shift or die

security. photography. foobar.

Evading AVs using the XML Data Package (XDP) format

At work, I recently obtained a copy of iText in Action, 2nd Edition because I have been playing with PDF a bit lately and the book not only offers advice on how to use the Java PDF library iText but also some background on PDF internals and the new features in PDF 1.7.

One thing I stumbled about in the book was that there is a format called XML Data Package (XDP) which can be used to represent a PDF as XML. So of course I downloaded the specification and went to play with it a bit.

Acrobat Reader opens XDP files just fine if they have an .xdp file extension or if they are sent by a webserver with the application/vnd.adobe.xdp+xml MIME type. It was an easy exercise to write a small script to convert a given PDF to an XDP file (basically it’s just an XML header, the Base64-encoded PDF and an XML footer).

I was wondering how Antivirus products would react to a malware PDF file in disguise as a XDP. Thus, I generated a PDF containing an exploit using Metasploit and uploaded it to VirusTotal. 13 out of 43 products classified the PDF as malware. Interestingly enough, 0/43 recognized the equivalent XDP file as malware (and neither did a few mail gateways I tested).

I’ve just submitted a feature request for Metasploit to add XDP support and added my pdf2xdp.rb script as a starting point. Let’s see where this is heading.