Exploit for PDF vulnerability CVE-2018-4990 exists in the wild
Let's look at the PDF that exploits this vulnerability.
Using pdf-parser, we see an embedded JPEG image object inside the button field Button1.
The stack trace below was captured after enabling page heap and user-mode stack traces with gflags.exe. The crash is an access violation that occurs because JP2KLib.dll (the JPEG2000 component) tries to free memory that does not belong to it.
The exploit locates the base address of the DLL, builds the ROP chain with the given offsets, and sprays it into the heap to redirect the execution flow to arbitrary code in the heap.
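For triage, the structure noted above (an image stream attached to a button field, parsed by the JPEG2000 component) can be checked for statically. The following is an added example, not code from the original analysis and not the SonicWALL signature. It assumes the image is JPEG2000-encoded and recognisable by the `/JPXDecode` filter or standard JPEG 2000 magic bytes; `triage_pdf` and the sample document are hypothetical, and JavaScript objects are reported only as extra context.

```python
import re
import zlib

# Magic values from the JPEG 2000 specifications (not taken from the page).
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"  # JP2 container signature box
J2K_CODESTREAM = b"\xff\x4f\xff\x51"                # raw codestream: SOC + SIZ markers

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def triage_pdf(data: bytes) -> dict:
    """Heuristic triage; objects packed inside /ObjStm streams are not expanded."""
    out = {"button_fields": [], "jpeg2000_objects": [], "javascript_objects": []}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        head = body.split(b"stream", 1)[0]          # dictionary part of the object
        if re.search(rb"/FT\s*/Btn", head):         # AcroForm button field
            name = re.search(rb"/T\s*\((.*?)\)", head)
            out["button_fields"].append(name.group(1).decode("latin-1") if name else f"obj {num}")
        if re.search(rb"/(JS|JavaScript)\b", head):
            out["javascript_objects"].append(num)
        s = STREAM_RE.search(body)
        if s is None:
            continue
        raw = s.group(1)
        if b"/FlateDecode" in head:                 # peel one compression layer if present
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass
        if b"/JPXDecode" in head or raw.startswith(JP2_SIGNATURE) or J2K_CODESTREAM in raw[:64]:
            out["jpeg2000_objects"].append(num)
    # Flag for manual review only when both traits noted in the analysis co-occur.
    out["review"] = bool(out["button_fields"] and out["jpeg2000_objects"])
    return out

# Constructed sample (not the real exploit file): a button field, a JP2 header, a script.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /FT /Btn /T (Button1) /MK << /I 2 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Length 16 >>\nstream\n" + JP2_SIGNATURE + b"\x00\x00\x00\x14\nendstream\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (var x = 1;) >>\nendobj\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A hit means the file deserves manual inspection with pdf-parser, not that it is malicious; legitimate forms can carry JPEG2000 button icons.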
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: