Malicious PDFs find a novel way of running JavaScript

Filed Under: Adobe, Malware, PDF, SophosLabs

Earlier this year I gave a talk at the Virus Bulletin conference in Vancouver about malicious PDFs.

As a consequence of that paper, I received a number of enquiries from other researchers working in this field of computer security. One of the more fruitful contacts was Marco Cova of the Wepawet project.

This week, in-between other work, I have been analysing a feed of PDFs I have received from Wepawet.

One particular sample I analysed had a very small piece of JavaScript code that I hadn't seen before:

app.setTimeOut(this.info.XXXX,1)

JavaScript code inside sample

where XXXX is a randomly cased string. I immediately wrote a quick detection for this construct in other PDFs. While I was waiting for the results to come back I delved further into the sample.

SHA1 => 003f00b6eeba697b00b332791337d78c3767980b
Size => 7601
obj => 8
xref => 1
trailer => 1
xref_good => 1
endstream => 2
stream => 2
JS => 1
FlateDecode => 1
Page => 5
endobj => 8
startxref => 1
JavaScript => 2

Diving into the file and looking for the string referenced by the this.info:

Inside the file

We can see another occurrence of app.setTimeOut, and enough of the surrounding text to suggest that other this.info entries in the PDF are being referenced. After the this.info reference you can make out the beginning of a .replace construct and an "eval". Decoding this reveals references to two further this.info entries, "iuGj" and "FJHKJ". The replace is actually:

.replace(/[AB-Z]/g, "%")

Running the following command over the file:

grep -a /iuGj 003f00b6eeba697b00b332791337d78c3767980b | sed -e "s/[AB-Z]/%/g" | ../bin/showhex.pl

where showhex.pl is a simple script that transforms %hh encoded characters to their binary, gives the following:

Result
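As an added example (not code from the post, from Wepawet or from SophosLabs), here is a Python scanner that ties the two observations above together: it looks for app.setTimeOut or app.setInterval calls whose first argument comes from this.info, pulls the named entry out of the document's Info dictionary, and reverses the encoding the post describes (every upper-case letter stands for "%", then %hh escapes are decoded), which is what the grep | sed | showhex.pl pipeline did by hand. The sample PDF, the field name iUgJ and the encoded payload are constructed here and are not the real sample; the hand-rolled object and stream parsing is deliberately minimal (it inflates FlateDecode streams but is not a full PDF parser) and assumes the Info entry is a plain literal string.

```python
"""Find this.info-fed timer calls in a PDF and decode the referenced Info entry."""
import re
import zlib
from typing import List, Optional, Tuple

# Constructed sample: the encoded JavaScript app.alert("decoded"), written as %hh
# escapes with every '%' replaced by an upper-case letter, as in the analysed file.
OBFUSCATED = b"K61Q70M70Z2eB61X6cF65R72T74J28W22D64P65E63G6fH64L65N64Y22S29"

# Eval-like timer calls fed from the document Info dictionary (setInterval included).
TIMER_CALL = re.compile(rb"app\.set(?:TimeOut|Interval)\s*\(\s*this\.info\.(\w+)",
                        re.IGNORECASE)


def build_sample_pdf() -> bytes:
    """Build a minimal PDF (constructed, not the real sample) whose OpenAction
    JavaScript lives in a FlateDecode stream and calls app.setTimeOut(this.info.iUgJ, 1)."""
    packed = zlib.compress(b"app.setTimeOut(this.info.iUgJ, 1)")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Producer (constructed) /iUgJ (" + OBFUSCATED + b") >>\nendobj\n",
        b"6 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%EOF\n",
    ])


def inflate_streams(data: bytes) -> bytes:
    """Return the file with the inflated body of every FlateDecode stream appended,
    so the regexes also see JavaScript hidden inside compressed objects."""
    out = [data]
    pattern = rb"/FlateDecode[^>]*>>\s*stream\r?\n(.*?)\r?\nendstream"
    for m in re.finditer(pattern, data, re.DOTALL):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # truncated or non-zlib stream: skip it rather than abort the scan
    return b"\n".join(out)


def read_literal(data: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' is at data[start], honouring
    backslash escapes and balanced parentheses; returns the unescaped bytes."""
    escapes = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 1
            nxt = data[i:i + 1]
            out += escapes.get(nxt, nxt)
        elif c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def info_field(data: bytes, name: bytes) -> Optional[bytes]:
    """Return the literal-string value of /name (...) or None if it is absent."""
    m = re.search(rb"/" + re.escape(name) + rb"\s*\(", data)
    return read_literal(data, m.end() - 1) if m else None


def deobfuscate(blob: bytes) -> bytes:
    """Reverse the sample's encoding: [AB-Z] -> '%', then decode %hh escapes."""
    percent = re.sub(rb"[AB-Z]", b"%", blob)
    return re.sub(rb"%([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), percent)


def scan(pdf: bytes) -> List[Tuple[str, Optional[bytes]]]:
    """Return (info field name, decoded code) for each timer call fed from this.info."""
    text = inflate_streams(pdf)
    findings = []
    for m in TIMER_CALL.finditer(text):
        raw = info_field(text, m.group(1))
        findings.append((m.group(1).decode(), deobfuscate(raw) if raw is not None else None))
    return findings


if __name__ == "__main__":
    for field, code in scan(build_sample_pdf()):
        print(f"this.info.{field} -> {code!r}")
```

The scanner reports a hit even when the Info entry cannot be resolved (decoded code None), since the call pattern itself is the suspicious part; a real triage script would also walk object streams and other filters, which this minimal parser does not.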

Within the decoded iuGj stream we can see:

  • 0x0c0c0c0c - A common NOP in heapspray code.
  • app.viewerVersion - determining which version of Reader is in use
  • util.printf - CVE-2008-2992
  • Collab.collectEmailInfo - CVE-2007-5659
  • Collab.getIcon - CVE-2009-0927

So this script will run slightly different code depending on which version of Reader is being used and will try different vulnerabilities. The payload code, below, attempts to download other malware.

Payload code

  • wininet.dll - MS API that enables applications to access standard Internet protocols, such as FTP and HTTP
  • http://....php?id-10 - A malicious site

Unfortunately, when I try to visit the sites referenced by the "FJHKJ" stream I get nothing. The good thing is that of the ~20 sites I investigated yesterday, the Google Safe Browsing API blocked 90%. These URLs are also blocked via Sophos's Live Protection.

Sophos detects the malicious PDFs as Troj/PDFJs-NE.


6 Responses to Malicious PDFs find a novel way of running JavaScript

  1. Tomas says:

    Does the command line

    grep -a /iuGj 003f00b6eeba697b00b332791337d78c3767980b | sed -e "s/[AB-Z]/%/g" | ../bin/showhex.pl

    invoke cmd.exe behind my back on a XP system?

    I would be most thankful if anyone could give me an answer on this question.

  2. paulbaccas says:

    This didn't invoke cmd.exe when I ran it (some of the commands were different), as this is the command I ran on Linux.

    • Tomas says:

      Thanks for your answer Paul,

      So where is this or by which program is this command executed then – if not by c:\windows\system32\cmd.exe – is it executed by c:\program\java\jre6\bin\java.exe?

  3. paulbaccas says:

    Grep and sed are standard GNU tools and are available on Windows by various sources.

    • Tomas says:

      Well Paul,

      I have probably expressed myself a little bit foggily, if so I apologise for that, but my basic concern is if it's a good idea to turn off cmd.exe as well as java.exe to be able to execute on my XP-system?

      I have seen that some websites invoke java.exe and when I have seen that happen I don't visit them anymore.

      cmd.exe is always, as default, turned off on my computer. When I need it I turn it on.

      Am I right on here, for security reasons?

  4. John says:

    One more thing to point out, if you're going to start looking for app.setTimeout(...) as an eval-like function, there is also the app.setInterval(...) function that has similar functionality.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.