Friday, March 27, 2015

How to Add Javascript to a PDF

I recently blogged about analyzing javascript in a PDF. I'd like to go full circle now and go back to an example of how to put javascript into a PDF, then detect that code I just put in there.

It starts with an amazing tool from Didier Stevens again called make-pdf-javascript.py

Now let's write some Adobe API javascript code (my full sample here) that displays a popup and then sends the user to my blog. Save it to a file called 'code.js'

app.alert('neonprimetime created this sample for educational purposes');
app.launchURL("http://neonprimetime.blogspot.com", true);


Then we need to run the make-pdf-javascript.py tool that we downloaded earlier and watch as it creates a new pdf.

> .\make-pdf-javascript.py -f .\code.js sample.pdf



Now you have 2 ways a user could open this malicious PDF. They could open it in Acrobat Reader or in their Browser (Internet Explorer, Firefox, Chrome, etc.). The behavior of this one is different depending on your choice.

If I open in the regular Adobe Reader application it looks like this (Note: Adobe has a nice security feature that prompts you to confirm if you really want to open the webpage)





Now if you open it in a browser it behaves slightly different, a bit more deceiving actually in my opinion. The PDF is actually replaced by my webpage! Interesting to say the least.





Now I could've actually caught this ahead of time by running the process I explained in a previous blog

> .\pdfid.py .\sample.pdf

You'll notice below that it found 1 instance of Javascript



> .\pdf-parser.py .\sample.pdf

You'll notice below that it shows my javascript



Don't trust those random emails from random nobodies!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment