What is the safest way to deal with loads of incoming PDF files, some of which could potentially be malicious?

Question

As an investigative journalist I receive each day dozens of messages, many of which contain PDF documents. But I'm worried about some of the potentially malicious consequences of blindly opening them and getting my computer compromised. In the past, before I started working in investigative journalism, I was using virustotal.com to analyze all files (including PDFs) coming to my inbox, but that's not possible in this case as the files will be sent to them when they're meant to be confidential before release. And I heard that antivirus solutions are not 100% foolproof.

What is the safest way to deal with loads of incoming PDF files, some of which could potentially be malicious?

Answer 1

I think the safest option for you would be to use Qubes OS with its built in DisposableVMs functionality, and its “Convert to Trusted PDF” tool.

What is Qubes OS?

Qubes is an operating system where it's all based on virtual machines. You can think of it as if you had different isolated ‘computers’ inside yours. So that way you can compartmentalize your digital life into different domains, so that you can have a ‘computer’ where you only do work related stuff, another ‘computer’ that is offline and where you store your password database and your PGP keys, and another ‘computer’ that is specifically dedicated for untrusted browsing... The possibilities are countless, and the only limit is your RAM and basically how much different ‘computers’ can be loaded at once. To insure that all these ‘computers’ are properly isolated from each other, and that they can't break to your host (called ‘dom0’ for domain 0) and thereby control all of your machine, Qubes uses the Xen hypervisor,^[1] which is the same piece of software that is relied upon by many major hosting providers to isolate websites and services from each other such as Amazon EC2, IBM, Linode... Another cool thing is that each one of your ‘computers’ has a special color that is reflected in the windows' borders. So you can choose red for the untrusted ‘computer’, and blue for your work ‘computer’ (see for example picture below). Thus in practice it becomes really easy to see which domain you're working at. So let's say now that some nasty malware gets into your untrusted virtual machine, then it can't break and infect other virtual machines that may contain sensitive information unless it has an exploit that can use a vulnerability in Xen to break into dom0 (which is very rare), something that significantly raises the bar of security (before one would only need to deploy malware to your machine before controlling everything), and it will protect you from most attackers except the most resourced and sophisticated ones.

What are DisposableVMs?

The other answer mentioned that you can use a burner laptop. A Disposable Virtual Machine is kind of the same except that you're not bound by physical constraints: you have infinitely many disposable VMs at your wish. All it takes to create one is a click, and after you're done the virtual machine is destroyed. Pretty cool, huh? Qubes comes with a Thunderbird extension that lets you open file attachments in DisposableVMs, so that can be pretty useful for your needs.^[2]

(Credits: Micah Lee)

What's that “Convert to Trusted PDF” you were talking about?

Let's say you found an interesting document, and let's say that you had an offline virtual machine specifically dedicated for storing and opening documents. Of course, you can directly send that document to that VM, but there could still be a chance that this document is malicious and may try for instance to delete all of your files (a behavior that you wouldn't notice in the short-lived DisposableVM). But you can also convert it into what's called a ‘Trusted PDF’. You send the file to a different VM, then you open the file manager, navigate to the directory of the file, right-click and choose “Convert to Trusted PDF”, and then send the file back to the VM where you collect your documents. But what does it exactly do? The “Convert to Trusted PDF” tool creates a new DisposableVM, puts the file there, and then transform it via a parser (that runs in the DisposableVM) that basically takes the RGB value of each pixel and leaves anything else. It's a bit like opening the PDF in an isolated environment and then ‘screenshoting it’ if you will. The file obviously gets much bigger, if I recall it transformed when I tested a 10Mb PDF into a 400Mb one. You can get much more details on that in this blogpost by security researcher and Qubes OS creator Joanna Rutkowska.

---

^{[1] : The Qubes OS team are working on making it possible to support other hypervisors (such as KVM) so that you can not only choose different systems to run on your VMs, but also the very hypervisor that runs these virtual machines.
[2] : You also additionaly need to configure an option so that the DisposableVM-that is generated once you click on “Open in DispVM”-will be offline, so that they can't get your IP address. To do that: "By default, if a DisposableVM is created (by Open in DispVM or Run in DispVM) from within a VM that is not connected to the Tor gateway, the new DisposableVM may route its traffic over clearnet. This is because DisposableVMs inherit their NetVMs from the calling VM (or the calling VM's dispvm_netvm setting if different). The dispvm_netvm setting can be configured per VM by: dom0 → Qubes VM Manager → VM Settings → Advanced → NetVM for DispVM." You'll need to set it to none so that it isn't connected to any network VM and wont have any Internet access.
[3] : Edit: This answer mentions Subgraph OS, hopefully when a Subgraph template VM is created for Qubes you could use it with Qubes, making thus exploits much harder, and thanks to the integrated sandbox it would require another sandbox escape exploit as well as a Xen exploit to compromise your entire machine.}

Answer 2

Safest would probably be a burner device. Grab a cheap laptop, and a mobile internet dongle, use it to download the documents, and manually copy across any contents to your main computer (literally retyping would be safest, if you're particularly worried). Since it's not on your network, it shouldn't be able to cause problems even if it got infected, and you'd be able to wipe it or just bin it if you have any particularly evil malware sent to you.

