
SANS ISC: Test File: PDF With Embedded DOC Dropping EICAR - SANS Internet Storm Center SANS ISC InfoSec Forums


Test File: PDF With Embedded DOC Dropping EICAR

My diary entry yesterday inspired me to create another test file based on the EICAR test file.

I created a PDF file (MD5 A1DDC9EBE19A3D43EC25889085AD3ED8) that contains a DOC file that drops the EICAR test file.

The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes when the file is opened and writes the EICAR test file to a temporary file in the %TEMP% folder.

You can find the PDF file on my blog here. This file will generate an anti-virus alert. Use at your own risk, with approval.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

338 Posts
ISC Handler
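A file built the way the diary describes (JavaScript plus an embedded document) can be recognised without opening it by counting the relevant PDF name tokens in the raw bytes. The following is an added example, not part of the original diary entry or the author's tooling; the keyword list, the function names and the sample bytes are assumptions constructed for illustration, and whether the actual test file uses an open action is not stated on the page.

```python
import re

# Names for script, attached files and automatic actions (list is an assumption).
KEYWORDS = ("/JavaScript", "/JS", "/EmbeddedFile", "/EmbeddedFiles",
            "/Filespec", "/OpenAction", "/AA", "/Launch")

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r /<>\[\](){}%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample (not the real test file); the JavaScript name is hex-escaped.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R"
    b" /Names << /EmbeddedFiles 2 0 R >> >>\nendobj\n"
    b"3 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
    b"%%EOF\n"
)


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_keywords(data: bytes) -> dict:
    """Count each keyword among the name tokens visible in the raw bytes."""
    counts = {k: 0 for k in KEYWORDS}
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data: bytes) -> dict:
    """Flag the script-plus-attachment combination described in the diary."""
    c = count_keywords(data)
    script = c["/JavaScript"] + c["/JS"] > 0
    attachment = c["/EmbeddedFile"] + c["/EmbeddedFiles"] + c["/Filespec"] > 0
    auto = c["/OpenAction"] + c["/AA"] + c["/Launch"] > 0
    return {"script": script, "attachment": attachment,
            "auto_action": auto, "review": script and attachment}


if __name__ == "__main__":
    print(count_keywords(SAMPLE), triage(SAMPLE))
```

Names stored inside compressed object streams are not visible to a raw byte scan, so a zero count does not prove the feature is absent.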
Thank you! Let the social engineering testing commence.
Anonymous
Would it be possible to provide hashes for your test file (here on a SANS website), as a cross-check on the file?
Landrew

6 Posts
Well done - great working example.
EdMyers

1 Posts
I included a link to VirusTotal in my diary entry. This way you can get all the information (like hashes) to identify the file without downloading it.
But I'll include the MD5 hash in the diary entry.
DidierStevens

338 Posts
ISC Handler
