Exploit.JS.Pdkfa or Pdkfa is a family of JavaScript exploits.


Exploit.JS.Pdkfa.ddt or Pdkfa.ddt is a JavaScript exploit that exploits vulnerability CVE-2010-0188.


This exploit is distributed in infected PDF documents that contain an XFA form. The vulnerability CVE-2010-0188 allows the exploit to run arbitrary code on the system. The exploit causes a buffer overflow through the XFA form, which allows it to download a file from: It saves the file to: %Temp%\VxHc.exe.

The link is used because, at the time of writing, it was dead and should not contain malicious code. The vulnerability was patched in the latest versions of Reader/Acrobat.

Technical Information

MD5: A8BFEA3809830279C829B614D54F86DC

SHA1: 0FFCE759DE0148A0A02FB1C42F3F731038A47A0C


Securelist (Kaspersky Labs), Exploit.JS.Pdfka.ddt


Exploit.JS.Pdkfa.edl or Pdkfa.edl is a JavaScript exploit that exploits vulnerability CVE-2010-0188.


The malicious XFA form is packed inside infected PDF files. It is crafted so that "libtiff.dll" processes its arguments incorrectly and overflows a buffer, forcing the computer to download a file from this link.


It then saves the file into the following directory.

%Temporary Internet Files%\<name of_temporary_file>

The file is then executed.

Technical Information

MD5: 6209f86a1ba16c7c1ca0008eb49dd1d6

SHA1: 80816defd9dd9b6b59aed980c75df745717f0c89


Securelist (Kaspersky Labs), Exploit.JS.Pdfka.edl


Exploit.JS.Pdkfa.dna or Pdkfa.dna is a JavaScript exploit.


Little is known of this exploit, except that it exploits Adobe Reader and Acrobat in order to implant malicious code onto the victim machine. The infected PDF would contain both XML and JavaScript plug-ins.


Securelist (Kaspersky Labs), Exploit.JS.Pdfka.dna


Exploit.JS.Pdkfa.crr or Pdkfa.crr is a JavaScript exploit that exploits vulnerability CVE-2009-4324.


The PDF document contains a packed passage of code which is unpacked when the document is opened. Once the packed code has been decrypted and executed, it attempts to exploit vulnerability CVE-2009-4324 using the util.printd() function.

It will utilise this exploit to download data from the following link:


It is then copied to the %Temp% directory as "e.exe". It then executes this malicious file.

Technical Information

MD5: 18A021E8EC3686DBCE781FE35AF88A9F
SHA1: 81C41B5E0DF05E1773A267F6AF473878290A10BE


Securelist (Kaspersky Labs), Exploit.JS.Pdfka.crr


Exploit.JS.Pdkfa.crr or Pdkfa.crr is a JavaScript exploit that exploits vulnerability CVE-2010-0188 to download files from a remote server.


The PDF contains a malicious XFA form that is specially crafted to exploit the vulnerability mentioned above. The PDF then uses obfuscated malicious JavaScript. After removing this obfuscation, the trojan will create a buffer overflow using invalid arguments from libtiff.dll. It will then contact the following domains for the malicious files.


The trojan will then save the file to the browser's temp files.

%Temporary Internet Files%\<name of_temporary_file>

The name may vary from time to time, depending on what version is executed. After this file has been saved, it will be executed.

Technical Details

Not available


Securelist (Kaspersky Labs), Exploit.JS.Pdfka.eeo

Other variants will be added at a later date
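
As an added example (not code from this wiki or from Securelist), the Python script below triages a PDF for the traits the variants above share: an XFA form, embedded JavaScript and a util.printd() call, plus a match against the SHA1 values listed on this page. The function names and the sample bytes are assumptions made for the illustration; the sample is constructed and harmless.

```python
import hashlib
import re
import zlib

# SHA1 values listed on this page, mapped to the variant they are given for.
KNOWN_SHA1 = {
    "0ffce759de0148a0a02fb1c42f3f731038a47a0c": "Pdkfa.ddt",
    "80816defd9dd9b6b59aed980c75df745717f0c89": "Pdkfa.edl",
    "81c41b5e0df05e1773a267f6af473878290a10be": "Pdkfa.crr",
}
# Traits the page describes: an XFA form, embedded JavaScript, util.printd().
MARKERS = {
    "xfa": re.compile(rb"/XFA\b"),
    "javascript": re.compile(rb"/JavaScript\b"),
    "js": re.compile(rb"/JS\b"),
    "util_printd": re.compile(rb"util\.printd\s*\("),
}

def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names, so /J#61vaScript reads /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream object that zlib can inflate."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded; its raw bytes are still scanned below
    return b"\n".join(out)

def triage(data: bytes) -> dict:
    """Return the file's SHA1, any variant it matches, and markers found."""
    haystack = decode_names(data) + b"\n" + inflate_streams(data)
    sha1 = hashlib.sha1(data).hexdigest()
    return {"sha1": sha1, "known_variant": KNOWN_SHA1.get(sha1),
            "markers": sorted(k for k, p in MARKERS.items() if p.search(haystack))}

def constructed_sample() -> bytes:
    """Constructed, harmless PDF-like bytes for the demo (not a real sample)."""
    script = zlib.compress(b'util.printd("yyyy", new Date());')
    return (b"%PDF-1.7\n1 0 obj\n<< /AcroForm << /XFA 2 0 R >> "
            b"/OpenAction << /S /J#61vaScript /JS 3 0 R >> >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + script +
            b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A marker hit only means the document has the structure these variants rely on; many legitimate PDFs contain XFA forms or JavaScript, so treat the output as a reason to inspect the file further rather than as a verdict.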
