Over the last two weeks we have noticed a high number of emails with PDF attachments in our spam traps, which is unusual. These campaigns spanned several days, and originated from the Cutwail botnet, well known for spamming out malicious executable file attachments, but not necessarily PDFs. Clearly this warranted a closer look.
Here is an example of one of the messages:
To examine the PDF attachment, the pdfid.py tool from Didier Stevens in the REMnux environment was used to quickly highlight the file's contents.
Looking at object 1 in the raw file shows that it is a stream object, with a bunch of data compressed with the FlateDecode (Fl) filter.
Importing this Base64 code into 010 Hex Editor reveals the nature of the image, a bitmap with a repeating byte pattern.
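The triage steps above as a script, added here as an example rather than the post's own code or the pdfid.py tool: it walks the stream objects of a PDF, inflates any FlateDecode stream, pulls out long base64 blobs and reports whether a blob decodes to a BMP-like buffer with a strongly repeating byte pattern. The PDF and the bitmap it contains are constructed stand-ins, not the spam attachment.

```python
import base64
import re
import zlib
from collections import Counter

# Constructed sample (not the real attachment): a BMP-like blob with a repeating
# 4-byte pattern, base64-encoded inside a FlateDecode stream, as in the post.
_BITMAP = b"BM" + b"\x00" * 54 + b"ABCD" * 64
_PLAIN = b"var img = '" + base64.b64encode(_BITMAP) + b"';"
_DEFLATED = zlib.compress(_PLAIN)
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Length " + str(len(_DEFLATED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    + b"2 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def find_streams(pdf):
    """Yield (object number, filter names, raw stream bytes) for each stream object."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), re.findall(rb"/(\w+Decode)", m.group(2)), m.group(3)

def chunk_repeat_ratio(buf, size=4):
    """Share of size-byte chunks equal to the most common one (1.0 = pure repetition)."""
    chunks = [buf[i:i + size] for i in range(0, len(buf) - size + 1, size)]
    return Counter(chunks).most_common(1)[0][1] / len(chunks) if chunks else 0.0

def triage(pdf):
    """Inflate FlateDecode streams, pull out long base64 blobs and flag any that
    decode to a BMP-like buffer with a strongly repeating byte pattern."""
    findings = []
    for obj, filters, raw in find_streams(pdf):
        data = raw
        if b"FlateDecode" in filters:
            try:
                data = zlib.decompressobj().decompress(raw)  # tolerates trailing junk
            except zlib.error:
                continue
        for blob in B64_RE.findall(data):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            findings.append({"object": obj, "filters": [f.decode() for f in filters],
                             "is_bitmap": decoded[:2] == b"BM", "blob_len": len(decoded),
                             "repeat_ratio": round(chunk_repeat_ratio(decoded), 2)})
    return findings
```

A high repeat ratio on a decoded bitmap is only a triage signal for a closer look in a sandbox or hex editor, not proof of exploitation.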
Another PDF from a similar campaign a few days before showed similar, but not identical, results. The earlier example showed less obfuscation and is almost a direct cut & paste from existing proof-of-concept code. This is interesting because it shows the authors of the PDF document were experimenting with added obfuscation in later campaigns.
We tried running this malicious PDF (md5:2897c57b2f3e02412c89b6bf44e6643d) in the lab, but while it crashed Adobe Reader, it did not lead to any other malware installation. However, the folks at Malwarebytes recently analyzed a similar sample, and found payloads of Zeus and Cryptolocker. This is consistent with what we have seen from Cutwail recently.
To sum up, in a break from normal behavior, the Cutwail botnet spammed out large volumes of malicious PDFs targeting a known vulnerability in Adobe Reader (CVE-2013-2729). The actors behind this campaign appear to be playing with code obfuscation in the file, most likely in an effort to bypass anti-virus. Alongside the PDF campaigns, Cutwail continued to pump out spam with malicious executable attachments as normal. So the PDF campaigns were perhaps an experiment. As I finish writing this, the PDF attachments appear to have dried up – a failed experiment perhaps, or can we expect more in the future?
As usual, patching is important: ensure PDF reader software is kept up to date. Also, try to block this stuff at the gateway - the Trustwave Secure Email Gateway blocked these malicious spam campaigns up-front.