Exploit:Win32/Pdfjsc.Y

Exploit:Win32/Pdfjsc.Y is a detection for malicious PDF files that attempt to exploit the heap corruption vulnerability in a component (U3D) in Adobe Reader and Acrobat 10.1.1 and earlier, described in CVE-2011-2462. An attacker may create specially-crafted malicious PDF files to trigger the memory corruption, and possibly execute arbitrary code to run malicious JavaScript and shellcode. It may also connect to remote websites.

Installation 

Exploit:Win32/Pdfjsc.Y usually arrives on the computer when the user visits a webpage that contains a malicious PDF file, or opens an email message containing the PDF file as an attachment. In the wild, we have observed the malicious PDF being called the following:

• FY12_Per_Diem_Rates.pdf
• 2012_Federal_Employee_Pay_Calendar.pdf

When the malicious PDF is opened in a vulnerable PDF Reader, it may drop and open a clean PDF as a decoy. The malicious PDF contains JavaScript code that checks for the target PDF version on the Windows platform. If the PDF version is the target, it executes the heap-spray function, and another function to trigger the vulnerability, consequently dropping the malicious payload.

Payload 

Downloads arbitrary files

In the wild, we have observed the threat dropping the following file as payload:

%USERPROFILE%\Local Settings\pretty.exe - detected as Backdoor:Win32/Wkysol.D

Connects to remote websites

The payload may connect to a remote website for various purposes. In the wild, one sample was observed to contact the following:

prettylikeher.com

Analysis by Rex Plantado