If you need actual contents from the files (e.g. embedded images), one option would be to install a PDF print driver on your burner device, and to print the incoming PDF files using it - this will generate PDF output, but, in theory, just the visual components. Printers don't tend to need script elements, hence they can be safely dropped. Bear in mind that some PDF printer drivers spot when you provide a PDF, and just pass it through unmodified - test before relying on it! Once you've got a clean PDF, email it back to yourself, and check with a virus scanner on your main machine before opening. Note that this doesn't completely eliminate the possibility of malware getting through, but should minimise the chances.

Answer 3

So, I try to stick with these concerns in the "land of reasonable". With every security issue there is a balance of secure v.s. safe. For example, you could buy a laptop, read one PDF loaded from the web mail side of your email provider, re type any content you need on a "main computer" then destroy the laptop starting all over again with a new laptop. That would be pretty secure. Also costly, and a giant pain.

So back to a "reasonable" approach.

First, use Linux and a up to date PDF reader. By doing so you have really reduced your exposure. There are not as many viruses written for Linux as there are for windows. That alone will protect you quite a bit. The viruses that do work on Linux are more complicated to implement. Again reducing your exposure.

Next use a Virtual machine that supports snap-shotting. The idea is that you setup your Linux OS inside a virtual machine host (like VirtualBox) get it all setup then, "Snapshot" the state.

You can then do all your "risky" work inside the virtual machine. Using isolation options, I don't know of any virus that can "escape" the virtual machine and get to the host machine (doesn't mean they're not out there, just means it's more rare, and more complicated for the attacker).

At the end of the day, or any time during the day when you think you have gotten a virus, then you "revert" the machine to the previous snapshot. All the changes and data that "happened" after your snapshot are undone, including any work, viruses, etc.

During the day, you can open a PDF, scan it with ClamAV (or the like), copy and paste what you need, or what ever you need to do with the PDF files, so long as your Virtual Machine exists in isolation. That means that you don't give the virtual machine access to the host machine. You use something like email to transfer the files. Maybe FTP between the host and the virtual machine. Something, but not direct integration. Not dropbox either. Something where if you're going to transfer the file, then you're only going to transfer that one file after you're pretty sure it's safe. If you're using a Linux host and a Linux guest then scp is a great choice.

This gives you a "pretty secure", disposable environment, to check your questionable PDFs out, with the ability to "undo" damage that may happen, without having to really change much in your work flow.

Virtual machine hosts and guests can be almost any OS including Windows. Keep in mind that if you have a Linux guest and a Windows host the Linux virtual machine may not even be susceptible to a virus that is in the PDF that a Windows machine will be susceptible to. Scanning with an anti-virus scanner is important, no matter the OS combo in use.

Answer 4

Using CubeOS and disposable VMs is a good approach.

Some other options (which can be combined with the CubeOS/DisVM one) :

Disarm the PDF

You can use ghostscript for that :

gs -dNOPAUSE -dBATCH -sDEVICE=tiffg4 \
  -dDownsampleMonoImages=false \
  -dDownsampleGrayImages=false \
  -dDownsampleColorImages=false \
  -r200 \
  -sOutputFile="$OUTFILE" -c .setpdfwrite -f "$FILE"
tiff2pdf -o "${OUTFILE%.*}.pdf" "$OUTFILE"

This pair of commands will render your PDF as an image, then embed this image in a PDF.

Detect suspicious PDF

Didier Stevens, a fellow belgian InfoSec researcher, wrote excellent tools to detect malicious PDF files. Look for one called pdfid.py

This tool analyses the content of the PDF to detect potentially malicious ones.

Basically, a PDF containing JavaScript or Auto-Open URLs should be considered suspicious.

Protect your tools

Whichever option you select, your tools can become the target of your threat agent. Patch them frequently and run them in a disposable / isolated environment.

Answer 5

Converting all the PDFs to some more "passive" format - maybe TIFF or postscript - could be done in batch, in a restricted account either on the local machine or on some linux box/VM. An exploit/malware being carried along into a different file format is very unlikely.

Files that are purely malicious will not even render that way; any exploit targeted at popular PDF viewers probably will not work with scripted conversion tools (which will mostly be based on the ghostscript engine); and the restricted account will keep a successful exploit from doing much damage.

A normal user account on an up-to-date linux machine is very difficult to "break out of" - do make sure that this machine doesn't have unregulated internet access though, since network access is the hardest to control.

