Embedded Documents In PDF Files That Can Easily Infect You

file

We have recently been seeing a newer method of infecting you by embedding macro enabled word docs into pdf files. To all intents and purposes these PDF files look quite innocent and will normally be an almost blank page with 1 line of text
These recent posts illustrate the attack method:

  • https://nftsgary.com/the-return-of-locky-ransomware-with-fake-receipts-malspam/
  • https://nftsgary.com/fake-copy-of-your-123-reg-invoice-delivers-dridex-banking-trojan/
  • https://nftsgary.com/scan-data-malspam-pretending-to-come-from-noreply-your-own-email-address-tries-to-deliver-malware/
  • https://nftsgary.com/scanned-file-with-pdf-attachment-malspam-drops-malicious-word-macro-delivers-malware/
  • https://nftsgary.com/pdf-pretending-to-come-from-your-own-email-address-delivers-jaff-ransomware/
  • https://nftsgary.com/more-fake-invoice-malspam-with-pdf-attachments-deliver-malware/
  • https://nftsgary.com/scanned-image-malspam-with-pdf-attachment-delivers-jaff-ransomware/
  • https://nftsgary.com/more-malware-via-embedded-word-macro-docs-in-pdf-attachments/

If you have Adobe reader or any other PDF reader set to default settings, then there is a high probability of you becoming infected via this method. Luckily it is relatively easy to protect yourself.
First of all go to https://nftsgary.com/infected-malformed-pdf-attachments-emails/ and follow the instructions to set PDF files to open in the Adobe Reader ( or whichever PDF reader you use) NOT to open in the browser which introduces many possible vulnerabilities.

The settings vary for this vary according to your browser:

Internet Explorer

Step1. go to tools/manage addons
Step2. Select all addons in the drop down, look for Adobe PDF reader and then press the disable button.
That way any PDF you receive will only open in Adobe reader itself and not in your browser, so cutting down the risk of any exploit infecting you.

Google Chrome

Step 1: Open Chrome and type “about:plugins” into the omnibox at the top.
Step 2: Scroll down and find Chrome PDF Viewer.
Step 3: Click the “Disable” link to prevent PDFs from loading within Chrome
Firefox see HERE (https://support.mozilla.org/en-US/kb/disable-built-pdf-viewer-and-use-another-viewer) and select use Adobe Reader ( default) or the alternative PDF reader you have installed.

Previewing PDFs in a browser is just too dangerous to take a risk with the current exploits and it is much safer to view them in the application itself which should be sand-boxed to prevent exploits slipping out.
Once you have safer settings set in Adobe reader, you are extremely unlikely to infect yourself with this sort of malware.

Trying to open a PDF with embedded content will give you this


and you can see that you cannot open or save the embedded word document so stopping you from being infected, even though you can see the word doc listed in left hand side bar

First Open Adobe reader, on the top menu bar select Edit then Preferences. This contains all the settings you need to change to make sure that this and other similar types of malware cannot infect you.
The majority of time, you don’t need JavaScript enabled. On the odd occasion that you need it to fill in forms from Governments, employers, Tax etc. you can re-enable it for that single use.

Next enable Adobe Protected Mode and Enhanced Security. This blocks most features in Adobe reader to stop anything auto opening or running. It prevents you saving or opening attachments or embedded objects like video or sound ( why anyone would want music or video in a PDF is beyond me though.)

Enable Adobe Protected ModeNext and the most important in preventing embedded objects from being used maliciously

You can read https://nftsgary.com/malformed-infected-word-docs-embedded-macro-viruses/ to learn how to set word to protect you.

Total
12
Shares
Leave a Reply

Your email address will not be published.

Related Posts