Wednesday, April 13, 2011

CVE-2011-0609 attacks via PDF file

We've just across a new use of CVE-2011-0609, formerly only seen in XLS files, now used in a PDF file sent in a targeted email attack.

Filename: 民進黨2012+年....pdf (translates as DPP 2012 and beyond - DPP is Taiwan's Democratic Progressive Party)
MD5: 3d1fc4deb5705c750df6930550c2fc16
sha1: 3f6b96a62ae780b8c9d4094e478388036f336188
sha256: d742293773b4c6725bed769651a36baec6cd0b06c96662c688fce0f09f5d82c4
ssdeep: 12288:5aZEUjnnntnfnPnnnnnye2MUI2caPV6BWExnfAcc2spmUL0VnJtoQhUImzaIE0sT:GfURULy6NrFASbdX

PDF Object 2 contains a SWF file MD5 40792ec6d7b7f66e71a3fdf2e58cb432 subtlety named "~CVE-2011-0609.swf". Decompressing the CWS to FWS gives the MD5 00cf8b68cce68a6254b6206f250540fd.

Object 19 contains JavaScript to load shellcode into memory.

View the sample in PDF Examiner. Updating to the latest Flash and Reader 9.4.2 mitigates this threat. We'll make the sample available to AV companies if requested.

For information on other current threats, see our PDF Threats and Document Threats pages.

No comments:

Post a Comment