{"id":72884,"date":"2010-05-07T07:29:48","date_gmt":"2010-05-07T07:29:48","guid":{"rendered":"https:\/\/localhost\/wordpress\/?p=72884"},"modified":"2010-05-07T07:29:48","modified_gmt":"2010-05-07T07:29:48","slug":"surviving-pdf-launch-attack","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/surviving-pdf-launch-attack\/","title":{"rendered":"Surviving PDF \u201c\/Launch\u201d attack"},"content":{"rendered":"

After Didier Stevens revealed about PDF \u201c\/Launch\u201d Social Engineering Attack<\/em> that could be used to launch applications from PDF files, we have received malicious PDF files which use this technique -doc.pdf, Royal_Mail_Delivery_Invoice_[].pdf. These PDF files modify Adobe’s Launch File warning which is prompted to the user before opening embedded non-pdf attachment. As Adobe has mentioned, default option shown is to not execute the file.<\/p>\n

\"\"<\/p>\n

If user clicks on “Open” options, it drops and executes embedded VBScript and malicious file.<\/p>\n

Below image shows the script from doc.pdf file which drops and executes game.exe.<\/p>\n

\"\"<\/p>\n

Quick Heal detects doc.pdf as Exploit.PDF.Pidief and dropped file game.exe as Trojan.Agent.pack.<\/p>\n

Users are advised to configure Adobe to disable execution of JavaScript files and opening of non-PDF file attachments with external applications.<\/p>\n

From the Preferences panel, select “JavaScript” and uncheck the “Enable Acrobat JavaScript” option as shown below.<\/p>\n

\"\"<\/p>\n

From the Preferences panel, select “Trust Manager” and uncheck the “Allow opening of non-PDF file attachments with external applications” option as shown below.<\/p>\n

\"\"<\/p>\n

References:<\/p>\n

https:\/\/blogs.adobe.com\/adobereader\/2010\/04\/didier_stevens_launch_function.html
\nhttps:\/\/blog.didierstevens.com\/2010\/03\/29\/escape-from-pdf\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

After Didier Stevens revealed about PDF \u201c\/Launch\u201d Social Engineering Attack that could be used to launch applications from PDF files, we have received malicious PDF files which use this technique -doc.pdf, Royal_Mail_Delivery_Invoice_[].pdf. These PDF files modify Adobe’s Launch File warning which is prompted to the user before opening embedded non-pdf attachment. As Adobe has mentioned, […]<\/p>\n","protected":false},"author":21,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-72884","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72884"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=72884"}],"version-history":[{"count":0,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72884\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=72884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=72884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=72884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}