you in any risk or danger. So I tried to respond back in the email, let them know: look, if you don't call the number, if you don't play the game, then you won't be scammed, or nothing will happen.

But it does beg the question, and I know a lot of folks might wonder, what about the PDF file? Can a PDF file be malware? Now, with everything that we've just discussed kind of as our backdrop, I will go out on a limb and I would say no, a PDF can't be malware. But actually, kind of with a little bit of nuance there, maybe, uh, you could have a malicious PDF file, but what it could do really varies, and it ultimately, I think, in today's day and age relies on user input. It still relies on fooling the victim in that social engineering, deception and scam. Now I know maybe not everyone will agree with that, so I'm super curious for your thoughts. I'd like your opinion, and please let me know in the comments: can a PDF be malware? Is it just a malicious PDF? Is there a distinction or a difference? Where do we draw the line?

But what is all the new in the mix here? So let me show you this article. Look, this is from McAfee, and this is very, very recent; here you can see the date, uh, March 1st, so trying to stay current. But look, McAfee has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. Now I think there is a little bit of a distinction there, because it is not the PDF itself that is malware, but it's the vector to give malware. So I don't know, we can talk about this a little bit more. But when they discuss the infection chain, it goes down into two different roads. One, the PDF file is able to be rendered, opened and examined inside of an old PDF reader or an application, the program like Acrobat that actually displays that PDF file. I think that is super duper pertinent, because if it really is relying on vulnerabilities of the software that renders the file, is it the file itself that is malware, or is it just exploiting and taking advantage of a vulnerability from the software that's used to read it? I'd go so far as to say that method only relies on old and unpatched software used to open the file. However, another alternative route: the PDF attachment might be able to open a malicious website, given whatever prompt; it'll download a file and then execute whatever actual malware it wants to run; it's part of the stager. I don't mean to drill down too far into this, because they get into a real sample and showcase all the interesting stuff, but they note here a Booking.com PDF with random numbers at the end actually pops up a little JavaScript notice: hey, this is incompatible with your version of the software. And that is just simple client-side JavaScript, right? Hey, not using any exploit, just kind of popping up a little alert message. But then if you click it through, it'll download from another URL; again, client-side code just smuggling that through, that you would have had to have granted permission. You can see that here: it tries a little popup trying to connect to an external site, and then you have to click allow and let that go through.

Now of course this relies on the social engineering, the deception and scam, but I would put the asterisk there and say that is social engineering and not the malware on its own. They drill down into this; you can see bit.ly hosting that endpoint for actual booking.com that will stage some other code to run, ultimately dropping PowerShell and JScript, lots of nonsense, blah blah blah. I'll link this, uh, article in the description below if you're interested. But here is my pitch: if you receive an email and that email looks weird, it looks scammy, it looks like something that is a hoax, and it includes a PDF file, look, there's no danger unless you open the PDF file. And then in that case, if it's just a number, hey, it's a phone number, that's a tech support call scam. Or if it fires off JavaScript to run client-side code, then hey, don't click those allow and OK buttons, don't interact with it. Unless you're using a super duper old, outdated and unpatched, vulnerable version of a PDF reader, then honestly, if you just don't interact with the PDF file, you're okay, you're golden. Now again, let me add the disclaimer: I know not everyone will agree with this, and please let me know your thoughts in the comments below. But what I would like to do is sort of a demo and test of this thing. Let's try to open up a bunch of different malicious PDFs, or different malware PDF files, if we could call it that, again up to our discretion here, and let's see what they will do.

But before we dive into that show, and if I may, please, look, I try to get out as much free education and cybersecurity content as I can for you without any charge to you. I'm not charging you a penny or a dime, but the way that we could do that is thanks to some sponsorship. So if I may, please, I'd love to tell you about Keeper Security. I've got to be honest, I look for the most secure solutions on the market. Every organization, even my own phone, needs to secure passwords, credentials, secrets and connections, all to reduce the risk of cyber attacks, and Keeper Security offers a privileged access management solution to deliver enterprise-grade protection in one unified platform. Their PAM solution enables your business to have complete visibility, security, control and reporting across every user on every device, so even a small IT team can manage and protect their environment. Keeper integrates with infrastructure and identity access management stacks and works out of the box with your other technologies for password rotation, passwordless authentication, SIEM, CI/CD and so much more. It fits right into your organization without the hassle of deployment and maintenance. Keeper PAM is purpose-built to protect perimeter and multi-cloud environments with the features and functionality that your organization needs. I've seen Keeper personally at tons of different cybersecurity events and I've gotten a chance to chat with their partners; seriously, it is always high praise and proven success with their platform. With over 275,000 five-star ratings in app stores, users rave about Keeper. With Keeper you can keep your users, your data and your environment secure. Learn more today and sign up for a demo with my link below in the video description, jh.life/keeper. Huge thanks to Keeper for sponsoring this video.

All right, so for some show intel, let me go ahead and Google "malicious PDF files" on GitHub. Are there any repositories or code that allow me, as an, hey, acting as the adversary, putting my hacker head on, to generate and create PDF malware, quote unquote, or malicious PDFs? Here is one available: malicious-pdf. It looks like we could generate 10 different malicious PDF files with phone-home functionality; could be used with Burp Collaborator or, hey, just some, uh, HTTP thing to catch the result. And all this is is a simple Python script, and it will spit out a bunch of PDFs. So let's try it out. I will open up a command prompt and I'm going to move into the git directory where I have stored a couple of these PDF payload generators that I want us to work with. So let's go look into that malicious-pdf one. All this is is that Python 3 thing that we'd like to execute, so I think it's py in Windows. Can I just run this? Oh, but it will need a phone-home URL, so it needs something to catch requests if it makes any, uh, so let me go spin that up. So now I've got Kali Linux open up on the left-hand side. I'll move into the temp directory, make just a simple place for me to host a little HTTP server. Now, uh, I will use updog to do this, because that way I can specify the port to be 443 and I'll use SSL, just so I have, hey, a certificate, and that will note, look, uh, it's normal or a valid website over on the internet in most cases. Let's see if that will work for us. Okay, looking good. So my IP address that I might want to hearken back to in this test PDF file that we could generate, let me try to supply that as that https URL. Now we'll generate a boatload of test PDF files, and here I'll move my face out of the way so you can actually see them.

If I were to go ahead and open up Explorer, let's try to see if we could open each of these either in Firefox or Chrome or Acrobat Reader and see what they do. Now I would think that opening this with a web browser is usually just fine. If I always open PDF files with Firefox, hey, nothing firing off of this test1.pdf. If I open up the others, nothing heard; same thing with two, three, four, just about all of these. However, this one is interesting, because this does include a link. You can see my mouse hovering over it; the tooltip will display just momentarily, and that, if I click the link, will actually take me to that URL. So that is something that got in the mix, but again requires our connectivity and access. Now obviously hitting that, it will load the page, but hey, we needed to allow and click that; that was some user interaction. But how about test6.pdf? Same thing for launch. Okay, that does the same thing, takes me there. How about test 7, GoToR? Same. Form has nothing. Data test has nothing. This one doesn't even load, nor does that one. This has an interesting document.text present. What is that? Can I open that? Um, document.text, oh, it's an EICAR test file. Good thing that Windows Defender is completely nerfed on this virtual machine.

Now again, I realize I'm just doing a simple test of, hey, whether or not it will call back to another website, but that could open the door for, again, the social engineering to load and stage another download, and social engineer a little bit of deception to actually fire it off. You can see, hey, this one immediately trying to reach out to a UNC path, presumably. If I click allow here, I'll move my face, uh, if I were to go ahead and click allow, falling for the social engineering scheme, this gives me an error: the plug-in required by this GoToE action is not available. We'll touch on that in a little bit, but we'll note that, okay, that's another dud; that test sample didn't work in Acrobat Reader. Let me close all these tabs; no, we don't need to save them. How about this? That does nothing, no popups, no nothing. Test two, that errors. Okay, test three, ooh, document's trying to connect to https again; we will need to allow this connection if we want it to actually happen with the dialogue box. This will complain about the certificate because it is a self-signed certificate, which might be common, I don't know, depending on how the strain is proliferated, uh, we'll just do it. But anyway, that makes those requests, as we can see. Again, I would probably harp on that: social engineering, not an exploit vulnerability, which would be reliant on the vulnerable version of the software, Acrobat Reader, being used, and hard pressed for me to call that malware, truth be told. If I click on this, of course it will go to it; you need to allow permission for that to be given in Acrobat Reader. And I don't think we need to go down the whole list of all of these other test PDFs, because you'll see when it works, it is just something that needs your approval and permission.

Say we were back on Google trying to look at some other options, things that anyone just could pull off the shelf to create a malicious PDF, or at least stage some of the proof-of-concept skeleton here. This is another Python library that should be pretty easy for us to install, and then we could just build out any test PDF that we want with a simple JavaScript test for app.alert, JS, or just a test string. Now note, when we did this previously, we weren't able to actually see, uh, any of the alert notifications pop up inside of Firefox or Google Chrome or whatever. So if I were to create this, oh, it would help if I actually ran the tool, malicious PDF, slap that in, there we go. Now in the current directory I have a test.pdf. Let me open that up in my current directory. Now here is my test.pdf. If I were to open that with Google Chrome, again as an example, just getting a browser, um, no alert box fires in this case. If I were to open this with Firefox, once again, no alert box fires. Say I open this with Acrobat Reader, again, um, no alert box fires. So is that one just bad? Did we do something wrong? Maybe that payload just isn't sufficient. And let me say, I'll be the first to admit I'm not super duper smart on all the ins and outs of PDF files and their formats, all the structure and everything, but I was just curious what is available at the surface, what could anyone try to spit together when trying to weaponize a PDF file or turn a PDF file into malware. Is that even possible, or are PDF files safe?

Well, this repository, Payloads All The PDFs, actually includes a handful of PDF files that are already built and put together for us, so we could actually test and validate if these are things that will trigger JavaScript client-side code to run, or even launch other executables. You can see this will try to run remote commands on Windows, trying to just pop calc, fire open an application. Now let me say, because I know a lot of folks might harp on this, PDF files do have launch actions as capabilities where they could just run a program, and that sure totally sounds like an opportunity for malware or malicious use, again. However, in modern readers, or even Firefox, Chrome, whatever web browser, that's not going to hit, but in modern readers like Acrobat it will prompt you for that. Now let's go see if these will work. I do have this repository downloaded; it's in that Payloads All The PDFs directory, and here are a couple of those test payload files, and again, just exploits taking advantage of vulnerabilities for specific different kinds of PDF readers like Foxit Reader or others. You saw that in the GitHub README.

Now let me just open this, payload 1, in Firefox, and this will actually trigger an alert box, so that syntax is seemingly working for Firefox and JavaScript. Let me hit OK; there's nothing going on here. You could see other things that didn't fire, like, hey, another opportunity that's defined in the GitHub README; they reference all these tests. Let me do this again for payload 2; that fires, okay, and then even trying to run the test, or not, that won't let me click it in this case, odd. What about payload 3? Let's do this in Chrome. That also has an alert, okay, so that's JavaScript still running. Can I click this link? Ooh, that actually served calc.exe, something that it just was able to retrieve and return as a file header, right? If I were to download that, sure, that could be used, but it was just using the file schema; you might be able to see it down below on the bottom left, that's just a local file. You could link that to anything on the internet and that could stage a download, but again, requires your interaction to actually click it, or JavaScript to force the download, if that even runs. How does payload 4 look in Chrome? Click a link, oh, okay, broken reference maybe; oh, it's adding on a URI with the syntax calc.exe, so that didn't work in that case. Payload 5, Chrome, embedded alert, click a link here, uh, that is not running JavaScript confirm, as it notes down below in the bottom left, odd. Payload 6, oh, I double-clicked one to open in Acrobat Reader here. Now this will give me a JavaScript window again, but now it's going to ask, can it go reach and reference that calc.exe that is local with the file schema here? And if we were to allow this, given that prompt, it'll die on something else. Uh, okay, I could go back and look at a couple of the others in Acrobat Reader, but again, it's all the same as we have already demoed, and nothing that I think is groundbreaking here: alert window, download, that's broken, that's the broken one. Looking at payload 3 one more time, we'll open that in Acrobat; uh, if I click that link it will now actually try to get calc.exe, but it won't execute it; it's just returning the content, so it's not something that is part of displaying in Acrobat Reader. It's not going to fire up calc; like, if I open my Task Manager right now, I don't have the calculator running; if I search for calc, there's nothing there. And don't forget, even JavaScript running in your web browser or on the client side is not the same as it triggering JScript and Microsoft's execution, invoke, interpreter script runtime for native code to run on your operating system.

Okay, I have one last thing to show you and then I'll shut up and stop rambling. There is an article from a well-known, uh, security researcher, uh, decalage, or I don't know how to say the name, I'm sorry, but he has an article that is a little bit old, granted; this is about 2017 since the latest update, so maybe a decade, almost, just about. But anyway, weaponized PDF, the payload delivery format, is a joke here, uh, is something that is worth discussing, because look, it talks about some of the things that could be done with PDF files. But it discusses that, hey, Adobe Acrobat Reader is one that could create and edit PDF files; that's probably the most common, but there are a whole lot of issues with other potential readers like Foxit or Preview, and those might be subject to their own vulnerabilities. I think in today's day and age, in the modern world that we live in, those are patched up to a certain extent. But we note it could run JavaScript: Adobe Reader and possibly others contain a JavaScript engine like the ones used by web browsers, Firefox and Chrome, Edge, whatever, and that could do some silly popups or send emails or make HTTP requests, like a drive-by download sort of thing, and sometimes, if a vulnerability has been hit, that is how they might be able to exploit that and do it. Again, I'm curious on your thoughts: does that make a PDF file malware, or does that make it a malicious PDF? While I'm understanding and acknowledge, hey, "mal" is the root of both of those words. Alongside that, there are launch actions, and I mentioned those just a moment ago: it could launch a command on the operating system after user confirmation from a pop-up message. Now there are a couple different old CVEs, CVE-2010, that would dig into that, uh, and make that a little bit easier, but that was more than a decade ago, and that is hopefully well now patched. Embedded files are an option. The GoToE actions require, hey, some capability where it uses a GoToE extension or an action; in that case, that could be used to open an embedded PDF file without notifying the user, and that wouldn't require interaction, but that needs to be set up and configured and installed, which Acrobat Reader, as we saw, did not have out of the box. Could do Flash applications, could have a password in there to try and hide the contents, could be flexible in how it parses the files here, and there are some things that you might be able to do to actually prevent a lot of these, or clean and extract stuff out of a PDF file. But I think truthfully that this article breaks down the fact that, look, there could be vulnerabilities that are exploited in the reader, and that is just a symptom of you not patching your software, or opening up a PDF file and clicking through the dialogue boxes, falling for the scam, to allow execution of malware. And that is why I make the distinction and why I would kind of go out on the limb and say that, look, a PDF file on its own is not malware. It might be malicious and could be weaponized in some cases, but you have to fall for the trap, and you have to fall through the scam, deception, social engineering case. And because of that, I would say if you just received an email and you just got a PDF attachment, if you don't open it, there's no risk, and if you open it and there are dialogue boxes, information asks and questions, don't interact with those, you're safe. But I could be totally wrong; I realize I'm doing just a surface-level look at this. I'm curious what you think; please let me know in the comments below. And hey, if you haven't, please do go take a look at our sponsor, Keeper Security, is always doing some incredible stuff; link in the video description. And thank you so much for watching. I hope you enjoyed this video; if you did, please do all those YouTube algorithm things, like, comment, subscribe, and I'll see you in the next video.
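As an added example, not code from the video or from either GitHub project it uses, here is a defender-side triage script in Python that looks for exactly the PDF features the video walks through (/OpenAction, /JavaScript, /Launch, /URI, /GoToE, /GoToR, embedded files) the way pdfid-style tools do. It resolves #xx hex-escaped names and inflates FlateDecode streams, so a /J#61vaScript or a link dictionary hidden inside a compressed object is still seen, and it separates "fires on open" from "needs a click", which is the distinction the video keeps drawing. The sample PDF it builds is constructed here (an app.alert('test') open action like the video's test.pdf, plus a link to the made-up https://phone-home.example URL); the function names and the verdict wording are my own.

```python
"""PDF action triage (added example, standard library only).

Scans a PDF's bytes for the action and embedded-content keywords that make
a document 'active', after resolving name hex escapes (/J#61vaScript) and
inflating FlateDecode streams so hidden dictionaries are visible too."""
import re
import zlib
from collections import Counter

# Keywords worth flagging during triage, each with a one-line note.
RISKY_NAMES = {
    "/OpenAction":   "action runs as soon as the document opens",
    "/AA":           "additional actions (page open, form field events)",
    "/JavaScript":   "JavaScript action",
    "/JS":           "JavaScript code string or stream",
    "/Launch":       "launch action: asks the reader to run a program",
    "/URI":          "link to an external URL (phone-home / download stage)",
    "/GoToE":        "GoToE action: opens an embedded file",
    "/GoToR":        "GoToR action: opens another (remote) document",
    "/EmbeddedFile": "embedded file (e.g. a dropped document or test file)",
    "/SubmitForm":   "form submission to a URL",
    "/AcroForm":     "interactive form present",
}
AUTO_TRIGGERS = ("/OpenAction", "/AA")
ACTIVE = ("/JavaScript", "/JS", "/Launch", "/URI", "/GoToE", "/GoToR", "/SubmitForm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_URI = re.compile(rb"/URI\s*\(([^)]*)\)")

def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate stream we can decompress."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate or corrupt: skip it, the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)

def visible_text(data: bytes) -> bytes:
    # Inflate first so hex-escape rewriting never touches compressed bytes.
    return normalize_names(inflate_streams(data))

def scan_pdf_bytes(data: bytes) -> dict:
    """Return {keyword: count} for every risky name found in the document."""
    text = visible_text(data)
    counts = Counter()
    for name in RISKY_NAMES:
        # A name ends at a delimiter, so /JS must not also match /JSomething.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return dict(counts)

def extract_uris(data: bytes) -> list:
    """Pull literal-string /URI targets: the phone-home or download links."""
    return [u.decode("latin-1") for u in _URI.findall(visible_text(data))]

def triage(data: bytes) -> dict:
    """Summarize what active content exists and whether it fires on open."""
    hits = scan_pdf_bytes(data)
    has_active = any(k in hits for k in ACTIVE)
    if not has_active:
        verdict = "no active content found"
    elif any(k in hits for k in AUTO_TRIGGERS):
        verdict = "active content wired to open/auto actions: open only in a sandbox"
    else:
        verdict = "active content present but needs a click or reader prompt to run"
    return {"hits": hits, "uris": extract_uris(data), "verdict": verdict,
            "notes": {k: RISKY_NAMES[k] for k in hits}}

def build_sample_pdf() -> bytes:
    """Constructed one-page PDF (not from the video): an /OpenAction that runs
    app.alert('test') with a hex-escaped name, and a link annotation whose
    /URI dictionary sits inside a Flate-compressed stream."""
    link = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://phone-home.example/t) >> >>"
    packed = zlib.compress(link)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [5 0 R] >>",
        b"<< /S /J#61vaScript /JS (app.alert('test');) >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

Run it as a script to see the triage of the built-in sample, or call `triage(open(path, "rb").read())` on a suspect attachment. The output only tells you what the document asks the reader to do; it proves nothing about an exploit, which matches the video's point that the useful question is whether the content fires on open or waits for a click through a prompt.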
Info
Channel: John Hammond
Views: 83,571
Keywords: cybersecurity for beginners, cybersecurity, hacking, ethical hacking, dark web, john hammond, malware, malware analysis, programming, tutorial, python programming, beginners, how-to, education, learn, learn cybersecurity, become a hacker, penetration testing, career, start a career in cybersecurity, how to hack, capture the flag, ctf, zero to hero, cybersecurity for noobs, ethical hacking for noobs, networkchuck, learn to hack, how to do cybersecurity, cybersecurity careers, pdf
Id: TP4n8fBl6DA
Length: 22min 25sec (1345 seconds)
Published: Thu Mar 07 2024