MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


Exploiting vulnerabilities with PDF files

Exploit weaknesses in certain applications for mass use, is now one of the attack vectors for malware more employees, and in this sense I have posted the exploitation of vulnerabilities through several SWF and JS.

In this case, the attacker's goal is to find computers with Adobe Acrobat and Adobe Reader vulnerable to a buffer overflow attack as described in CVE-2008-2992.

The thing is, a concrete example is the address By accessing this malicious URL is not displayed anything but in the background, the exploit code will exploit the above error if found.

In this example, download and execute arbitrary remotely and via a malware file f.pdf (MD5: 2de9de23f9db1e7b1e39d0481a372399) using the function util.printf Java Script.

The malicious code appears under the name load.exe (MD5: a6e317f29966fa9e2025f29c7d414c0a) and is discharged from

Unfortunately, the PDF file is constantly manipulated by those who spread it to avoid detection by antivirus programs, and why I say "unfortunately", because the detection rate of malicious PDF that has so far is extremely low. That which we can observe in the report that returns VirusTotal, only five (5) AV companies a total of 39 preventing its infection.

A similar situation exists with the file doc.pdf (MD5: 5fa343ebca2dd5a35b38644b81fe0485) called from, and downloading the file 1.exe (MD5: 5c581054fbce67688d2666ac18c7f540) whose detection rate is even lower than the previous (4 / 39).

There are many web addresses being used actively to spread malware:

tozxiqud .cn / nuc / spl / pdf. pdf
teirkmm .net / nuc / spl / pdf. pdf
hayboxiw .cn / nuc / spl / pdf. pdf
www.ffseik .com / nuc / spl / pdf. pdf
www.kuplon .biz / SMUN / pdf. php? id = 2435 & vis = 1
www.geodll .biz / ar / spl / pdf.pdf
setcontrol .biz / ar / spl / pdf. pdf
newprogress .tv / for / spl / pdf. pdf
eddii .ru/traffic/sploit1/getfile. php? f = pdf
google-analytics.pbtgr .ru / pdf. php? id = 48,462
hardmoviesporno .com/rf/exp/update1. pdf

You see, the odds of being victims of such strategies of infection is high, it's therefore important to patch as soon as possible, those who use, Adobe applications.

Related information
Exploiting vulnerabilities through SWF
Exploitation of vulnerabilities through JS

Jorge Mieres

0 comentarios:

Post a Comment