Exploit:Win32/Pdfjsc.ZZ

Exploit:Win32/Pdfjsc.ZZ is a detection for a PDF file that contains an obfuscated malicious JavaScript that attempts to contact remote hosts in order to download arbitrary files.

Installation

These PDF files contain an embedded JavaScript, and when the malicious PDF file is opened, it executes the JavaScript in order to download other malware to the affected computer.

The JavaScript file may contain several layers of obfuscation, in an attempt to make it difficult for antivirus products to detect.

Once the JavaScript is de-obfuscated during run-time, it is detected as Exploit:JS/Mult.DJ.

This threat attempts to exploit the following vulnerabilities:

• CVE-2006-0003
• CVE-2007-5659
• CVE-2008-2992
• CVE-2009-0927
• CVE-2009-1671
• CVE-2010-0840
• CVE-2010-0842
• CVE-2010-0886
• CVE-2010-1423
• CVE-2010-1885

Payload

Downloads arbitrary files

In the wild, we have observed Exploit:Win32/Pdfjsc.ZZ contacting the following URLs in order to download malicious files:

• 188.190.98.79/s.php
• 79.132.67.141/w.php
• 81.17.24.83/w.php
• 96.41.64.177/w.phpYA
• agley.in/z.php
• brightrich.in/w.php
• exception.newyorkwineryvideos.com/w.php
• frend.convergencia.com/w.php
• gps.convergencialatina.com/w.php
• husband.mn-copywriter.com/w.php
• idea.tc-copywriting.com/w.php
• identify.bestofcheapxxxtrials.com
• ill.hollywoodforeplay.com/w.php
• illegal.hollywoodforeplay.info/w.php
• lrfooeniin.com/w.php
• lsoehocmlen.com/w.php
• perezlima.com/google/
• sovririesh.com/w.php

Analysis by Ric Robielos