SANS ISC Internet Storm Center

Test File: PDF With Embedded DOC Dropping EICAR

Published: 2015-08-28
Last Updated: 2015-08-28 09:51:58 UTC
by Didier Stevens (Version: 1)
1 comment(s)

My diary entry yesterday inspired me to create another test file based on the EICAR test file.

I created a PDF file that contains a DOC file that drops the EICAR test file.

The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file, and writes the EICAR test file to a temporary file in the %TEMP% folder.
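A defender who receives a PDF like this will want to triage it before opening it. The following is an added example, not code from this diary or from Didier Stevens' tools, that counts the structural indicators such a test file carries (an embedded file, JavaScript and an action that fires on open) over a constructed minimal PDF; the object layout and the name `dropper.doc` are assumptions, and the hex-escaped `/Java#53cript` name is included to show why names must be normalized before matching.

```python
import re

# PDF name objects that are worth counting during triage of an unknown file.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/EmbeddedFile", "/OpenAction", "/AA", "/Launch")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names so /Java#53cript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_indicators(data: bytes) -> dict:
    """Count each suspicious name; a name ends at a delimiter, so /EmbeddedFiles is not /EmbeddedFile."""
    norm = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, norm))
    return counts

def triage(data: bytes) -> list:
    """Turn raw counts into the findings an analyst acts on."""
    c = count_indicators(data)
    findings = []
    if c["/EmbeddedFile"] and (c["/JavaScript"] or c["/JS"]):
        findings.append("embedded file plus JavaScript: script may extract and open the attachment")
    if c["/OpenAction"] or c["/AA"]:
        findings.append("action runs automatically when the document is opened")
    if c["/Launch"]:
        findings.append("launch action present")
    return findings

# Constructed sample: a catalog with an OpenAction pointing at a JavaScript action
# and an embedded file named dropper.doc (the payload bytes are a placeholder).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles << /Names [(dropper.doc) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Java#53cript /JS (placeholder script text) >> endobj
5 0 obj << /Type /Filespec /F (dropper.doc) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 8 >> stream
D0CF11E0
endstream endobj
%%EOF
"""

if __name__ == "__main__":
    print(count_indicators(SAMPLE_PDF))
    for finding in triage(SAMPLE_PDF):
        print("-", finding)
```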

You can find the PDF file on my blog here. This file will generate an anti-virus alert. Use at your own risk, with approval.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: doc eicar pdf
ISC StormCast for Friday, August 28th 2015 http://isc.sans.edu/podcastdetail.html?id=4633
