Tweet

.PDF files—or their inherent features—have been used by cybercriminals in some of the most noteworthy attacks we have encountered. Modified versions of this file type have been especially notorious these past few months since they are capable of attacking user systems by initially exploiting inherent vulnerabilities found in Adobe Reader and Acrobat. TrendLabs^SM has documented a number of these attacks:

• More Adobe Exploits in the Wild
• Shanghai Expo Spam Carries Backdoor
• Spam Attack Against the U.S. Defense Department Exploits an Adobe Vulnerability

A newly spotted malformed .PDF was found to also attack flaws found in the aforementioned Adobe software products; however, this kind of .PDF contained an object that was embedded within itself using FlateDecode and ASCII85Decode, two common filters used in .PDF files to filter images before compressing them. This object turned out to be an Extensible Markup Language (XML) file bearing a malicious Tagged Image File Format (TIFF) file.

Trend Micro detects the .PDF file as TROJ_PIDIEF.AAL. It can exploit the following vulnerabilities:

• Adobe Reader ‘util.printf()’ JavaScript Function Stack Buffer Overflow Vulnerability
• Adobe TIFF File Vulnerability

Once these vulnerabilities are exploited, this Trojan connects to several URLs to download files, which were also found to be malicious. Trend Micro detects these downloaded files as TROJ_DNSCHANG.XT and TROJ_FRAUDPAC.QL.

Trend Micro protects users via the Smart Protection Network™, which blocks access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.