Malicious Origami in PDF

Evasion Tricks

• 01-out.jpg: PDF hidden as JPG
• pdfincom.zip: PDF hidden as COM executable

Denial of service

• XX-bomb-DO-NOT-OPEN.pdf: zipbomb (475Kb->2Gb)
• moebius-named.pdf: read fast PDF
• moebius-goto.pdf: read fast PDF
• moebius-gotor[1,2].pdf: switch fast PDF

Information leakage

• calipari.pdf: official "sanitized" US report
• track.pdf: some unprivileged information
• extjs.pdf: the source of the embedded JavaScript is outside the PDF file (see file script.js)
• webbug-browser.pdf: opens default browser to connect to a site
• webbug-js.pdf: same as webbug-browser.pdf through JavaScript, then submit a form requesting a new PDF to be downloaded and opened
• webbug-reader.pdf: same as webbug-js.pdf but through Reader's embedded browser (no JavaScript inside): a remote PDF is opened, this one starting a local application
• form3.pdf: a simple form is submitted, answer contains inserted JavaScript

Dropping eggs

Code execution

• calc.pdf: starts the calc application, on Unix, MacOS X and Windwos

Virus in PDF

• virus.pdf: embed a malicious exe (which should be filtered) which compromises the user's configuration.
  This file is signed by Adobe's private key.
• r0x0r.pdf: propagation stage on a PDF virus, the file copies itself (should be embedded in virus.pdf, but not for demo purpose) thanks to invisible Usage Rights

Staged attack

• stage1.pdf: compromise the user's configuration so that it can connect to attacker's site. Create and submit the list of files in FDF format.
  This file is signed by Adobe's private key.
• stage2.pdf: automatically upload a secret file to attacker's website