Malicious PDF spreading in the wild

January 20, 2011

SonicWALL UTM Research team observed a new malicious PDF spreading in the wild. This malicious PDF is being spread through spam emails with the file in the attachment. The email with malicious PDF file is shown below:

screenshot

If the user downloads the PDF file attachment and executes it, then it delivers a malicious payload using an exploit in Adobe Acrobat Reader. This malicious payload in turn downloads secondary malware.

  • The PDF contains a producer section which is encrypted. This encrypted producer section is decrypted at runtime with the script embedded in the PDF file.

    screenshot

  • The encrypted producer section of PDF file decrypts to a script that serves the payload. This script uses an appropriate exploit technique to deliver the payload depending on the version of Adobe Acrobat Reader being used.

    screenshot

  • On inspection of the payload used in the script we observed secondary malware being downloaded from a remote location.

    screenshot

  • On execution of the payload it downloads and executes the following malicious file

    • us01.exe [Detected as GAV: Kryptik.JKT (Trojan)]

  • The downloaded file performs the following activities on the victim's machine:

    • It creates the following files
      • %UserProfile%Application DataMuitirfyoci.exe (Copy of itself) [Detected as GAV: Kryptik.JKT (Trojan)]
      • %UserProfile%Application DataYlaqozuzpa.lyz
    • It attempts to connect to randomly created domain names

        • screenshot

    • It creates the following registry key to ensure re-infection on system restart
      • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun: "%UserProfile%Application DataMuitirfyoci.exe"

SonicWALL Gateway AntiVirus provided protection against this threat via following signatures:

GAV: Pdfka.EML (Trojan)
GAV: Kryptik.JKT (Trojan)

screenshot

screenshot