Didier Stevens

Friday 28 August 2015

Test File: PDF With Embedded DOC Dropping EICAR

Filed under: PDF — Didier Stevens @ 9:30

Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file.

For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file.

The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes when the file is opened and writes the EICAR test file to a temporary file in the %TEMP% folder.
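For defenders, the combination this test file exercises (a script action, something that fires on open, and an embedded file) is exactly what a first-pass PDF triage should flag. The following is an added example, not code from the post or from the pdfid tool, though it mirrors pdfid's keyword-counting approach; the sample PDF bytes are constructed here and are not the test file itself.

```python
import re
from typing import Dict

# Constructed sample: a minimal PDF skeleton (not a rendering document) that
# carries the features described in the post: an /OpenAction pointing at a
# JavaScript action and an embedded file. One name is written with a #xx hex
# escape (/J#61vaScript) to show why names must be normalised before counting.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
4 0 obj << /S /J#61vaScript /JS (script-body-omitted) >> endobj
5 0 obj << /Names [(sample.doc) 6 0 R] >> endobj
6 0 obj << /Type /Filespec /F (sample.doc) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >> stream
D0CF
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

KEYWORDS = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
            "/EmbeddedFile", "/ObjStm", "/XFA")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so that /J#61vaScript is counted as /JavaScript.
    Applied to the whole buffer for simplicity; good enough for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> Dict[str, int]:
    """Count each keyword as a whole PDF name: /EmbeddedFile must not match /EmbeddedFiles."""
    data = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])", data))
            for kw in KEYWORDS}

def triage(data: bytes) -> Dict[str, object]:
    """Turn raw counts into the findings an analyst would act on."""
    counts = count_keywords(data)
    has_script = counts["/JS"] > 0 or counts["/JavaScript"] > 0
    has_auto = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    findings = []
    if has_script and has_auto:
        findings.append("script action runs automatically when the document is opened")
    if has_script and counts["/EmbeddedFile"] > 0:
        findings.append("embedded file plus script: candidate dropper, inspect the embedded payload")
    if counts["/Launch"] > 0:
        findings.append("/Launch action present: can start an external program")
    return {"counts": counts, "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    for line in triage(SAMPLE_PDF)["findings"]:
        print("FINDING:", line)
```

A real sample should then go through a proper parser (pdf-parser or similar) to extract the embedded object and hash it before anything is opened.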


You can download the PDF file here. It is in a password protected ZIP file. The password is eicardropper, with eicar written in uppercase: EICAR.

This will generate an anti-virus alert. Use at your own risk, with approval.
pdf-doc-vba-eicar-dropper.zip (https)
MD5: 65928D03CDF37FEDD7C99C33240CD196
SHA256: 48258AEC3786CB9BA032CD09DB09DC66E0EC8AA19677C299678A473895E79369

14 Comments »

  1. AV is missing both macro based docs at the moment and now the PDF packed delivery should add an extra layer to bypass current detection technologies. Good for the bad … bad for the good.

    Comment by Reddevall — Friday 28 August 2015 @ 18:57

  2. I have JavaScript disabled in my Adobe Reader, so of course, nothing happened. I enabled JS for this doc once only. OpenOffice then opened the doc, but as macros are disabled, nothing happened again. Only signed macros from trusted sources are allowed to run, per my settings. I’d have to go to a bit of extra work to get this macro to run. I guess my setup is reasonably secure! 🙂

    Comment by Anonymous — Saturday 29 August 2015 @ 2:00

  3. […] Here is how I created the PDF document from this blogpost. […]

    Pingback by The Making Of: PDF With Embedded DOC Dropping EICAR | Didier Stevens Videos — Monday 31 August 2015 @ 0:08

  4. Did the password change? “EICAR” doesn’t work.

    Comment by Anonymous — Tuesday 1 September 2015 @ 23:38

  5. Nevermind. I re-read the post and got the right password

    Comment by Anonymous — Tuesday 1 September 2015 @ 23:39

  6. […] was asked how one can mitigate my PDF-DOC-VBA test file in Adobe Reader. This video explains […]

    Pingback by PDF With Embedded DOC And VBA: Reader Mitigation | Didier Stevens Videos — Wednesday 2 September 2015 @ 0:02

  7. I ran it: it works fine as described. I first got a PDF macro warning and, after enabling Word Viewer to process the Word file, I got a Word macro warning. These are 2 of my own security measures. At last MSE said that there was no action required. Good test also. Thanks for the effort in this Didier.

    Comment by John Heijmann — Wednesday 2 September 2015 @ 8:53

  8. password eicardropper doesn’t work?

    Comment by Anonymous — Thursday 3 September 2015 @ 6:19

  9. Yes it does. Read the instructions closely.

    Comment by Didier Stevens — Thursday 3 September 2015 @ 6:20

  10. I had no question from ‘COMODO Antivirus’ at all. Nevertheless the EICAR dropper file name was like ~DF5467.tmp and file size (not on the disk) is 512 bytes all time. ‘eicar-dropper.doc’ was opened by means of ‘Microsoft Office Word Viewer (11.8420.8420) SP3’ and no macro warning was issued. Meanwhile I was not able either to get any hashes of it or copy it.
    So what is the actual dropper?

    Comment by Andriy — Friday 11 September 2015 @ 12:46

  11. So it worked. The eicar file was created.

    Comment by Didier Stevens — Friday 11 September 2015 @ 12:59

  12. “Nevertheless the EICAR dropper file name was like ~DF5467.tmp and file size (not on the disk) is 512 bytes all time.”

    Sorry, that was a mistake, I was wrong.
    Once again, in my case the EICAR dropper file name was like ‘rad9A2F3.tmp’ :

    CRC32: 6851cf3c
    MD5: 44d88612fea8a8f36de82e1278abb02f
    SHA-1: 3395856ce81f2b7382dee72602f798b642f14140
    SHA-256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
    SHA-512: cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

    and file size 68 bytes.

    Comment by Andriy — Friday 11 September 2015 @ 14:24

  13. That’s the hash of the EICAR test file. More evidence that the EICAR test file was created on your system.

    Comment by Didier Stevens — Friday 11 September 2015 @ 22:03

  14. […] produced videos showing how I created my “Test File: PDF With Embedded DOC Dropping EICAR” and how to change the settings in Adobe Reader to mitigate […]

    Pingback by PDF + DOC + VBAs Videos | Didier Stevens — Monday 21 September 2015 @ 10:46

