
SANS ISC: Test File: PDF With Embedded DOC Dropping EICAR SANS ISC InfoSec Forums

Test File: PDF With Embedded DOC Dropping EICAR

My diary entry yesterday inspired me to create another test file based on the EICAR test file.

I created a PDF file (MD5 A1DDC9EBE19A3D43EC25889085AD3ED8) that contains a DOC file that drops the EICAR test file.

The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file, and writes the EICAR test file to a temporary file in the %TEMP% folder.

You can find the PDF file on my blog here. This file will generate an anti-virus alert. Use at your own risk, with approval.

Didier Stevens
Microsoft MVP Consumer Security
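
A triage check for the structure described in the diary (JavaScript plus an embedded file), together with the MD5 cross-check raised in the comments. This is an added example, not the author's code or tool: the function names and the sample bytes are constructed for illustration, and it assumes the relevant PDF names are not hidden inside compressed object streams.

```python
import hashlib
import re

PAGE_MD5 = "A1DDC9EBE19A3D43EC25889085AD3ED8"  # MD5 quoted in the diary entry

# PDF names relevant to "JavaScript extracts and opens an embedded file".
KEYWORDS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/EmbeddedFile", "/Launch")

# A PDF name: "/" followed by anything except whitespace and delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")

def decode_name(raw):
    """Undo #xx hex escapes in a name, e.g. /J#61vaScript -> /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def triage_pdf(data, expected_md5=None):
    """Count risky names in raw PDF bytes and optionally verify the MD5."""
    counts = dict.fromkeys(KEYWORDS, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:  # exact match, so /EmbeddedFiles is not counted
            counts[name] += 1
    md5 = hashlib.md5(data).hexdigest().upper()
    has_script = counts["/JS"] > 0 or counts["/JavaScript"] > 0
    return {
        "is_pdf": b"%PDF-" in data[:1024],
        "md5": md5,
        "md5_match": None if expected_md5 is None else md5 == expected_md5.upper(),
        "counts": counts,
        # The combination the diary describes: script plus an attachment.
        "script_and_attachment": has_script and counts["/EmbeddedFile"] > 0,
    }

# Constructed sample: a harmless fragment with the same structural markers,
# including one hex-escaped name. It is not the test file from the diary.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /OpenAction 2 0 R"
          b" /Names << /EmbeddedFiles 3 0 R >> >> endobj\n"
          b"2 0 obj << /S /J#61vaScript /JS (constructed) >> endobj\n"
          b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
          b"%%EOF\n")

if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE, PAGE_MD5).items():
        print(key, value)
```

To check a downloaded copy, pass the file's bytes and `PAGE_MD5`; `md5_match` is `True` only when the file is the one identified in the diary.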


579 Posts
ISC Handler
Aug 28th 2015
Thank you! Let the social engineering testing commence.
Would it be possible to provide hashes for your test file (here on a SANS website), as a cross-check on the file?

6 Posts
Well done - great working example.

1 Posts
I included a link to VirusTotal in my diary entry. This way you can get all the information (like hashes) to identify the file without downloading it.
But I'll include the MD5 hash in the diary entry.

579 Posts
ISC Handler
