
Bad “Visual” PDF

May 3

Last week a PDF document which downloaded malware fell into my hands. That alone is nothing new for a post, as distributing malware through PDF files has lately become common practice. But two things surprised me: on the one hand, the file didn’t use JavaScript; this time the malicious user had opted for Visual Basic Script (VBS). On the other, the file does NOT exploit any Acrobat Reader vulnerability. Instead it uses a documented “feature” of the PDF format which allows any command of the operating system to be run (PDF Reference 1.7, section “8.5 Actions”, table “8.5.3 Additional entries specific to a launch action”).
This “feature” allows you to launch any executable file without using any vulnerability. In Didier Stevens’ blog (http://blog.didierstevens.com/2010/03/29/escape-from-pdf/) you can see the details of this “feature” and even watch a demo video.
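A raw-byte triage scan for this kind of launch action, added here as an example (it is not code from the post or from Panda): it lists every /Launch action object in a PDF, the program and parameters it would run, and whether the catalog’s /OpenAction fires it automatically, as happens with doc.pdf. The sample PDF is constructed for the example.

```python
import re

# Constructed sample PDF (not the doc.pdf from the post): the catalog's
# /OpenAction points at a /Launch action dictionary as described in PDF
# Reference 1.7, section 8.5 and table 8.5.3. The action name is written
# with a #61 hex escape to show that the scanner normalises names.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch /Win << /F (cmd.exe) /P (/c echo constructed sample) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so that /L#61unch reads as /Launch."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _string_after(key: bytes, body: bytes) -> str:
    """Return the literal string value that follows a dictionary key, or ''."""
    m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", body)
    return m.group(1).decode("latin-1") if m else ""


def find_launch_actions(pdf: bytes) -> list:
    """Scan raw PDF bytes for /Launch action objects.

    Each hit records the object number, the target file (/F), its
    parameters (/P) and whether the catalog's /OpenAction fires it on open.
    Objects inside compressed object streams are invisible to a raw scan;
    inflate them first (or use a full PDF parser) for such files.
    """
    data = _unescape_names(pdf)
    auto_open = {int(n) for n in OPEN_ACTION_RE.findall(data)}
    hits = []
    for num, _gen, body in OBJ_RE.findall(data):
        if not re.search(rb"/S\s*/Launch\b", body):
            continue
        hits.append({
            "object": int(num),
            "file": _string_after(b"F", body),
            "params": _string_after(b"P", body),
            "auto_open": int(num) in auto_open,
        })
    return hits
```

Run over `SAMPLE_PDF` it reports object 4 launching `cmd.exe` with its parameters and `auto_open` set; a document that needs no launch action should return an empty list, which makes this a cheap attachment check at a mail gateway.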
Of course, the cybercrooks always try to take advantage of any opportunity to infect you, as in the case of the file we received last week. The file reached the computer in an email with the subject “Setting for your mailbox are changed” and an attached file called “doc.pdf”. When the file is opened, the following screen is displayed:

[Figure 1: the dialog box displayed when doc.pdf is opened]

In the dialog box you can read the message “Click the “open” button to view this document”. What would you do? Click the open button. And what would happen then? Let’s examine the code of the file. If we open the file with an editor, we’ll find the following code:

[Figure 2: the start of doc.pdf opened in an editor, showing the large array]

Bad start. The size of this array is quite big, and if we go to the end of the code, we’ll find the following functions:

[Figure 3: the functions found at the end of doc.pdf]

Bingo!! VBScript. Quite odd.

The mechanism the malware follows is the following: when the file doc.pdf is opened, a file is created, called script.vbs, whose code is the following:

[Figure 4: the code of script.vbs]

The aim of this file is to extract from doc.pdf the obfuscated code of the executable file that will be created. Or did you doubt that there was an executable? ;)

The code is extracted into a file called batscript.vbs, and both the array and the functions included in doc.pdf are copied to it. This file deobfuscates the array, creating an executable file packed with UPX (what a clever boy) called game.exe. When this file is run, it copies itself under the name svchost.exe into “%ProgramFiles%\Microsoft Common”. Finally, it deletes the files script.vbs, batscript.vbs and game.exe. My mum has always told me: “You have to be clean and tidy”.

The executable file is detected as W32/Bezopi.C and, as always, if you have a Panda product with TruPrevent technologies installed on your computer, the pdf won’t be able to infect you ;) .
