Postal-themed PDF Spam

The Bredo malware-spammers are back, and they’ve been reading about how to run executable files from a PDF using /Launch, a trick we’d already started to see used by malware. This latest spam campaign uses this technique (it’s not really exploiting a vulnerability as such, since PDFs were specifically designed to be able to do this) in a slightly modified format.

Messages started coming in last week targeting the Brits, with subject lines such as “IMPORTANT: Royal Mail Delivery Invoice #1092817” sent from “Royal Mail <>” and content such as:

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.

Later in the week we saw it change to a more Canadian theme, with subjects including “IMPORTANT: Canada Post Delivery #9381747173” from “Canada Post <>” and extremely similar content:

We missed you, when trying to deliver!

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

(c) 2010 Canada Post Corporation.

This week they even remembered they shouldn’t be discriminating against French-speaking Canadians:

We missed you, when trying to deliver!

Please view the invoice attached to this email.

We will try to deliver again the next business day.

Nous vous avons manqué, en essayant de livrer votre colis !

Veuillez regarder la facture attachée à ce courriel.

Une seconde temptative de livraison aura lieu le prochain jour ouvrable.

(c) 2010 Canada Post Corporation.

The actual attachments are PDF files, which is quite unusual for spam containing malware, and maybe that’s what the bad guys were relying on – there are still many people out there who mistakenly think of PDF as being a “safe” format.

If you open the PDF, called a variation on “Royal_Mail_Delivery_Invoice_1092817.pdf”, “CanadaPost_April_2010_Invoice.pdf” or “Canada_Post_Delivery_102837645167.pdf”, you get presented with the following dialog box (click on the image to enlarge it):

PDF Spam 1

This is asking you if you want to save an attachment, in this case CanadaPost_Invoice_Notice_9381747173.pdf, to the same folder as you opened the original PDF. This is the step that makes these PDFs different from the previous PDF malware we’ve seen using this technique. And although it looks like you’re saving another PDF, it’s actually an executable file with a misleading filename.

After clicking through the dialog you get the following message:

PDF Spam 2

This is running an instance of cmd.exe to try and run the dropped file, looking for it on the Desktop, in My Documents, and in Documents. And because it’s being run in this manner, Windows recognises the executable and runs it, ignoring the extension. This step is the one that actually uses the in-built PDF /Launch technique.

Finally of course you’re expecting a PDF file, so it shows you one, though it’s really very boring:

PDF Spam 3

It’s worth noting that, while you have to go quite out of your way to disable /Launch altogether, this two-stage approach is much simpler to stop; the first file-saving stage is implemented in JavaScript, so disabling JavaScript in your PDF reader (instructions here) will stop this particular approach from succeeding; when the second stage tries to /Launch the dropped file, it won’t have been dropped by the first JavaScript stage. Of course, disabling JavaScript won’t turn off the general /Launch method, so you still need to remain vigilant.

Our scanner can see the executable files inside the PDFs, detecting the examples here as Mal/Koobface-B and Mal/Swrort-A. We’ve also added additional detection for this style of PDF as Mal/BredoPdf-A.