Complex – PDF hides Malware inside XFA which is inside PNG – not an image

We recently received an email supposedly from Puremobile – a supplier of unlocked cellphones. Similar emails were also received with “order info” from Bobijou (a costume jewelry designer). The “order confirmation” included a PDF file as shown below. 

Our initial analysis of the file found no JavaScript. No JavaScript? This was unexpected, since most PDF malware includes JavaScript. The only unusual stream data that could possibly hide the exploit was the embedded PNG-encoded data. PNG is normally used for image encoding, and decoding it would normally reveal an image, but not in this case. We used a decompression tool to decode the PNG data and found an XFA form.

XFA forms allow electronic form management using PDFs. This XFA form, however, included obfuscated JavaScript inside it (see image below).

Executing the script shown above exploits the CVE-2010-0188 vulnerability (libTiff overflow). We detect this malware as “PDF/Obfusc.Q!Camelot”. Once installed, the code downloads and executes other malware. Because this vulnerability is already known, the latest versions of Adobe Reader include protection against it.
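As an added example (not code from the original analysis), the scanner below mimics the unpacking described above: it inflates each FlateDecode stream, undoes a PNG row predictor when the stream's /DecodeParms asks for one, and flags any decoded body that is XFA markup carrying a JavaScript script element. It assumes the “PNG-encoded data” was a Flate stream with PNG predictors (how PDF tools label /Predictor 10-15), assumes LF line endings, and embeds its own constructed sample XFA rather than the real payload.

```python
import re, zlib

# Constructed sample (not the real payload): an XFA form whose <script> carries JavaScript.
SAMPLE_XFA = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><subform>'
              b'<script contentType="application/x-javascript">app.alert("x");'
              b'</script></subform></template></xdp:xdp>')
STREAM_RE = re.compile(rb'<<(.*?)>>\s*stream\n(.*?)\nendstream', re.S)  # LF line ends assumed
XFA_JS_RE = re.compile(rb'<script[^>]*application/x-javascript', re.I)

def png_unpredict(data: bytes, columns: int) -> bytes:
    """Undo PDF PNG predictors: each row is a filter byte plus `columns` bytes (None/Up only)."""
    out, prev = bytearray(), bytes(columns)
    for i in range(0, len(data), columns + 1):
        ftype, row = data[i], data[i + 1:i + 1 + columns]
        if ftype == 2:      # Up: add the decoded byte from the row above
            row = bytes((b + p) & 0xFF for b, p in zip(row, prev))
        elif ftype != 0:
            raise ValueError(f"PNG filter {ftype} not handled here")
        out += row
        prev = row
    return bytes(out)

def find_xfa_javascript(pdf: bytes) -> list:
    """Inflate /FlateDecode streams, undo any PNG predictor, return XFA bodies holding JavaScript."""
    hits = []
    for dic, body in STREAM_RE.findall(pdf):
        if b'/FlateDecode' not in dic:
            continue
        try:
            raw = zlib.decompress(body)
        except zlib.error:
            continue                    # damaged or not Flate: skip rather than crash
        pred = re.search(rb'/Predictor\s+(\d+)', dic)
        if pred and int(pred.group(1)) >= 10:
            cols = re.search(rb'/Columns\s+(\d+)', dic)
            raw = png_unpredict(raw, int(cols.group(1)) if cols else 1)
        if b'xdp:xdp' in raw and XFA_JS_RE.search(raw):
            hits.append(raw)
    return hits

def build_sample_pdf(xfa: bytes = SAMPLE_XFA, columns: int = 16) -> bytes:
    """Wrap `xfa` in a Flate stream with the PNG Up predictor (constructed test input)."""
    plain = xfa + b' ' * ((-len(xfa)) % columns)          # pad to whole rows
    rows, prev = [], bytes(columns)
    for i in range(0, len(plain), columns):
        row = plain[i:i + columns]
        rows.append(b'\x02' + bytes((b - p) & 0xFF for b, p in zip(row, prev)))
        prev = row
    body = zlib.compress(b''.join(rows))
    dic = (b'<</Type/XObject/Filter/FlateDecode/DecodeParms<</Predictor 12/Columns %d>>'
           b'/Length %d>>' % (columns, len(body)))
    return b'%PDF-1.6\n1 0 obj\n' + dic + b'\nstream\n' + body + b'\nendstream\nendobj\n%%EOF\n'
```

Running `find_xfa_javascript(build_sample_pdf())` returns the decoded XFA form (padded with trailing spaces), while a form without a script element yields no hits.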

To summarize:

PDF file – PNG image – not a PNG image – decodes to reveal an XFA form – includes JavaScript – JavaScript exploits vulnerability – etc. If you opened this file with a vulnerable reader, the reader would crash and execute the malware. When opened with an updated reader, or a reader with JavaScript disabled, we see the following (uninteresting) file:

Protecting against PDF malware

We recommend downloading the latest version of Adobe Reader to protect your system from this threat. The risk from this exploit can also be reduced by disabling the JavaScript feature in Adobe Reader. This is done as follows:

  1. In Reader, select Edit -> Preferences
  2. Select the JavaScript category
  3. Uncheck the “Enable Acrobat JavaScript” option
  4. Click OK.