Malicious PDFs find a novel way of running JavaScript

Filed Under: Adobe, Malware, PDF, SophosLabs

Earlier this year I gave a talk at the Virus Bulletin conference in Vancouver about malicious PDFs.

As a consequence of that paper, I received a number of enquiries from other researchers working in this field of computer security. One of the more fruitful contacts was Marco Cova of the Wepawet project.

This week, in between other work, I have been analysing a feed of PDFs received from Wepawet.

One particular sample I analysed had a very small piece of JavaScript code that I hadn't seen before:


[Image: JavaScript code inside sample]

where XXXX is a randomly cased string. I immediately wrote a quick detection for this construct in other PDFs. While I was waiting for the results to come back I delved further into the sample.

SHA1 => 003f00b6eeba697b00b332791337d78c3767980b
Size => 7601
obj => 8
xref => 1
trailer => 1
xref_good => 1
endstream => 2
stream => 2
JS => 1
FlateDecode => 1
Page => 5
endobj => 8
startxref => 1
JavaScript => 2

Diving into the file and looking for the string referenced by the

[Image: Inside the file]

We can see another occurrence of app.setTimeOut (Reader evaluates the string handed to it as JavaScript once the delay expires, which is what makes it a stand-in for eval) and enough of the rest to suggest that other parts of the PDF are being referenced. After this you can make out the beginnings of a .replace construct and an "eval". Decoding this shows references to two other streams, "iuGj" and "FJHKJ". The replace is actually:

.replace(/[AB-Z]/g, "%")

The character class AB-Z is simply every uppercase letter, so the call turns each uppercase letter in the string into a "%", ready for an unescape-style %hh decoder.

Running the following command over the file:

grep -a /iuGj 003f00b6eeba697b00b332791337d78c3767980b | sed -e "s/[AB-Z]/%/g" | ../bin/

where the last stage of the pipeline is a simple script that turns each %hh-encoded character back into its byte value. The sed substitution is only safe because the hex digits in the sample are lowercase; an uppercase hex digit would be turned into a "%" as well. Running it gives the decoded stream.
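The grep/sed/%hh pipeline above, reproduced in Python as an added example (this is not the author's script). The sample PDF, the way the obfuscated string is stored under /iuGj and handed to app.setTimeOut, and the JavaScript inside it are constructed stand-ins, since the real streams are not reproduced on this page; the decoder itself does not depend on any of those choices.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed JavaScript standing in for the real iuGj stream, which the
# post only describes.
INNER_JS = b"var v = app.viewerVersion; if (v < 9) util.printf(arg);"


def deobfuscate(blob: bytes) -> bytes:
    """Undo .replace(/[AB-Z]/g, "%") followed by unescape().

    Every uppercase letter stands for a '%'.  The hex digits therefore have
    to be lowercase, otherwise the same substitution would destroy them,
    which is also why the sed expression in the post is safe to run.
    """
    return unquote_to_bytes(re.sub(rb"[A-Z]", b"%", blob))


def obfuscate(js: bytes, letters: bytes = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ") -> bytes:
    """Percent-encode every byte as lowercase %hh, then swap each '%' for an
    uppercase letter.  The sample used random letters; this cycles through
    the alphabet so the output is reproducible.  The decoder does not care."""
    return b"".join(
        bytes([letters[i % len(letters)]]) + b"%02x" % b
        for i, b in enumerate(js)
    )


def extract_named_string(pdf: bytes, key: bytes) -> Optional[bytes]:
    """Return the literal string stored under /key, the equivalent of
    `grep -a /iuGj` on the raw file.  Assumes the payload is a parenthesised
    PDF string with no nested parentheses, which holds for the constructed
    sample (the letter/hex alphabet cannot contain one)."""
    m = re.search(rb"/" + re.escape(key) + rb"\s*\((.*?)\)", pdf, re.S)
    return m.group(1) if m else None


def decode_stream(pdf: bytes, key: bytes) -> Optional[bytes]:
    """grep | sed | %hh-decoder in one call."""
    raw = extract_named_string(pdf, key)
    return deobfuscate(raw) if raw is not None else None


# Constructed file: an OpenAction that un-obfuscates a string and hands it to
# app.setTimeOut, with the string itself parked in another object.  How the
# real sample wires the two together is not shown on the page, so the bare
# name reference here is an assumption.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (app.setTimeOut(unescape(iuGj.replace(/[AB-Z]/g, \"%\")), 1)) >>\nendobj\n"
    b"4 0 obj\n<< /iuGj (" + obfuscate(INNER_JS) + b") >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    print(decode_stream(SAMPLE_PDF, b"iuGj").decode())
```

On a real file you would run decode_stream over the raw bytes of the PDF rather than SAMPLE_PDF; if the payload sits in a compressed stream instead of a literal string, inflate the stream first and feed the result to deobfuscate directly.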


Within the decoded iuGj stream we can see:

  • 0x0c0c0c0c - the classic heap-spray filler: 0x0c executes as a harmless instruction on x86, and the value doubles as the address the spray aims for.
  • app.viewerVersion - determining which version of Reader is running
  • util.printf - CVE-2008-2992
  • Collab.collectEmailInfo - CVE-2007-5659
  • Collab.getIcon - CVE-2009-0927

So the script selects its exploit according to the version of Reader it finds, trying whichever of these vulnerabilities applies to that version. The payload code, below, attempts to download further malware.
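A triage scanner along the lines of the quick detection the author mentions writing, as an added example rather than Sophos's detection logic: it walks the objects of a PDF, inflates FlateDecode streams, undoes the uppercase-letter-for-percent encoding where a stream consists of nothing else, flags the timer-based eval and the viewerVersion check, and maps the three API names above to their CVEs. The sample PDF and the JavaScript inside it are constructed, and the version cut-offs in that JavaScript are illustrative, not the ones in the real sample.

```python
import re
import zlib
from urllib.parse import unquote_to_bytes

# API names found in the decoded iuGj stream and the CVEs the post pairs them with.
API_TO_CVE = {
    b"util.printf": "CVE-2008-2992",
    b"Collab.collectEmailInfo": "CVE-2007-5659",
    b"Collab.getIcon": "CVE-2009-0927",
}
# Both timer calls take a string expression that Reader evaluates later,
# so either one with a string argument is an eval in disguise.
TIMER_EVAL = re.compile(rb"app\.set(?:TimeOut|Interval)\s*\(")
OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
# A stream that is nothing but <uppercase letter><two lowercase hex digits>
# repeated is the letter-for-percent encoding seen in the sample.
LETTER_HEX = re.compile(rb"^(?:[A-Z][0-9a-f]{2})+\s*$")


def deobfuscate(blob: bytes) -> bytes:
    return unquote_to_bytes(re.sub(rb"[A-Z]", b"%", blob))


def object_views(pdf: bytes):
    """Yield (object number, bytes) for each view of each object: the object
    as it sits in the file, its stream after inflating /FlateDecode, and the
    decoded form of an encoded stream."""
    for num, body in OBJ.findall(pdf):
        num = int(num)
        yield num, body
        m = STREAM.search(body)
        if not m:
            continue
        data = m.group(1)
        if b"/FlateDecode" in body:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or truncated stream: the raw view was already yielded
        yield num, data
        if LETTER_HEX.match(data):
            yield num, deobfuscate(data)


def triage(pdf: bytes) -> dict:
    """Report which objects carry each indicator and which CVEs are targeted."""
    hits = {"timer_eval": set(), "viewer_version_check": set(), "heap_spray": set()}
    cves = {}
    for num, view in object_views(pdf):
        if TIMER_EVAL.search(view):
            hits["timer_eval"].add(num)
        if b"app.viewerVersion" in view:
            hits["viewer_version_check"].add(num)
        if b"%u0c0c" in view or b"0c0c0c0c" in view:
            hits["heap_spray"].add(num)
        for api, cve in API_TO_CVE.items():
            if api in view:
                cves.setdefault(cve, set()).add(num)
    report = {k: sorted(v) for k, v in hits.items()}
    report["cves"] = {cve: sorted(objs) for cve, objs in sorted(cves.items())}
    return report


# Constructed exploit-selection logic; the real stream is not reproduced on the page.
EXPLOIT_JS = (
    b"var v = app.viewerVersion;\n"
    b"var sled = unescape('%u0c0c%u0c0c');\n"
    b"if (v < 8) Collab.collectEmailInfo(arg);\n"   # version cut-offs are illustrative
    b"else if (v < 9) util.printf(arg);\n"
    b"else Collab.getIcon(arg);\n"
)


def build_sample() -> bytes:
    """Constructed PDF: a timer-eval OpenAction plus a deflated, letter-encoded stream."""
    encoded = b"".join(b"Q%02x" % b for b in EXPLOIT_JS)  # one fixed letter instead of random ones
    data = zlib.compress(encoded)
    head = (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"3 0 obj\n<< /S /JavaScript /JS (app.setTimeOut(iuGj, 1)) >>\nendobj\n")
    stream_obj = (b"4 0 obj\n<< /Length " + str(len(data)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n")
    return head + stream_obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage(build_sample()))
```

The scanner deliberately yields the raw object as well as the inflated and decoded views, so an indicator is caught wherever it surfaces; against real samples the LETTER_HEX heuristic is the part that most needs tuning, since a variant only has to mix in a second encoding layer to defeat it.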

[Image: Payload code]

  • wininet.dll - Microsoft's API for standard Internet protocols such as FTP and HTTP, the usual route for a download-and-execute payload
  • http://....php?id-10 - A malicious site

Unfortunately, when I try to visit the sites referenced by the "FJHKJ" stream I get nothing. The good news is that, of the ~20 sites I investigated yesterday, the Google Safe Browsing API blocked 90%. These URLs are also blocked via Sophos's Live Protection.

Sophos detects the malicious PDFs as Troj/PDFJs-NE.



6 Responses to Malicious PDFs find a novel way of running JavaScript

  1. Tomas · 1796 days ago

    Does the command line

    grep -a /iuGj 003f00b6eeba697b00b332791337d78c3767980b | sed -e "s/[AB-Z]/%/g" | ../bin/

    invoke cmd.exe behind my back on a XP system?

    I would be most thankful if anyone could give me an answer to this question.

  2. paulbaccas · 1796 days ago

    This didn't invoke cmd.exe when I ran it (some of the commands were different), as this is the command I ran on Linux.

    • Tomas · 1796 days ago

      Thanks for your answer Paul,

      So where is this or by which program is this command executed then – if not by c:\windows\system32\cmd.exe – is it executed by c:\program\java\jre6\bin\java.exe?

  3. paulbaccas · 1793 days ago

    Grep and sed are standard GNU tools and are available on Windows by various sources.

    • Tomas · 1793 days ago

      Well Paul,

      I have probably expressed myself a little bit foggily, if so I apologise for that, but my basic concern is whether it's a good idea to turn off cmd.exe as well as java.exe so that they cannot execute on my XP system?

      I have seen that some websites invoke java.exe and when I have seen that happen I don't visit them anymore.

      cmd.exe is always, as default, turned off on my computer. When I need it I turn it on.

      Am I right on here, for security reasons?

  4. John · 1793 days ago

    One more thing to point out, if you're going to start looking for app.setTimeout(...) as an eval-like function, there is also the app.setInterval(...) function that has similar functionality.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.