Fandom

Malware Wiki

Pdfka


Exploit.JS.Pdfka or Pdfka is a family of JavaScript exploits delivered in malicious PDF documents.

Pdfka.ddt


Exploit.JS.Pdfka.ddt or Pdfka.ddt is a JavaScript exploit that exploits vulnerability CVE-2010-0188.

Payload

This exploit is distributed in infected PDF documents that contain an XFA form. The vulnerability CVE-2010-0188 allows the exploit to run arbitrary code on the system: the malformed XFA form triggers a buffer overflow, which is used to download a file from http://videoyahoo.info/tre/boba.html/yH91e5b471V03f01336002R93bf7c87102Tdcd9ec9eQ0000004c901801F0066010aJ17000601l0015329. The file is saved as %Temp%\VxHc.exe.

The full link is shown because, at the time of writing, it was dead and should no longer serve malicious content. The vulnerability was patched in the latest versions of Reader/Acrobat.

Technical Information

MD5: A8BFEA3809830279C829B614D54F86DC

SHA1: 0FFCE759DE0148A0A02FB1C42F3F731038A47A0C

Sources

Securelist (Kaspersky Labs), Exploit.JS.Pdfka.ddt

Pdfka.edl

Exploit.JS.Pdfka.edl or Pdfka.edl is a JavaScript exploit that exploits vulnerability CVE-2010-0188.

Payload

The malicious XFA form is packed inside infected PDF files. It passes deliberately malformed arguments to "libtiff.dll" in order to overflow a buffer, forcing the computer to download a file from this link.

http://ktr***x.cc/d.php?f=360&e=6

It then saves the file into the following directory.

%Temporary Internet Files%\<name of_temporary_file>

The file is then executed.

Technical Information

MD5: 6209f86a1ba16c7c1ca0008eb49dd1d6

SHA1: 80816defd9dd9b6b59aed980c75df745717f0c89

Sources

Securelist (Kaspersky Labs), Exploit.JS.Pdfka.edl

Pdfka.dna

Exploit.JS.Pdfka.dna or Pdfka.dna is a JavaScript exploit.


Payload

Little is known about this exploit, except that it targets Adobe Reader and Acrobat in order to plant malicious code on the victim machine. The infected PDF contains both XML (XFA) and JavaScript components.

Sources

Securelist (Kaspersky Labs), Exploit.JS.Pdfka.dna

Pdfka.crr

Exploit.JS.Pdfka.crr or Pdfka.crr is a JavaScript exploit that exploits vulnerability CVE-2009-4324.

Payload

The PDF document contains a packed block of code that is unpacked when the document is opened. Once the packed data has been decrypted and executed, it attempts to exploit vulnerability CVE-2009-4324 through the util.printd() and Doc.media.newPlayer() functions.

It will utilise this exploit to download data from the following link:

http://dru***rma.com/x/loadpdf.php?ids=AMPlayerPDF

The downloaded file is saved to the %Temp% directory as "e.exe" and then executed.

Technical Information

MD5: 18A021E8EC3686DBCE781FE35AF88A9F
SHA1: 81C41B5E0DF05E1773A267F6AF473878290A10BE

Sources

Securelist (Kaspersky Labs), Exploit.JS.Pdfka.crr

Pdfka.eeo

Exploit.JS.Pdfka.eeo or Pdfka.eeo is a JavaScript exploit that exploits vulnerability CVE-2010-0188 to download files from a remote server.

Payload

The PDF contains a malicious XFA form that is specially crafted to exploit the vulnerability mentioned above, together with obfuscated malicious JavaScript. Once the obfuscation is removed, the trojan triggers a buffer overflow by passing invalid arguments to libtiff.dll. It then contacts the following domains for the malicious files.

http://ac***ro.cz.cc/k.php?f=16&e=6
http://ce***et5.cu.cc/d.php?f=360&e=6
http://cen***et4.cu.cc/d.php?f=360&e=6
http://ce***net6.cu.cc/d.php?f=360&e=6

The trojan will then save the file to the browser's temp files.

%Temporary Internet Files%\<name of_temporary_file>

The name may vary from time to time, depending on what version is executed. After this file has been saved, it will be executed.
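As an added triage example (not from this wiki page and not Kaspersky's detection logic), the following Python script scans a raw PDF for the two patterns described across these variants: an XFA form whose image field carries TIFF data, the libtiff.dll path used by CVE-2010-0188 in .ddt, .edl and .eeo, and the util.printd()/media.newPlayer pairing used by CVE-2009-4324 in .crr. The regexes, the finding labels and the embedded sample PDF are constructed assumptions for illustration.

```python
import base64
import re
import zlib

# Assumed heuristics (not Kaspersky's logic): TIFF data inside an XFA image
# field (CVE-2010-0188) and media.newPlayer with util.printd (CVE-2009-4324).
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
XFA_IMAGE_RE = re.compile(rb"<image[^>]*>([A-Za-z0-9+/=\s]+)</image>", re.I)
JS_RE = re.compile(rb"/(JavaScript|JS)\b")

def inflate_streams(data: bytes) -> bytes:
    """Append an inflated copy of each FlateDecode stream so hidden indicators show."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # raw, encrypted or differently filtered stream
    return b"\n".join(parts)

def triage_pdf(data: bytes) -> list[str]:
    """Return heuristic findings for one raw PDF, in detection order."""
    text = inflate_streams(data)
    findings = []
    if b"/XFA" in text:
        findings.append("xfa-form")
    if JS_RE.search(text):
        findings.append("javascript")
    for m in XFA_IMAGE_RE.finditer(text):
        try:
            blob = base64.b64decode(re.sub(rb"\s", b"", m.group(1)), validate=True)
        except ValueError:
            continue
        if blob.startswith(TIFF_MAGIC):
            findings.append("xfa-embedded-tiff")  # CVE-2010-0188 vector
            break
    if b"media.newPlayer" in text and b"util.printd" in text:
        findings.append("newplayer-printd")  # CVE-2009-4324 vector
    return findings

def build_sample() -> bytes:
    """Constructed sample: minimal PDF with a Flate-compressed XFA stream holding a harmless TIFF header."""
    tiff = base64.b64encode(b"II*\x00" + b"\x00" * 64)
    xfa = (b'<xdp:xdp><template><field><value><image contentType="image/tif">'
           + tiff + b"</image></value></field></template></xdp:xdp>")
    stream = zlib.compress(xfa)
    return (b"%%PDF-1.6\n1 0 obj<</Type/Catalog/AcroForm<</XFA 2 0 R>>"
            b"/Names<</JavaScript 3 0 R>>>>endobj\n2 0 obj<</Filter/FlateDecode"
            b"/Length %d>>stream\n" % len(stream) + stream + b"\nendstream\nendobj\n")
```

Scanning raw bytes misses objects behind filters other than FlateDecode or inside object streams, so treat hits as triage leads to confirm with a full PDF parser, not as verdicts.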

Technical Details

Not available

Sources

Securelist (Kaspersky Labs), Exploit.JS.Pdfka.eeo

Other variants will be added at a later date
