Hacking macOS: How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script)

With the macOS stager created and the attacker's system hosting the Empire listener, the malicious AppleScript can be designed and disguised to appear as a legitimate PDF using a few Unicode and icon manipulation tricks.

A real PDF is required for the attack to work. Files over 1 MB in size would be too large and may cause the target to become suspicious. The real PDF will be downloaded every time the target opens the Trojanized AppleScript (the fake PDF), so the real PDF should be only one page and small enough to download quickly. Otherwise, the target might start wondering why it takes a few seconds for the PDF to load in Preview when it should be instantaneous.

In this follow-up to the first part on creating a malicious PDF for MacBooks, I'll show how to quickly create a PDF using the cover of a CompTIA study guide found on AllITebooks, but a higher quality image should be used during a real scenario.

Step 1: Copy a PDF Cover Image

In your web browser, navigate to the site hosting the PDF that's going to be cloned. In my example, that's the CompTIA study guide on AllITebooks. You don't actually need to download the PDF file; you just need the first image that appears in the preview, so right-click on it, select "Save Image As," and save it as cover.jpg in the files/ directory.

Step 2: Install ..