Using JS2PDFInjector to check risks of PDF files with embedded JavaScript

JS2PDFInjector

Let’s do a very short script for a play to set the scene for this one. Positions, everyone:

CornerPirate: Love PDF? Love your JavaScript? Everyone’s favourite office file format and interactive code engine together!

*interlocks his fingers*

CornerPirate: Let’s weave them together. What could possibly go wrong?

What could possibly go wrong indeed. No point dallying; you can find out how that could go wrong at these places:

These are all way more detailed than I would choose to go on the subject and are worth a read.

Probably a great idea to make sure that your email and Internet proxy block them coming inbound then, isn’t it?

This post will show you a tool which can be used to inject JavaScript into a PDF so that you can evaluate your own inbound filtering systems.

Get the tool

You can get the source and the built jar from the repository below:

https://github.com/cornerpirate/JS2PDFInjector

Download the zip or clone it; it is your choice.

Using it

Go to the “dist” directory and run the jar file. In Windows you can double click on the jar if you have the Java Runtime installed. Alternatively you can run:

java -jar JS2PDFInjector.jar

When it launches it will:

  1. Ask you to select a PDF file to inject into.
  2. Ask you to select a file containing JavaScript that you want to run when users open the PDF.
  3. Create a new PDF in the same directory as the original, with “js_injected_” in the file name.

Pretty simple, I think. It could be a command line tool. But meh, I wanted file choosers for some reason that day. You have the source, so go fix it if you like.

Creating Payloads

The JavaScript APIs are slightly different from those you might be familiar with in web browsers. In order to understand exactly how to create payloads you are going to need to understand the APIs here:

js_api_reference.pdf

As a pentester it is usually sufficient for me to simply evaluate whether the defences strip all JS from a PDF or quarantine the file on the way in. If your solution does not, then I can infer that you could be doing more to protect yourself.

So for me it has been enough to go with a simple alert message like this one:

app.alert("Hello world!");

If you want to weaponize this by injecting malicious things, then you do so at your own legal risk and I am not responsible for your actions.

I just felt that if this was in any way useful to someone then I should share it!

How to use your file legitimately

So you found this blog because you wanted to evaluate your company’s defences against PDFs with malware written in JavaScript? Awesome.

  1. Test your Anti-Virus [Local Only Test]
    1. Upload your PDF onto a server or workstation you want to test by USB or whatever works in your environment locally.
    2. Right click and scan with your anti-virus solution and see if it says anything.
    3. The chances are your PDF does not match any signature since you have made it yourself. However, if you have configured a solution which says it “warns when a PDF has JavaScript” or it “quarantines” such files, check to see that it has found it.
    4. For bonus points, if your AV is configured to log events centrally, make sure someone has seen the log alert and has kicked off an investigation.
  2. Test your Email Filtering
    1. Use an external email address to email your PDF into a work address.
    2. You may have a complex system with multiple in-line inspection points before the email reaches a user. If the email arrives with the attachment intact and it triggers an alert (or whatever your payload is) in Adobe Reader, then you should repeat step one (Local AV scan). Your company is at risk, as you have found that people can email in potentially dangerous PDF files. Repeating the AV scan manually will show whether it will ever find that file. At this point the payload has already run and you have been compromised.
    3. If the email arrived but Adobe does not execute your payload, the chances are that you have something in-line before it hits users which has attempted to remove the JavaScript from the PDF file but leave the original viewable content. Investigate on your filtering systems which component has done this, and see whether an appropriate alert was raised and investigated by a member of staff. This is still evidence that somebody *tried* to target your users.
  3. Test your Internet proxy Filtering
    1. Upload your PDF file to an Internet web server. It has to be the Internet because Microsoft’s various web browsers implement a “zone” model for security. The Internet zone is the least trusted, so it is the fairest evaluation.
    2. Download the file in the default web browser for your users going through all Internet proxy and inspection routes.
    3. If the payload executes when opened in Adobe, then you have found another route to download PDF files with JavaScript onto your target machine from an external source. Repeat step one to see if you have a last ditch defence in the AV. However, it is worth noting that the AV allowed the payload to run so…. hmmmm. You are already compromised and should look at the AV solution.
    4. Again, if the payload did not execute, try to investigate where in the chain it was stopped, and then check that staff reacted to that alert.

You can take these techniques and alter them for all other routes into your organisation. A file-upload on a website? An SFTP service etc.
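For the "did the filter strip the JavaScript?" checks in steps 2 and 3, one way to get evidence is to compare the PDF name tokens in the file you sent with the copy that arrived. This is an added example, not part of JS2PDFInjector or the original post; the function names and the sample bytes are constructed for illustration, and it only sees names that appear uncompressed in the file.

```python
import re

# Name tokens worth counting. /ObjStm matters because compressed object
# streams can hide the other names from a raw byte scan.
INDICATORS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/ObjStm")

# A PDF name is "/" followed by anything that is not whitespace or a delimiter.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, which the PDF format allows inside names."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def count_indicators(pdf_bytes: bytes) -> dict:
    """Count each indicator name found anywhere in the raw bytes."""
    counts = dict.fromkeys(INDICATORS, 0)
    for match in _NAME.finditer(pdf_bytes):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def verdict(sent: bytes, received: bytes) -> str:
    """Compare the file you sent with the copy that reached the user."""
    before, after = count_indicators(sent), count_indicators(received)
    if before["/JS"] + before["/JavaScript"] == 0:
        return "test file carries no visible JavaScript"
    if after["/JS"] + after["/JavaScript"] > 0:
        return "delivered intact"
    if after["/ObjStm"] > 0:
        return "inconclusive: object streams need decompressing first"
    return "JavaScript stripped"

# Constructed PDF fragments (not complete files), for illustration only.
SENT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        b'3 0 obj\n<< /S /JavaScript /JS (app.alert("Hello world!");) >>\nendobj\n')
RECEIVED = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    print(count_indicators(SENT))
    print(verdict(SENT, RECEIVED))
```

On real files, read both copies with `open(path, "rb").read()` and keep the verdict alongside the filter's own log entry for the same message.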

Hope that helps

 

 

13 Comments

  1. Boris Brezansky says:

    Hello, is it possible to use JS2PDFInjector for batch processing of multiple PDF files? We need to inject Script to more than 1.000 of PDFs.
    Thanks.

    1. cornerpirate says:

      Hi Boris,

      Interesting why do you need that functionality? Just out of curiosity.

      Also the source is in GitHub. It was as simple as changing the source of the filename to inject into and the JS file to include from fileChooser to being a command line argument from the sys.args array. I have made an update, recompiled and tested that it works.

      New command line usage:

      java -jar JS2PDFInjector.jar

      To do bulk file insertion (assuming the same JS file is used in every case) use a for loop in bash:

      for pdf in /path/to/pdfs/*.pdf
      do
        # Quote the path so file names containing spaces are passed as one argument
        java -jar dist/JS2PDFInjector.jar "$pdf" /path/to/js/inject.js
      done

      Hope that helps

      1. Boris says:

        Hi, I need to inject multiple PDFs in one step and quite fast, so that’s why I needed the command line solution. The update is great and it works perfectly. I’m not that familiar with Java, that’s why I didn’t look at the source code yet.
        Anyhow thanks a lot, it really helped me.

    2. cornerpirate says:

      I know it took ages. But eventually I added in how to use this “headless”. It can now be scripted as a result because it is now command line arguments.

  2. Lucy Lasbrey Donovan says:

    Please, does this still work? I tried it out but it doesn’t execute my .js file when the injected PDF is opened. Just curious to know if it still works and also the version of Adobe it works on, to top up my security.

    1. cornerpirate says:

      They may have finally killed it in Adobe. In which case a lovely part of Internet history will slowly close 😀

      1. Lucy Lasbrey Donovan says:

        OK. That’s pretty nice. But I’d like to know if other PDF readers like Foxit are still prone to this.

      2. cornerpirate says:

        I have only used this in environments which used adobe because that was most enterprise customers. Plus I haven’t needed this project in approximately 2 years myself. Though others seem to be finding a use for it!

        When I opened it in Foxit back in the day I don’t think it executed JS. Mileage varies on this one and the only place I can ever guarantee it worked was Adobe. It could well have been an Adobe specific extension.

        If it is not working in the most recent Adobe then eventually it will die out as a technique. Sorry that this is probably not the answer you were looking for!

    2. Dhruv Patil says:

      yes it’s working for me

      1. lssbrey says:

        What version of Adobe did it work on?

      2. lssbrey says:

        What version of Adobe did it work on for you? I would like to know cuz I need to try this out.

  3. ndv says:

    Thanks for this I was able to inject js code into my pdf.

    But this is only my first step.

    What I want to do is inject javascript into my pdf and my javascript should hide all the pdf content is that possible?
    (I will actually have a text submit form and validate on my server if the text is correct then show the pdf content)

    I have read some adobe javascript api but still i’m just a newbie so just want to make sure it can do what i want before i proceed.

    1. cornerpirate says:

      Glad that it helped you add JS into a PDF. Unfortunately I am unable to help you go further than an alert box. I have never developed an application using Adobe’s JS. I merely needed to check if email systems removed JS or not.
