PDF Container Threat

Created: 09 Aug 2010 19:51:21 GMT • Updated: 23 Jan 2014 18:25:46 GMT
Last year I wrote a blog entry entitled The Fight Against Malicious PDFs Using the ASCII85Decode Filter, which is about a threat that uses the ASCII85Decode filter to hide itself. Since that time, some Adobe Reader vulnerabilities have been found, including a recent zero-day vulnerability. However, attackers like to use not only direct exploitation, but also social engineering. I think this is because patches can fix software vulnerabilities fairly easily, but social engineering requires us (as potential victims) to understand and know what is dangerous, which is never easy.

More recently, I have discovered a social engineering threat that uses a PDF file as a “container” file. This PDF threat contains a 7-Zip file as an attachment and displays a message dialog that tries to convince the user to open the 7-Zip file. It also switches the dialog message by using JavaScript, depending on which version of PDF reader the victim is using. If a user opens the threat with Adobe Reader version 6, he or she will see the following message in Chinese:

Rough translation: "This file contains an attachment. Please choose 'File'->'Attachment' to read the attachment." If this message were clicked through, the user would see this attachment file:

On the other hand, if the threat is opened with Adobe Reader version 7 or higher, the user will likely see the following:

In actuality, this 7-Zip file contains a malicious file that Symantec detects as Downloader. Remember that this is not an Adobe software vulnerability. But, if a user falls victim to the social engineering (trusts the message and opens the attachment), the Downloader threat will run on his or her machine. The social engineering techniques used in this situation are not new. In the past we have seen many document files used as containers, including MS-Word, Excel, and PowerPoint files.
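The container pattern described above (an embedded file plus JavaScript that chooses a dialog by reader version) is something a defender can triage for without a full PDF parser. The script below is an added example, not Symantec's tool and not the sample from this post: it counts attachment and JavaScript indicators in the raw bytes and inside any FlateDecode streams, since the action dictionaries can sit in a compressed object stream. The PDF it scans is constructed inline; the only values assumed beyond the PDF specification are the 7-Zip file signature and `app.viewerVersion`, the Acrobat JavaScript property a script reads to learn the reader version.

```python
"""Triage a PDF for the container pattern above: an attachment plus JavaScript that
runs on open. Added example; the sample PDF is constructed, not the real threat.
"(?![A-Za-z])" keeps /EmbeddedFile from also matching /EmbeddedFiles."""
import re
import zlib

INDICATORS = {
    "/EmbeddedFile": rb"/EmbeddedFile(?![A-Za-z])",    # attachment payload stream
    "/EmbeddedFiles": rb"/EmbeddedFiles(?![A-Za-z])",  # attachment name tree
    "/JavaScript": rb"/JavaScript(?![A-Za-z])",        # JavaScript action
    "/JS": rb"/JS(?![A-Za-z])",                        # the script itself
    "/OpenAction": rb"/OpenAction(?![A-Za-z])",        # fires when the file opens
    "app.viewerVersion": rb"app\.viewerVersion",       # script branches on reader version
    "7z-magic": rb"7z\xbc\xaf\x27\x1c",                # 7-Zip archive signature
}

def inflate_streams(data: bytes) -> bytes:
    """Concatenate every FlateDecode stream that inflates, so names hidden inside
    compressed object streams become visible (single-level filters only)."""
    out = b""
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:  # decompressobj tolerates a clipped or padded trailer, unlike decompress()
            out += zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # damaged or non-zlib body: skip it
    return out

def scan_pdf(data: bytes) -> dict:
    """Count each indicator over raw bytes plus inflated streams and flag the
    container pattern when an attachment and JavaScript are both present."""
    haystack = data + inflate_streams(data)
    hits = {n: len(re.findall(p, haystack)) for n, p in INDICATORS.items()}
    hits = {n: c for n, c in hits.items() if c}
    attachment = "/EmbeddedFile" in hits or "/EmbeddedFiles" in hits
    script = "/JavaScript" in hits or "/JS" in hits
    return {"hits": hits, "container_pattern": attachment and script}

def build_sample_pdf() -> bytes:
    """Constructed stand-in: the version-dependent dialog script sits in a
    compressed object stream; the attachment is a stream starting with 7-Zip magic."""
    js = b"if (app.viewerVersion < 7) app.alert('see File->Attachment'); else app.alert('open it');"
    objstm = zlib.compress(b"4 0 obj << /S /JavaScript /JS (" + js + b") >> endobj")
    archive = zlib.compress(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16)
    parts = [b"%PDF-1.4",
             b"1 0 obj << /Type /Catalog /OpenAction 4 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj",
             b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>" % len(objstm),
             b"stream", objstm, b"endstream", b"endobj",
             b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>" % len(archive),
             b"stream", archive, b"endstream", b"endobj", b"%%EOF"]
    return b"\n".join(parts)
```

A plain string search of the raw file misses the `/JavaScript` action here because it lives in the compressed object stream; only after inflating does the pattern light up.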

As always, please be wary of these types of attachments that have been sent from an unknown source.