Threat Description

Exploit: ​JS/Pdfka.TI


Category: Malware
Type: Exploit
Platform: JS
Aliases: Exploit.js.pdfka.ti


Exploit:JS/Pdfka.TI is an exploit that can take advantage of two vulnerabilities in a single PDF file in order to download malicious binary files (usually Trojan-Downloader:W32/Bredolab variants) onto the system.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The vulnerabilities exploited are:

  • Collab.collectEmailInfo() JavaScript Overflow (CVE-2007-5659)
  • Util.printf() JavaScript Overflow (CVE-2008-2992).

Adobe Reader and Acrobat versions 8.1.2 and earlier are affected by the vulnerabilities exploited by this malware.


Once the vulnerabilities are exploited, binary files are downloaded from:

  • https://[...]/welcome.php?id=5[...]

The downloaded files are saved in the Temporary directory using the following filenames:

  • pdfupd.exe
  • crash.php

The files are then executed.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More