AV Bypass for Malicious PDFs Using XML Data Package (XDP) format

Security researcher Brandon Dixon has discovered a way to bypass the Antivirus detection for malicious PDFs using the XML Data Package(XDP) format.

XDP is an XML file format created by Adobe Systems in 2003. It is intended to be an XML-based companion to PDF. It allows PDF content and/or Adobe XML Forms Architecture (XFA) resources to be packaged within an XML container.

As XDP files are opened by Adobe Reader just like a normal PDF would be , opening the malicious XDP file can result in Adobe Reader Exploit.

Dixon's test document, which uses a two-year-old security vulnerability in Adobe Reader, was only detected by one anti-virus package in his tests. After experimenting with the XDP format, he was able to create another file that fooled all 42 anti-virus engines used on VirusTotal.

"The exploit is old. The JS is not encoded. This shoud be fixed. If you are wondering how to combat against this on your network or in your inbox, then look for XDP files."Dixon said in his blog.

"Of course, one could simply change the extension and still trick the user, but only awareness can fix that. For those with DPI, look for the Adobe XDP namespace and base64 code to identify the PDF embedded inside. "
Category: / /

Share this with Your friends: