Contributor: Joseph Graziano
PDF invoices sent over email have become increasingly common in today’s business world. However, that doesn’t mean that there are no complications with the file format. Addressing these invoices without requiring verification from the recipient can lead to a compromised computer with the user’s confidential data in jeopardy.
Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.
Figure 1. Malicious .pdf file attached to suspicious email
While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be.
The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader.
Figure 2. Shellcode hidden inside malicious .pdf file
The attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image.
Figure 3. Bitmap encoded image
The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service” by adding the following registry entry.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"GoogleUpdate" = “[PATH TO MALWARE]”
If successful, the malware is then able to steal confidential information entered into Web browsers by the user.
Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software should be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief.