Information Security
malware pdf documents
Updated Thu, 14 Jul 2022 04:36:29 GMT

How to safely view a malicious PDF?


I have a PDF with important information that may contain malware. What would be the best way to view it?




Solution

Document-based exploits are directed not at the document itself, but rather at some vulnerability in the viewer. If you view the document in a program that isn't vulnerable (or in a configuration that inhibits the vulnerability), then you won't be exploited.

The real issue is knowing whether or not your viewer is vulnerable, which usually means knowing specifically what the exploit is. But there are alternate PDF viewers such as Foxit or even Google Chrome's built-in viewer that do not necessarily have the same vulnerabilities as Adobe's official viewer. This is not necessarily true for all vulnerabilities, so it's important to understand what you're getting into ahead of time.

EDIT
If you find yourself frequently dealing with potentially malicious materials, it would be very wise to set up a hardened virtual environment. I'd recommend booting into a Linux system and running your target OS (usually Windows) in VirtualBox or a similar environment. Save a snapshot of the virtual OS, and then revert to that snapshot after you're done interacting with the malicious content. Also, it's not a bad idea to run the host Linux environment from a read-only installation (i.e. Live-CD).





Comments (5)

  • +0 – The main vulnerability in Adobe (which I don't use) is using JavaScript to call on an insecure undocumented API to run shellcode. I used origami to decrypt and decompress and pdfid to check if it has JavaScript triggers (which it doesn't)... but I guess this doesn't even matter for anyone not using Adobe viewer. — Aug 19, 2012 at 19:01  
  • +4 – Reasonably simple setup would be a VM + Sandboxie + DigiSigner — Aug 19, 2012 at 19:59  
  • +0 – I don't use Foxit or Adobe. I use an obscure reader. Recently, it crashed when I opened a PDF file. Can this be a malware attack? How do I check? — Feb 05, 2013 at 10:11  
  • +1 – Note about the edit - most modern Linux systems have several native PDF viewers available (including an ancient version of Adobe Reader, usually you don't need to bother with that - I suggest using Okular, and most versions of evince and mupdf work great as well), you don't need to use a Windows VM.... — Apr 23, 2015 at 20:10  
  • +3 – @FirstNameLastName be wary of using lesser known products to avoid infection. 1: the product may use a common library and unknowingly be actively exploitable and 2: it may not be getting patched as often or as quickly as more mainstream products. Hardened VM really is the only way to be sure. — Nov 30, 2016 at 10:38