Threat behavior
Exploit:Win32/Pdfjsc.CR is the detection for a malicious PDF file that exploits the vulnerability discussed in CVE-2007-5659.
Upon execution, Exploit:Win32/Pdfjsc.CR runs JavaScript that attempts to download and execute arbitrary files from remote servers. The remote servers it is known to try to connect to are:
- izediotia.info - at the time of writing, this server is inaccessible
- odewupeotwe.com - the malware may download the trojan Trojan:Win32/Alureon.DA from this server
A file detected as Exploit:Win32/Pdfjsc.CR is composed of two encoded JavaScript streams. The first stream attempts to retrieve and handle the second stream by using the "syncAnnotScan" method to scan all annotations in the document. It then uses the "getAnnots" method to retrieve the first annotation, which it assumes to be the second stream. After decoding this stream, the result is obfuscated JavaScript that attempts to download and execute arbitrary files from remote servers.
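The annotation-staging pattern described above can be checked for without opening the PDF in a reader. The following heuristic scanner is an added example and is not Microsoft's detection logic: it walks every stream in a PDF, inflates FlateDecode-encoded ones, and flags JavaScript that calls syncAnnotScan and then getAnnots while the document also carries at least one annotation. The sample document, the script inside it and all object numbers are constructed for the demonstration and contain no exploit code.

```python
import re
import zlib

# Dictionary immediately followed by a stream body. Refusing to cross a nested
# "<<" keeps the match anchored to the stream's own dictionary (heuristic, not a parser).
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
ANNOT_RE = re.compile(rb"/Type\s*/Annot\b")
# Stage one's signature: scan the annotations, then read them back as data.
STAGE_LOADER_RE = re.compile(rb"syncAnnotScan\s*\(.*?getAnnots\s*\(", re.S)


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate a FlateDecode stream; other filters or corrupt data are returned as-is."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def scan_pdf(data: bytes) -> dict:
    """Report streams whose JavaScript pulls a second stage out of an annotation."""
    streams = STREAM_RE.findall(data)
    staged = [i for i, (d, raw) in enumerate(streams)
              if STAGE_LOADER_RE.search(decode_stream(d, raw))]
    annotations = len(ANNOT_RE.findall(data))
    return {
        "streams": len(streams),
        "annotations": annotations,
        "staged_js_streams": staged,
        # A loader with nothing to load from does not complete the pattern.
        "suspicious": bool(staged) and annotations > 0,
    }


def build_sample_pdf(js: bytes, compress: bool = True) -> bytes:
    """Constructed demo document: one JavaScript stream plus one text annotation."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >> endobj\n"
        b"2 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
        + body + b"\nendstream\nendobj\n"
        b"3 0 obj << /Type /Annot /Subtype /Text /Contents (stage-two placeholder) >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed stage-one script: only the two calls the heuristic keys on.
SAMPLE_JS = b"syncAnnotScan();\nvar annots = this.getAnnots({nPage: 0});\nvar stage2 = annots[0];\n"

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(SAMPLE_JS)))
```

Real samples may split the calls across obfuscation layers or use other stream filters, so a miss here is not a clean bill of health; the check is a cheap triage signal for this specific staging trick.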
Analysis by Andrei Florin Saygo
Prevention