Threat Description

Exploit:JS/Pdfka.TI

Details

Aliases: Exploit.js.pdfka.ti
Category: Malware
Type: Exploit
Platform: JS

Summary



A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Exploit:JS/Pdfka.TI is an exploit that can take advantage of two vulnerabilities in a single PDF file in order to download malicious binary files (usually Trojan-Downloader:W32/Bredolab variants) onto the system.

The vulnerabilities exploited are:

  • Collab.collectEmailInfo() JavaScript Overflow (CVE-2007-5659)
  • Util.printf() JavaScript Overflow (CVE-2008-2992)

Adobe Reader and Acrobat versions 8.1.2 and earlier are affected by the vulnerabilities exploited by this malware.

Activity

Once the vulnerabilities are exploited, binary files are downloaded from:

  • http://[...]/welcome.php?id=5[...]

The downloaded files are saved in the Temporary directory using the following filenames:

  • pdfupd.exe
  • crash.php

The files are then executed.
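As an added illustration that is not part of the original description, the following Python script flags a PDF whose JavaScript references the two Adobe Reader APIs named above (Collab.collectEmailInfo and util.printf). The sample PDF bytes are constructed here for the example, and the script assumes nothing beyond the Python standard library.

```python
import re
import zlib

# Constructed sample: a minimal PDF with a FlateDecode'd JavaScript action
# that merely names the two APIs (no exploit payload, just the identifiers).
_JS = b"var buf = 'x'; Collab.collectEmailInfo({msg: buf}); util.printf('%s', buf);"
_STREAM = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Action /S /JavaScript /JS 2 0 R >> endobj\n"
    b"2 0 obj << /Length " + str(len(_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _STREAM + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# Indicators for the two vulnerabilities this detection covers; whitespace
# between the object name and the method is tolerated to survive light obfuscation.
INDICATORS = {
    "CVE-2007-5659": re.compile(rb"Collab\s*\.\s*collectEmailInfo", re.I),
    "CVE-2008-2992": re.compile(rb"util\s*\.\s*printf", re.I),
}

def _stream_bodies(pdf: bytes):
    """Yield each stream body; inflate it if it is zlib data, else keep the raw bytes."""
    for m in re.finditer(rb"\bstream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # not FlateDecode (or damaged): scan the raw bytes instead
        yield body

def scan_pdf(pdf: bytes) -> dict:
    """Report whether the file carries JavaScript and which vulnerable APIs it names."""
    has_js = re.search(rb"/(JavaScript|JS)\b", pdf) is not None
    hits = set()
    # Scan the raw file (uncompressed JS) and every inflated stream (compressed JS).
    for blob in [pdf, *_stream_bodies(pdf)]:
        for cve, pattern in INDICATORS.items():
            if pattern.search(blob):
                hits.add(cve)
    return {
        "has_javascript": has_js,
        "indicators": sorted(hits),
        "suspicious": has_js and bool(hits),
    }

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
    print(scan_pdf(BENIGN_PDF))
```

A hit on either API name in a JavaScript-bearing PDF is a strong reason to quarantine the file for analysis rather than open it in an affected Reader version.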
