A common technique attackers use to fool their victims is to insert the special Unicode character U+202E, known as the Right-to-Left Override (RLO), into a file name so that a malicious file appears to be a PDF document instead of a potentially dangerous executable file.
To understand this concept, let’s imagine that our malicious file is “document.exe” (see Figure 1):
Figure 1: Malicious file recently created with no changes.
Now we are going to follow the steps below to accomplish our goal:
- Open the Windows Character Map (Start, Run, charmap)
- Find and copy the Unicode character U+202E. Notice that the bottom left of the window shows the code of the selected character (see Figure 2).
Figure 2: Charmap with U+202E selected and copied.
- Paste (Ctrl + V) the character just before the dot of the extension: “document[[U+202E]].exe”
- Enter the extension that you want, but in reverse: for example, if we want “doc”, we need to write “cod”, and if we want “pdf”, we need to write “fdp”.
The result will be something like the file shown in Figure 3.
Figure 3: Malicious file renamed with the special character.
(The real name of the file, without the special character, is “documentfdp.exe”.)
Finally, to perfect the infection vector, a good idea would be to change the icon of the malicious file and also use a name that can trick the user, considering that the “exe” or the original extension must remain. E.g.:
Figure 4: Malicious file di
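A defender-side check for the file names this technique produces, added here as an example (it is not code from the original post): it flags bidirectional control characters in a name and compares the extension the system acts on with the one the user sees. The extension list, the function names and the simplified rendering (text after a single U+202E shown reversed) are assumptions of this example.

```python
import os
import unicodedata

RLO = "\u202e"
# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
# Assumption of this example: extensions treated as directly executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def strip_controls(text):
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def approx_display(name):
    """Simplified rendering: everything after the first U+202E is shown reversed.
    This is not the full Unicode Bidirectional Algorithm (UAX #9)."""
    head, _, tail = name.partition(RLO)
    return strip_controls(head) + strip_controls(tail)[::-1]


def inspect_name(name):
    """Report the hidden controls plus the real and the displayed extension."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]
    stripped = strip_controls(name)
    shown = approx_display(name)
    real_ext = os.path.splitext(stripped)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    if not controls:
        verdict = "clean"
    elif real_ext in EXECUTABLE_EXTS and real_ext != shown_ext:
        verdict = "spoofed-executable"
    else:
        verdict = "bidi-control"
    return {"controls": controls, "stripped": stripped, "shown": shown,
            "real_ext": real_ext, "shown_ext": shown_ext, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample names; the first is the one built in the steps above.
    samples = ["document\u202efdp.exe", "report.pdf", "memo\u200f.txt"]
    for sample in samples:
        info = inspect_name(sample)
        print(f"{info['verdict']:<18} real={info['stripped']!r} shown={info['shown']!r} "
              f"{info['controls']}")
```

The same function can be applied to attachment names at a mail gateway or to the entries returned by `os.listdir()` on a download folder.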