Two days ago FireEye detected a malicious PDF exploiting all major Adobe PDF readers (FireEye: In Turn, It's PDF Time; FireEye: Number of the Beast).
We obtained the sample (MD5: f3b9663a01a73c5eca9d6b2a0519049e) and started an analysis with Joe Sandbox 7.2.0 on Windows 7 x64 with Adobe Acrobat Reader 10.1.0 installed. What follows are some interesting excerpts from the report.
Striking facts:
- The exploit works well on Windows 7 x64. This is interesting because the Acrobat Reader we are using is a 32-bit process and runs under WOW64 on 64-bit systems.
- The sample sleeps for 3600s to evade dynamic malware analysis systems (FireEye had already noted this).
- The sample drops two DLLs, one for 32-bit and one for 64-bit.
- The sample drops and opens a decoy PDF, so the user believes nothing happened.
- The sample checks whether it has internet access (HTTP GET to www.google.ch).
- The sample contains functionality to download additional files.
- After sleeping, the sample relies heavily on HTTP for its communication.
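As an added illustration (this is not part of the original post and is not Joe Sandbox's own reporting or cookbook code), the script below runs a small set of triage rules over a constructed behaviour log that mirrors the facts above: a long Sleep call, dropped DLLs, a decoy PDF that the sample opens itself, a connectivity check against a well-known host, and HTTP traffic that only starts once the sleep has elapsed. The log format (time, process, event type, detail), the file names, the 10-minute sleep threshold, the connectivity-check host list and the scoring weights are all assumptions made for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sandbox behaviour log for this example. The line format
# "<seconds> <process> <event> <detail>" is an assumption, not a real
# Joe Sandbox report format; paths and hosts are made up.
SAMPLE_LOG = """\
0.25 AcroRd32.exe file_write C:\\Users\\victim\\AppData\\Local\\Temp\\svc32.dll
0.26 AcroRd32.exe file_write C:\\Users\\victim\\AppData\\Local\\Temp\\svc64.dll
0.30 AcroRd32.exe file_write C:\\Users\\victim\\AppData\\Local\\Temp\\decoy.pdf
0.31 AcroRd32.exe process_create AcroRd32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\decoy.pdf
0.40 AcroRd32.exe api Sleep ms=3600000
3601.20 svchost.exe http GET http://www.google.ch/
3602.00 svchost.exe http GET http://example.invalid/update.bin
3605.00 svchost.exe http POST http://example.invalid/report
"""

LONG_SLEEP_MS = 10 * 60 * 1000  # assumption: typical sandbox runtime budget
CONNECTIVITY_HOSTS = ("www.google.", "www.msftncsi.com")  # assumption
WEIGHTS = {  # assumption: rough severity weights for a triage score
    "long_sleep": 3, "drops_dll": 2, "decoy_document": 2,
    "connectivity_check": 1, "download_capability": 2, "network_after_sleep": 2,
}


@dataclass
class Event:
    t: float
    proc: str
    kind: str
    detail: str


def parse(log: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        t, proc, kind, detail = line.split(" ", 3)
        events.append(Event(float(t), proc, kind, detail))
    return events


def triage(log: str) -> dict:
    """Apply behaviour rules and return the indicators hit plus a score."""
    indicators: set[str] = set()
    dropped: set[str] = set()
    sleep_end = None  # wall-clock second at which the longest sleep expires
    for ev in parse(log):
        if ev.kind == "api" and ev.detail.startswith("Sleep"):
            ms = int(re.search(r"ms=(\d+)", ev.detail).group(1))
            if ms >= LONG_SLEEP_MS:
                indicators.add("long_sleep")
                sleep_end = ev.t + ms / 1000.0
        elif ev.kind == "file_write":
            dropped.add(ev.detail)
            if ev.detail.lower().endswith(".dll"):
                indicators.add("drops_dll")
        elif ev.kind == "process_create":
            # detail is "<image> <argument>"; a dropped PDF opened by the
            # sample itself is the decoy-document pattern
            arg = ev.detail.split(" ", 1)[1] if " " in ev.detail else ""
            if arg in dropped and arg.lower().endswith(".pdf"):
                indicators.add("decoy_document")
        elif ev.kind == "http":
            method, url = ev.detail.split(" ", 1)
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host.startswith(CONNECTIVITY_HOSTS):
                indicators.add("connectivity_check")
            elif method == "GET" and url.lower().endswith((".bin", ".exe", ".dll")):
                indicators.add("download_capability")  # heuristic on URL suffix
            if sleep_end is not None and ev.t >= sleep_end:
                indicators.add("network_after_sleep")
    return {
        "indicators": sorted(indicators),
        "score": sum(WEIGHTS[i] for i in indicators),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The rules are deliberately simple: each one maps to a single bullet above, and the score only exists to rank samples for a human analyst. The `network_after_sleep` rule is the one that matters for sandbox operators, since a run that stops before the sleep expires would never record that traffic at all.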
We are currently analyzing the sample with our cookbooks for bypassing sleeping malware (Defeating Sleeping Malware) and will follow up with a detailed blog post about the sample's payload.
The complete report is available at:
Analysis of with Joe DD: