
Password documents used to circumvent antivirus


After reading a note on the Symantec blog about password-protected malicious document attacks, I did some lab tests to see how effective the technique could be.

In this case, the idea of protecting the document (PDF, Word, etc.) with a password is not to prevent the user from opening it, but to prevent antivirus software from scanning it. Once a password is set, the file is encrypted and the scanner cannot detect hidden malware or malicious code inside it.

One of the tests I did was to infect a PDF document with an executable Trojan (.exe) and send it to VirusTotal to see how many antivirus engines detected it with their signatures. The result was as follows (27/43):

Most of the engines detected that there was something strange hidden. However, after protecting the document with a password (it can be done in many ways, even online with sites like pdfprotect.net), the result was very different (1/43):

The same can be done by modifying the PDF with an exploit, as explained in this article with included video.

As we can see, any attacker can very easily turn a malicious document into something almost undetectable. In addition, using a password is a plus for social engineering, since a protected document can give the victim a sense of confidence or security, when in fact it is being used against them.

Sending by email:

The fact that antivirus software cannot scan the document also makes it easier to spread as an attachment. In the following screenshots you can see the results for Hotmail and Gmail when receiving the infected document:

When the user attempts to download the PDF, Hotmail warns that it could not be analyzed and recommends downloading it only if they are sure. Gmail, by contrast, allows the download without any warning, as if the antivirus had not detected anything (a real danger):

It should be mentioned that something similar can be done with compressed files; for example, the unencrypted malicious document could be sent in a password-protected ZIP. In this case Hotmail showed the same warning and Gmail at least warned that it could not be scanned:

Update: I did the same test with a PDF modified with an exploit + password. In this case, neither of the two webmails alerted when the attachment was downloaded. Worse, the installed antivirus also did not detect the exploit when the document was opened, allowing the computer to be infected (I did this test on Windows XP with updated Microsoft Security Essentials).

So, if you receive a password-protected document, be as careful as with any other unsolicited attachment. If you don't know who sent it or why, it is best to discard it (do not open it!). Obviously, antivirus is very helpful and you should have one installed, but you cannot rely on it for 100% of your security: attackers are always looking for ways to evade it, and many times the difference between being infected or not lies in common sense and good practices.

If you want to learn more about these topics, I recommend the talk Returning an undetectable PDF from Rooted CON 2011.
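For anyone running a mail gateway or attachment scanner, the safer behaviour Hotmail showed above (saying the file could not be analyzed instead of passing it silently) can be approximated with a pre-scan check for encrypted PDFs and ZIPs. This is an added example, not part of the original tests; the function names and sample bytes are constructed, and the `/Encrypt` match is a heuristic.

```python
import io
import re
import zipfile

# Heuristic: an encrypted PDF references an /Encrypt dictionary from its
# trailer or cross-reference stream dictionary, which is stored uncompressed.
# A production gateway should confirm with a real PDF parser.
_PDF_ENCRYPT = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")


def pdf_is_encrypted(data: bytes) -> bool:
    return b"%PDF-" in data[:1024] and bool(_PDF_ENCRYPT.search(data))


def zip_is_encrypted(data: bytes) -> bool:
    # Bit 0 of each entry's general-purpose flag marks it as password-protected.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(data: bytes) -> str:
    """'unscannable' means: quarantine or warn, never report the file as clean."""
    if pdf_is_encrypted(data) or zip_is_encrypted(data):
        return "unscannable"
    return "scan"


# --- Constructed samples: minimal byte strings, not real documents ---
PLAIN_PDF = b"%PDF-1.4\ntrailer\n<< /Size 4 /Root 1 0 R >>\n%%EOF\n"
ENC_PDF = b"%PDF-1.4\ntrailer\n<< /Size 5 /Root 1 0 R /Encrypt 4 0 R >>\n%%EOF\n"


def sample_zip(encrypted: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.pdf", PLAIN_PDF)
    raw = bytearray(buf.getvalue())
    if encrypted:  # set flag bit 0 in the central directory entry
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in [("plain.pdf", PLAIN_PDF), ("enc.pdf", ENC_PDF),
                        ("plain.zip", sample_zip(False)), ("enc.zip", sample_zip(True))]:
        print(label, triage(blob))
```

The "unscannable" verdict is deliberately separate from "clean", so the user sees that no antivirus result exists for the attachment.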

See also: Remove protection from PDF documents.