app.alert('neonprimetime created this sample for educational purposes');
Now there are two ways a user could open this malicious PDF: in Acrobat Reader, or in their browser (Internet Explorer, Firefox, Chrome, etc.). The behavior of this one differs depending on which they choose.
If I open it in the regular Adobe Reader application it looks like this (note: Adobe has a nice security feature that prompts you to confirm whether you really want to open the webpage).
If you open it in a browser it behaves slightly differently, and a bit more deceptively in my opinion: the PDF is replaced outright by my webpage. Interesting, to say the least.
I could have caught this ahead of time by running the process I explained in a previous blog post: pdfid.py to count the risky name objects (/OpenAction, /AA, /JS, /JavaScript, /URI, /Launch) and pdf-parser.py to pull out the objects that contain them.
> .\pdfid.py .\sample.pdf
> .\pdf-parser.py .\sample.pdf
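As an added example (not the author's sample, and not Didier Stevens' pdfid.py or pdf-parser.py), the script below builds a minimal PDF whose /OpenAction runs JavaScript, then triages it the way pdfid does: it counts the risky name objects, undoes the #xx hex escapes that attackers use to hide names like /JS, and pulls the script and any URL out of the /JS string. The app.launchURL call and the http://example.com/ URL are assumptions standing in for whatever the real sample used to open its webpage; the post only shows the app.alert line.

```python
"""Constructed example: build a tiny PDF with an open-action JavaScript
payload and triage it pdfid-style by counting risky name objects."""
import re

# Constructed payload. The post's sample shows only the app.alert line; the
# app.launchURL call and example.com URL are assumptions, not the real sample.
JS_PAYLOAD = (
    "app.alert('neonprimetime created this sample for educational purposes');"
    "app.launchURL('http://example.com/', true);"
)

# Name objects pdfid.py reports that matter for this kind of sample:
# the first two are triggers (run on open / on an event), the rest are payload types.
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/URI", b"/Launch"]


def _pdf_string(s: str) -> bytes:
    """Encode s as a PDF literal string: (...) with backslash and parens escaped."""
    return b"(" + re.sub(rb"([\\()])", rb"\\\1", s.encode()) + b")"


def build_pdf(js=None) -> bytes:
    """Minimal one-page PDF; if js is given it becomes the catalog's /OpenAction."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js is not None:
        catalog += b" /OpenAction 4 0 R"
    objs = [
        catalog + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if js is not None:
        objs.append(b"<< /Type /Action /S /JavaScript /JS " + _pdf_string(js) + b" >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at)
    return bytes(out)


def _normalise_names(pdf: bytes) -> bytes:
    """Undo #xx hex escapes in names (e.g. /J#53 -> /JS), a common way to dodge
    naive grep-style scanners; pdfid.py normalises these too."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), pdf)


def triage(pdf: bytes) -> dict:
    """Count risky names, extract /JS literal strings and the URLs inside them,
    and flag the file when a trigger (/OpenAction or /AA) meets a payload."""
    data = _normalise_names(pdf)
    # Negative lookahead so /JS does not also count /JSX-style longer names.
    counts = {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", data))
              for n in RISKY_NAMES}
    scripts = []
    for m in re.finditer(rb"/JS\s*\((.*?)(?<!\\)\)", data, re.S):
        # Strip the PDF string escapes back off to recover the JavaScript source.
        scripts.append(re.sub(rb"\\([\\()])", rb"\1", m.group(1)).decode(errors="replace"))
    urls = sorted({u for s in scripts for u in re.findall(r"https?://[^\s'\")]+", s)})
    trigger = counts["/OpenAction"] + counts["/AA"] > 0
    payload = sum(counts[k] for k in ("/JavaScript", "/JS", "/URI", "/Launch")) > 0
    return {"counts": counts, "scripts": scripts, "urls": urls,
            "suspicious": trigger and payload}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_pdf(JS_PAYLOAD)), indent=2))
```

Two caveats a practitioner would want: the JS extraction here only handles literal strings, so a /JS value stored as a stream (optionally /FlateDecode compressed) is counted but not decoded, which is exactly the case where pdf-parser.py's object dump earns its keep; and the hex-name normalisation is deliberately greedy, so a /JS count of zero is only meaningful after it has run.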
Don't trust those random emails from random nobodies!
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.