Monday, March 9, 2015

0 Detection PDF with external link to malware EXE

This morning Malware Domain List tweeted a 0/57 detection malware PDF which was/is not detected as malware by any AV product on

The PDF has the following attributes:

Original filename: 2015-03-05Label.pdf
Size: 96697 bytes
md5: 0323382619193827959ee85631f6043d
sha1: f64e86177b5b5f8db8a78c346e2a165423b4a427
sha256: bc415d1f0c8d8af1b02008f03788de7e073650893eec01296c537346b42f7244
ssdeep: 1536:s3Orf9OoEPqFlpcTVrGxokqE/3wrqx8TnWOgQSawAgl4a+E7zQGBEkc4ryH:serf9nEUpOJGmTE/BaLJ4qE7EGbmH
content/type: PDF document, version 1.5

Loading the PDF into PDFExaminer does detect an exploit. Strictly speaking it is more of a "feature" of PDF, the ability to link to external content; however, linking to a remote EXE is always bad and should probably be detected in the PDF:

Drilling down to the malicious object in PDFExaminer reveals an external hyperlink to a remote executable:

Now opening the PDF reveals how a user could be exploited, but they still need to click a malicious link to download and execute the malware. So while AV may not protect you from this attack vector initially, about half the AV products tested will detect the downloaded remote executable. User education to avoid clicking suspicious links is a key defence here.
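As an added illustration of the check the post is asking for (not code from PDFExaminer or from the original post), the following scanner pulls every /URI link action out of a PDF, including ones inside Flate-compressed streams such as the object streams PDF 1.5 files use, and flags targets whose path ends in an executable extension. The sample PDF it scans is constructed inline; the URLs in it are placeholders, not the link from the real sample.

```python
import re
import zlib

# Extensions that have no business being the target of a document hyperlink.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".jar")

# /URI (literal string) with PDF escapes; \bstream avoids matching inside "endstream".
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(literal: bytes) -> str:
    # Minimal PDF literal-string unescape: octal escapes, then \(, \), \\ and friends.
    out = re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8)]), literal)
    out = re.sub(rb"\\(.)", rb"\1", out)
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Collect /URI targets from the raw bytes and from every stream that inflates."""
    haystacks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            haystacks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode or truncated; the raw bytes are scanned anyway
    return [_unescape(m.group(1)) for h in haystacks for m in URI_RE.finditer(h)]


def suspicious_uris(pdf: bytes) -> list[str]:
    """Return link targets whose path (ignoring query/fragment) names an executable."""
    return [u for u in extract_uris(pdf)
            if u.lower().split("?")[0].split("#")[0].endswith(EXECUTABLE_EXTENSIONS)]


def build_sample_pdf() -> bytes:
    # Constructed sample, not the file from the post: one plain /URI action, one benign
    # link, and a second executable link hidden inside a Flate-compressed object stream.
    hidden = b"<< /S /URI /URI (http://example.invalid/update.scr) >>"
    packed = zlib.compress(hidden)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (http://example.invalid/2015-03-05Label.exe) >> >> endobj\n"
            b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"3 0 obj << /A << /S /URI /URI (https://example.invalid/page.html) >> >> endobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    for uri in suspicious_uris(build_sample_pdf()):
        print("executable link target:", uri)
```

Hex-string (`<...>`) forms of /URI and non-Flate filters are not handled, so treat a clean result as "nothing found by this check", not as proof the file is safe.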

The PDF contents:

AV detection for the remote executable linked to from this PDF is 25/57:

And finally, you can use PDFExaminer for free, online to detect this and other potential threats in PDF documents.
