VirusTotal with origami?

Fri 19 June 2009 by fred

While writing the previous article, I decided to run a simple test: hide a well-known (test) virus in a PDF file and see what happens. The results are beyond expectation!

The test I made was really simple:

  • Take the EICAR test file.
  • Take an innocent PDF file (it was submitted to VirusTotal and is reported clean by every AV).
  • Attach the EICAR file to the innocent PDF, applying anything from no filter to several chained filters, and finally encryption.

Raw EICAR in PDF

Embedding EICAR in a PDF is really easy with origami:

require 'origami'
include Origami

pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com",
                :Filter => []        # no filter: the payload is stored verbatim
                )
pdf.saveas("eicar-none.pdf")

You can use a nice anti-virus to spot the EICAR file: your eyes!

9 0 obj
<<
        /Length 68
        /Filter [ ]
>>stream
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
endstream
endobj

However, although the test file is in plain sight, only 5 of the 41 anti-virus engines detect it!

# eicar-none.pdf: no filter 5/41
#    AntiVir            7.9.0.191       2009.06.19      HEUR/PDF.Obfuscated
#    Authentium         5.1.2.4         2009.06.19      Trivial
#    ClamAV             0.94.1          2009.06.19      Eicar-Test-Signature
#    McAfee-GW-Edition  6.7.6           2009.06.19      Heuristic.PDF.Obfuscated
#    Panda              10.0.0.16       2009.06.19      Eicar.Mod

Using a single filter: FlateDecode

A very common filter is FlateDecode, the well-known deflate compression from zlib. It is the default filter origami applies to attachments.

pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com",
                :Filter => [:FlateDecode]   # the default when no :Filter is given
                )
pdf.saveas("eicar-flate.pdf")

Results are as good as the previous ones: 5/41!

# eicar-flate.pdf: FlateDecode 5/41
#    AntiVir            7.9.0.191       2009.06.19      HEUR/PDF.Obfuscated
#    ClamAV             0.94.1          2009.06.19      Eicar-Test-Signature
#    McAfee-GW-Edition  6.7.6           2009.06.19      Heuristic.PDF.Obfuscated
#    Panda              10.0.0.16       2009.06.19      EICAR-AV-TEST-FILE
#    VirusBuster        4.6.5.0         2009.06.18      EICAR_test_file

Note, however, that Authentium now fails, whereas VirusBuster detects it (so it cannot detect raw EICAR but can detect compressed EICAR ... weird).

Multiple filters

Now we chain several filters (the /Filter array lists them in decoding order, so the writer applies the inverse transforms in reverse):

pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com",
                :Filter => [:ASCIIHexDecode, :LZWDecode, :ASCII85Decode]
                )
pdf.saveas("eicar-multi.pdf")

And ... 2/41 detections!

#eicar-multi.pdf: :ASCIIHexDecode, :LZWDecode, :ASCII85Decode
#    AntiVir            7.9.0.191       2009.06.19      HEUR/PDF.Obfuscated
#    McAfee-GW-Edition  6.7.6           2009.06.19      Heuristic.PDF.Obfuscated

With detection names like these, one can wonder what is really being detected here ...
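What a scanner has to do to see the attachment is not hard: walk the stream objects, undo the /Filter chain in order, and only then look for the signature. The following is an added example written for this article, not origami's code: a small pure-Ruby unpacker with decoders for the four filters used above (the LZW decoder is checked against the example code sequence from the PDF reference), plus the encoders needed to build constructed samples for the "none", "flate" and "multi" variants. The samples are synthetic stream objects, not real documents, and FlateDecode stands in for LZWDecode in the chain because no LZW encoder is included. The `PdfUnpack` module name and `build_sample`/`find_eicar` helpers are mine.

```ruby
require 'zlib'

# Minimal PDF stream "unpacker": walks stream objects, undoes the /Filter chain
# and searches the *decoded* bytes. /Filter lists filters in decoding order, so
# they are applied first to last; a writer applies the inverse transforms last to first.
module PdfUnpack
  EICAR = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'.b

  module_function

  def ascii_hex_decode(data)
    hex = data.split('>', 2).first.to_s.gsub(/\s+/, '')
    hex << '0' if hex.length.odd?                    # an odd trailing digit is padded with 0
    [hex].pack('H*')
  end

  def ascii85_decode(data)
    body = data.sub(/\A<~/, '').split('~>', 2).first.to_s.gsub(/\s+/, '')
    out = ''.b
    body.scan(/z|[!-u]{2,5}/) do |group|
      next out << "\0\0\0\0" if group == 'z'          # 'z' is shorthand for four NUL bytes
      pad = 5 - group.length                          # a short final group encodes 4 - pad bytes
      value = (group + 'u' * pad).each_char.inject(0) { |acc, c| acc * 85 + (c.ord - 33) }
      out << [value].pack('N')[0, 4 - pad]
    end
    out
  end

  def flate_decode(data)
    Zlib::Inflate.inflate(data)
  end

  # LZW as PDF uses it: 9..12-bit codes, MSB first, 256 = clear table, 257 = EOD,
  # code width growing one entry early when /EarlyChange is 1 (the default).
  def lzw_decode(data, early_change = 1)
    base = (0..255).map { |c| c.chr.b } + [nil, nil]
    table, prev, width, buf, nbits = base.dup, nil, 9, 0, 0
    out = ''.b
    data.each_byte do |byte|
      buf = (buf << 8) | byte
      nbits += 8
      while nbits >= width
        code = (buf >> (nbits - width)) & ((1 << width) - 1)
        nbits -= width
        buf &= (1 << nbits) - 1
        if code == 256
          table, prev, width = base.dup, nil, 9
        elsif code == 257
          return out
        else
          entry = code < table.length ? table[code] : prev + prev[0]   # KwKwK case
          out << entry
          table << prev + entry[0] if prev
          prev = entry
          limit = table.length + early_change
          width = limit >= 2048 ? 12 : limit >= 1024 ? 11 : limit >= 512 ? 10 : 9
        end
      end
    end
    out
  end

  DECODERS = { 'ASCIIHexDecode' => :ascii_hex_decode, 'ASCII85Decode' => :ascii85_decode,
               'FlateDecode' => :flate_decode, 'LZWDecode' => :lzw_decode }.freeze

  # Yields [object number, filter names, decoded bytes] for every stream object.
  # A regex is enough for flat dictionaries such as origami's attachment streams.
  def each_stream(pdf)
    pdf.b.scan(/(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream/m) do |num, dict, raw|
      filters = dict.scan(/\/(#{DECODERS.keys.join('|')})\b/).flatten
      yield num.to_i, filters, filters.inject(raw) { |data, f| send(DECODERS[f], data) }
    end
  end

  # Object numbers of streams whose decoded content contains the EICAR string.
  def find_eicar(pdf)
    hits = []
    each_stream(pdf) { |num, _filters, data| hits << num if data.include?(EICAR) }
    hits
  end

  # Encoder side, only used to build the constructed samples below.
  def ascii_hex_encode(data)
    data.unpack1('H*').upcase + '>'
  end

  def ascii85_encode(data)
    out = +'<~'
    data.b.scan(/.{1,4}/m) do |chunk|
      pad = 4 - chunk.length
      value = (chunk + "\0" * pad).unpack1('N')
      digits = Array.new(5) { d = value % 85; value /= 85; (d + 33).chr }.reverse.join
      out << digits[0, 5 - pad]
    end
    out << '~>'
  end

  # Constructed, not a real document: one stream object carrying the payload.
  def build_sample(payload, filters)
    encoded = filters.reverse.inject(payload.b) do |data, f|
      case f
      when 'ASCIIHexDecode' then ascii_hex_encode(data)
      when 'ASCII85Decode'  then ascii85_encode(data)
      when 'FlateDecode'    then Zlib::Deflate.deflate(data)
      else raise "no encoder for #{f}"
      end
    end
    names = filters.map { |f| "/#{f}" }.join(' ')
    "%PDF-1.4\n9 0 obj\n<< /Length #{encoded.bytesize} /Filter [ #{names} ] >>\nstream\n".b +
      encoded.b + "\nendstream\nendobj\n%%EOF\n".b
  end

  # The post's variants: a raw byte-grep view versus the decoded view.
  def demo
    { 'none' => [], 'flate' => ['FlateDecode'],
      'multi' => ['ASCIIHexDecode', 'FlateDecode', 'ASCII85Decode'] }.each_with_object({}) do |(name, filters), r|
      pdf = build_sample(EICAR, filters)
      r[name] = { grep: pdf.include?(EICAR), decoded: find_eicar(pdf) }
    end
  end
end

p PdfUnpack.demo if $PROGRAM_NAME == __FILE__
```

`demo` reports, for each variant, whether a plain byte search finds EICAR and whether the decoding scanner does; only the unfiltered sample is visible to the byte search, while the decoder finds object 9 every time. Any engine that only grep-scans the container, or stops after the first filter, behaves like the byte search.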

Encryption

Last, we encrypt the file with empty user and owner passwords, so any reader (and any scanner) can open it without being asked for anything:

pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com",
                :Filter => [:ASCIIHexDecode, :LZWDecode, :ASCII85Decode]
                )
pdf.encrypt("", "", :Algorithm => :AES)
pdf.saveas("eicar-multi-enc.pdf")

Not very surprisingly, the results are the same as before: 2/41 detections, from the same two generic "obfuscated PDF" heuristics, which fire on the container rather than on the EICAR string!

#eicar-multi-enc.pdf: :ASCIIHexDecode, :LZWDecode, :ASCII85Decode + encryption
#    AntiVir            7.9.0.191       2009.06.19      HEUR/PDF.Obfuscated
#    McAfee-GW-Edition  6.7.6           2009.06.19      Heuristic.PDF.Obfuscated

Anti-virus fail?