
Exploit.PDF-JS.Gen


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Exploit.PDF-JS.Gen is also known as Exploit:Win32/Pidief.D and Exploit:W32/AdobeReader.QQ.

Explanation:

This is a generic detection for specially crafted PDF files that exploit different vulnerabilities in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer. The exploitation mainly involves the following two functions:

util.printf() - if an attacker passes a string long enough to cause a stack-based buffer overflow, he can execute arbitrary code on the user's computer with the same privileges as the user who opened the PDF file.

Collab.collectEmailInfo() - a stack-based buffer overflow can be caused by passing a string long enough (at least 44952 characters) as the msg field parameter of this function.

The JavaScript function containing the actual exploit is referenced from the OpenAction entry of the PDF file. Usually this script is stored zlib-compressed. After decompression, the script is sometimes still obscured by one or more further layers of encoding in order to evade detection and make analysis more difficult.
The JavaScript code inside the PDF file is used to download and execute other malware on the user's computer.
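As an added example (not BitDefender's detection logic), the following Python performs a static triage for the traits described above: an OpenAction entry, embedded JavaScript, a zlib-compressed stream, calls to the two named functions, and string literals reaching the 44952-character threshold. The PDF it builds is a constructed, benign sample; the regexes and thresholds are this example's own assumptions.

```python
import re
import zlib

# Reader JavaScript functions the description ties to stack-based overflows.
SUSPICIOUS_CALLS = ("util.printf", "Collab.collectEmailInfo")
# Minimum msg length the description gives for the collectEmailInfo overflow.
MSG_OVERFLOW_LEN = 44952
JS_STRING = re.compile(r'"[^"]*"|\'[^\']*\'')

def extract_streams(pdf: bytes, limit: int = 4_000_000):
    """Yield each stream body, inflated when it is zlib (FlateDecode) data.
    Output is capped at `limit` bytes so a decompression bomb cannot exhaust memory."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        try:
            body = zlib.decompressobj().decompress(body, limit)
        except zlib.error:
            pass  # not zlib data (or a further encoding layer); keep raw bytes
        yield body

def has_overlong_literal(js: str, threshold: int = MSG_OVERFLOW_LEN) -> bool:
    """True if any JavaScript string literal holds at least `threshold` characters."""
    return any(len(m.group()) - 2 >= threshold for m in JS_STRING.finditer(js))

def scan_pdf(pdf: bytes) -> dict:
    """Static triage of one PDF for the traits the description lists."""
    report = {"open_action": b"/OpenAction" in pdf,
              "javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
              "calls": [], "overlong_literal": False}
    for blob in extract_streams(pdf):
        text = blob.decode("latin-1")  # byte-preserving; obfuscated JS is still text
        report["calls"] += [c for c in SUSPICIOUS_CALLS if c in text and c not in report["calls"]]
        report["overlong_literal"] |= has_overlong_literal(text)
    report["suspicious"] = report["open_action"] and report["javascript"] and bool(report["calls"])
    return report

def build_sample_pdf(js: bytes) -> bytes:
    """Constructed sample (not a real specimen): a minimal PDF whose /OpenAction
    points at a zlib-compressed JavaScript stream."""
    packed = zlib.compress(js)
    header = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
              b"4 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n")
    return header + b"stream\n" + packed + b"\nendstream\nendobj\n%%EOF\n"

if __name__ == "__main__":
    sample = build_sample_pdf(b'Collab.collectEmailInfo({msg: "constructed sample"});')
    print(scan_pdf(sample))
```

This only peels the zlib layer the description mentions; the further encoding layers it warns about, and strings assembled at run time rather than written as literals, still need dynamic analysis or a JavaScript emulator.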

Last update 21 November 2011
