Earlier today I was passed an interesting PDF sample that wasn’t a proper PDF, but instead an XDP. Running the file resulted in Adobe Reader starting up and successfully exploiting my machine. The dropped files were really nothing interesting, but the method in which the file was created was due to the limited detection.
I did some reading and stumbled upon the XDP specification. XDP is essentially a wrapper for PDF files so that they can be passed around as 100% XML files. Doing this ensures that web services or other programs can pull in PDF files in a structured way. Since XML can’t handle binary data, one must encode the PDF as a base64 stream.
The sample I came across this morning was great, but it was detected by one lone anti-virus. I figured I could take the heavy pint library and make something completely undetected. Using the drop news module I was able to quickly generate an encrypted PDF file using the old 2009-4324 media.newplayer exploit with null shellcode. Uploading the file to virus total resulted 0/42 detection.
The exploit is old. The JS is not encoded. This shoud be fixed. If you are wondering how to combat against this on your network or in your inbox, then look for XDP files. Of course, one could simply change the extension and still trick the user, but only awareness can fix that. For those with DPI, look for the Adobe XDP namespace and base64 code to identify the PDF embedded inside.