Mal/PDFJs-RE

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 18 Apr 2011 08:17:51 (GMT)
Last Updated: 18 Apr 2011 08:17:51 (GMT)
Prevalence: Many Reports

Mal/PDFJs-RE is a family of malicious PDF files that use embedded JavaScript to download further malware.

In this instance, malicious PDFs were spammed out with the following Subject:

<Company>.com Order

With a message similar to the following:

Dear customer,

Thank you for placing an order with us!

We wish to inform you that we have received your order and it will be processed very shortly. Your order number is 995471-573894 and it is expected to be delivered within 2-5 working days. Please note that in most cases, delivery is faster than stated as we want you to start enjoying your purchase as soon as possible. In the meantime, you may log into the site and check your order status at any time via the 'My Account' page.

If you have any questions about your order, please feel free to email us at support@<company>.com. As soon as the order has been dispatched, our Customer Service Executive will monitor the progress and keep you updated at all times.

The emails had one of the following attachments:

OrderN25031104.pdf, Order_04041136.pdf, Order94.pdf, invoice17041140.pdf

Mal/PDFJs-RE attempts to contact the following remote location:

hxxp:// zkp2 . cz . cc / y / l . php

At the time of writing, Mal/PDFJs-RE may download and execute the following file:

<Application Data>\Hivo\myev.exe (detected as Mal/FakeAV-IK)

Samples of this malware have exploited CVE-2010-0188, and early samples also contained an exploit for CVE-2011-0610 (Paul Baccas of SophosLabs sent the samples to Adobe, which credited him as a contributor).

Examples of Mal/PDFJs-RE include:

Example 1

File Information

Size: 16K
SHA-1: 432ef4b06d54080a1ac1fe420a5e999f2d16a9eb
MD5: 910f2d140dc12405193dc4e21da41369
CRC-32: 416f07a5
File type: application/pdf
First seen: 2011-02-19

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\Acr9CCF.tmp
    Size: 358
    SHA-1: e8b3e66dab8f56c161bdbbe9df0916973c1f67f4
    MD5: f5eecb96e69016a433330f39a9e22cf8
    CRC-32: 274e75b9
    File type: application/pdf
    First seen: 2011-04-18

Processes Created
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe

Example 2

File Information

Size: 18K
SHA-1: 57dc561d4348a177224fd434a336a767be0f6461
MD5: 5fc36f081383c52298144486785d566a
CRC-32: daca0992
File type: application/pdf
First seen: 2011-02-17

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\Acr5EC1.tmp
    Size: 358
    SHA-1: d8d6784931e6795e47a05bdb48b9270fef4bd49f
    MD5: ca792bbd510234a1a80151d1ac0c9edb
    CRC-32: b178820c
    File type: application/pdf
    First seen: 2011-02-17

Processes Created
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe

Example 3

File Information

Size: 18K
SHA-1: c5b8eb7f93ddb414d9dac1dae21ef4dfdfe8659e
MD5: 3f8f32f7f5606cbffe933e2c154ceb01
CRC-32: ac08fdc4
File type: application/pdf
First seen: 2011-02-18

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\AcrA990.tmp
    Size: 358
    SHA-1: 79e5b8d20731dd162fdbeefc2d1e35c6a725f10e
    MD5: 1ea0912504ee4397a15365504b640089
    CRC-32: 6636dd67
    File type: application/pdf
    First seen: 2011-04-15

Processes Created
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe

Further information

There is more information about Mal/PDFJs-RE in the blog article "Who ordered spam? New trick in PDF malware uncovered".