Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file.
For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file.
The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file, and writes the EICAR test file to a temporary file in the %TEMP% folder.
You can download the PDF file here. It is in a password protected ZIP file. The password is eicardropper, with eicar written in uppercase: EICAR.
This will generate an anti-virus alert. Use at your own risk, with approval.
pdf-doc-vba-eicar-dropper.zip (https)
MD5: 65928D03CDF37FEDD7C99C33240CD196
SHA256: 48258AEC3786CB9BA032CD09DB09DC66E0EC8AA19677C299678A473895E79369
Didier Stevens 