Malicious PDFs find a novel way of running JavaScript

Acrobat PDF
Earlier this year I gave a talk at the Virus Bulletin conference in Vancouver about malicious PDFs.

As a consequence of that paper, I received a number of enquiries from other researchers working in this field of computer security. One of the more fruitful contacts was Marco Cova of the Wepawet project.

This week, in-between other work, I have been analysing a feed of PDFs I have received from Wepawet.

One particular sample I analysed had a very small piece of JavaScript code that I hadn’t seen before:


JavaScript code inside sample

where XXXX is a randomly cased string. I immediately wrote a quick detection for this construct in other PDFs. While I was waiting for the results to come back I delved further into the sample.

SHA1 => 003f00b6eeba697b00b332791337d78c3767980b
Size => 7601
obj => 8
xref => 1
trailer => 1
xref_good => 1
endstream => 2
stream => 2
JS => 1
FlateDecode => 1
Page => 5
endobj => 8
startxref => 1
JavaScript => 2

Diving into the file and looking for the string referenced by the

Inside the file

We can see another occurrence of app.setTimeOut and enough of the rest to suggest that other parts of the PDF are being referenced. After the this you can make out the beginnings of a .replace construct and an “eval”. If you were to decode this then you see reference to two other streams “iuGj” and “FJHKJ”. The replace is actually:

.replace(/[AB-Z)/g, "%")

Running the following command over the file:

grep -a /iuGj 003f00b6eeba697b00b332791337d78c3767980b | sed -e "s/[AB-Z]/%/g" | ../bin/

where is a simple script that transforms %hh encoded characters to their binary, gives the following:


Within the decoded iuGj stream we can see:

  • 0x0c0c0c0c – A common NOP in heapspray code.
  • app.viewerVersion – determining which version of Reader
  • util.printf – CVE-2008-2992
  • Collab.collectEmailInfo – CVE-2007-5659
  • Collab.getIcon – CVE-2009-0927

So this script will run slightly different code depending on which version of Reader is being used and will try different vulnerabilities. The payload code, below, attempts to download other malware.

Payload code

  • wininet.dll – MS API that enables applications to access standard Internet protocols, such as FTP and HTTP
  • http://….php?id-10 – A malicious site

Unfortunately, when I try to visit the sites referenced by by the “FJHKJ” I get nothing. The good thing is that over the ~20 sites I investigated yesterday the Google SafeBrowsing API blocked 90%. These URLs are also blocked via Sophos’s Live Protection.

Sophos detects the malicious PDFs as Troj/PDFJs-NE.