Scenario 2: Layered (Russian Doll) in PDF

OVERVIEW: Scripted malware is used by an attacker to conceal a script inside a document. Often the file looks normal; however, features of the viewing application can be exploited to the attacker's benefit.

BUSINESS PROBLEM: Employees may unknowingly launch malware by simply opening a file, moving the mouse over a part of the document (common in Adobe PDF), or following prompts (such as enabling macros).

THREAT: Scripted malware is not new, and some defences will easily stop it. However, Deep Secure has shown that detection is not always a safe assurance: many of the samples in this section have been submitted to VirusTotal and receive a "clean" score.

SAMPLE 2:

Company Report (PDF with embedded EICAR in DOCX)


TEST USING GX PLATFORM:

With CTR DISABLED
(i.e. the ICAP profile is disabled on the Web Proxy, or manually bypassed in the browser)

  • Download the original file and save locally
  • Open the file with Adobe Reader and follow the screen prompts

With CTR ENABLED

  • Download the file and save locally
  • Open the file with Adobe Reader
  • Notice the prompts are no longer present

OUTCOME

  • The original file contains an embedded Word file inside a PDF.
  • The Word file has a macro (which prompts the user if macros are disabled) that will drop the EICAR test file onto the local machine.
  • However, when the file is transformed by the GX it will only deliver the business information inside the original PDF.
  • Comparing the file sizes will also show that CTR created new data; this new file is used to carry the information to the user.
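To make the layered structure concrete, here is an added Python example (not Deep Secure's code and not the GX's transformation logic) that builds a constructed PDF carrying a macro-style OOXML attachment alongside a clean PDF, then runs a defender's triage check over both: it lists active-content keys, extracts each /EmbeddedFile stream by its /Length, and tests whether an attachment is an OOXML container that carries a vbaProject.bin part. The file name report.docm, the placeholder VBA bytes, and the alert JavaScript are all constructed for the example; the PDF omits its xref table, so it is a parser fixture rather than a reader-valid file.

```python
import io
import re
import zipfile
from typing import Optional

# PDF keys that introduce active or nested content; a CTR engine strips these,
# and a triage script should flag them before a user ever opens the file.
ACTIVE_CONTENT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
MACRO_PART = "word/vbaProject.bin"   # OOXML part that holds the VBA project in a .docm


def build_macro_docx() -> bytes:
    """Constructed OOXML container that mimics a macro-enabled Word file.
    The vbaProject.bin content is a placeholder string, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Company Report</w:document>")
        z.writestr(MACRO_PART, b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def build_pdf(attachment: Optional[bytes]) -> bytes:
    """Constructed minimal PDF (no xref table, so not reader-valid); with an
    attachment it nests the document as a /Filespec plus /EmbeddedFile stream."""
    objs = []
    catalog = b"/Type /Catalog /Pages 2 0 R"
    if attachment is not None:
        catalog += (b" /Names << /EmbeddedFiles << /Names [(report.docm) 3 0 R] >> >>"
                    b" /OpenAction << /S /JavaScript /JS (app.alert('constructed sample')) >>")
    objs.append(b"<< " + catalog + b" >>")
    objs.append(b"<< /Type /Pages /Kids [] /Count 0 >>")
    if attachment is not None:
        objs.append(b"<< /Type /Filespec /F (report.docm) /EF << /F 4 0 R >> >>")
        objs.append(b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(attachment)
                    + attachment + b"\nendstream")
    body = b"%PDF-1.7\n"
    for i, obj in enumerate(objs, start=1):
        body += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_embedded_files(pdf: bytes) -> list:
    """Return the raw bytes of every /EmbeddedFile stream, sized by its /Length
    entry rather than by searching for 'endstream' inside binary data."""
    out = []
    for m in re.finditer(rb"<<([^>]*?/Type\s*/EmbeddedFile[^>]*?)>>\s*stream\r?\n", pdf):
        length = re.search(rb"/Length\s+(\d+)", m.group(1))
        if not length:
            continue
        start = m.end()
        out.append(pdf[start:start + int(length.group(1))])
    return out


def is_macro_enabled_office(blob: bytes) -> bool:
    """True when the blob is a zip (OOXML) container holding a VBA project part."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def scan_pdf(pdf: bytes) -> dict:
    """Triage summary: active-content keys, attachment count, macro attachments."""
    attachments = extract_embedded_files(pdf)
    return {
        "active_content": [k.decode() for k in ACTIVE_CONTENT_KEYS if k in pdf],
        "embedded_files": len(attachments),
        "macro_attachments": sum(is_macro_enabled_office(a) for a in attachments),
    }


def compare_sizes(original: bytes, transformed: bytes) -> dict:
    """Mirror the page's size-comparison check: a rebuilt document differs in
    size and content from the original, it is new data, not a filtered copy."""
    return {"original_size": len(original), "transformed_size": len(transformed),
            "identical": original == transformed}


if __name__ == "__main__":
    layered = build_pdf(build_macro_docx())
    clean = build_pdf(None)
    print("layered:", scan_pdf(layered))
    print("clean:  ", scan_pdf(clean))
    print("sizes:  ", compare_sizes(layered, clean))
```

Run it as-is to see the layered sample flagged for /OpenAction, /JavaScript and one macro-bearing attachment while the clean sample reports nothing; the same scan_pdf() call can be pointed at the bytes of a real download before and after CTR to confirm the nested Word file is gone.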


NOTES:

  • Opening in Adobe Reader is necessary to see the desired outcome.