How to disguise an executable file as a PDF file

Tr0jan_Horse

Imagine that you are a pentester hired to check the security of a company's internal network. You need to find out whether employees will take the bait and open malicious files. Disguising the malware as an innocuous PDF, you send it in a phishing mailing or place it in a shared folder. If an employee clicks on the file, you gain access to their system, demonstrating the weakness of the company's security. Below, I show how to create such a fake PDF file and use it in a pentest.

Substitution of the PDF file icon to run the executable file

Here is the C++ code for creating a PDF-looking shortcut with a custom icon. The program creates a Windows shortcut (.lnk file) on the desktop. The shortcut points to an executable file (in this case, calc.exe) and uses a custom icon.

The tool includes the necessary Windows API functions, the Shell API, ATL classes, and the C++ standard library. The CreateShortcut function accepts three parameters: targetPath, shortcutPath, and iconPath. It creates a shortcut that points to targetPath, assigns the icon from iconPath, and saves the result at shortcutPath.

The program initializes the COM library so it can use COM objects, creates a ShellLink object (IShellLink), which is used to set the properties of the shortcut, sets the path to the target file and the location of the icon, and then saves the shortcut to disk through the IPersistFile interface. After completing these operations, the program uninitializes the COM library.

To use this tool, you need to change two lines and recompile the application in C++.
This is how the shortcut and icon look on the desktop (screenshot: the shortcut disguised as a PDF).

This is how the shortcut and icon look in Windows Explorer (screenshot).

File properties (screenshot: properties of the disguised shortcut).
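For the blue-team side of the same engagement, here is an added example (not code from the original post) that triages .lnk files with the WScript.Shell COM object, reading each shortcut's TargetPath and IconLocation and flagging the combination this technique produces: an executable target behind a document-like name or a borrowed icon. The scan roots, extension lists and name pattern are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original post. Heuristic triage of .lnk files:
# the technique above pairs an executable target with a borrowed icon and a
# document-like file name, so flag shortcuts where those attributes disagree.
# Scan roots, extension lists and the name pattern are assumptions; adjust them.
$ScanRoots = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads")
$ExecExt   = @('.exe', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta', '.scr', '.msi')
$DocNames  = '\.(pdf|docx?|xlsx?|pptx?|txt|rtf)$'   # "invoice.pdf.lnk" displays as "invoice.pdf"
$Shell     = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $ScanRoots -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $lnk       = $Shell.CreateShortcut($_.FullName)
    $target    = [string]$lnk.TargetPath
    # IconLocation is "<path>,<index>"; keep only the path part (empty when no custom icon)
    $iconPath  = ([string]$lnk.IconLocation -split ',')[0].Trim()
    $targetExt = [System.IO.Path]::GetExtension($target).ToLowerInvariant()
    $iconExt   = [System.IO.Path]::GetExtension($iconPath).ToLowerInvariant()

    $reasons = New-Object System.Collections.Generic.List[string]
    if ($ExecExt -contains $targetExt) {
        # Explorer hides the .lnk suffix, so "report.pdf.lnk" is shown as "report.pdf"
        if ($_.BaseName -match $DocNames) {
            $reasons.Add('document-like name with executable target')
        }
        # Icon taken from a file other than the target (a reader's .exe, an .ico, a .pdf)
        if ($iconPath -and ($iconPath -ne $target) -and ($iconExt -in @('.ico', '.pdf', '.exe'))) {
            $reasons.Add("icon borrowed from $iconPath")
        }
    }
    if ($reasons.Count -gt 0) {
        # Emit one record per suspicious shortcut; pipe to Export-Csv or a SIEM forwarder
        [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $target
            Arguments = [string]$lnk.Arguments
            Icon      = $iconPath
            Reasons   = ($reasons -join '; ')
        }
    }
}
```

Legitimate shortcuts can also borrow icons, so treat the output as a triage list rather than a verdict, and compare the Target and Arguments columns against the shortcut's visible name.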

Conclusion

This article examined the technique of disguising files behind the PDF icon, a method used to deceive users into launching viruses or other malicious files. By manipulating the appearance of the file, we significantly increase the chance that an unsuspecting user will click on it, thereby compromising their system. This method can be effective for pentesters.

Disguising a malicious file as a PDF and distributing it through phishing emails or shared folders can help identify security weaknesses in an organization's network.