Adversaries may embed malicious executables within PDF documents to evade basic detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential stealthy malware delivery vectors that could bypass traditional security controls.
YARA Rule
rule PDF_Embedded_Exe : PDF
{
    meta:
        ref = "https://github.com/jacobsoo/Yara-Rules/blob/master/PDF_Embedded_Exe.yar"
    strings:
        // "%PDF" file magic
        $header = {25 50 44 46}
        // "<</S/Launch/Type/Action/Win<</F": a /Launch action with a Windows launch dictionary
        $Launch_Action = {3C 3C 2F 53 2F 4C 61 75 6E 63 68 2F 54 79 70 65 2F 41 63 74 69 6F 6E 2F 57 69 6E 3C 3C 2F 46}
        // "<</EmbeddedFiles": an embedded-files name tree in the document
        $exe = {3C 3C 2F 45 6D 62 65 64 64 65 64 46 69 6C 65 73}
    condition:
        // magic must sit at offset 0; the other two strings may appear anywhere in the file
        $header at 0 and $Launch_Action and $exe
}
This rule contains 3 string patterns in its detection logic. The scenarios below describe benign activity that may match the rule, each with a suggested filter or exclusion for tuning.
Scenario: Scheduled PDF Report Generation using Adobe Acrobat Distiller
Description: A scheduled job runs Adobe Acrobat Distiller to generate PDF reports from legacy .eps files, which may contain embedded binaries.
Filter/Exclusion: Exclude files generated by Adobe Acrobat Distiller with a specific job name or scheduled task ID.
Scenario: System Update via Microsoft Windows Update
Description: A Windows update package is delivered as a PDF file containing a signed executable for compatibility with legacy systems.
Filter/Exclusion: Exclude files with a known Windows update file signature or originating from Microsoft’s update servers.
Scenario: Internal Documentation with Embedded Signatures
Description: An internal tool like PDFtk or Ghostscript is used to embed digital signatures into PDFs for compliance, which may include embedded binaries.
Filter/Exclusion: Exclude files created by PDFtk or Ghostscript with a specific metadata tag or user-agent string.
Scenario: Admin Task: PDF Conversion via Apache PDFBox
Description: An admin task uses Apache PDFBox to convert Word documents to PDF, which may inadvertently embed executable content during conversion.
Filter/Exclusion: Exclude files generated by Apache PDFBox with a specific conversion script or user-agent header.
Scenario: Legacy Software Distribution via PDF
Description: A legacy application like AutoCAD or SolidWorks is distributed via PDF files that include embedded installers for compatibility with older systems.
Filter/Exclusion: Exclude files with known vendor signatures or originating from internal software distribution servers.
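As an added worked example (not part of the original page or of the referenced rule repository), the Python below reimplements the rule's three-string condition over raw bytes, shows what the hex strings decode to, and layers on a hypothetical producer-metadata allowlist of the kind the scenarios above describe as exclusions. The sample PDF byte strings, the `TRUSTED_PRODUCERS` list and the function names are constructed for this example.

```python
import re
from typing import Optional


def decode_hex_pattern(hex_pattern: str) -> bytes:
    """Turn a YARA hex string such as "25 50 44 46" into the raw bytes it matches."""
    return bytes.fromhex(hex_pattern)


# The three strings from the rule, decoded so their meaning is visible.
PDF_HEADER = decode_hex_pattern("25 50 44 46")  # b"%PDF"
LAUNCH_ACTION = decode_hex_pattern(
    "3C 3C 2F 53 2F 4C 61 75 6E 63 68 2F 54 79 70 65 2F 41 63 74 69 6F 6E 2F 57 69 6E 3C 3C 2F 46"
)  # b"<</S/Launch/Type/Action/Win<</F"
EMBEDDED_FILES = decode_hex_pattern("3C 3C 2F 45 6D 62 65 64 64 65 64 46 69 6C 65 73")  # b"<</EmbeddedFiles"


def matches_pdf_embedded_exe(data: bytes) -> bool:
    """Same logic as the rule condition: $header at 0 and $Launch_Action and $exe."""
    return (
        data.startswith(PDF_HEADER)  # $header at 0
        and LAUNCH_ACTION in data    # $Launch_Action anywhere in the file
        and EMBEDDED_FILES in data   # $exe anywhere in the file
    )


# /Producer is the Info-dictionary field that tools such as Distiller, Ghostscript and
# PDFBox write. Only the literal-string form "(...)" is parsed here; enough for the demo.
_PRODUCER_RE = re.compile(rb"/Producer\s*\((.*?)\)", re.DOTALL)


def pdf_producer(data: bytes) -> Optional[str]:
    """Return the /Producer string if present, else None."""
    m = _PRODUCER_RE.search(data)
    return m.group(1).decode("latin-1") if m else None


# Hypothetical allowlist standing in for the "specific metadata tag" exclusions in the
# scenarios above; a real deployment would use whatever producers the organisation has vetted.
TRUSTED_PRODUCERS = ("Acrobat Distiller", "GPL Ghostscript", "Apache PDFBox")


def triage(data: bytes, trusted=TRUSTED_PRODUCERS) -> str:
    """Return "no_match", "suppressed" (matched but excluded by allowlist) or "alert"."""
    if not matches_pdf_embedded_exe(data):
        return "no_match"
    producer = pdf_producer(data) or ""
    if any(producer.startswith(t) for t in trusted):
        return "suppressed"
    return "alert"


# Constructed sample files (not real documents or malware): just enough PDF syntax to
# exercise each branch of the rule.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"3 0 obj<</Producer(Apache PDFBox 2.0.27)>>endobj\n"
    b"%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj<</Type/Catalog/Names<</EmbeddedFiles 4 0 R>>"
    b"/OpenAction<</S/Launch/Type/Action/Win<</F(payload.exe)>>>>>>endobj\n"
    b"3 0 obj<</Producer(unknown generator)>>endobj\n"
    b"%%EOF\n"
)
# Same two indicators, but the Producer string claims a vetted tool.
TRUSTED_PRODUCER_PDF = SUSPICIOUS_PDF.replace(b"unknown generator", b"Acrobat Distiller 11.0")
# Header not at offset 0: the rule requires "$header at 0", so this must not match.
OFFSET_PDF = b"\x00\x00" + SUSPICIOUS_PDF


if __name__ == "__main__":
    samples = [
        ("benign", BENIGN_PDF),
        ("suspicious", SUSPICIOUS_PDF),
        ("trusted producer", TRUSTED_PRODUCER_PDF),
        ("header at offset 2", OFFSET_PDF),
    ]
    for name, sample in samples:
        print(f"{name:>20}: {triage(sample)}")
```

The `/Producer` value lives inside the file and is written by whatever tool built it, so an exclusion keyed on it is weaker than the source- or process-based filters the scenarios also list (scheduled task ID, distribution server, update-server origin); the `suppressed` outcome is kept distinct from `no_match` so that tuned-out matches can still be logged and reviewed rather than silently dropped.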