Can a PDF file contain a virus?

gregpatterson

I have had several unknown persons send PDF attachments with email
lately. I have a policy, if I don't recognise the name of the sender,
the email is deleted. However, on occasion I will email a business and
will get a reply from an address not containing the business name but
from someone that works there. In that case, if I am expecting some
reply from a business, I will read the text portion of emails that
might be from such a source, and on several occasions what looked to
be spam was actually such a reply. However, unless I know the person,
no attachments are ever opened. Anyhow, I keep getting these PDF
files lately. My guess is that they are just advertising, but I won't
open them, and just delete them. My question is whether a PDF can
contain a virus or spyware? I know that .exe files, screen savers,
.zip and other compressed files can, and I have heard of a few
occasions where pictures can contain at least some sort of bad code.
I never heard anything about PDF's one way or the other.

Thanks for replies

Greg
 
foghollow

I have had several unknown persons send PDF attachments with email
lately. I have a policy, if I don't recognise the name of the sender,
the email is deleted. However, on occasion I will email a business and
will get a reply from an address not containing the business name but
from someone that works there. In that case, if I am expecting some
reply from a business, I will read the text portion of emails that
might be from such a source, and on several occasions what looked to
be spam was actually such a reply. However, unless I know the person,
no attachments are ever opened. Anyhow, I keep getting these PDF
files lately. My guess is that they are just advertising, but I won't
open them, and just delete them. My question is whether a PDF can
contain a virus or spyware? I know that .exe files, screen savers,
.zip and other compressed files can, and I have heard of a few
occasions where pictures can contain at least some sort of bad code.
I never heard anything about PDF's one way or the other.

Thanks for replies

Greg

Type "pdf virus" into Google and check the first hit.
 
Beauregard T. Shagnasty

I have had several unknown persons send PDF attachments with email
lately. ...
... Anyhow, I keep getting these PDF files lately. My guess is that
they are just advertising, but I won't open them, and just delete
them.

I've gotten a few spams recently where the spam message was a page of
PDF. It was a stock scam. Apparently, the spammers are switching from
using graphics (JPEGS) to PDFs in a further attempt to get past filters.

Save the PDF file to your hard disk and scan it.
 
Duh_OZ

My Yahoo account has received hundreds of those attachments. Just
delete them - they are most likely advertising for stocks, medicines
and such. The PDF's are probably obfuscated so SPAM OCR engines
can't filter them out.
 
Charlie

What's to keep you from doing an on-demand virus scan with your resident AV
product? It is more thorough than trying to establish unilaterally if "pdf's
contain viruses".

Charlie
 
Virus Guy

I have had several unknown persons send PDF attachments with
email lately.

As I don't use Outlook or OE, I'll ask this question:

Does Outlook or OE render PDF attachments in the message preview pane?

Are you sure the attachments are really PDF? A file can have a .PDF
extension but internally the file is a .jpg or .gif (or .exe), etc.
 
gregpatterson

What's to keep you from doing an on-demand virus scan with your resident AV
product? It is more thorough than trying to establish unilaterally if "pdf's
contain viruses".

Charlie

Thanks for all the replies....

Yes, I could do all of this scanning and so on.....
However, my time is more valuable than wasting it on spam.
The delete key does the job.
I was just asking to find out the facts. The files were actually
.PDF, not with .exe or something else at the end. I am sure it's just
some sort of stock or drug crap as always. Not worth my time.

Good day !
 
Vanguard

I have had several unknown persons send PDF attachments with email
lately. I have a policy, if I don't recognise the name of the sender,
the email is deleted. However, on occasion I will email a business and
will get a reply from an address not containing the business name but
from someone that works there. In that case, if I am expecting some
reply from a business, I will read the text portion of emails that
might be from such a source, and on several occasions what looked to
be spam was actually such a reply. However, unless I know the person,
no attachments are ever opened. Anyhow, I keep getting these PDF
files lately. My guess is that they are just advertising, but I won't
open them, and just delete them. My question is whether a PDF can
contain a virus or spyware? I know that .exe files, screen savers,
.zip and other compressed files can, and I have heard of a few
occasions where pictures can contain at least some sort of bad code.
I never heard anything about PDF's one way or the other.


What makes you think a .pdf attachment to an e-mail must be a PDF
document? Files can be named anything.
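
Added example, not part of any post in this thread: a Python check for the point Virus Guy and Vanguard raise above, that an attachment named .pdf may hold something else. It compares the claimed extension with the file's leading bytes and, for real PDFs, lists plain-text action tokens; the function names and sample bytes are constructed for illustration.

```python
# Added example: file names and sample bytes below are constructed.
SIGNATURES = [                 # (leading bytes, type), checked at offset 0
    (b"MZ", "exe"),            # DOS/PE executable
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
]
# PDF name tokens for content a reader may act on when the file is opened.
ACTIVE_TOKENS = [b"/JavaScript", b"/OpenAction", b"/Launch"]


def sniff_type(data: bytes) -> str:
    """Return the file type implied by the content, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind        # checked first so an EXE/PDF polyglot is "exe"
    # Acrobat viewers accept the %PDF- header anywhere in the first 1024 bytes.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed type."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"jpeg": "jpg"}.get(claimed, claimed)
    actual = sniff_type(data)
    tokens = []
    if actual == "pdf":
        # Plain-text match only: names can be hex-escaped or sit inside
        # compressed streams, so an empty list does not prove a passive file.
        tokens = [t.decode() for t in ACTIVE_TOKENS if t in data]
    return {"claimed": claimed, "actual": actual,
            "mismatch": claimed != actual, "active_tokens": tokens}


SAMPLES = [  # constructed attachments
    ("stock_tip.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"),
    ("stock_tip.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    ("chart.pdf", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_attachment(name, blob))
```

A mismatch is a reason to quarantine the attachment rather than open it; a matching type says nothing about whether the reader that opens it is vulnerable.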
 
frischmoutt

Vanguard said:
What makes you think a .pdf attachment to an e-mail must be a PDF
document? Files can be named anything.

As a personal comment, I also received a lot of these pdf files. Those files
open normally when dragged in a foxit reader window, under a protected
environment. No alarm rings. However I suspect that double clicking on such
a file would lead to different results. Am I right or wrong?
 
David H. Lipman

From: <[email protected]>

| I have had several unknown persons send PDF attachments with email
| lately. I have a policy, if I don't recognise the name of the sender,
| the email is deleted. However, on occasion I will email a business and
| will get a reply from an address not containing the business name but
| from someone that works there. In that case, if I am expecting some
| reply from a business, I will read the text portion of emails that
| might be from such a source, and on several occasions what looked to
| be spam was actually such a reply. However, unless I know the person,
| no attachments are ever opened. Anyhow, I keep getting these PDF
| files lately. My guess is that they are just advertising, but I won't
| open them, and just delete them. My question is whether a PDF can
| contain a virus or spyware? I know that .exe files, screen savers,
| .zip and other compressed files can, and I have heard of a few
| occasions where pictures can contain at least some sort of bad code.
| I never heard anything about PDF's one way or the other.
|
| Thanks for replies
|
| Greg


Can an Adobe PDF contain a virus? No!

Can an Adobe PDF be used in an exploitation attempt of an Adobe Reader/Acrobat vulnerability?
Yes. (Example: Cross-Site Scripting Vulnerability)

Your problem is pure spam, not a virus/malware issue.
 
Beauregard T. Shagnasty

Yes, I could do all of this scanning and so on.....
However, my time is more valuable than wasting it on spam.
The delete key does the job.

Once would be enough, just so you see they really are spam. After that,
common sense - looking at the FROM: and the text of the Subject: line -
should tell you easily that they are spam ... whereas the Delete key
comes into play quite easily.

The only time I bother to open a spam (and they really are obvious) is
to see what new tricks the spammers might be up to now, and if I'm not
busy, to report them to their web hosts, and/or to notify the ISP of the
clueless zombied user they came from.
 
Virus Guy

David H. Lipman said:
Can an Adobe PDF contain a virus? No!

Can a PDF file (that is REALLY a PDF file) contain exploit code?

Apparently yes.

I still have no answer as to how a typical XP/Vista system handles a
PDF file other than to require a user to perform some action such as
to open it. For example, does XP/Vista generate thumbnails of PDF
files? Does Outlook or OE render PDF files automatically in preview
panes? Does XP/Vista open/examine PDF files as part of any
system-wide catalog or search activity?
 
Beauregard T. Shagnasty

frischmoutt said:
As a personal comment, I also received a lot of these pdf files. Those
files open normally when dragged in a foxit reader window, under a
protected environment. No alarm rings. However I suspect that double
clicking on such a file would lead to different results. Am I right
or wrong?

You would be wrong. In either case, you are opening the file.

Oh wait ... I'm assuming it would open in FoxIt when you double-click it
right? Not some other "default" PDF reader... there were links posted
some weeks ago about vulnerabilities in Adobe versions prior to 8. Don't
remember the details.

After all that, the PDFs this thread is about are just spam.
 
Man-wai Chang

I never heard anything about PDF's one way or the other.

That really depends on the PDF readers, in my opinion.
 
Virus Guy

Man-wai Chang said:
That really depends on the PDF readers, in my opinion.

Nobody has addressed my questions regarding how XP/Vista interacts
with PDF's other than the case of user-initiated file viewing.

I'm talking about auto-previewing in Outlook, OE, or IE, or thumbnail
generation as part of directory browsing, or content inspection as
part of indexing and content searching.

Does XP/Vista have some sort of native PDF handling/decoding
capability (and built-in file association) "out of the box" ? Does
the installation of a PDF file handler (like Acrobat) give XP/Vista
that capability?

I'm thinking along the lines of the animated icon situation a year or
so ago, or the vector-markup VML issue.
 
Char Jackson

Nobody has addressed my questions regarding how XP/Vista interacts
with PDF's other than the case of user-initiated file viewing.

I'm talking about auto-previewing in Outlook, OE, or IE,

There is no PDF auto-preview in OL, OE, or IE, AFAIK.

or thumbnail
generation as part of directory browsing, or content inspection as
part of indexing and content searching.

Does XP/Vista have some sort of native PDF handling/decoding
capability (and built-in file association) "out of the box" ?

XP: No
I don't know about Vista.

Does
the installation of a PDF file handler (like Acrobat) give XP/Vista
that capability?

Yes, for XP.
I don't know about Vista.
 
frischmoutt

Beauregard T. Shagnasty said:
You would be wrong. In either case, you are opening the file.

Oh wait ... I'm assuming it would open in FoxIt when you double-click it
right? Not some other "default" PDF reader... there were links posted
some weeks ago about vulnerabilities in Adobe versions prior to 8. Don't
remember the details.

After all that, the PDFs this thread is about are just spam.

Sorry, I just realised that I wasn't so clear.
When I have suspicious files, I usually _drag_ them into Notepad or Quickview
or Foxit windows that are already open.
I always _avoid double-clicking_ on them in order not to launch possible
programs (renamed files for example).
These extensions correspond more or less to those listed in the Quarantined
file of Zone Alarm.

I also avoid opening .xls and .doc in Excel or Word, even by dragging the
files.
 
