This week I have been putting the finishing touches to my presentation for the Virus Bulletin Conference in Vancouver later this month. While doing the research I have collected a large corpus of PDF files; the results of analyzing these files form the bulk of my presentation. In these last few days before the conference I will be analyzing anomalous results and pushing out detections for the malicious files.
Today, I have been looking at some JavaScript in PDFs that uses a small piece of code that evaluates (eval()) and manipulates data in the PDF using getField.
Here the JavaScript will do a search for the characters 124 (‘|’) and 65 (‘A’) and replace them with something. The data being manipulated looks like this:
We can see ‘0D’, ‘0A’, ‘76’, ‘61’, ‘72’ and ‘20’ at the beginning of the data. This will be transformed to ‘ var ’ (the first space being a blank line).
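An added example, not code from this post or from Sophos: a Node.js helper that recovers a script hidden this way from the field data so it can be inspected without ever being evaluated. The post does not show what the two characters are replaced with, so the substitution rule (‘|’ becomes ‘%’), the %XX decoding step, the function names and the sample field value are all assumptions constructed for illustration.

```javascript
// Static recovery of a script stored as hex text in a PDF form field.
// Nothing is evaluated; the decoded text is only returned for inspection.

// API names mentioned in the post that are worth flagging in decoded output.
const INDICATORS = ["eval", "getField", "Collab.collectEmailInfo"];

// Apply the character substitutions an analyst reads off the sample's
// replace() calls. `rules` maps a character code to its replacement string.
function applySubstitutions(data, rules) {
  let out = "";
  for (const ch of data) {
    const code = ch.charCodeAt(0);
    out += Object.prototype.hasOwnProperty.call(rules, code) ? rules[code] : ch;
  }
  return out;
}

// Decode %XX escapes without unescape()/eval(). Malformed escapes are kept
// literally and their offsets reported, since they can hint at a second layer.
function decodePercentHex(text) {
  let decoded = "";
  const malformed = [];
  for (let i = 0; i < text.length; i++) {
    const pair = text.slice(i + 1, i + 3);
    if (text[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(pair)) {
      decoded += String.fromCharCode(parseInt(pair, 16));
      i += 2;
    } else {
      if (text[i] === "%") malformed.push(i);
      decoded += text[i];
    }
  }
  return { decoded, malformed };
}

// Full triage: substitute, decode, then list which indicator names appear.
function triageField(fieldValue, rules) {
  const { decoded, malformed } = decodePercentHex(applySubstitutions(fieldValue, rules));
  const hits = INDICATORS.filter((name) => decoded.includes(name));
  return { decoded, malformed, hits };
}

// Constructed sample (not from a real file): "\r\nvar x=eval;" as |XX pairs.
const SAMPLE_FIELD = "|0D|0A|76|61|72|20|78|3D|65|76|61|6C|3B";
// Assumed rule: character 124 ('|') becomes '%'.
const SAMPLE_RULES = { 124: "%" };
```
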
This particular obfuscation is being used for the “Collab.collectEmailInfo” vulnerability, but other members of the family may target other vulnerabilities. Sophos is now detecting these files as Mal/PDFJs-Y.