Threat Level: green Handler on Duty: Basil Alawi S.Taher

SANS ISC Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

A Malicious Word Document Inside a PDF Document

Published: 2015-04-25
Last Updated: 2015-04-25 10:29:00 UTC
by Didier Stevens (Version: 1)
1 comment(s)

Yesterday Steve Basford informed us of yet another type of malicious document (Sales Invoice 519658.pdf MD5 bfe397fb9b7907ab34ba83f0f086336d). It is a PDF document, containing an embedded file, with JavaScript to extract the embedded file to a temporary folder and then open it. The embedded file is a malicious Word document like we've seen many of them the last months.

When you open this PDF file with Adobe Reader, you get a warning and the embedded file is only opened when you approve it.

You can analyze such PDFs without using Adobe Reader or Microsoft Word, but with my tools pdfid, pdf-parser and oledump.

If you want to know in detail how to do this, I have a video.


1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Fileless Malware
1 day ago by Basil (0 comments)

When automation does not help
2 days ago by Bojan (0 comments)

Dridex Redirecting to Malicious Dropbox Hosted File Via Google
2 days ago by Dr. J. (4 comments)

Logging Complete Requests in Apache 2.2 and 2.4
4 days ago by Dr. J. (1 comment)

Reminder: Secure Your Tomcat Admin Interface
5 days ago by Dr. J. (0 comments)

Handling Special PDF Compression Methods
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Need help with Framing and masking
created 1 day ago by Anonymous (0 replies)

Packet numbers different in various Dshield reports
created 6 days ago by Telserv (0 replies)

Disruption of Simda botnet
created 1 week ago by Brad Duncan (0 replies)

STUN traffic
created 1 week ago by Tom (2 replies)

DMZ Server dual NIC design
created 1 week ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →