Hardly detected malware hides as PDF in ZIP, executes through shortcut

Posted 23 April 2014 20:59 CEST by Jan Willem Aldershoff

A new malware campaign tries to infect users with an executable disguised as a PDF file, launched through Windows shortcuts; so far it is hardly picked up by anti-virus software. The file arrives as an e-mail attachment, in our case attached to an e-mail claiming to be a bank invoice. The mail comes from the address Lila.Pittman@adp.com, someone claiming to work at Automatic Data Processing Inc. in Roseland.

The attachment is a ZIP file that contains what appears to be a PDF file and some shortcut (.lnk) files. The malware was detected and diagnosed by our forum administrator Seán.

[Image: myce-shortcut infection]

The "PDF" won't open in a PDF reader because it is actually a Windows executable (.exe) with a PDF name; the likely intent is that a user who cannot open it clicks one of the shortcuts instead. Each shortcut points at a command prompt (cmd.exe) whose command line runs the fake PDF as an executable, so the shortcut, not the PDF, is what starts the infection.
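The pattern above (a document-named file that is really a PE executable, plus a shortcut whose target is cmd.exe) can be triaged automatically before anyone double-clicks. The following is an added example, not code from the original post or from Myce; the attachment it scans is constructed in memory (a stub that only carries the MZ magic, and a hand-built .lnk with the RelativePath and Arguments fields set), and the shortcut's command line is an assumed illustration of the technique, not the one in the screenshot. The .lnk reader follows the MS-SHLLINK layout for the header, the optional IDList and LinkInfo blocks, and the counted StringData fields.

```python
"""Triage a ZIP attachment for the fake-PDF-plus-shortcut pattern.

Added example, not from the original post.  Sample archive contents are
constructed here: a stub that only begins with the 'MZ' magic, and a
minimal .lnk pointing at cmd.exe with an assumed command line."""
import io
import struct
import zipfile

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader, offset 20)
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")
LOLBINS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")


def parse_lnk(data):
    """Return the StringData fields of a Shell Link (.lnk) as a dict.

    Walks the 76-byte header, skips LinkTargetIDList and LinkInfo if present,
    then reads the counted strings (UTF-16LE when IsUnicode is set)."""
    if len(data) < 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole struct
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return out


def scan_zip(zip_bytes):
    """Return (entry_name, finding) tuples for suspicious archive members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, low = info.filename, info.filename.lower()
            data = zf.read(info)
            # A document-named file whose bytes start with the PE 'MZ' magic
            if low.endswith(DOC_EXTS) and data[:2] == b"MZ":
                findings.append((name, "PE executable disguised as a document"))
            # A shortcut whose target or arguments invoke a command interpreter
            if low.endswith(".lnk"):
                try:
                    fields = parse_lnk(data)
                except ValueError as exc:
                    findings.append((name, f"unparseable .lnk: {exc}"))
                    continue
                cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
                if any(tool in cmd.lower() for tool in LOLBINS):
                    findings.append((name, f"shortcut launches {cmd!r}"))
    return findings


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    header = struct.pack("<I16sI", 76, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (76 - len(header))      # attributes, times, size, icon, show, hotkey, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def sample_attachment():
    """Constructed stand-in for the mailed ZIP (assumed names and command line)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60 + b"stub, not a real PE")
        zf.writestr("Open_Invoice.lnk", build_lnk(
            "..\\..\\..\\Windows\\System32\\cmd.exe",
            "/c copy Invoice.pdf %TEMP%\\inv.exe & %TEMP%\\inv.exe"))
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, finding in scan_zip(sample_attachment()):
        print(f"{entry}: {finding}")
```

The check deliberately keys on file content and shortcut targets rather than on signatures, which is why it still fires when only a handful of engines know the hash; in a mail gateway the same two rules (extension/magic mismatch, and a .lnk that resolves to a command interpreter) are cheap to run on every archive.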

[Image: myce-shotcut-properties]

When we uploaded the ZIP file to VirusTotal, just 4 of 51 engines flagged it: K7AntiVirus, K7GW, Qihoo-360 and Sophos. Others such as McAfee, Symantec and AVG all reported it as clean. The malware appears to evade mail filters and scanners by hiding an unreadable "PDF" (really an executable) inside a ZIP file and relying on shortcuts to launch it.

The fake PDF itself, uploaded on its own, was recognized by 7 of the 51 VirusTotal engines, including McAfee and Sophos. This number will increase over time as anti-virus vendors add detections for the files.



Ibex
CDFreaks Resident
Posted on: 23 Apr 14 19:37
Interesting... Great work spotting that one, Seán.

Worth remembering that any file type can contain malicious code. But, as in this case, it may not be able to execute without external help. This method is simple but ingenious.
0 Agree

kbksrb
New Member
Posted on: 31 Dec 15 00:13
how to attach virus in pdf files

http://bicombusiness.blogspot.com/2015/12/adobe-pdf-view.html
0 Agree

coolcolors
MyCE Resident
Posted on: 31 Dec 15 00:45
Ugh....well, if you don't know where your PDF is coming from, then expect to get virused/malwared. It's really simple: keep your system up to date, but as with anything, a new virus/malware is going to be missed. To think it would be caught the day it comes out is short-sightedness here.
0 Agree

Xercus
MyCE Senior Member
Posted on: 31 Dec 15 16:43
Quote:
Originally Posted by coolcolors
Ugh....well, if you don't know where your PDF is coming from, then expect to get virused/malwared. It's really simple: keep your system up to date, but as with anything, a new virus/malware is going to be missed. To think it would be caught the day it comes out is short-sightedness here.
In reality, the Adobe formats like PDF are containers like a zip-file and so it does not surprise me that they are used for distributing malware.

In this respect, coolcolors has an important advice for you and so I repeat it in my reply as it is crucial to your security that you read and understand it.
1 Agree
