Can a PDF File be Malware?

  • Published 6 Mar 2024
  • jh.live/keeper || Keeper Security offers a privileged access management solution to deliver enterprise grade protection all in one unified platform -- keep your users, your data, and your environment secure with Keeper! jh.live/keeper
    PDF articles: www.mcafee.com/blogs/other-bl...
    www.decalage.info/file_format...
    Free Cybersecurity Education and Ethical Hacking with John Hammond

COMMENTS • 202

  • @iusethisnameformygoogleacc1013 1 month ago +86

    PDFs *can* contain malware, but if you use the right PDF reader that risk is entirely eliminated. PDFs, as a format, can include scripting languages which can be a problem if your PDF reader has exploits. Given that I've never encountered a *legitimate* reason for a PDF to use any scripting, just use Sumatra. It's a PDF reader without any scripting engine to do anything with the code.

    • @CityNaturePig 1 month ago +3

      Fillable PDFs may have reasons for using (Java)Script. Maybe you want an input made on Page 1 to get copied to text on other pages, that will have to be a JS setting the text on those pages from the content of that field. Did you never do an insurance claim, open a bank account or something where you fill a PDF with your name on Page 1, and Page 422 now has your Name also stated below the signature box with some extra additional text, or in a long paragraph of a contract? That is what JS is used for in PDFs. And even linking to other resources with fancy buttons from the PDF is used by legitimate companies (sadly). So you may not be able to open every PDF in your life scriptless, if you want to use the service it is intended to register you for.

    • @balsalmalberto8086 1 month ago +4

      Better yet, run the PDF applications in a sandboxed environment, ie Sandboxie on Windows and Flatpak on Linux.

    • @Z3rgatul 1 month ago +3

      Browsers already have pretty good sandbox, and their JavaScript engine is the most secure because it is used by billions and it is targeted by a lot of security researchers and hackers.

    • @DexCode1337 1 month ago +1

      false, it's not. there were discovered different zero-click stackoverflow vulnerabilities in acrobat reader recent versions.

    • @jon9103 1 month ago +2

      Not entirely eliminated, it definitely decreases the potential attack surface but things like buffer overflow vulnerabilities are still possible. Certainly there is more awareness of such attacks so care is taken to not introduce such vulnerabilities when developing software, due to the complex nature of software it's impossible to guarantee vulnerability free software. There are plenty of high profile cases that empirically demonstrate this.

  • @user-vv8vz9iv1e 1 month ago +31

    Your argument that opening a PDF is harmless because you do not see anything happening is ignoring the potentiality of a zero-day vulnerability on PDF readers/web browsers that could potentially escape the sandbox.

    • @sputukgmail 1 month ago +3

      💯 maybe a rare risk, but definitely a real risk as many security patches follow discovery of them already being exploited in the wild, and I would rather not be one of the victims before a patch is even available.
      PDFs have been used to exploit zero day vulnerabilities in various PDF rendering engines over the years, some that don’t even include script support - sometimes they’ve been used as a vector to exploit flaws in the font rendering engine etc.
      So no John, opening a PDF in a web browser is not ALWAYS safe - it has previously been used as an exploit vector with no further user interaction (just opening the PDF).
      His cavalier approach to this maybe suggests he is more focused on red teaming than defending where you assume things can be malicious until proven safe.

    • @fahimp3 1 month ago

      But there is zero-day risk with pretty much anything. Just saying "potential zero-day" is not necessarily saying much.

    • @sputukgmail 1 month ago +4

      @@fahimp3 correct. But assuming a PDF is “safe” simply because you are patched, when it is inherently interpreted code, is the issue. You are not. You are opening something that will be interpreted, and that can be exploited to run arbitrary code if there is any vulnerability in the interpreter. We know this particularly with PDFs as this is not a theoretical issue, it HAS been exploited in the wild in the past to execute arbitrary code embedded in the PDF on victims' computers, and the complexity of the interpreter for PDFs makes it substantially more likely an exploit will be found than with trivial file formats.

    • @doyoufeel...thatyoulackcri6760 1 month ago +2

      Wouw, I thought this was solved by now, this was an issue back in 2010 too. I used an alternative PDF reader in order to avoid the scripting issues and vulnerabilities, and I always disabled scripting on family members Adobe pdf file readers.
      Today I only read PDF in the browser, and I haven't had problems until now, so I totally forgot about this issue.

    • @user-vv8vz9iv1e 1 month ago

      There is a zero-day risk with everything of course and everything you run on your computer is potentially malicious. Every time you tell your operating system to run something you are pretty much telling it that it should blindly trust and execute the thing because you as a user vetted it.
      It is completely nonsensical however to say "oh it's completely safe because I am not seeing a flaw right now at this point in time so it must ALWAYS be the case".
      Why? Because zero-days exist, because there always are delays between when a vulnerability is found and when a patch is ready to install.
      I cannot even fathom that John Hammond used the "I see nothing wrong ergo you are completely 100% safe, trust me bro" approach. As a security professional he is supposed to know better than anyone that a 100% safe assurance does not exist outside the day-dreaming world of marketing. @@fahimp3

  • @oM477o 1 month ago +66

    They're probably harmless but the best advice is to not open attachments on obvious scam emails. You never know when it might contain a new zero day

    • @neo778 1 month ago +3

      Imagine you're the secretary receiving applications.

    • @MindfulMinds322 1 month ago +2

      @@neo778 dayum....nice scenario

    • @needabettername1559 1 month ago +8

      nobody is blowing 0days on you lol

    • @gratux 1 month ago

      @@needabettername1559 maybe not on you, but perhaps on a big company or even government you work for.

    • @user-vv8vz9iv1e 1 month ago

      @@needabettername1559 It never happens until it does.

  • @leashes6625 1 month ago +4

    Excellent point made, John. This reminds me of a video LiveOverFlow made talking about how understanding the difference between a vulnerability and a weakness. In his video, he mentions that he doesn't believe plaintext passwords stored in a database is a VULNERABILITY, but rather a security weakness. If, for example, there were successful SQL injections that allowed the extraction of the passwords, then a vulnerability can be cited. The point is, for this example, is to ensure that the database storing the passwords is secure and isn't susceptible to injections in the first place, regardless of the passwords being plaintext or ciphertext.
    You make a similarly great point here, and I agree with what you had to say contrary to the rest of this comment section. I believe that as security professionals, we should be careful of misidentifying something as "malware" when it might only be a catalyst for a bigger vulnerability, such as with social engineering in PDFs like you say. I feel it is imperative to be able to identify the root of the security issue rather than put a bandaid over the catalyst and call it "malware". Some commentors here harp about zero-day vulnerabilities, and as individual users (such as the person who received the email in the beginning of the video), we are less likely to be the primary targets of a zero-day if there was one. Zero-days are mostly used by APT groups and scam call centers, skids and other threat actors aren't likely to take advantage of them or even have a zero-day ready to go in their arsenal, but please correct me if I'm wrong.

  • @Hislodin 1 month ago +9

    Thanks John for the insights. Agree, not malware, but can be malicious if you interact with it.

  • @gat2871 1 month ago +7

    Nice video. There is also a good answer from Steffen Ullrich for that question in Stack Exchange's post (I cannot insert here the link for some reason) "Is it still possible to embed executables in PDF in 2022?". Another typical question, which you might be able to answer in a video: Can an email infect a computer just by OPENING it (without downloading attachments, without clicking on links)? The answer has more twists and turns, more client specifics, and more historical background ;)

  • @QWERTIOX 1 month ago +4

    This would be good opportunity to have co-op video with for example kitboga

  • @sputukgmail 1 month ago +2

    PDFs CAN be malware because PDF is an interpreted language telling a rendering engine how to draw a document on screen. If that rendering engine includes vulnerabilities (including a zero day, so the blasé idea that it’s safe because you are patched is bogus), the script can exploit those to then run actual native code that can be embedded in the PDF. And that can happen without any user interaction after opening the PDF.
    Yes, having patched software reduces the risk. Yes, using a limited PDF rendering engine like in Chrome or Firefox reduces the attack surface for where vulnerabilities might be exploited by the PDF language - but it is not zero risk, and a PDF when opened with a vulnerable rendering engine can run code because every time you open a PDF you are running code.
    PostScript is a /language/. It is a set of instructions for how to draw a document. Those instructions are run by an interpreter - and PDF builds off of PS and adds even more language capabilities. This has nothing to do with one of those capabilities being able to initiate running JavaScript. PDF itself is already an interpreted language.
    Can that language do malicious things? It’s not supposed to be able to - but if the interpreter has a flaw, that can be exploited just as any malware exploits flaws in an OS etc.
    The correct advice should be, if you get a PDF you do not expect, DO NOT OPEN IT.
    If you need to investigate it, open it only in a sandbox environment that doesn’t have access to the internet and ideally, isolated from any live data environment.
    Are actual “malware” PDFs common in the wild? Thankfully not these days as Adobe and others have got better at patching vulnerabilities, but does that mean they don’t exist? No. Does that mean we won’t see a wide spread PDF malware campaign someday exploiting a zero day in say the Chrome PDF rendering engine? No - that’s entirely possible.

  • @Alnarra 1 month ago +7

    I mean by this argument, does that mean that macro embedded word documents also aren't malware? Much like javascript in a modern PDF, a macro (in MOST default configurations) requires the user to override the protective mechanism to actually get the script to fire.

  • @Zachsnotboard 1 month ago +3

    By default Adobe Reader does not open them in "protected view", so turning that on will help reduce risk the most IMO. But yeah most that I see are BEC attacks or QR codes / link to in the PDF's.

  • @ArchaeanDragon 1 month ago +1

    Don't forget, just because it looks like a PDF attachment doesn't mean it is actually a PDF file. There are unicode name tricks which make an attachment look like something, but it is actually something else, like a .exe or similar.
    Also, this doesn't address 0-days. There are very likely still security vulnerabilities in readers which could execute arbitrary code, so while you may not be able to generate one by grazing pdf makers on google, it is quite possible at some point in the future there will be another serious exploit which allows for malicious payloads to be incorporated into the PDF file itself.
    The best policy is to either not open attachments you can't vet the source of or open them in a secure environment, like a VM that you can discard and recreate easily if it does get infected.
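
The filename trick described in the comment above can be checked for before a file is opened. This is an added example in Python, not part of the original thread: it flags Unicode format characters such as the right-to-left override (U+202E) and document-then-executable double extensions. The extension lists, function names and sample filenames are constructed for illustration, and `approx_display` only approximates how a file manager renders an override.

```python
import unicodedata

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
POP = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an override

# Illustrative lists for this example, not an exhaustive policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "hta", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def strip_format_chars(text):
    """Drop invisible Unicode format characters (general category Cf)."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")


def extension(name):
    """Extension the OS acts on: text after the last dot in stored order."""
    base, dot, ext = strip_format_chars(name).rpartition(".")
    return ext.lower() if dot and base else ""


def approx_display(name):
    """Approximate rendering: text after an RLO is shown reversed until POP or end."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(POP, i + 1)
            end = len(name) if end == -1 else end
            out.append(strip_format_chars(name[i + 1:end])[::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return strip_format_chars("".join(out))


def analyze(name):
    """Return the real extension, the approximate displayed name and a list of flags."""
    real = extension(name)
    shown = approx_display(name)
    parts = [p.lower() for p in strip_format_chars(name).split(".")]
    flags = []
    if any(unicodedata.category(c) == "Cf" for c in name):
        flags.append("format-control-characters")
    if real in EXECUTABLE_EXTS:
        flags.append("executable-extension")
    if extension(shown) != real:
        flags.append("displayed-extension-differs")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and real in EXECUTABLE_EXTS:
        flags.append("double-extension")
    return {"real_ext": real, "shown": shown, "flags": flags}


if __name__ == "__main__":
    # Constructed attachment names, not taken from any real message.
    for sample in ["report.pdf", "report.pdf.exe", "invoice\u202efdp.exe"]:
        print(repr(sample), analyze(sample))
```

A mail gateway or download handler can quarantine any attachment whose flag list is non-empty, regardless of the icon or name shown to the user.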

  • @GalokVonGreshnak 1 month ago +1

    I agree. PDF in and of itself is benign (that we know of now), but it's the software reading the file that determines whether the associated .pdf file is a nuke or not. NSO's Pegasus for Apple's iMessage is a great example of this.

  • @d3layd 1 month ago +124

    Can John make click bait titles?

  • @DevSecOpsAI 1 month ago

    Finally John, I don't need to lower my volume!

    • @nordgaren2358 1 month ago

      The video is mixed to the same standard as the last videos, though.

  • @CesSanchez 1 month ago +1

    Hey! We got this exact PDF at my local board games club !!

  • @dealloc 1 month ago +1

    If a PDF can’t be malware by your interpretation, where it could exploit the reader, then the same could be said for any executable file. PDFs are also executables in the sense that they are scripts being executed by the reader, most commonly PostScript, and may also embed other resources.

  • @Muziek37414 1 month ago +1

    A pdf can be staged with a canary token. Some readers ask if this connection is allowed but most don't. This way some information can be gathered without user input, but not hacked.

  • @CodyL95 1 month ago +1

    I got one of these emails a couple days ago too. I just immediately marked it as spam

  • @svilenSt. 1 month ago

    Hi John. Good explanation. We have a case with QR code in PDF and when open in google chrome with extension for reading that code can lead to troubles. Anyway I agree - PDF are safe by themselves.

  • @realworldhacking1531 1 month ago

    another example is the canary PDF, with macros / external prompt. I don't think it needs exploit, only user interaction and Adobe.

  • @Lampe2020 1 month ago +1

    A WEBP cannot be malware either, everyone thought. And a few months ago a giant vulnerability in libwebp allowed webp files to be/stage malware…

  • @capability-snob 1 month ago +1

    I'm with you. PDF may be a descendant of PS, but it's static by definition, so not malware.

    • @sputukgmail 1 month ago

      PDF is an interpreted language, just as PS is- the file tells the interpreter how to render a document (it can do much more with modern PDFs but we’ll ignore that), but if there are any flaws in that interpreter, it’s possible for the instructions in the PDF to exploit that.
      The flaws in the interpreter could be in any PDF rendering engine - and could be zero day exploits and could require no additional user interaction.

  • @Nulledx 1 month ago

    Definitely! You can attach a malware to a PDF, it really depends on the technique though, I've seen a lot of examples coming mostly from Russians. They are to that day still being sold on specific forums. We should train our families on how to protect against such attacks, because for us in the cybersecurity industry it's not something new, but for them ...

  • @frosecold 1 month ago +2

    John, yes pdf can have malware. That's how they got Sky Mavis. 800 million $ stolen

  • @codydietrich4246 1 month ago

    Great video, easily digestible 👌

  • @Lampe2020 1 month ago +1

    I recently stumbled upon a strange feature of PDF files, that being automatically opening the print dialog. When opening a PDF from a "Print to PDF" from SketchUp Edu in Firefox it opens Firefox's print dialog on top, when my classmate opened one of his 3D model in Chrome it opened Chrome's print dialog.

  • @OhLookNoNumbers 1 month ago +4

    All PDF files are inherently malicious.

    • @doyoufeel...thatyoulackcri6760 1 month ago

      It depends on how precise you want the language to be to the truth. For example hackers are always evil if you read the news medias, but in actuality, hackers by default are not evil, it is black hat hackers who are. Hackers are just very skilled programmers or engineers who know how to twist their tools into doing something else than what it was supposed to. And a hack comes from these skills, like the famous IE6 star hack used by millions of web developers when it was discovered. So by default the definition of hacker is non malicious. Hacking is also a not precise word to use about trying to get into computer systems in order to steal, corrupt, or illegitimately view data, the correct term is cracking and the one doing it is then a black hat hacker

  • @xer4nvidz428 1 month ago +1

    Thanks for the video John! I would say that PDF can be malicious but not to be considered malware, as the pdf only serves as a delivery of the actual malware if handled incorrectly

    • @sputukgmail 1 month ago

      If the PDF does anything to get your computer to do something you don’t want it to do, including go and get more code to do even worse things, then it’s malware.
      PDF is an interpreted language to render the document - (forget the JavaScript capability - that’s a different thing) - the instructions for how to render a document can exploit vulnerabilities in the rendering interpreter and use those to then execute code embedded in the PDF - and that code could be entirely self contained to take over a machine, or it could just be a stub to go and get more malicious code.

    • @xer4nvidz428 1 month ago

      Well the PDFs rely on the fact that you interact with them, making them Malicious. They can carry malware yes, but by definition it's not considered malware. Today's standard PDF readers will not execute the scripts that are embedded in the files, unless you allow it when the popups asking for permission, therefore basically eliminating the threat that they pose. Could PDF be malware in the past? Sure thing, but for today's standards I would consider them malicious not malware

    • @xer4nvidz428 1 month ago

      Unless the PDF has a zero day, then yes that could definitely be considered as malware

    • @sputukgmail 1 month ago

      @@xer4nvidz428 you miss the point. PDF is an interpreted language. Simply opening a file to display it causes code to run. This has nothing to do with the additional ability of PDFs to also embed JavaScript in them. The language used to display a document is code. It is only intended to be used to display the document, but if the rendering interpreter includes a vulnerability, it can be exploited and allow arbitrary code execution. This is not theoretical, it has been used in the past. It does depend on a vulnerability in the rendering engine that can be exploited to turn into code execution, but it has been found in the past and the code involved in rendering a PDF (once you factor in the exposure of the OS GDI / font rendering / language code etc) is extremely complex and vulnerabilities are being found all the time, hence why you need to keep your PDF viewer (and browser) patched - but there is always that window of time between the bad guys finding a vulnerability and exploiting it in the wild, and a patch being available, let alone you getting it installed. So absolutely PDFs can be malware - they have been in the past and not that distant past, and they almost certainly will be used in attacks again. And again, just to emphasise, this has NOTHING to do with PDFs running javascripts and that being off by default.

    • @sputukgmail 1 month ago

      @@xer4nvidz428 exactly. And zero days are a thing, and we should always assume compromise. So yes, PDFs can be malware.
      It just might be malware that can only execute for a short period of time in the wild until most people are patched.

  • @AP-rv6kk 1 month ago

    great video, thank you

  • @CybersecPat 1 month ago

    I think the biggest caveat here is that the security of opening a malicious PDF relies on the client software being up to date. This is an issue in most businesses, and I'd wager for the majority of home users.

  • @dom1310df 1 month ago +8

    I am dubious of any claims with the McAfee name attached.

  • @user-nu6sr9iy6i 1 month ago

    The scariest thing you don't know is that a pdf can be a malware, I made a rust version with pov but not disclosed anyone which I think I might.

  • @blinking_dodo 1 month ago +6

    PDF's can indeed contain scripts and active content that can be malicious.
    When a PDF can compromise a system without users clicking dialogs, then i would consider that to be malware.

  • @carsonjamesiv2512 1 month ago

    INTERESTING!😃👍

  • @Jisioqoq 1 month ago

    Yea, but only if u open it on an app such as acrobat, opening it on a browser instead, will not likely give you any sort of malware.

  • @CiscoJedi 1 month ago +2

    I use RTLO to convert a PDF into an SFX EXE file that looks like a PDF. When opened it displays the Bogus PDF and runs my "Malware" in the background. I put malware in quotes because I do this during Pen Tests that just pops up an alert box telling them they got busted.

  • @drasticwarrior5357 1 month ago

    hmm could be fun to see if the old Microsoft Word macro attacks can work in PDF form. I'm not sure if you could add macros to a PDF file but could still be fun lol

  • @Sunrise-d819i2 1 month ago

    Since email is one of the most common attack surfaces, I always run email in a VM at least. If it's something shady I run Qubes OS, which will sandbox the PDF within a throwaway sandbox. Because one of the most common attacks on YouTube is a PDF/app that is labelled as a PDF unless you make File Explorer show full names and hidden extensions. The attack will send one "clean" PDF, then the second one, which is just a payload that loads a PDF, is an info stealer. Due to this, I think it's safer to run any PDF from unknown "senders" or "sponsors" within sandboxes only, with the sandbox blocked from any internet, because the payload can't send info or spread into root systems to steal more info than that one sandbox.

  • @LowerLight-rn8zx 1 month ago +13

    John next video on wubuntu

    • @Batwam0 1 month ago +1

      Can’t even run this malware in it wubuntu… you’d need to install powershell using wine!

    • @markusTegelane 1 month ago

      doesn't it come with PS pre installed though? @@Batwam0

  • @ZelosZelo 1 month ago +1

    I have treated emails just like phone calls forever... like since Hotmail was the Microsoft email addresses. If I didn't ask you, contact you, you're not on my contact list, a solicitation, ads, or anything other than an expected email from an expected sender it goes right in the trash. I don't care what kind of deal, special, one time offer, I don't care how URGENT it is, I don't care about missing any emails. Email is not my preferred contact, it's my last form of contact. I do have 3 emails, each has a "level" of importance. One I use for all the Tom, Dick and Harrys that are always asking for an email. I have one for stuff like Cash App, and other account driven stuff, and the third is for family.

    • @doyoufeel...thatyoulackcri6760 1 month ago

      The white list approach does work, it is very secure, but also not the most user friendly.
      I used to run NoScript, and it's the same, very secure, not the most user friendly.
      I'd say if you can lose lots of money or other values by getting compromised, then high security is a must, but for my use, everything is backed up, I can easily recreate everything, and if I do get compromised there's not much they can steal. The most I can lose is the value of the computer itself. For which I will never pay ransom, I buy a new one instead.

  • @Neo_GG 1 month ago

    I received that email some months ago. Ignored it and did not download the file. Those phone scams are too annoying, so deleted the email.

  • @leandrokogan141 1 month ago +1

    While the answer is "yes" , with " "... At least for what I have seen with my own eyes. The reach is limited to older software. Today software (PDF readers and browsers) validate for URL requests.

  • @lifehac 1 month ago +1

    Hi John, love your videos. I have a question, maybe a newbie question but I think you could explain it well. How does a reverse shell know which IP to contact? I mean, when I configure a reverse shell on a private network it's easy. I have an IP, the other machine knows my IP, the traffic is routed, etc... But when I'm on a different LAN over 2 different ISPs, my shell will give a private IP, not the public. On the other side, the infected machine will try to connect on its LAN, which is not what we want. But if I configure my server with my public IP, how can it be routed to me? Do I have to configure my router to redirect a specific port to a specific IP (mine) or use a web service? Thanks in advance for your super duper response😅

    • @tearumhack 1 month ago +1

      If you want a callback from a machine in a different LAN, you will need to tell that machine to connect to your attacking machine's public IP. Since your attacker machine is behind a router in your case, you will need to pass the traffic from the router back to your attacker machine. You can do this by setting up port forwarding rules. This is all assuming you're not able to set up a VPN.

  • @x-user3462 1 month ago

    First thing to point out is many users can't distinguish a PDF and a malicious executable/script pretending to be one. Yes it's social engineering, but if such a user watched this video and believes that PDFs are harmless they are fucked.

  • @LDowning0190 1 month ago

    Thank you for the knowledge sharing and content! ❤

  • @PratyakshaBeri 1 month ago

    Keeper has been hacked in the past, I’m not sure if I'd trust them. They also have repeatedly denied it. I understand that John probably didn’t read about this, and that's fair but I hope he’ll do a better job at selecting the sponsors in future

  • @RustyShackleford-tj3ew 1 month ago

    I just tested right now with canary token PDF, and if the user enables extensions in adobe it will auto launch a website. So I would say yes this could be weaponized

  • @AtTheSpaceSatellite 1 month ago

    What about the safe mode of Adobe Reader? Does it work? That mode disables all of the potentially dangerous resources of the program that could be used for malicious reasons (at least that is what they say).

  • @davidrobertson5996 1 month ago

    Nice one, John. Thanks for posting!

  • @hharris712 1 month ago

    I got one about a year ago, it's spam trying to phish you to call their phone number.

  • @kylemcgowan1 1 month ago +1

    They just want the dumb user to call the number and get scammed. Period.

  • @SnipesRuntheNavy 1 month ago

    I literally got the SAME pdf a week or two ago and was trying to figure out how to analyze it but I failed lol

  • @Mongo11b 1 month ago

    The irony of using the Malware of the antivirus companies to discuss malware.

  • @nicholasdacri 1 month ago

    The transition to the promotion ^ hahahah

  • @JasonSmith-fu6oi 1 month ago

    1990s attack that is no longer used

  • @Master120 1 month ago +1

    Jhon Almmonds

  • @Jdmorris143 1 month ago

    That very epic phone number!

  • @metrikodd6285 1 month ago

    Accidentally in a pop-up I downloaded a PDF instantly without asking me which I deleted instantly and I didn't open it and I deleted it from the trash just as quickly, am I at risk?

  • @logiciananimal 1 month ago

    Malware has always included examples that require the user to interact. The proverbial trojan horse program is this.

  • @ZelosZelo 1 month ago

    I would get 10 or so friends and call that number repeatedly all day long until the phone number no longer worked. I wish i had a land line, i have an old auto-dialer :)

  • @MarkovMedia 1 month ago +1

    Well, you can have javascript (XSS) embedded in a PDF, so for me - yes, it can be a malware.

  • @Coffeemancer 1 month ago

    Do you mind if I call you John Hambone?

  • @IndiTechNexus 1 month ago

    Do you have a malware development course pls....sure I will buy

  • @GGHTEAM 1 month ago +3

    when in reality, all they are is extension spoofing with RTLO or the rust PDF builder. "pdf exploits" do not exist without a zero day.

  • @TerrorByteTW 1 month ago

    Wasn’t the most recent LTT hack caused by a PDF file? I thought that’s what Linus said happened in their “what happened” video. Maybe I misunderstood or am misremembering

    • @atorik1076 1 month ago

      It was a fake pdf file

  • @dazoedave 1 month ago

    I received one of these, i figured they are just wanting people to call the phone number.

  • @ultimatevidz9977 7 days ago

    host yourself a great opensource project named as "paperless" and don't worry about getting infected ever :)

  • @linuxviking 1 month ago +3

    Would you consider a malicious macro-enabled Word document malware if it can run shellcode with VBA?

    • @fokyewtoob8835 1 month ago +1

      The word document itself is not the malware the shell code is

    • @GuardianAngel597 1 month ago +1

      YES!!!!!!!! because that shellcode could be anything including a virus. You can even use tools such as metasploit to generate shellcode payloads

    • @GuardianAngel597 1 month ago

      @@fokyewtoob8835 the Word Document is to technically it would just be the stager for the virus itself because the macro in the Word Document uses VBA to run shellcode

  • @SteamedWeas 1 month ago

    "Can a PDF be malware?"
    The fact you can't find any open source pdf-malware doesn't prove a pdf can't be malware.
    a pdf file makes a CPU run code, which means it can be malware imo.
    maybe not today, but can it be? sure can.

  • @holymoses9075
    @holymoses9075 1 month ago +1

    Yes a pdf can be a malware

  • @seniorchonkza997
    @seniorchonkza997 1 month ago

    So you just gonna leave their email address in plain view of the video for everyone to see

  • @adriansrealm
    @adriansrealm 1 month ago

    First rule, if it makes it easy to reach refund it's a scam.

  • @nixoncode
    @nixoncode 1 month ago

    kitboga moment

  • @iamlorddems3859
    @iamlorddems3859 1 month ago

    If you must clarify these PDFs as a piece of malware, I'd guess I'd call them a trojan, and that is already a far stretch

  • @shadowsalah1484
    @shadowsalah1484 1 month ago

    Before I open a PDF I run the command pdftk file.pdf and I see if there is JavaScript

  • @TomJacobW
    @TomJacobW 1 month ago

    What’s “updog”?
    heh

  • @xCheddarB0b42x
    @xCheddarB0b42x 1 month ago +1

    I follow Zero Day Initiative so I already know the answer. XD

  • @Project1542
    @Project1542 1 month ago

    Anybody export PowerPoint to PDF.. the code that can be slapped in PDFs clickable links.. blah blah. You wouldn’t run powershell in a pdf!

  • @vegAA04
    @vegAA04 1 month ago

    I used updog... but sometimes I wonder. what is updog...?

  • @JSR-zw4gu
    @JSR-zw4gu 1 month ago +1

    CAN CLICKING ON THIS DO ANYTHING TO YOUR DEVICE?

    • @theblackssvipssvzy8422
      @theblackssvipssvzy8422 1 month ago

      pdf ? yes next time open it on a sandbox or online pdf viewer if you don't trust it

    • @JSR-zw4gu
      @JSR-zw4gu 1 month ago

      @theblackssvipssvzy8422 tx

  • @KhaledKimboo4
    @KhaledKimboo4 1 month ago

    scammers team leader : phone bills are going through the roof guys, we need to make them call us instead

  • @whtiequillBj
    @whtiequillBj 1 month ago

    I have read the book called PoC | GTFO Volume 2; it shows how to make a PDF with a zip and a WAV file all in the same file. The zip could easily be used maliciously while masquerading as a PDF file. I'd love to know your thoughts on the book in general.

  • @majorgpc
    @majorgpc 1 month ago

    anyway, if your pc account is not an admin you are partially safe

  • @andrewwerner8566
    @andrewwerner8566 1 month ago

    No

  • @bluegizmo1983
    @bluegizmo1983 1 month ago

    Actual PDF files cannot contain malware. Executable files masquerading as PDF files can though, which is why EVERYONE should set their computer to "show file extensions". If you have your system set to show file extensions you will easily be able to see that fake PDF file is actually an .exe file!

    • @ishouldbedead4950
      @ishouldbedead4950 19 days ago

      PDF files can contain malware

    • @bluegizmo1983
      @bluegizmo1983 19 days ago

      @ishouldbedead4950 If you mean they can contain links to websites with malware inside the pdf file, then sure. But PDF files themselves ABSOLUTELY CANNOT have malware in them that executes on the computer when you open the PDF file.

  • @BrutusMaximusAurelius
    @BrutusMaximusAurelius 1 month ago +2

    Yes. The end.

  • @Its-Just-Zip
    @Its-Just-Zip 1 month ago

    I got one of these a few days ago. It was a .gif file. Threw it into triage for a double check. It had a couple of signatures but there were no downloads or files accessed outside of the usual Edge stuff

  • @user-be2bs1hy8e
    @user-be2bs1hy8e 1 month ago

    What is ChatGPT's opinion? I agree with the opposite of whatever ChatGPT says. Like holistic.

  • @S.H.A.N.D.E.R
    @S.H.A.N.D.E.R 1 month ago +2

    What's updog?

  • @balajisharathkumar9753
    @balajisharathkumar9753 1 month ago +1

    team sp

  • @kintag4459
    @kintag4459 1 month ago

    thank you so much

    • @soko45
      @soko45 1 month ago

      You didn't even watch the video yet...

  • @oaklyfoundation
    @oaklyfoundation 1 month ago

    I don’t wanna be that guy but you often miss to link stuff in the description, like the article for example.

  • @_mrcrypt
    @_mrcrypt 1 month ago

    Good video! Thanks!

  • @thomcr
    @thomcr 1 month ago +2

    Not True. PDF can totally be malware if they run dynamic JavaScript and exploit a vuln on the JS interpreter. It has been done before, but you do need a vuln on the PDF reader.

  • @ByteHax_
    @ByteHax_ 1 month ago

    make video on Self-extracting archives malware 🤭🤭

  • @balloney2175
    @balloney2175 1 month ago

    That is why I withdrew my 10-dollar savings recently.

  • @peterparker175
    @peterparker175 1 month ago

    this gonna work only if you always click Allow like an idiot

  • @binaryrun
    @binaryrun 1 month ago +1

    can a fish swim? follow me for more

  • @ThomasDang
    @ThomasDang 1 month ago

    For end users this may be okay advice. But in enterprise, as a defender even if you talk to the user, how can you be sure they didn't click or execute some JS in the PDF (users lie or don't know what you mean when you question them)? It ends up that you have to effectively do the same level of investigation either way once they open the file. This would probably involve scans and reviewing EDR logs to ensure that no suspicious activity came from the reader/stager.

  • @abelzhuwao4761
    @abelzhuwao4761 1 month ago

    Hello, am curious as a hacker do you pay for internet connection??