According to email clients and anti-virus, an EXE disguised as a PDF is not suspicious?!

So seriously, why can't email clients like Outlook, as well as virus scanners, flag EXE files disguised as other things?

For instance, at work we got one the other day that was a fake Microsoft notification.

Subject: Important Changes to Microsoft Services Agreement

It basically asks you to open the attached file to see the details. The attached file is Microsoft-Services-Agreement.zip – inside that is “Microsoft Services Agreement.pdf.exe”

I scanned it with the virus scanner (with up-to-date definitions). It doesn't flag it as suspicious.

Not suspicious?! It's a frigging EXE disguised as a PDF. Windows users who have the default “Hide known extensions” on* will see it as a PDF. How is that not suspicious?

*That's a stupid default, too.

1 thought on “According to email clients and anti-virus, an EXE disguised as a PDF is not suspicious?!”

mike smith Tue 2012-10-30 at 03:28

THe short answer is, they can, and some do. When I’ve legitimately wished to email an exe, it resisted multiple levels of obfuscation. I had a exe file, with exe renamed to _exe_ inside a zip renamed to _zip_ -it still complained I was emailing an exe file, and refused. It had to be using the magic number that represents a zip (50 4B) – then opening that, looking at the contents, and realising that it was a PE format file (executable). I think this was gmail.

Comments are closed.