Malicious PDF spreading in the wild (Jan 20, 2011)


SonicWALL UTM Research team observed a new malicious PDF spreading in the wild. This malicious PDF is being spread through spam emails with the file in the attachment. The email with malicious PDF file is shown below:


If the user downloads the PDF file attachment and executes it, then it delivers a malicious payload using an exploit in Adobe Acrobat Reader. This malicious payload in turn downloads secondary malware.

  • The PDF contains a producer section which is encrypted. This encrypted producer section is decrypted at runtime with the script embedded in the PDF file.


  • The encrypted producer section of PDF file decrypts to a script that serves the payload. This script uses an appropriate exploit technique to deliver the payload depending on the version of Adobe Acrobat Reader being used.


  • On inspection of the payload used in the script we observed secondary malware being downloaded from a remote location.


  • On execution of the payload it downloads and executes the following malicious file

    • us01.exe [Detected as GAV: Kryptik.JKT (Trojan)]
  • The downloaded file performs the following activities on the victim’s machine:

    • It creates the following files
      • %UserProfile%Application DataMuitirfyoci.exe (Copy of itself) [Detected as GAV: Kryptik.JKT (Trojan)]
      • %UserProfile%Application DataYlaqozuzpa.lyz
    • It attempts to connect to randomly created domain names
      • screenshot

    • It creates the following registry key to ensure re-infection on system restart
      • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun: “%UserProfile%Application DataMuitirfyoci.exe”

SonicWALL Gateway AntiVirus provided protection against this threat via following signatures:

GAV: Pdfka.EML (Trojan)
GAV: Kryptik.JKT (Trojan)



Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.