One way to execute JavaScript from a PDF file is to rely on the Acrobat API, which already offers a subset of functions useful for a red team engagement or adversary simulation when your target primarily uses Adobe products as its default PDF reader.

During a past engagement, PDF files were sent to the targets with embedded JavaScript that asks for permission to open a check-in URL. This can be done simply with the app.launchURL() function. It also let me update URLs during the preparation phase for mass phishing because it exposes the original URL in plaintext. We can identify existing JavaScript embedded inside a PDF file with PDF analysis tools, e.g. PDFiD and pdf-parser.

I decided to use this feature again for this year’s engagement, plus a trick to retrieve the NTLM hash from the targets. With a trial version of Adobe Acrobat, I created the same JavaScript function and another object to make an external SMB request to the C&C. By the way, I failed to identify the embedded JavaScript with the same tools. Both PDFiD and pdf-parser report the file with JavaScript and the file without it alike as containing no JavaScript.

So, if there’s no plaintext or JS tag, the only way to hide this object is to compress it as a data stream and decompress it when it is used. The compressed data stream will look like the image below.

pdf-parser has a feature to extract and decompress a specified object. All I need to do is randomly find which exact object has the compressed JavaScript code and then run:

pdf-parser.py -o <object-id> -f file.pdf

The result will look like this:

I still don’t know what causes the JavaScript to be compressed, but it possibly happens because of features like PDF size reduction and optimization.
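
For triage, the manual search for the right object can be automated. The Python sketch below is an added example, not part of the original post and not code from pdf-parser or PDFiD: it inflates every FlateDecode stream in a file and reports the object numbers whose decompressed content carries JavaScript markers. The marker list, the function names and the sample document are assumptions constructed for illustration.

```python
import re
import zlib

# Markers of a JavaScript action, plus the Acrobat call named in the post (assumed list).
MARKERS = (b"/JavaScript", b"/JS", b"app.launchURL")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# Simplified stream match: trusts the endstream keyword instead of /Length.
STREAM_RE = re.compile(rb">>\s*stream\r?\n(.*?)\r?\n?endstream", re.S)

def find_hidden_js(pdf_bytes):
    """Map object id -> markers found inside that object's inflated stream."""
    hits = {}
    for obj in OBJ_RE.finditer(pdf_bytes):
        stream = STREAM_RE.search(obj.group(2))
        if not stream or b"/FlateDecode" not in obj.group(2)[:stream.start(1)]:
            continue  # no stream, or not zlib-compressed
        try:
            # decompressobj tolerates trailing bytes after the zlib data
            data = zlib.decompressobj().decompress(stream.group(1))
        except zlib.error:
            continue  # other filter chain or damaged stream
        found = [m.decode() for m in MARKERS if m in data]
        if found:
            hits[int(obj.group(1))] = found
    return hits

def build_sample():
    """Constructed sample: object 5 is an object stream wrapping a JavaScript action."""
    inner = b'7 0 <</S/JavaScript/JS(app.launchURL("https://example.invalid/", true);)>>'
    packed = zlib.compress(inner)
    return (b"%PDF-1.5\n1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n"
            b"5 0 obj\n<</Type/ObjStm/N 1/First 4/Filter/FlateDecode/Length "
            + str(len(packed)).encode() + b">>\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for obj_id, found in find_hidden_js(build_sample()).items():
        print(f"object {obj_id}: {', '.join(found)}")
        print(f"  inspect with: pdf-parser.py -o {obj_id} -f file.pdf")
```

Streams that use a different filter chain, or encrypted documents, are skipped by this sketch and still need manual inspection.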