Closer Look on a PDF Exploit

Since vulnerabilities in the most popular PDF reader, Adobe’s, keep being attacked, we regularly take a closer look at such samples in our Avira VirusLab. This time we looked at an older exploit, which Avira antimalware solutions detect as EXP/Pdfka.bmq. The first step is to open the file in a tool as simple as a text editor.

There you can see that the document follows PDF specification 1.0, that the root object of the document is object one and that the document contains 11 streams. The entries also show that some of those objects are compressed and that some streams consist of JavaScript.

After inflating the compressed streams, encrypted JavaScript becomes visible.

By dumping the source of those streams, the JavaScript can be analyzed.

The first part of the inflated stream contains a lookup for EScript, which is Adobe’s JavaScript implementation. The code also checks the version of the EScript plugin – this is done so that the exploit works on more than one Adobe Reader version.
The second part contains the shellcode.

The third part of the exploit code tries to create a MediaPlayer object, passing “null” as the arguments for the player. This lets us identify the exploit as CVE-2009-4324, a vulnerability in the doc.media.newPlayer implementation of Adobe Reader and Acrobat.

Decoding the Shellcode
To decode and dump the shellcode we have to look at the variable str: the string “%u9090%u9090” is used as NOP padding in front of the payload code to fill a 0x8000 block, and that block is repeated j times to generate the s array. This is JavaScript heap spraying. The shellcode, which is contained in the variable sh, looks like this:

At this point, some suspicious strings like “urlmon.dllC:\u.exe” become visible. To see exactly what it does, we load the dump into a disassembler:


There we can see that the first instruction is a jump, after which the code accesses the PEB structure. We can also see it reaching the PEB_LDR_DATA structure and its InInitializationOrderModuleList member, which is how the shellcode finds the loaded modules without relying on imports. After this it initializes the edi register, calls the sub_2 function and uses the resulting eax register to call into API code.

Without further analysis we already get a very nice result and know what the malware tries to do:


We now have a URL which the exploit accesses using the classic “URLDownloadToFile” API from the Microsoft urlmon.dll library. The file is saved on the local hard drive as “C:\U.exe”.
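The steps walked through above (inflating the FlateDecode streams, spotting the “%u9090” / 0x8000 heap spray and the newPlayer(null) trigger, and decoding the %u-escaped payload to read its strings) combined into one small triage scanner. This is an added example and not the VirusLab’s own tooling: the PDF and the JavaScript it scans are constructed here, and the indicator names and the “two indicators” threshold are my own assumptions.

```python
import re
import zlib
# Constructed sample, not the Pdfka.bmq document from the post: one FlateDecode
# stream carrying JavaScript with the same building blocks (unescape'd %u9090
# padding, a 0x8000 block repeated into an array, newPlayer(null), and a
# %u-encoded "urlmon.dll" string standing in for the real shellcode).
SAMPLE_JS = (b'var str = unescape("%u9090%u9090");'
             b'var sh = unescape("%u7275%u6d6c%u6e6f%u642e%u6c6c");'
             b'while (str.length < 0x8000) str += str;'
             b'var s = []; for (var j = 0; j < 200; j++) s[j] = str + sh;'
             b'this.media.newPlayer(null);')
_BODY = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (b'%PDF-1.0\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n'
              b'2 0 obj << /Filter /FlateDecode /Length ' + str(len(_BODY)).encode() +
              b' >>\nstream\n' + _BODY + b'\nendstream\nendobj\n'
              b'3 0 obj << /S /JavaScript /JS 2 0 R >> endobj\ntrailer << /Root 1 0 R >>')

# Simplistic matcher: a dictionary without nested '>' followed by a stream body.
STREAM_RE = re.compile(rb'<<([^>]*)>>\s*stream\r?\n(.*?)\nendstream', re.S)

def extract_streams(pdf):
    """Return (dictionary, payload) per stream; FlateDecode payloads are inflated."""
    out = []
    for d, raw in STREAM_RE.findall(pdf):
        if b'/FlateDecode' in d:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # damaged stream: keep the raw bytes, still worth scanning
        out.append((d, raw))
    return out

def decode_unescape(js):
    """Turn every %uXXXX run into the little-endian bytes the spray puts in memory."""
    return b''.join(int(w, 16).to_bytes(2, 'little') for w in re.findall(r'%u([0-9a-fA-F]{4})', js))

def spray_indicators(js):
    """Flag the spray, the newPlayer trigger and known strings inside one stream."""
    text = js.decode('latin-1')
    blob = decode_unescape(text)
    return {'nop_bytes': blob.count(b'\x90'),
            'block_0x8000': bool(re.search(r'0x8000', text, re.I)),
            'array_fill_loop': bool(re.search(r'for\s*\(.*?\)\s*\w+\[\w+\]\s*=', text)),
            'newplayer_null': bool(re.search(r'media\.newPlayer\(\s*null\s*\)', text)),
            'strings': [s for s in (b'urlmon.dll', b'URLDownloadToFile') if s in blob]}

def scan_pdf(pdf):
    """Indicator sets for streams showing at least two of the building blocks."""
    hits = [spray_indicators(p) for _, p in extract_streams(pdf)]
    return [h for h in hits if sum(map(bool, h.values())) >= 2]
```

Run scan_pdf(SAMPLE_PDF) to see all five indicators light up on the constructed stream; a benign document with plain streams returns an empty list.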

Petre Galan
Virus Researcher