
Could a PDF file contain any type of malware?

schroeder

3 Answers


There are many features in PDF that can be used in malicious ways without exploiting a vulnerability. One example is given by Didier Stevens here. Basically, he embeds an executable and has it launch when opening the file. I am not sure how today's versions of readers handle this, but it's a good method of using PDF features in malicious ways.

ripmalware
  • Would such a PDF be dangerous only on OSes like Windows? Would the permission system of Mac/Linux be able to prevent such PDFs from running executables automatically? – Nav Apr 26 '17 at 03:32
  • @Nav executing code has little to do with the OS, and everything to do with the reader. Executing code is allowed to execute other code. Basically you have to trust the reader to not do something stupid like allowing a PDF to execute an application. – Steve Sether Nov 26 '19 at 20:57
  • @Nav It's entirely feasible that a SELinux policy would block a pdf reader from executing _any_ programs. – Nonny Moose Mar 29 '20 at 22:27
  • The PDF links in that blog no longer work. – Jon Jun 22 '20 at 03:11
  • @SteveSether I would reword to something like "do the standard readers that come with major OSes guard against running executables" – Magnus Mar 24 '22 at 13:29
  • @Magnus That doesn't have a lot of meaning. I honestly don't know what a major OS is, or what a standard reader is. It's also a moving target. Maybe that's true today, but not tomorrow? – Steve Sether Mar 25 '22 at 14:23

Yes it can. PDF is a rich format that, aside from static content, can contain dynamic elements. The latter can, for example, contain JavaScript and other elements. Modern PDF viewers tend to warn the user about potentially malicious activity, though.

If you want an example malware, check out pidief.

And generally PDF malware will predominantly be just the dropper, not the payload itself.

To learn more about the vulnerabilities associated with PDF files and ways of detecting them before they do any damage, read the Kali documentation on peepdf.

Konrad Gajewski
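The two answers above point at the same detection idea from different sides: the first at the /Launch action that runs an embedded program on open, the second at JavaScript and at peepdf for finding such things. The script below is an added example, not code from either answer or from the peepdf/pdfid projects, that performs the same kind of keyword triage those tools start with: it tokenises PDF name objects from raw bytes, decodes the `#xx` escapes an author can use to hide `/JavaScript` as `/J#61vaScript`, and flags compressed object streams (`/ObjStm`) because a plain byte scan cannot see names inside them. The four PDF fragments it scans are constructed inline for illustration (the `build_sample_pdf` helper and the `triage` verdict rules are this example's own, not anything from the page); they are not real malware samples.

```python
"""Keyword triage for risky PDF features, pdfid-style.

Added example, not code from the answers above.  It counts the PDF name
tokens that mark "runs something on open" constructs (/OpenAction or /AA
combined with /Launch or /JavaScript), decodes #xx name obfuscation, and
flags compressed object streams because a byte scan cannot look inside them.
"""
import re
from collections import Counter

# Names that pdfid-style tools count.  Presence alone is not proof of malice:
# legitimate forms use /AcroForm and /JavaScript all the time.
RISKY_NAMES = (
    "/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/XFA", "/ObjStm", "/URI", "/GoToR",
)

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Names may encode any byte as #xx, so /J#61vaScript is the same name as /JavaScript.
HEX_ESCAPE_RE = re.compile(r"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so obfuscated and plain spellings compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), raw.decode("latin-1"))


def triage(data: bytes) -> dict:
    """Count risky names in raw PDF bytes and return a coarse verdict (rules are this example's own)."""
    counts = Counter()
    obfuscated = 0
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in RISKY_NAMES:          # exact match: /JS must not match /JSX
            counts[name] += 1
            if b"#" in raw:
                obfuscated += 1

    runs_code = any(counts[n] for n in ("/Launch", "/JavaScript", "/JS"))
    auto_trigger = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    if obfuscated or (runs_code and auto_trigger):
        verdict = "suspicious"
    elif runs_code or counts["/EmbeddedFile"] or counts["/ObjStm"]:
        # Needs a real parser (peepdf, pdf-parser.py) to inflate streams and look inside.
        verdict = "review"
    else:
        verdict = "clean-ish"
    return {
        "counts": {n: counts[n] for n in RISKY_NAMES},
        "obfuscated_names": obfuscated,
        "verdict": verdict,
    }


def build_sample_pdf(action_dict: bytes) -> bytes:
    """Constructed minimal PDF (not a real sample) whose catalog runs
    `action_dict` when the document is opened.  The xref table is omitted;
    the byte scanner does not need it."""
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << " + action_dict + b" >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed inputs: the Launch and JavaScript forms the answers describe,
# one with an obfuscated name, and a harmless GoTo action for comparison.
LAUNCH_SAMPLE = build_sample_pdf(
    b"/Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo hello) >>")
JS_SAMPLE = build_sample_pdf(
    b"/Type /Action /S /JavaScript /JS (app.alert('hello'))")
OBFUSCATED_SAMPLE = build_sample_pdf(
    b"/Type /Action /S /J#61vaScript /JS (app.alert('hello'))")
BENIGN_SAMPLE = build_sample_pdf(b"/Type /Action /S /GoTo /D [0 /Fit]")

if __name__ == "__main__":
    for label, pdf in (("launch", LAUNCH_SAMPLE), ("js", JS_SAMPLE),
                       ("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(pdf)
        hits = {k: v for k, v in result["counts"].items() if v}
        print(f"{label:10s} {result['verdict']:10s} "
              f"obfuscated={result['obfuscated_names']} {hits}")
```

The verdict is deliberately coarse: a hit on `/Launch` or `/JavaScript` next to `/OpenAction` is the "do something the moment the file is opened" pattern both answers describe, while `/ObjStm` or `/EmbeddedFile` alone only says that a proper parser such as peepdf needs to inflate the streams before anything can be ruled out. Run it on a real file with `triage(open(path, "rb").read())`.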

Yes it can.

Whether a file is malicious or not does not depend on the file extension (in this case PDF). It depends on the vulnerabilities in the software which will be parsing it. So, for example, if the PDF reader that you are using contains a buffer overflow vulnerability, then an attacker can construct a special PDF file to exploit that vulnerability.

Consequently, guarding against such attacks is also easy: just ensure your PDF reader is up to date.

A simple Google search landed me on the SANS Institute's overview of PDF malware, which seems to be a good place to start.

Steve Dodier-Lazaro
Jor-el
  • For Adobe Reader, which is likely what you use if you didn't consciously choose something else, the bulletins at http://helpx.adobe.com/security/products/reader.html list the numerous fixed vulnerabilities, with no or little detail. – dave_thompson_085 Jul 27 '14 at 20:58
  • @Jor-el unsurprisingly this page is now serving a 404 error. Would you care to re-find it and summarise it in your answer? – Steve Dodier-Lazaro Aug 31 '16 at 19:22
  • (edit: I updated the link -- still, the proper thing to do would be to summarise the content). – Steve Dodier-Lazaro Aug 31 '16 at 19:50
  • "Guarding by constantly updating" is not necessarily 'easy', nor is it a guarantee that you won't fall prey to an unpatched vulnerability. Yes, it's a good thing to do, but it requires constant discipline. Adobe Reader has so many vulnerabilities that they include an automatic updater - do you really think they've all been found yet? – John Deters Aug 31 '16 at 19:54