Create Malicious Pdf

Posted on by

  1. Create Malicious Pdf Mac
  2. Create Malicious Pdf Online
  3. Create Malicious Pdf File
  4. Test Malicious Pdf
  5. Create Malicious Pdf Free
  6. Create Malicious Pdf Kali
  7. Create A Malicious Pdf File

This tool will parse a PDF document to distinguish the central components utilized as a part of analyzed file. It won’t render a PDF archive.

Aug 28, 2015  Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file. For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file. The PDF file contains JavaScript that extracts and opens the DOC file. The first step, I will create a malicious PDF to use in this attack by using vulnerability in Adobe Reader: Adobe PDF Escape Exe Social Engineering No Javascript. 6 Free Local Tools for Analyzing Malicious PDF Files. There is an increasing number of tools that are designed to assist with this process, including the following: PDF Tools by Didier Stevens is the classic toolkit that established the foundation for our understanding of the PDF analysis process. Creating and Analyzing a Malicious PDF File with PDF-Parser Tool In Kali Linux By Kali Linux in: Creating and Analyzing a Malicious PDF How To kali linux pdf PDF-Parser Tool Pdf-paraser-tool: This tool will parse a PDF document to distinguish the central components utilized as a part of analyzed file. It won’t render a PDF archive. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users. So we start by creating our malicious PDF file for use in this client side exploit. Creating and Analyzing a Malicious PDF File with PDF-Parser Tool. GURUBARAN S - July 5, 2019. This tool will parse a PDF document to distinguish the central components utilized as a part of analyzed file. It won’t render a PDF archive. Features included: Load/parse objects and headers.

Features included:

  • Load/parse objects and headers
  • Extract metadata (author, description, …)
  • Extract text from ordered pages
  • Support of compressed pdf
  • Support of MAC OS Roman charset encoding
  • Handling of hexa and octal encoding in text sections
  • PSR-0 compliant (autoloader)
  • PSR-1 compliant (code styling)

You can Take the best Certified Cyber Threat Intelligence Analyst online course to learn and analyze more related cyber threats.

Analyzing a Malicious PDF File

We have created the PDF file with an EXE file embedded with it.

Step 1: To launch the PDF parser type pdf-parser

[email protected]:~# pdf-parser -h

List all the options with PDFParser

Create Malicious Pdf Mac

Step2: To get the stats of the PDF Document.

[email protected]:~# pdf-parser -a /root/Desktop/template.pdf

Step3: Passing stream data through Filters FlateDecode,ASCIIHexDecode, ASCII85Decode, LZWDecode and RunLengthDecode.

[email protected]:~# pdf-parser -f /root/Desktop/template.pdf

Step4: To get the Hashes of the PDF file.

[email protected]:~# pdf-parser -H /root/Desktop/template.pdf

Step5: Case sensitive search in streams

[email protected]:~# pdf-parser –casesensitive /root/Desktop/template.pdf

Step6: To get the javascripts added with the document.

pdf-parser –search javascript –raw /root/Desktop/template.pdf

The stats option show insights of the items found in the PDF report. Utilize this to recognize PDF archives with unusual/unexpected objects, or to characterize PDF records.

The search option scans for a string in indirect objects (not inside the surge of Indirect objects). The inquiry is not case-sensitive and is defenseless to obfuscation methods.

Filter option applies the filter(s) to the stream, whereas raw option makes pdf-parser output raw data.

Download: Free GDPR Comics Book – Importance of Following General Data Protection Regulation (GDPR) to protect your Company Data and user privacy

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

  • FIREWALK – Active Reconnaissance Network Security Tool.
  • Network Reconnaissance to get Target Subdomains and IP’s with Recon-ng & Netcraft.

Summary

Using this tool you can create malicious PDF documents using known JavaScript exploits. These files can then be used in research and testing to further improve how PDF analysis is done. Releasing this library also means that it on the radar of tools that may be used by attackers to generate their documents. Knowing this, the security community can be more prepared and spend more time handling this issue rather than avoiding it.

Important Files

drop_invoice.php - uses the forms, lists and other information to produce an invoice packed with exploits
  • details need to be cleaned up
Create malicious pdf template
drop_news.php - uses RSS to produce PDF files with current news information packed with exploits
  • pulls several articles on the generation but can be adjusted to fit needs
drop_packed.php - takes in a directory of 'good' PDF files and packs them with exploits
  • ran through the command line using ./caller.sh
  • rips through directory for files and trys to pack them
  • deletes files after attempting to pack, but could be adjusted to track progress

Everything Else

Part of the main libraries or used in the creation process. It is messy, but it is best just to leave it alone unless you do plenty of testing.

General Output

  • JavaScript is obfuscated using random variables
  • Version is taken into account so that exploits are not fired if the reader is not vulnerable
  • Files are encrypted using RC4
  • Streams are dorked by adding a corrupt GZIP stream to the JavaScript object
  • Metadata is left blank in versions

Inheritance Chain (from end to start)

FPDF uses inheritance to achieve a full featureset. If you want more features, those features must then be included in the inheritance chain to be taken advantage of. These may not all be used, but by having them in the chain means you can activate them at the highest level of the construction (exploit generation).

Create Malicious Pdf Online

  1. PDF_Exploit (pdf_exploit_generator.class.php => Provides exploit packing and building
  2. FPDF_Protection (protection.class.php) => Provides encryption functionality
  3. PDF_Invoice (invoice.class.php) => Provides JavaScript insert hook with dorked streams
  4. concat_pdf (concat.class.php) => Provides the ability to concatenate two different PDF files (used in packing)
  5. FPDI (fpdi.php) => Provides major functionality for generating documents

Using the Library in Existing Projects

Ensure all files are present at the root level and include pdf_exploit_generator.class.php.

Generating the document:

$pdf = new PDF_Exploit( 'P', 'mm', 'A4' );

Setting encryption:

Create Malicious Pdf File

$pdf->SetProtection(array('print'),');

Adding an exploit (reference the class for methods):

Test Malicious Pdf

$pdf-><exploit_to_add>(<shellcode>);

Create Malicious Pdf Free

Building the object with the exploits:

$pdf->build_exploit();

Create Malicious Pdf Kali

Output the PDF:

Create A Malicious Pdf File

$pdf->Output();