Beyond good ol’ Run key, Part 144
2024-11-16 06:16:47 Author: www.hexacorn.com

Acrobat Reader is very popular software, installed on millions of computers worldwide.

Today I noticed that every time the AcroRd32.exe program starts (tested with the latest version, 24.4) it checks the following folder:

c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Test_Tools\

looking for *.api files.

Every *.api file found there is then loaded as a DLL.

The screenshot below shows what happens when the following three files are present in the aforementioned folder:

  • aaFEAT.api
  • Automation.api
  • malware.api

The first two are named like the two legitimate *.api files that Acrobat Reader expects to find in the Test_Tools folder. The last one is just a randomly (well, not really) named DLL to show that any *.api file dropped there will be executed…
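The defensive counterpart of the behaviour described above is to audit that folder and to watch for AcroRd32.exe loading modules from it. The following Python helper is an added example, not code from the original post or from Adobe: it flags any *.api file in Test_Tools whose name is not one of the two the post names as legitimate, and it applies the same allowlist to constructed image-load records shaped like Sysmon Event ID 7 entries (process path plus loaded image path). The assumption that aaFEAT.api and Automation.api are the only expected names, the record shape and the sample records are all constructed for the example.

```python
"""Audit and detection helpers for Acrobat Reader's Test_Tools *.api loading."""
import os
from pathlib import PureWindowsPath

# Folder the post reports AcroRd32.exe enumerating for *.api files at start-up.
TEST_TOOLS_DIR = r"c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Test_Tools"

# The two names the post says Reader legitimately expects there. Assumption for this
# example: anything else in the folder is treated as unexpected. Names are compared
# lower-cased because the Windows file system is case-insensitive.
EXPECTED_API_NAMES = frozenset({"aafeat.api", "automation.api"})


def unexpected_api_files(entries):
    """Return sorted, lower-cased *.api names in ENTRIES that are not allowlisted."""
    found = {name.lower() for name in entries if name.lower().endswith(".api")}
    return sorted(found - EXPECTED_API_NAMES)


def audit_test_tools_dir(path=TEST_TOOLS_DIR):
    """Audit a real Test_Tools folder; returns [] when it does not exist (non-Windows hosts)."""
    if not os.path.isdir(path):
        return []
    return unexpected_api_files(os.listdir(path))


# Constructed image-load records (not real telemetry), modelled on the fields a
# Sysmon Event ID 7 record carries: the loading process and the loaded image.
IMAGE_LOAD_RECORDS = [
    {"process": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "image_loaded": TEST_TOOLS_DIR + r"\aaFEAT.api"},            # expected name
    {"process": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "image_loaded": TEST_TOOLS_DIR + r"\malware.api"},           # the post's third file
    {"process": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "image_loaded": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\constructed_other.api"},  # outside Test_Tools, constructed name
]


def suspicious_test_tools_loads(records):
    """Return loaded-image paths where AcroRd32.exe loaded a non-allowlisted file from Test_Tools."""
    hits = []
    for record in records:
        process_name = PureWindowsPath(record["process"]).name.lower()
        image = PureWindowsPath(record["image_loaded"])
        in_test_tools = str(image.parent).lower() == TEST_TOOLS_DIR.lower()
        if process_name == "acrord32.exe" and in_test_tools and image.name.lower() not in EXPECTED_API_NAMES:
            hits.append(str(image))
    return hits


if __name__ == "__main__":
    print("Unexpected files in folder:", audit_test_tools_dir())
    print("Suspicious loads:", suspicious_test_tools_loads(IMAGE_LOAD_RECORDS))
```

A name-based allowlist only catches the third case in the post; as the post itself points out, the first two files carry the legitimate names, so a real audit should also verify the publisher signature or a known-good hash of every *.api file in the folder, and the folder's ACL should prevent non-administrators from writing to it.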


Source: https://www.hexacorn.com/blog/2024/11/15/beyond-good-ol-run-key-part-144/