Joe Security's Blog

Two days ago FireEye has detected a malicious PDF exploiting all major PDF readers from Adobe (FireEye, In Turn, It's PDF Time FireEye, Number of the beast).

We got the sample (MD5: f3b9663a01a73c5eca9d6b2a0519049e) and started an analysis with Joe Sandbox 7.2.0 on Windows 7 x64, Adobe Acrobat Reader 10.1.0 installed. What follow are some interesting cuttings from the report:



Striking facts:

• The exploit works well on Windows 7 x64! This is interesting since the Acrobat Reader we are using runs on WOW64 on 64bit systems.
• The sample sleeps 3600s to bypass dynamic malware analysis systems (this was already detected by FireEye)
• The sample drops two dlls, one for 32bit and one for 64bit
• The sample drops and opens a fake pdf (to trick the user believing nothing happened)
• The sample checks if it has access to the internet (get www.google.ch)
• The sample contains functionality to download additional files
• After sleeping the sample uses heavily http for its communication

We are currently analyzing the sample with our cookbooks to bypass sleeping malware (Defeating Sleeping Malware) and are going to follow with a detailed blogpost about the sample payload.


The complete report is available at:

•  Joe Sandbox Analysis Report for Visaform Turkey MD5 www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html

Analysis of with Joe DD:

•  Joe DD Analysis Overview