PDF malware: how to avoid it

Postscript: "And they all lived happily ever after..."
15 January 2024

The enemy within… Source: Photopea.com

Getting your Trinity Audio player ready...
  • Malware in PDF files is commonplace.
  • Attacks via common file formats are more successful than those in uncommon formats.
  • Using same-but-different file formats aids cybersecurity.

Since its development in 1992, PDF format documents have become synonymous with a relatively immutable file – that is, it’s mostly un-editable – that’s perfect for sending and receiving static rich media content. Businesses exchange millions of PDF files daily, but the file format has been used on several notable occasions to propagate malware.

In combination with a half-decent phishing campaign, it’s relatively easy to fool users into downloading and opening PDF documents. But with the instances of malicious files of all types climbing inexorably, paying attention to the PDFs we all send and receive daily may be an important defense against being hacked or digitally compromised in some way.

Malware in PDF file clothing

When we open a PDF, we expect an application of some description to open and display the file’s contents. If the PDF is password protected, encrypted, or compressed in some way, we are also used to a secondary app, opening and performing its duties, too – like expanding the compressed file, for example. These processes, which can easily become muscle memory for users, represent a threat to unprotected PCs or mobile devices. If a malicious file prompts users to install or run some process before viewing its contents, it’s too easy to accept and comply, clicking through the warnings the operating system may throw up. Inherently insecure operating systems are particularly vulnerable, and bad actors are well aware of busy working people’s time limitations and work focus. In a statistically significant number of instances, the payload will be successfully delivered to the victim, courtesy of their impending deadlines or packed schedules.

While certain applications commonly found in most organizations, such as office suite software, come with in-built checks to prevent malicious macros from running from inside the file itself, the PDF format can be read by a large number of applications, from the ubiquitous Adobe Acrobat Reader to several popular modern web browsers. With many pieces of software able to display PDFs, there’s no practical way to protect against the deadly combination of PDF-carried malware and time-poor targets.

PDF virus checker online

However, using a software development facility called sandboxing, users can open PDFs in a safe environment and interact with the documents they receive safely and securely. PDF sandboxes allow the file to be opened in an environment that’s separated from the working operating system, preventing any malicious elements hidden in the PDF from deploying to the user’s machine at large.

PDF sandboxes can be found online, such as at https://www.hybrid-analysis.com/, but there are also standalone applications that do the same job.

By using a PDF sandbox as part of daily operating systems, companies will protect themselves against some attacks but also will be able to check the provenance of PDFs received: the sender’s details, the real source of the document, and much more. However, the existence of PDF sandboxing software and online services does not necessarily ensure their use. Each machine must be carefully configured to open the PDF document type in the sandbox environment rather than the helper app, such as Acrobat Reader. That takes time and investment by the organization’s IT department and any security staff it employs.

Move beyond malware in PDF victimhood

If we unravel the nature and history of the PDF document, we find that it is little more than a Postscript document with what was, until 2008, a proprietary wrapper. This comprises only some compression algorithms and font descriptions. These elements are not always necessary to render the document’s contents. The Postscript language was originally designed for printers to render information sent to them, faithfully representing the author’s design down to how each mark on the page was to be reproduced.

Image representing malware in PDF article.

PDFs have become as ubiquitous as clothes and furniture – but increasingly, they’re being used to deliver malware.

Sending .ps (Postscript) or .eps (encapsulated Postscript) documents instead of PDFs may, therefore, take away many of the PDF-carried menaces. The downside is filesize (Postscript files are natively uncompressed), plus many users’ devices may not have immediately obvious default applications configured to automatically interpret .ps files. Filesize itself is much less of an issue in 2024 than it was historically – the automatic compression/expansion in the PDF file format is one element of the format’s rise in popularity before the days of fast broadband and cheap storage. But many PDF reading applications can also parse Postscript files by default, so recipients can receive information as easily as they do with a PDF.

The cybersecurity argument for .eps and .ps file exchange is, therefore, one of security-by-obscurity. Hackers and bad actors will always spend their time and energy developing malware that’s carried via the most common methods. Malicious campaigns comprising corrupted Postscript files are theoretically possible but highly unlikely until a statistically significant number of organizations make them the de facto medium of rich media interchange. It’s just one way companies can keep their attack surface much smaller than that of others. And that smaller surface is often enough to remove the organization from the attackers’ definition of a ‘low hanging fruit’ target.