malicious-pdf
AI Summary: Malicious PDF is a tool designed to generate various malicious PDF files featuring phone-home capabilities for use in penetration testing and red-teaming. It supports integration with platforms like Burp Collaborator and Interact.sh, providing a diverse set of attack vectors through ten different crafted PDF examples meant for testing web applications, security products, and PDF readers. Key features include the ability to create PDFs exploiting vulnerabilities like external file access, JavaScript injection, and form data exfiltration.

Malicious PDF Generator ☠️
Generate ten different malicious PDF files with phone-home functionality. Can be used with Burp Collaborator or Interact.sh.
Used for penetration testing and/or red-teaming etc. I created this tool because I needed a tool to generate a bunch of PDF files with various links. Educational and professional purposes only.
Usage
```
pip install -r requirements.txt
python3 malicious-pdf.py burp-collaborator-url
```
Output is written to the current directory as test1.pdf, test2.pdf, test3.pdf, etc.
Complete Test Matrix
| Test File | Function | CVE/Reference | Attack Vector | Method | Impact |
|---|---|---|---|---|---|
| test1.pdf | create_malpdf() | CVE-2018-4993 | External file access | /GoToE action with UNC path | Network callback via file system |
| test1bis.pdf | create_malpdf() | CVE-2018-4993 | External file access | /GoToE action with HTTPS URL | Network callback via HTTPS |
| test2.pdf | create_malpdf2() | XFA form submission | Form data exfiltration | XDP form with submit event | Automatic form submission |
| test3.pdf | create_malpdf3() | JavaScript injection | Code execution | /OpenAction with app.openDoc() | External document loading |
| test4.pdf | create_malpdf4() | CVE-2019-7089 | XSLT injection | XFA with external XSLT stylesheet | UNC path callback |
| test5.pdf | create_malpdf5() | PDF101 research | URI action | /URI action type | DNS prefetching/HTTP request |
| test6.pdf | create_malpdf6() | PDF101 research | Launch action | /Launch with external URL | External resource execution |
| test7.pdf | create_malpdf7() | PDF101 research | Remote PDF | /GoToR action | Remote PDF loading |
| test8.pdf | create_malpdf8() | PDF101 research | Form submission | /SubmitForm with HTML flags | Form data submission |
| test9.pdf | create_malpdf9() | PDF101 research | Data import | /ImportData action | External data import |
| test10.pdf | create_malpdf10() | CVE-2017-10951 | JavaScript execution | JavaScript to launch Calculator | Application execution |
| test11.pdf | create_malpdf11() | EICAR test | AV detection | Embedded EICAR string | Anti-virus testing |
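
A defender-side check for the features the matrix above exercises, as an added example that is not part of the malicious-pdf project: it counts the PDF action names from the Method column in an uploaded file, normalising `#xx` name escapes and inflating Flate streams first. The function names, the name list and the sample bytes are constructed for illustration.

```python
import re
import zlib

# Names from the Method column of the matrix above; /JavaScript, /JS and /XFA are
# assumed here as the dictionary keys behind its JavaScript and XFA rows.
SUSPICIOUS = {b"/OpenAction", b"/JavaScript", b"/JS", b"/GoToE", b"/GoToR",
              b"/Launch", b"/URI", b"/SubmitForm", b"/ImportData", b"/XFA"}
NAME_RE = re.compile(rb"/[^\s/<>\[\](){}%]+")        # one PDF name token
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")           # #xx escape inside a name
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(token: bytes) -> bytes:
    """Undo #xx escapes so that /Open#41ction compares equal to /OpenAction."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the inflated body of every stream that is valid zlib data."""
    chunks = []
    for match in STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue  # other filter or damaged data; the raw bytes are still scanned
    return b"\n".join(chunks)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw bytes and in inflated stream bodies."""
    hits = {}
    for token in NAME_RE.findall(data + b"\n" + inflate_streams(data)):
        name = decode_name(token)
        if name in SUSPICIOUS:
            hits[name.decode("ascii")] = hits.get(name.decode("ascii"), 0) + 1
    return hits


# Constructed sample (object fragments, not a complete PDF) with a placeholder host.
SAMPLE = (
    b"1 0 obj\n<< /Type /Catalog /Open#41ction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /URI /URI (https://callback.example.invalid/) >>\nendobj\n"
    b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /GoToR /F (remote.pdf) >>")
    + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE))
```

A hit is a triage signal for an upload filter or converter pipeline, not a verdict. Names inside encrypted files or streams using other filters are not seen by this check.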
Purpose
- Test web pages/services accepting PDF files
- Test security products
- Test PDF readers
- Test PDF converters
Credits
- Insecure features in PDFs
- Burp Suite UploadScanner
- Bad-Pdf
- A Curious Exploration of Malicious PDF Documents
- “Portable Document Flaws 101” talk at Black Hat USA 2020
- Adobe Reader - PDF callback via XSLT stylesheet in XFA
- Foxit PDF Reader PoC, DoHyun Lee
- Eicar test file by Stas Yakobov
In Media
- Brisk Infosec
- Daily REDTeam
- Malicious PDF File | Red Team | Penetration Testing
- John Hammond - Can a PDF File be Malware?
Todo
- Adobe Acrobat PDF Reader RCE when processing TTF fonts, CVE-2023-26369
- Adobe Acrobat and Reader Use-After-Free Vulnerability, CVE-2021-28550