
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Complex – PDF hides Malware inside XFA which is inside PNG – not an image

We recently received an email supposedly from Puremobile – a supplier of unlocked cellphones. Similar emails were also received with “order info” from Bobijou (a costume jewelry designer). The “order confirmation” included a PDF file as shown below.

Our initial analysis of the file found no JavaScript. No JavaScript? This was unexpected, since most PDF malware includes JavaScript. The only unusual stream data that could possibly hide the exploit was the embedded PNG-encoded data. PNG is normally used for image encoding, so decoding it would normally reveal an image, but not in this case. We used a decompression tool to decode the PNG data and found an XFA form.

XFA forms allow electronic form management using PDFs. This XFA form, however, contained obfuscated JavaScript (see image below).
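The decoding chain described above (compressed stream, PNG-style encoding, XFA form, embedded script) can be reproduced as a small triage script. The code below is an added example written for this page, not Cyren's analysis tooling: it walks the objects of a PDF, inflates FlateDecode streams, undoes a PNG predictor, and flags decoded content that looks like an XFA form carrying JavaScript. It assumes the "PNG encoding" is the PDF /FlateDecode filter with a PNG /Predictor in /DecodeParms; the post does not say which PNG encoding the real sample used. The PDF it scans is constructed inline, carries no exploit, and the indicator names, helper names and 32-column layout are choices made for this example, not values taken from the sample Cyren analysed.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
# Indicators worth surfacing in decoded stream content (names chosen for this example).
INDICATORS = {
    "xfa_form": rb"<xdp:xdp|www\.xfa\.org/schema",
    "xfa_script": rb"<script[^>]*contentType=.application/x-javascript",
    "xfa_image_field": rb"<imageEdit",   # XFA image field, the surface CVE-2010-0188 abuses
    "pdf_js": rb"/JS\b|/JavaScript\b",   # classic, non-XFA JavaScript actions
}

def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)

# PNG row filters by type byte; each predicts a byte from left (a), above (b), above-left (c).
PNG_FILTERS = {0: lambda a, b, c: 0, 1: lambda a, b, c: a, 2: lambda a, b, c: b,
               3: lambda a, b, c: (a + b) // 2, 4: _paeth}

def png_unpredict(data, columns, bpp=1):
    """Reverse PNG row filters (PDF /Predictor >= 10): one filter-type byte per row."""
    rowlen = columns * bpp
    prev, out = bytearray(rowlen), bytearray()
    for off in range(0, len(data), rowlen + 1):
        pred = PNG_FILTERS[data[off]]          # KeyError on an unknown filter type
        row = bytearray(data[off + 1:off + 1 + rowlen])
        for i in range(len(row)):
            a = row[i - bpp] if i >= bpp else 0   # already-decoded left neighbour
            c = prev[i - bpp] if i >= bpp else 0
            row[i] = (row[i] + pred(a, prev[i], c)) & 0xFF
        out += row
        prev = row
    return bytes(out)

def _int_param(d, key, default):
    m = re.search(rb"/" + key + rb"\s+(\d+)", d)
    return int(m.group(1)) if m else default

def decode_stream(d, raw):
    """Inflate a /FlateDecode stream and undo a PNG predictor if /DecodeParms asks for one."""
    if b"/FlateDecode" not in d:
        return raw
    data = zlib.decompress(raw)
    if _int_param(d, b"Predictor", 1) >= 10:
        bpp = max(1, _int_param(d, b"Colors", 1) * _int_param(d, b"BitsPerComponent", 8) // 8)
        data = png_unpredict(data, _int_param(d, b"Columns", 1), bpp)
    return data

def split_object(body):
    """Return (dictionary bytes, raw stream bytes or None); trusts a direct /Length."""
    sm = re.search(rb"\bstream\r?\n", body)
    if not sm:
        return body, None
    d, start = body[:sm.start()], sm.end()
    lm = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", d)
    if lm:
        return d, body[start:start + int(lm.group(1))]
    return d, re.sub(rb"\r?\nendstream\s*$", b"", body[start:])

def scan_pdf(pdf):
    """One finding per object whose decoded content matches an indicator."""
    findings = []
    for num, body in OBJ_RE.findall(pdf):
        d, raw = split_object(body)
        content = body if raw is None else decode_stream(d, raw)
        hits = [name for name, pat in INDICATORS.items() if re.search(pat, content)]
        if hits:
            findings.append({"obj": int(num), "compressed": raw is not None,
                             "predictor": b"/Predictor" in d, "indicators": hits})
    return findings

# Constructed sample (not the real attachment): an XFA form with an image field and a script block.
XFA_XML = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">
<subform name="form1"><field name="ImageField1"><ui><imageEdit/></ui></field>
<event activity="initialize"><script contentType="application/x-javascript">
var marker = "constructed sample, no payload";
</script></event></subform></template></xdp:xdp>
"""

def png_predict_up(data, columns):
    """Forward 'Up' filter (type 2) so the sample exercises the predictor path."""
    data += b"\n" * (-len(data) % columns)          # pad to whole rows
    prev, out = bytes(columns), bytearray()
    for off in range(0, len(data), columns):
        row = data[off:off + columns]
        out += b"\x02" + bytes((x - p) & 0xFF for x, p in zip(row, prev))
        prev = row
    return bytes(out)

def build_sample_pdf(columns=32):
    """Minimal PDF (no xref; built for the scanner, not for a viewer) with the XFA in obj 3."""
    stream = zlib.compress(png_predict_up(XFA_XML, columns))
    objs = [b"<< /Type /Catalog /AcroForm 2 0 R >>", b"<< /Fields [] /XFA 3 0 R >>",
            b"<< /Length %d /Filter /FlateDecode /DecodeParms << /Predictor 12 /Columns %d >> >>\nstream\n%s\nendstream"
            % (len(stream), columns, stream)]
    pdf = b"%PDF-1.7\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Running `scan_pdf(build_sample_pdf())` (Python 3.5 or later, for bytes formatting) reports only object 3, marked as compressed and predictor-encoded, with the `xfa_form`, `xfa_script` and `xfa_image_field` indicators; the object that merely references the form through `/XFA 3 0 R` is silent, which is the point: a scanner that stops at the object dictionaries, or at the inflated bytes without undoing the predictor, never sees the script. Object streams, indirect `/Length` values and other filters (LZW, ASCII85) are deliberately out of scope here and would need the same decode-then-inspect treatment.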

The execution of the script found above results in exploitation of the CVE-2010-0188 vulnerability (libTiff overflow). We detect this malware as “PDF/Obfusc.Q!Camelot”. Once installed, the code downloads and executes other malware. Since this is a known exploit, the latest versions of Adobe Reader include protection.

To summarize:

PDF file – PNG image – not a PNG image – decodes to reveal an XFA form – includes JavaScript – JavaScript exploits vulnerability – etc. If you opened this file, your reader would crash and execute the malware. When opened with an updated reader, or with a reader that has JavaScript disabled, we see the following (uninteresting) file:

Protecting against PDF malware

We recommend downloading the latest version of Adobe Reader to protect your system from this threat. The risk from this exploit can also be reduced by disabling JavaScript in Adobe Reader, as follows:

  1. In Reader select Edit -> Preferences
  2. Select the JavaScript Category
  3. Uncheck the “Enable Acrobat JavaScript” Option
  4. Click OK.
