LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-13-2015, 04:05 PM   #1
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 268

Rep: Reputation: 25
File browser thumbnails = code execution?


Hello,

I've recently had some random guy email me one of those typical and obvious "this email is urgent, please open the attached pdf for more information so that we can infect your PC and install a virus on it" type of emails. I found it suspicious since I haven't given that email out to anyone. Attached was a PDF file that I saved to my home folder and uploaded to VirusTotal for checking. While there were no threats detected, I still believe it's a possible virus because someone apparently uploaded the exact same file before me.

Thing is I wanted to delete the file afterwards, so I opened Thunar, browsed to the directory where I saved the file earlier and tried to delete it only to find out that Thunar was being stupid and peeked inside the file to generate a thumbnail.

Is it possible to get local code execution like this? I immediately disabled thumbnails, rebooted the PC and checked my /boot partition and boot sector for changes. I also looked for modified and new files in folders like /var/tmp, ~/.config/autostart, but couldn't find anything.

Should I still be worried?
 
Old 07-13-2015, 09:42 PM   #2
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
I presume the permissions on the file are something like 644. That would permit read and write for owner, read only for group and everyone else.
That does not permit code execution.
It would be incredibly insecure for a file browser to execute code when attempting to retrieve info about a file. I doubt there is an issue, but perhaps someone else sees a problem. Is it an accurate thumbnail or a generic pdf thumbnail?

This is a little bit why linux is more secure than windows... opening a file.pdf.sh does nothing if the permissions are (by default) set to 644. You can override this of course.
 
Old 07-13-2015, 11:39 PM   #3
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 268

Original Poster
Rep: Reputation: 25
I'm sorry, I'm not worried about executing the file itself. I'm aware that the file was non-executable, and it was a PDF on its own since I opened it with hexdump. What I had in mind was that if there was a 0day exploit present within the file, could generating a thumbnail have triggered it?
 
Old 07-14-2015, 07:01 AM   #4
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 91
Quote:
Originally Posted by displace
What I had in mind was that if there was a 0day exploit present within the file, could generating a thumbnail have triggered it?
In theory, yes. But I would not worry too much about it if this e-mail was not specifically directed at you: The big malware campaigns do not target linux desktop users because of too low market share and too fragmented software environments. And the typical pdf exploits use adobe reader, while the code your file manager executes to generate the thumbnail comes probably from evince or poppler.
 
Old 07-14-2015, 09:33 AM   #5
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
Quote:
Originally Posted by displace
I'm sorry, I'm not worried about executing the file itself. I'm aware that the file was non-executable, and it was a PDF on its own since I opened it with hexdump. What I had in mind was that if there was a 0day exploit present within the file, could generating a thumbnail have triggered it?
Since a 0 day exploit rests on the fact that the exploit is unknown to the designer of the intended software, then yes, running any code anywhere on it is a risk. It could potentially have a 0 day for the file manager thunar, 0 day for gaining root privileges, etc.
After establishing that, then you touch on probability on what software.

Considering the incredibly small world of desktop linux computers ((most) linux servers don't use X, right?) and that dangerous code is limited to that user account, the probability of a 0 day designed for a linux computer with an X server (gui) cannot be very high.

It's possible thunar uses another command to identify the file, like file, which is used to determine file type. My man page explains how it determines file type; might be worth a read (man file).
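The question running through this thread is which code actually parses an untrusted file when a file manager only previews it. On GNOME and XFCE desktops that is discoverable: external preview helpers are registered in small INI-style "*.thumbnailer" files, and the file manager runs the registered helper on any file whose MIME type matches. The script below is an added example written for this thread, not code from the forum, from Thunar or from tumbler. It assumes the freedesktop registry layout (files under /usr/share/thumbnailers with a "[Thumbnailer Entry]" section carrying "Exec=" and "MimeType=" keys); whether a particular Thunar/tumbler build consults that directory is also an assumption. The sample registry entries embedded in it are constructed for the example, and the helper names in them are illustrative rather than copied from a real package.

```python
"""List which external helper programs a freedesktop-style thumbnailer registry
would run against a file of a given MIME type.

Added example, not code from the thread or from Thunar/tumbler.  It assumes
the registry format used by GNOME and XFCE desktops: one "*.thumbnailer" file
per helper under /usr/share/thumbnailers, INI-style, with a
"[Thumbnailer Entry]" section carrying "Exec=" and "MimeType=" keys.  Whether
a particular Thunar/tumbler build reads that directory is an assumption too.
"""
import configparser
import os
import shlex

SECTION = "Thumbnailer Entry"

# Constructed sample files modelled on the registry format.  The Exec lines
# are illustrative and are not copied from any real package.
SAMPLE_FILES = {
    "sample-pdf.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "TryExec=evince-thumbnailer\n"
        "Exec=evince-thumbnailer -s %s %u %o\n"
        "MimeType=application/pdf;application/postscript;\n"
    ),
    "sample-image.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "Exec=gdk-pixbuf-thumbnailer -s %s %u %o\n"
        "MimeType=image/png;image/jpeg;\n"
    ),
    # Wrong section name: a well-behaved loader must ignore this file.
    "not-a-thumbnailer.thumbnailer": (
        "[Desktop Entry]\n"
        "Exec=something-else\n"
    ),
}


def parse_thumbnailer(text):
    """Parse one .thumbnailer file.

    Returns (exec_line, [mime types]) or None when the file has no usable
    "[Thumbnailer Entry]" section.  Interpolation is disabled so the %s/%u/%o
    placeholders in Exec lines are kept literally instead of raising errors.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return None
    exec_line = cp.get(SECTION, "Exec", fallback="").strip()
    mimes = [m.strip() for m in cp.get(SECTION, "MimeType", fallback="").split(";")]
    mimes = [m for m in mimes if m]
    if not exec_line or not mimes:
        return None
    return exec_line, mimes


def load_entries(texts):
    """Parse an iterable of file contents, dropping files that do not parse."""
    entries = []
    for text in texts:
        parsed = parse_thumbnailer(text)
        if parsed is not None:
            entries.append(parsed)
    return entries


def load_directory(path="/usr/share/thumbnailers"):
    """Read every *.thumbnailer file under path (empty list if it is absent)."""
    if not os.path.isdir(path):
        return []
    texts = []
    for name in sorted(os.listdir(path)):
        if name.endswith(".thumbnailer"):
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                texts.append(fh.read())
    return load_entries(texts)


def helpers_for(mime, entries):
    """Programs (argv[0] of each matching Exec line) that would parse a file of this type."""
    programs = {shlex.split(exec_line)[0] for exec_line, mimes in entries if mime in mimes}
    return sorted(programs)


if __name__ == "__main__":
    # Prefer the live registry on this machine; fall back to the constructed samples.
    entries = load_directory() or load_entries(SAMPLE_FILES.values())
    for mime in ("application/pdf", "image/png", "text/plain"):
        print(mime, "->", helpers_for(mime, entries) or "(no external helper registered)")
```

Run on a desktop with thumbnails enabled, the output is the list of parsers that get handed every file the user merely browses past, which is the real attack surface behind the question; a PDF that never gets opened in a viewer is still parsed by whatever is registered for application/pdf. Disabling thumbnails, as the original poster did, removes that parsing step entirely; keeping the helpers patched, or running them under a sandbox where the desktop supports it, narrows it without giving up previews.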
 
Old 07-14-2015, 09:44 AM   #6
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 268

Original Poster
Rep: Reputation: 25
Yeah, when I received the suspicious email I just replied and pretended I couldn't open the PDF file. I asked the lad to send me another file format in the hopes that I would be able to capture another potential 0day exploit and send it to VirusTotal for analysis. While the lad did reply with a docx file this time, I first scanned it with VT and then opened it with a ZIP archiver to examine the XML contents. As it turned out the email was just another of those 419 scams.

I had seriously hoped that I was being targeted by some hacking company so I could fish for some new exploits. Damnit!!!!!!

Also, I never told anyone in particular I'm using linux.
 
Old 07-14-2015, 10:28 AM   #7
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
Quote:
I've recently had some random guy email me
...
Yeah, when I received the suspicious email I just replied and pretended I couldn't open the PDF file.
Hopefully that wasn't with your real email. You just gave them something much more valuable - information that they have a live email address that responds.
 
Old 07-15-2015, 02:40 AM   #8
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 268

Original Poster
Rep: Reputation: 25
Oh well, that's a derp I guess. In the worst case I'll be forced to do some more 419 scambaiting, but hopefully I won't hear from them again.
 
  

