Over the last two weeks we have noticed a high number of emails with PDF attachments in our spam traps, which is unusual. These campaigns spanned several days, and originated from the Cutwail botnet, well known for spamming out malicious executable file attachments, but not necessarily PDFs. Clearly this warranted a closer look.
Here is an example of one of the messages:
To examine the PDF attachment, the pdfid.py tool from Didier Stevens in the REMnux environment was used to quickly highlight the file's contents.
The /XFA object was of interest. XFA stands for XML Forms Architecture, and allows for the inclusion of interactive forms in a PDF document that allow a user to enter data. It also happens to support Javascript, and as such the bad guys love hiding code here. Using another tool in REMnux, pdf-parser.py, enables us to search the PDF file using the –s flag to find the / XFA object, which we can see references object 1.
Looking at object 1 in the raw file shows that it is stream object, with a bunch of data compressed with the FlateDecode (Fl) filter.
Pdf-parser.py can decompress this using its –f option, which reveals the XML code and embedded Javascript:
The decompressed output was huge, at over 90MB, and most of this appeared to be a large embedded image file.
Importing this Base64 code into 010 Hex Editor reveals the nature of the image, a bitmap with a repeating byte pattern.
At this stage we have a strong idea that this file is trying to exploit a known Adobe Reader vulnerability (CVE-2013-2729). This bug is triggered when Adobe Reader parses a bitmap (BMP) RLE encoded file embedded in an interactive PDF form. The BMP file makes use of these repeated bytes '\x00\x02\xff\x00' to exploit the vulnerability. Javascript within the XML is then used to execute code. (A detailed technical account of the vulnerability and exploit code can be found here).
The Javascript was run through jsbeautifier to make it look pretty. Below is a relevant code snippet that bears an uncanny resemblance to publically available proof-of-concept code.
Another PDF from a similar campaign a few days before showed similar, but not identical, results. The earlier example showed less obfuscation and is almost a direct cut & paste from existing proof-of-concept code. This is interesting because it shows the authors of the PDF document were experimenting with added obfuscation in later campaigns.
We tried running this malicious PDF (md5:2897c57b2f3e02412c89b6bf44e6643d) in the lab, but while it crashed Adobe Reader, it did not lead to any other malware installation. However, the folks at MalwareBytes recently analyzed a similar sample, and found payloads of Zeus and Cryptolocker. This is consistent with what we have seen from Cutwail recently.
To sum up, in a break from normal behavior, the Cutwail botnet spammed out large volumes of malicious PDFs targeting a known vulnerability in Adobe Reader. (CVE-2013-2729). The actors behind this campaign appear to be playing with code obfuscation in the file, most likely in an effort to bypass anti-virus. Alongside the PDF campaigns, Cutwail continued to pump out spam with malicious executable attachments as normal. So the PDF campaigns were perhaps an experiment. As I finish writing this, the PDFs attachments appear to have dried up – a failed experiment perhaps, or can we expect more in the future?
As usual, patching is important, ensure PDF reader software is kept up to date. Also, try and block this stuff at the gateway - the Trustwave Secure Email Gateway blocked these malicious spam campaigns up-front.