How PDF files hide malware – Example – PDF scan from Xerox


It’s early morning and I usually start my day by checking and reading emails from a few mailboxes.  In one of my mailboxes I came across a strange new message about a scanned document.  As a security specialist I was immediately suspicious and decided to investigate further.  The email is shown below:

The body of the email says that the PDF attachment comes from a “Xerox WorkCentre Pro”, a very popular copier machine widely used in offices.  We assume that this type of email and the “innocent” looking PDF attachment would convince most office recipients to open the attachment and thus install new malware on their systems.  Commtouch’s Command Antivirus detects this malicious PDF as PDF/Expl.IQ.  Recipients who actually open the file will see nothing – there is no text or image content displayed.

I opened the PDF in a text editor and saw this encrypted JavaScript code:

I modified the code a bit in order to decrypt it and got the following:

The red boxes highlight the vulnerabilities that this PDF attempts to exploit to crash vulnerable PDF reader applications:

All of these exploits have been patched in the most updated versions of Acrobat Reader.  More information about these known vulnerabilities and affected PDF applications can be found at the above links.  For example “Exploit causes multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allowing remote attackers to execute arbitrary code”.

Once the vulnerable PDF reader application is successfully exploited, a new piece of malware is fetched from the following link: hxxp://open{BLOCKED}   This new malware is then installed on the affected system, further exposing the system to other attacks.  Command Antivirus detects this file as W32/SuspPack.DA.gen!Eldorado,

The lesson to be learned is that PDF reader software should always be kept up to date (and make sure you have an effective updated Antivirus).  As we always say, prevention is better than disinfection.

Till next time…

Go back