New PDF malware (May 6 / 2014) VT detection 9/61 (harmless on win-9x systems)



https://www.virustotal.com/en/file/28324b810f079b1e46cce41a7931864094852f6c413741e913a0dbe3a769646d/analysis/

--------------
Commtouch   JS/Pdfka.NA
DrWeb       SCRIPT.Virus
F-Prot      JS/Pdfka.NA
McAfee      Artemis!EAE0827F3801
Norman      CVE-2010-0188.DC
Qihoo-360   virus.xfa.unsafe.1
Rising      NORMAL:Hack.Exploit.MalPDF.a!
Sophos      Troj/PDFJs-AFS  
TrendMicro  TROJ_GEN.F47V0506
--------------

Attached file contained in spam email:  April invoice 341224.pdf

Foxit Reader 2.3 opens a single blank page (after about 10 seconds) and
does not crash.
Adobe Acrobat Reader 6.0.2 crashes the first time it opens the file; the next
few times it opens it (taking about 20 seconds) and also shows a single
blank page.

Spam:

-------------------
Received: from host171-94-static.107-82-b.business.telecomitalia.it
          ([82.107.94.171])  

From: slaughterhousesq121@petergoldsmithllp.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9)
            Gecko/20101112 Thunderbird/3.1.4
Subject: Invoice 398673 April

Hello,
Please can you let me have a payment date for the attached April
Invoice?
Kind Regards
Sue Mockridge
Accounts Administrator

'(Main) 01884242626 '(Direct Dial) 01884 250764
Please consider the environment before printing
Broad Oak Toiletries Ltd, Tiverton, Tiverton Way,  
Tiverton Business Park, Tiverton, Devon, EX16 6TG

Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602
----------------------

Re: New PDF malware (May 6 / 2014) VT detection 9/61 (harmless on win-9x systems)

Virus Guy formulated the question:

Where's the pdf file?

According to the VT results, it requires a LibTIFF vulnerable version.



Re: New PDF malware (May 6 / 2014) VT detection 9/61 (harmless on win-9x systems)

FromTheRafters wrote:


http://filepost.com/files/1c513m4m/April_invoice_341224.rar

no pw.

Re: New PDF malware (May 6 / 2014) VT detection 9/61 (harmless on win-9x systems)

Virus Guy explained on 5/6/2014:

Thanks, I got one from elsewhere also.

April invoice 867984.pdf

<field name="ImageCrash">
    <ui> <imageEdit/> </ui>
    <value>
        <image>Qk0AAAAAAAAAAAAAAABAAAAALAEAAAEAAAABAAgAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAUkdC
QVJHQkEAAv8AAAL/AAA

Bitmap

I'll look at yours, but I suspect it is the same. Having trouble  
inflating such a large stream.



Re: New PDF malware (May 6 / 2014) VT detection 9/61 (harmless on win-9x systems)

FromTheRafters expressed precisely:

Yep, same thing.


