Didier Stevens

Tuesday 20 May 2008

Quickpost: eicar.pdf

Filed under: PDF,Quickpost — Didier Stevens @ 8:54

I like to embed the EICAR Anti-Virus test file in usual formats and less usual formats. Today, I’m publishing a PDF document with an embedded EICAR test file (eicar.txt). This PDF document has also an annotation with a JavaScript action linked to it. Clicking the annotation will export the embedded eicar.txt file to a temporary folder and launch the default editor for .txt files. This doesn’t work with Foxit Reader, because Foxit doesn’t support the JavaScript method I’m using to export eicar.txt (exportDataObject). But you can still export the file manually if you use Foxit Reader.

eicar.pdf contains only ASCII characters, so you can use Notepad to see what I did. And I had do to something special, can you guess what? Post your comments!


Quickpost info


16 Comments »

  1. Opened the file, and clicked the button. Not a peep from AVG 8.0. Ugh.

    Comment by Mike — Tuesday 20 May 2008 @ 16:59

  2. Did Notepad start and opened eicar.txt? And will your AVG config scan txt files?

    Comment by Didier Stevens — Tuesday 20 May 2008 @ 17:49

  3. Opened the file and clicked the button… verified that I wanted to open file…. Symantec Antivirus v10.1.0.401 (with up to date DATs) AutoProtect deleted the file before Notepad could open it… therefore received a “file not found error”.

    Comment by Ilmar — Thursday 22 May 2008 @ 19:40

  4. That’s what’s your AV is supposed to do.

    Comment by Didier Stevens — Thursday 22 May 2008 @ 19:54

  5. Please read the definition of the EICAR Test File on the EICAR Web site. The file *must* be a text file, with the specified 68-character sequence at the beginning and no more than 128 bytes of whitespace after it. If you make anything else (e.g., embed this character sequence in PDF files, Word files or whatnot), then the result is no longer the EICAR Test File and you can’t reasonably expect the anti-virus programs to detect it (although some will under some circumstances).

    Comment by Vesselin Bontchev — Tuesday 27 May 2008 @ 10:16

  6. I’m very familiar with the EICAR Test File, and I didn’t write that I expected AV products to detect the EICAR.pdf file. But I expect that the AV products detect the eicar.txt that is exported when you click on the button.

    What made you believe that I wanted the eicar.pdf to be detected by AV products?

    Comment by Didier Stevens — Tuesday 27 May 2008 @ 10:23

  7. Foxit reader 2.3 did nothing when you clicked the button.

    It sure beats me why this one (lousy) PDF reader called Acrobat seems to be so much more common than the others.

    Comment by MH — Friday 6 June 2008 @ 13:04

  8. What did you use to construct the PDF?

    Comment by Venom23 — Thursday 26 June 2008 @ 18:43

  9. I just assembled the PDF file by hand, using a programmers editor.

    But now I’ve written some Python code to generate PDF files too. If there is interest, I can cleanup the code and post it.

    Comment by Didier Stevens — Thursday 26 June 2008 @ 18:57

  10. Would be nice… :)

    Comment by Venom23 — Thursday 26 June 2008 @ 20:41

  11. NOD32 flagged the .pdf as being clean – however when I clicked to export the text file it detected a potential threat and blocked the file from being opened.

    Comment by Clive Smith — Wednesday 3 December 2008 @ 20:06

  12. @Clive Smith
    That’s what’s your AV is supposed to do.

    Comment by Didier Stevens — Wednesday 3 December 2008 @ 20:25

  13. [...] The PDF specification provides ways to embed files in PDF documents. I’m releasing my Python program to create a PDF file with embedded file (I used make-pdf-embedded.py to create my EICAR.pdf). [...]

    Pingback by Embedding and Hiding Files in PDF Documents « Didier Stevens — Wednesday 1 July 2009 @ 6:28

  14. [...] The PDF specification provides ways to embed files in PDF documents. I’m releasing my Python program to create a PDF file with embedded file (I used make-pdf-embedded.py to create my EICAR.pdf). [...]

    Pingback by Embedding and Hiding Files in PDF Documents - Opsec — Wednesday 1 July 2009 @ 17:22

  15. To Vesselin Bontchev in comment #5
    Embedding files in PDFs is just like attaching a file in an email.
    Do you expect your antivirus to test attached files, no? So I expect my antivirus to search in embedded files in PDFs too. I think this could be very dangerous, and I want to thank Didier for making such an investigation.

    Very good work Didier.

    Comment by nevot — Thursday 2 July 2009 @ 19:57

  16. Thank you Didier because with this file I could realise that my antivirus had a wrong configuration. I use Avira free and now he is able to detect the pdf and of course the txt.
    Keep the good work Didier.

    Comment by Nacho — Thursday 16 July 2009 @ 9:45


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 223 other followers

%d bloggers like this: