Yesterday Steve Basford informed us of yet another type of malicious document (Sales Invoice 519658.pdf MD5 bfe397fb9b7907ab34ba83f0f086336d). It is a PDF document, containing an embedded file, with JavaScript to extract the embedded file to a temporary folder and then open it. The embedded file is a malicious Word document like we've seen many of them the last months.

When you open this PDF file with Adobe Reader, you get a warning and the embedded file is only opened when you approve it.

You can analyze such PDFs without using Adobe Reader or Microsoft Word, but with my tools pdfid, pdf-parser and oledump.

If you want to know in detail how to do this, I have a video.