Threat Description

Exploit:​JS/Pdfka.TI

Details

Aliases:Exploit.js.pdfka.ti
Category:Malware
Type:Exploit
Platform:JS

Summary



A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Exploit:JS/Pdfka.TI is an exploit that can take advantage of two vulnerabilities in a single PDF file in order to download malicious binary files (usually Trojan-Downloader:W32/Bredolab variants) onto the system.

The vulnerabilities exploited are:

  • Collab.collectEmailInfo() JavaScript Overflow (CVE-2007-5659)
  • Util.printf() JavaScript Overflow (CVE-2008-2992).

Adobe Reader and Acrobat versions 8.1.2 and earlier are affected by the vulnerabilities exploited by this malware.

Activity

Once the vulnerabilities are exploited, binary files are downloaded from:

  • http://[...]/welcome.php?id=5[...]

The downloaded files are saved in the Temporary directory using the following filenames:

  • pdfupd.exe
  • crash.php

The files are then executed.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More