The PDF format, created by Adobe in 1993, is one of the most used document formats in the world.

By certain estimates, more than 2 billion PDFs are opened each year in Microsoft Outlook alone.

But is this format safe? Can hackers exploit it to compromise your endpoint? And what protection measures can a company enact?

Here’s a little overview of the question.

What contributes to the security of the PDF format

The PDF format (Portable Document Format) has some characteristics that contribute to its security, when compared for example with Word documents or ISO files:

  • Not an executable: This is obvious, but a PDF is not an executable file, and therefore represents less of a risk than .exe files or .iso files, which can be mounted and used to run an executable
  • More difficult to edit: Compared with Word (.docx) or Pages (Apple) files, a PDF is harder to modify and offers fewer opportunities for editing

Based on these factors, it has been easier for hackers to hide their malware in other types of files than in PDFs.

But that doesn’t mean (at all) that the PDF you just received is necessarily safe!

Can a PDF contain malware?

A PDF can be used as an attack vector by hackers, who have several techniques at their disposal.

Scripts

PDFs can contain scripts to provide a minimum of user interaction and editing (for example filling in form fields, signing a document, or interacting with buttons like “print”).

These scripts can be edited normally (via tools like Adobe Acrobat Pro) and are then executed by PDF readers. But hackers can also inject their own commands into these PDF files.

  • JavaScript: This is probably the main threat for a PDF file: the format allows JavaScript to be embedded, for example so the reader can interact with the document. Hackers can therefore insert their own malicious JavaScript code that exploits specific vulnerabilities to compromise an endpoint
  • System commands: It’s possible to insert system commands in a PDF file that will run when it is opened. These can be made conditional on confirmation by the reader (similar to the prompt to enable macros in an Excel, PowerPoint or Word file), but the message can be edited to increase the odds that the reader will approve the commands. This turns the PDF into a de facto executable file.
  • Insert malware: It’s also possible to embed malware in a PDF. This can be achieved (for example) with the Metasploit module exploit/windows/fileformat/adobe_pdf_embedded_exe (Metasploit is an open-source framework of ready-to-use exploits and payloads for pen-testing teams), which exploits vulnerabilities in certain PDF readers (Adobe Reader, for example) to open a backdoor on the target endpoint when the file is opened

Multimedia content

A PDF with multimedia content can present a risk: video or audio files can be corrupted and used to hide malicious code.

Objects like Word or Excel files embedded within a PDF can also contain malware. For example, opening a PDF can lead to a Word file being opened and malware (such as a loader) being deployed if macros are enabled.

Social engineering and links

Finally, there is an even simpler technique to turn a PDF into an intermediary in the compromise of an endpoint: social engineering.

The hackers’ goal here is to convince the user to click on the links in the PDF file. This can be achieved by leveraging psychological levers (curiosity, fear, authority, personal gain…).

The links can redirect users to malicious sites that harvest their credentials (fake login page) or trick them into downloading malware (drive-by download)…
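The three techniques above (scripts and launch actions, embedded files and multimedia objects, and links) all leave a fingerprint in the PDF object syntax, which is why tools of the pdfid family can triage attachments at a mail gateway before a reader ever opens them. The scanner below is an added example, not code from the original article; it reads a PDF as bytes, inflates FlateDecode streams so names hidden in compressed objects are visible, undoes the #xx hex escape that obfuscated names use (/J#61vaScript), and counts the risky name tokens discussed above. SAMPLE_PDF is a constructed, non-rendering document built inline for the example; the name list, the verdict strings and the URI regex are my choices, not a standard.

```python
import re
import sys
import zlib
from collections import Counter

# Constructed sample document for offline testing (not a real file from the
# page). The JavaScript OpenAction sits inside a FlateDecode stream with a
# hex-escaped name, the two evasions the scanner is meant to see through.
HIDDEN_ACTION = zlib.compress(
    b"<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>"
)
SAMPLE_PDF = b"".join([
    b"%PDF-1.7\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/Names << /EmbeddedFiles 6 0 R >> >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n",
    b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(HIDDEN_ACTION),
    HIDDEN_ACTION,
    b"\nendstream endobj\n",
    b"5 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/login) >> >> endobj\n",
    b"6 0 obj << /Names [(invoice.docx) 7 0 R] >> endobj\n",
    b"7 0 obj << /Type /Filespec /F (invoice.docx) /EF << /F 8 0 R >> >> endobj\n",
    b"8 0 obj << /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# PDF name tokens that mark the features discussed in the text. A hit means
# "inspect", not "malicious": legitimate forms use /JS and /AA as well.
RISKY_NAMES = {
    "/JavaScript": "script",
    "/JS": "script",
    "/Launch": "system command (Launch action)",
    "/OpenAction": "action that runs when the file is opened",
    "/AA": "additional (event-triggered) actions",
    "/EmbeddedFile": "embedded file, e.g. an Office document",
    "/RichMedia": "multimedia content",
    "/URI": "external link",
}

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript.
    Escapes inside string literals are decoded too, which is harmless for triage."""
    return HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every zlib (FlateDecode) stream to the data,
    so names hidden inside compressed objects are visible to the scan. Streams
    that are not zlib data are skipped; decompressobj tolerates the trailing
    newline bytes that sit between the zlib data and 'endstream'."""
    extra = []
    for m in STREAM.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        if out:
            extra.append(out)
    return data + b"\n" + b"\n".join(extra)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count occurrences of each risky name; returns {name: count} for names seen."""
    text = normalise_names(inflate_streams(data))
    counts = Counter()
    for name in RISKY_NAMES:
        # A name token ends at whitespace or a delimiter, so the lookahead keeps
        # /EmbeddedFiles (the name tree) from being counted as /EmbeddedFile.
        pattern = re.escape(name.encode("ascii")) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return dict(counts)


def extract_uris(data: bytes) -> list:
    """Collect /URI (...) targets for blocklist checks or analyst review.
    Handles plain literal strings only (no escaped parentheses)."""
    text = normalise_names(inflate_streams(data))
    return [u.decode("latin-1") for u in re.findall(rb"/URI\s*\((.*?)\)", text)]


def triage(data: bytes) -> str:
    """Coarse verdict a mail gateway or analyst could act on."""
    hits = scan_pdf_bytes(data)
    if any(n in hits for n in ("/JavaScript", "/JS", "/Launch")):
        return "review: active content"
    if any(n in hits for n in ("/EmbeddedFile", "/RichMedia")):
        return "review: embedded objects"
    if "/URI" in hits:
        return "links present"
    return "no risky features found"


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for name, count in scan_pdf_bytes(data).items():
        print(f"{name:<14} x{count}  ({RISKY_NAMES[name]})")
    for uri in extract_uris(data):
        print("link:", uri)
    print("verdict:", triage(data))
```

Run it with a path to a PDF to scan that file, or with no arguments to scan the built-in sample, which reports /JavaScript and /JS from the compressed, hex-escaped action, /OpenAction, one /EmbeddedFile and the link target. Object streams (/ObjStm) and non-Flate filters are not expanded here, so a clean result from this scanner is a weak signal while a hit is a strong reason to sandbox the file.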

Examples of phishing links in PDFs (courtesy of Google's Unit 42 site)

What security steps can be taken to protect the use of PDFs in a company?

Nothing can completely protect a company from attacks using a given type of file (especially when the format is used many times a day), but some measures can be taken to mitigate the risk.

  • Install updates: This is obvious, but it’s important to install operating system, PDF reader and browser updates in order to protect against known and patched vulnerabilities
  • Deactivate JavaScript in the PDF reader: This option is available in Acrobat Reader and protects against the execution of malicious JavaScript code
  • Use Protected Mode: For Acrobat Reader users, enable Protected Mode and prevent the PDF reader from opening non-PDF files with external applications
  • Teach, train and help your teams to detect phishing and spear-phishing attacks that use a PDF file as an attack vector, so that they have the right reflexes when faced with these attacks
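Disabling JavaScript and enabling Protected Mode only helps if users cannot switch them back on, which in a managed Windows fleet means enforcing them through Acrobat Reader DC's FeatureLockDown policy key. The audit script below is an added example, not code from the original article: it compares the values found under that key with the hardened state the list above describes and flags settings that are weak or not enforced at all. The registry path and value names (bDisableJavaScript, bProtectedMode, bEnableProtectedModeAppContainer, bEnhancedSecurityStandalone, bEnhancedSecurityInBrowser, iFileAttachmentPerms) are taken from Adobe's enterprise preference reference as I know it and should be confirmed against the version you deploy; the two sample policies are constructed so the logic runs offline.

```python
import sys

# Registry location Acrobat Reader DC checks (under HKEY_LOCAL_MACHINE) for
# administrator-locked preferences. Name taken from Adobe's preference
# reference; confirm it against the deployed version (assumption).
LOCKDOWN_KEY = r"SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"

# Value name -> (expected DWORD, what it enforces). These map onto the
# measures above: JavaScript off, Protected Mode on, attachments not opened.
EXPECTED = {
    "bDisableJavaScript": (1, "JavaScript disabled and locked"),
    "bProtectedMode": (1, "Protected Mode sandbox enabled and locked"),
    "bEnableProtectedModeAppContainer": (1, "Protected Mode runs in an AppContainer"),
    "bEnhancedSecurityStandalone": (1, "Enhanced Security on in the standalone reader"),
    "bEnhancedSecurityInBrowser": (1, "Enhanced Security on in the browser plug-in"),
    "iFileAttachmentPerms": (1, "opening of file attachments blocked"),
}


def audit_lockdown(values: dict) -> list:
    """Compare observed FeatureLockDown values with EXPECTED.
    Returns (name, status, detail) tuples with status 'ok', 'weak' or 'missing';
    a missing value means each user can change that setting themselves."""
    findings = []
    for name, (want, meaning) in EXPECTED.items():
        if name not in values:
            findings.append((name, "missing", f"{meaning}: not enforced by policy"))
        elif values[name] != want:
            findings.append((name, "weak", f"{meaning}: found {values[name]!r}, expected {want}"))
        else:
            findings.append((name, "ok", meaning))
    return findings


def is_hardened(values: dict) -> bool:
    """True only when every expected value is present with the expected data."""
    return all(status == "ok" for _, status, _ in audit_lockdown(values))


def read_lockdown_from_registry() -> dict:
    """Read the live values on a Windows host. Returns {} on other platforms or
    when the policy key does not exist, i.e. when nothing is enforced."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LOCKDOWN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:  # no more values under the key
                    break
                values[name] = data
                index += 1
    except OSError:  # policy key absent
        return {}
    return values


# Constructed sample policies for offline use: one where JavaScript is still
# allowed and most settings are left to the user, one fully enforced.
WEAK_POLICY = {"bDisableJavaScript": 0, "bProtectedMode": 1}
HARDENED_POLICY = {name: want for name, (want, _) in EXPECTED.items()}


if __name__ == "__main__":
    # Audit the live registry on Windows, or the weak sample elsewhere.
    observed = read_lockdown_from_registry() or WEAK_POLICY
    for name, status, detail in audit_lockdown(observed):
        print(f"{status:<8}{name}: {detail}")
    sys.exit(0 if is_hardened(observed) else 1)
```

The exit status makes the script usable from a configuration-compliance job: a non-zero result means at least one of the settings from the list above is either set weakly or merely a user preference that a phishing lure can talk the user into changing.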