Test File: PDF With Embedded DOC Dropping EICAR

Published: 2015-08-28. Last Updated: 2015-08-28 18:24:03 UTC
by Didier Stevens (Version: 1)
4 comment(s)

My diary entry yesterday inspired me to create another test file base on the EICAR test file.

I created a PDF file (MD5 A1DDC9EBE19A3D43EC25889085AD3ED8) that contains a DOC file that drops the EICAR test file.

The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file, and writes the EICAR test file to a temporary file in the %TEMP% folder.

You can find the PDF file on my blog here. This file will generate an anti-virus alert. Use at your own risk, with approval.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: doc eicar pdf
4 comment(s)

Comments

Thank you! Let the social engineering testing commence.
Would it be possible to provide hashes for your test file (here on a SANS website), as a cross-check on the file?
Well done - great working example.
I included a link to VirusTotal in my diary entry. This way you can get all the information (like hashes) to identify the file without downloading it.
But I'll include the MD5 hash in the diary entry.

Diary Archives