If disclosure of the contents of the valid PDFs would have dire consequences, make sure only one PDF at a time is accessible to the account running the interpreter at a given time (eg by copying the file into a staging location from yet another user account, running the interpreter via su/sudo (not sudo to root!), then taking the result file away. Rinse, repeat.

Oh, and: Keep the original files away from any (especially Windows) PCs that are set up to do previews of files in Explorer, in email clients or similar frontends!

Answer 6

Depending on your threat model, even the "burner device" or virtual machine approach might not be sufficient. If an attacker is looking to identify your location, or even if a spammer wants to validate that your email address is active, then having the PDF phone home after being opened will expose you. Crafty PDFs might even contain worms to infect other machines, though I've never seen that in the wild.

Thus, after downloading the PDF, you may need to disconnect the device from the network before opening it.

Answer 7

I think Qubes OS is a great option, but you should also take a look into Subgraph OS (Note: It still is in its alpha version as of 2-2017, you should probably wait until a more stable version comes out to rely on it for strong security). It ships by default with a Linux kernel hardened with Grsecurity/PaX, and it has by default sandboxes around at-risk applications such as a PDF reader (Evince). Because of the kernel hardening, most exploits against the PDF reader would be mitigated. If however they're successful, then the attacker is still limited to the sandbox (Oz) in which the PDF runs,

The sandbox prevents Evince from accessing sensitive files on the computer, such as your encryption keys, email, personal documents, etc. Evince only requires access to the PDF(s) it is reading and some other files it needs to operate normally.

The sandbox also limits the types of actions that an attacker can do, such as limiting the system calls that an application (running in user-space) can make to ask the kernel (running in kernel-space) to do things such as read and write files, communicate over the network, etc., using a Linux feature called seccomp. Thus for example the sandbox also prevents the PDF reader (Evince) from connecting to the Internet, which protects you from an attacker who wants to get your IP address to discover your location.

You can get the full documentation on how to open PDF files in Subgraph OS here.

Answer 8

I would recommend a "isolated" device only for downloading and opening the pdfs. Ie. not connected to the rest of your network.

Then print it (paper can't transmit malware).

After that you could scan it, then you have a copy in image format. The printer should be isolated and connected only to the contaminated device aswell in this case. The scanner can be connected to the rest of your network.

If you want a faster workflow you could just transform them to images and then send them to yourself if you need to view them somewhere else, though you have to gurantee that the mail is not infected in some way. No links/images/javascript injected and the file format isn't executable or pdf.

Which means that the receiving end needs to view only text no html or javascript.

Answer 9

This is a weaker (user-level) answer using firejail and xpdf, and maybe cpulimit:

firejail [...options...] xpdf suspicious.pdf

It's unclear to me what the best options would be for suspect PDF files. These seem to work, and would probably disable most nastiness:

firejail  --caps.drop=all  --machine-id  --net=none  --nonewprivs  \
          --memory-deny-write-execute --overlay-tmpfs  --seccomp \
          xpdf suspicious.pdf

If there's worry that the suspect PDF is also a CPU hog, prefix the first line with:

cpulimit -c 1 -l 10 -m -- \

Which would further restrict firejail and its child processes to using 10% of one CPU.

Answer 10

All the answers above seem feasible, but tbh, it seems much simpler to buy a really cheap laptop that functions as a kind-of burner, remove the hard drive (hence cheap), download a non-persistent os (linux is awesome!) on a thumbdrive (from personal computer), plug in usb and configure boot sequence, access your email (from thumbdrive), download pdf, disable wifi connection (preferably physically), open pdf, do work, terminate all non-relevant processes (if you need to reconnect) or reboot, hence destroying any viruses that could have been downloaded. The reason I have you remove your hard drive is so that the virus doesn't attempt to save everything (including itself) to another drive that isn't effected by the wipe.

Answer 11

I would recommend buying a cheap Android phone (they're around 50$ nowadays) and using it to open documents. Send your files to the cloud and then download them into your Android phone. That way your computer stays remarkably safe from damage from malicious PDFs.

Answer 12

Open the files in a sandbox.

If you're infected, the infection should be contained and you can reset this virtual environment.

Edit:

A sandbox is a virtual environment which you can create and remove at will, like a virtual desktop where you can do anything and then reset it back to the initial stage.

Infected? Simply reset.

Avast antivirus (paid version) for example has a sandbox solution which allows you to right click on the file and open it in a sandbox.

There are tons of solutions like this, another example is Sandboxie

Edit 2:

Removed the MD5 suggestion, it's inferior to the sandbox solution.

Answer 13

Use OpenBSD or FreeBSD, they have been designed to be as secure as possible. They also don't require much technical knowledge. Using docker containers to handle PDF files would be ultra safe.

Answer 14

Just use an Ubuntu Touch smartphone. Unlike Android and iOS, it is not very popular, so there are fewer people looking for exploits. Thus, there is a lower probability of getting exploited by malicious PDFs. It's not just Ubuntu Touch, you can use any mobile OS that is not popular.