This week I have been putting the finishing touches to my presentation for the Virus Bulletin Conference in Vancouver later this month. While doing the research I have collected a large corpus of PDF files; the results of analyzing these files form the bulk of my presentation. In these last few days before the conference I will be analyzing anomalous results and pushing out detections for the malicious files.
We can see ‘0D’, ‘0A’, ‘76’, ‘61’, ‘72’ and ‘20’ at the beginning of the data. Decoded, these bytes are a carriage return and line feed followed by the ASCII text ‘var ’: the hidden script starts on a fresh line with a JavaScript variable declaration.
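As an added example (not code from the original post and not Sophos detection logic), here is a small Python decoder for this kind of hex-encoded JavaScript. The sample blob is constructed so that its first six bytes match the 0D 0A 76 61 72 20 prefix quoted above; the rest of the script behind it is an assumed stand-in, not the real payload, and the indicator list is my own choice.

```python
import re

# Constructed sample input: a hex-encoded script fragment. The first six bytes
# reproduce the 0D 0A 76 61 72 20 prefix seen in the real sample; the remainder
# ("var payload = unescape(...)") is an assumed stand-in, not the real payload.
SAMPLE_HEX = (
    "0D0A766172207061796C6F6164203D20"
    "756E657363617065282225753930393025753930393022293B0D0A"
)

# Strings whose presence in decoded data is worth a second look. This list is
# illustrative; it is not a published detection signature.
JS_INDICATORS = [
    b"var ",
    b"unescape(",
    b"%u",
    b"Collab.collectEmailInfo",
]


def decode_hex_blob(blob: str) -> bytes:
    """Decode hex data as an analyst sees it in a PDF stream.

    Tolerates '0x' prefixes, commas, quotes and whitespace between byte pairs
    by discarding everything that is not a hex digit before decoding.
    Raises ValueError on an odd number of hex digits.
    """
    stripped = re.sub(r"0[xX]", "", blob)          # "0x0D" -> "0D"
    digits = re.sub(r"[^0-9A-Fa-f]", "", stripped)  # keep only hex digits
    return bytes.fromhex(digits)


def describe_prefix(data: bytes, n: int = 6) -> list:
    """Return the first n bytes as upper-case hex pairs, e.g. ['0D', '0A', ...]."""
    return [f"{b:02X}" for b in data[:n]]


def js_indicators(data: bytes) -> list:
    """Return the indicator strings from JS_INDICATORS found in decoded data."""
    return [m.decode("ascii") for m in JS_INDICATORS if m in data]


if __name__ == "__main__":
    decoded = decode_hex_blob(SAMPLE_HEX)
    print("prefix bytes:", describe_prefix(decoded))
    print("decoded text:", decoded.decode("latin-1"))
    print("indicators:  ", js_indicators(decoded))
```

Note that the leading CR/LF survives decoding, which is why the printed text begins on a new line; when searching decoded data for a marker such as ‘var ’, do not anchor the match at offset 0.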
This particular obfuscation is being used to deliver an exploit for the “Collab.collectEmailInfo” vulnerability, but other members of the family may target other vulnerabilities. Sophos now detects these files as Mal/PDFJs-Y.