Actual PDF attachments can be dangerous - especially phony Bank of America ones

by Erwin Balunsat | Email Security, Malware, Security Research & Analysis

We have reported on executable malware files that masquerade as PDF files to trick users into opening them, but what about actual PDF files? Many users dismiss warnings that these can be dangerous because they are "just text and images". It is true that PDF attachments are let through by most email programs, but they can certainly be malicious, as this example shows.

Have you ever actually made a request to Bank of America regarding ACH CashPro? If not, any email message claiming to come from Bank of America (BoA) about it can go straight into your junk folder. If you do use BoA online services, validate the message and be vigilant about its content.

Recently, an email purporting to come from Bank of America reached one of my mailboxes (see image below). At first glance it looks legitimate, especially given the message content. In reality it comes from a cybercriminal.

[Image: screenshot of the phony Bank of America email (bankofamerica_image1.jpg)]

This crafted email message contains a link that points to a legitimate Bank of America site. What you should be wary of is the PDF attachment (securedoc.pdf). The email claims it is a secure message, so many users might believe it really is one, but it is NOT. The attachment is a specially crafted malicious PDF, which CYREN detects as exploit CVE100188. It attacks a known vulnerability in Adobe Reader, CVE-2010-0188. When the user opens the attachment, a script embedded in the PDF first checks the version of Adobe Reader (PDF exploit droppers commonly do this by reading the Acrobat JavaScript property app.viewerVersion and choosing a payload accordingly). The malware targets the following specific versions of Adobe Reader, as seen in its code:

9.303, 9.304, 9.4, 9.401, 9.402, 9.403, 9.404, 9.405, 9.406, 9.407, 9.5, 9.501, 9.502, 9.503, 9.504,10.101, 10.102, 10.103, 10.104, 10.105, 10.106, 11, 11.001

(These numbers are in the form that app.viewerVersion reports, so 9.303 corresponds to Reader 9.3.3 and 11.001 to 11.0.01. The current version at the time of writing is 11.0.07. Note that Adobe fixed CVE-2010-0188 in Reader 9.3.1, so a dropper that gates on these later releases is presumably choosing between several exploits; whatever the case, a script that checks the Reader version before doing anything else is itself a strong indicator.)
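The triage a mail gateway or an analyst can do on such an attachment without opening it, as an added example that is not part of the original post and not CYREN's detection code: scan the object dictionaries for JavaScript and auto-run actions, inflate FlateDecode streams (where droppers usually hide the script), and pull out the Reader versions the script compares against app.viewerVersion. The PDF it scans is constructed inline for the demonstration, and the hypothetical stage2() call stands in for the exploit, which is not reproduced.

```python
"""Static triage of a PDF attachment for the indicators described in the post:
embedded JavaScript, an action that runs on open, XFA forms, and a Reader
version gate. Added example, not CYREN's code and not the securedoc.pdf sample."""
import re
import zlib

# Object keywords a benign "secure document" rarely needs. None is proof of
# malice on its own, but JavaScript plus an auto-run action in an unsolicited
# attachment is the shape the post describes.
SUSPICIOUS_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                       b"/XFA", b"/Launch", b"/EmbeddedFile", b"/RichMedia")

# stream ... endstream bodies (the lookbehind keeps "endstream" from matching).
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Numeric literals compared directly against app.viewerVersion, e.g. "== 9.303".
_VERSION_RE = re.compile(
    rb"app\.viewerVersion\s*(?:===|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)?)")

# Constructed sample script: a version gate in the style the post describes.
# stage2() is a hypothetical stand-in; there is no exploit code here.
SAMPLE_JS = (
    b"if (app.viewerVersion == 9.303 || app.viewerVersion == 9.4 ||\n"
    b"    app.viewerVersion == 10.101 || app.viewerVersion == 11.001) {\n"
    b"    stage2();\n"
    b"}\n")


def build_sample_pdf(js_source=None):
    """Assemble a minimal, well-formed PDF (constructed test input). With
    js_source given, the catalog's /OpenAction points at a JavaScript action
    whose code sits in a FlateDecode stream, which is how real droppers keep
    the script out of a plain grep of the file."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    objects = [
        None,  # catalog, finished below
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if js_source is not None:
        body = zlib.compress(js_source)
        objects.append(b"<< /S /JavaScript /JS 5 0 R >>")
        objects.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
                       + body + b"\nendstream")
        catalog += b" /OpenAction 4 0 R"
    objects[0] = catalog + b" >>"

    out = b"%PDF-1.7\n"
    offsets = []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref)
    return out


def _decoded_streams(data):
    """Return the contents of every stream, inflated when it is Flate-encoded.
    The decompressobj fallback tolerates a stream whose trailer was clipped."""
    found = []
    for m in _STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            found.append(zlib.decompress(raw))
        except zlib.error:
            try:
                found.append(zlib.decompressobj().decompress(raw))
            except zlib.error:
                found.append(raw)  # not Flate; scan the bytes as they are
    return found


def triage_pdf(data):
    """Summarise the indicators found in a PDF given as bytes."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    views = [data] + _decoded_streams(data)
    counts = {}
    for kw in SUSPICIOUS_KEYWORDS:
        # Boundary so /JS does not also count longer names that start with it.
        pattern = re.compile(re.escape(kw) + rb"(?![A-Za-z])")
        counts[kw.decode()] = sum(len(pattern.findall(v)) for v in views)
    versions = sorted({float(v) for view in views for v in _VERSION_RE.findall(view)})
    has_js = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    auto_run = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "keywords": counts,
        "has_javascript": has_js,
        "auto_run": auto_run,
        "targeted_versions": versions,
        # Script that runs on open, or that gates on the Reader version: quarantine.
        "suspicious": has_js and (auto_run or bool(versions)),
    }


if __name__ == "__main__":
    for label, pdf in (("benign", build_sample_pdf()),
                       ("dropper", build_sample_pdf(SAMPLE_JS))):
        print(label, triage_pdf(pdf))
```

The version regex is deliberately narrow: it only catches direct comparisons against app.viewerVersion, so a script that copies the property into a variable or obfuscates its strings reports no versions but is still flagged by the JavaScript and /OpenAction indicators. The regexes mirror the heuristics of quick triage tools rather than a full parse; for gateway use, pair them with a real PDF parser that follows object references and handles other stream filters.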

If the exploit succeeds, the PDF runs embedded shellcode that downloads a second malicious executable, a backdoor which CYREN detects as W32/Androm.AQ, from the following link:

http://88.{--masked---}5.44/images/banniers1/Andr.exe

Once the download completes, the file is executed and installed on the affected system to compromise the user and system further. The new malware is a backdoor: a remote attacker can take full control of the affected system from anywhere, at any time, without the user's knowledge.

The BoA email is probably sent out by other malware using harvested email addresses, so it can reach any recipient. It uses clever social engineering to entice unsuspecting users into opening the attachment.

There are many malicious emails out there, and you may receive one carrying a malicious attachment (even a "plain old" PDF). As a precaution, never open unexpected email attachments of any kind, especially from unknown senders. If the email appears to come from a known sender, don't hesitate to verify its validity with the sender through another channel, and report it to your IT administrators if it is unsolicited.

Lastly, keep your software up to date, especially Adobe Reader, to protect yourself from attacks on known vulnerabilities.
