Malicious URI resolving in PDF documents

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Nowadays, PDF (Portable Document Format) is used very frequently, especially by companies and increasingly by ordinary users. This helps explain the growing appeal of this attack vector to cybercriminals. PDF is also often considered safer than other document formats, such as those of Microsoft Office. Given the many possibilities offered by the format, one may wonder how much confidence should be placed in such a document. Indeed, the use of HTTP (Hypertext Transfer Protocol) requests allows arbitrary code to be executed outside of the PDF, including, for example, JavaScript in Internet Explorer. It still works despite the updates from Adobe, and it remains a pretty good open door to malicious actions. The purpose of this paper is to show that the simple use of an HTTP request from a PDF can be a pretty good vector for an attacker. Furthermore, this paper deals with how relatively easy it can be to reuse vulnerabilities from outside the document. In addition, we will see that it is possible to call an external PDF from another PDF. This can allow the attacker to adapt his attack by learning the victim's Adobe software version even before launching any malicious PDF. Knowledge of this security problem is not new, but this article aims to show in detail how the attacker could carry out his attack.


Corresponding author

Correspondence to Valentin Hamon.

About this article

Cite this article

Hamon, V. Malicious URI resolving in PDF documents. J Comput Virol Hack Tech 9, 65–76 (2013). https://doi.org/10.1007/s11416-013-0179-2

  • DOI: https://doi.org/10.1007/s11416-013-0179-2
