Exploit-PDF.a is an exploit worm delivered as a specially crafted PDF file that abuses the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability to execute malicious code on a computer. The vulnerability is tracked as CVE-2007-5020.

More information regarding this vulnerability can be found at the Adobe site.

Indication of Infection

The following malicious attachment names have been observed in the wild:

  • BILL.PDF
  • INVOICE.PDF
  • STATEMET.PDF
  • YOUR_BILL.PDF

Methods of Infection

On opening the PDF attachment, code runs silently in the background: Windows Firewall is disabled via the netsh command, and a password stealer is then downloaded and executed from this web address (now removed):

http://81.95.146/ldr.exe

This password stealer trojan is detected as Spy-Agent.bg.
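The chain described above (a PDF reader whose descendants run netsh to switch the firewall off and then launch a dropped executable) is something a defender can hunt for in process-creation telemetry. The script below is an added example, not code from this wiki or from any vendor; it assumes Sysmon-style event fields (pid, parent pid, image path, command line), the XP-era `netsh firewall set opmode disable` syntax (the page only says "netsh"), and uses constructed sample events.

```python
import re
from dataclasses import dataclass

READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
# netsh used to turn the firewall off (XP-era syntax assumed; the page only says "netsh")
FIREWALL_OFF = re.compile(r"\bnetsh\b.*\bfirewall\b.*\b(disable|off)\b", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)   # dropped payload running from a temp directory

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def reader_in_ancestry(event, by_pid):
    # Walk the parent chain; True if a PDF reader appears anywhere above `event`.
    seen, cur = set(), by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        if basename(cur.image) in READER_IMAGES:
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False

def detect(events):
    """Return (pid, rule) alerts for suspicious processes descended from a PDF reader."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) in READER_IMAGES or not reader_in_ancestry(e, by_pid):
            continue
        if FIREWALL_OFF.search(e.cmdline):
            alerts.append((e.pid, "reader-descendant-disables-firewall"))
        elif TEMP_DIR.search(e.image):
            alerts.append((e.pid, "reader-descendant-runs-from-temp"))
    return alerts

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(512, 400, r"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe", 'AcroRd32.exe "INVOICE.PDF"'),
    ProcEvent(640, 512, r"C:\Windows\System32\cmd.exe", "cmd.exe /c netsh firewall set opmode disable"),
    ProcEvent(648, 640, r"C:\Windows\System32\netsh.exe", "netsh firewall set opmode disable"),
    ProcEvent(700, 400, r"C:\Windows\System32\netsh.exe", "netsh firewall show state"),  # benign admin use
    ProcEvent(720, 640, r"C:\Documents and Settings\user\Local Settings\Temp\ldr.exe", "ldr.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the cmd.exe and netsh.exe children of AcroRd32.exe and the ldr.exe launched from Temp, while the administrator's own netsh call under explorer.exe is left alone.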

Aliases

  • EXP/CVE-5020.A (Avira)
  • EXPL_PIDIEF.B (Trend Micro)
  • Exploit-PDF.a and Exploit.Win32.AdobeReader.b (Kaspersky)
  • PDF/Exploit.Shell.A (ESET)
  • Trojan.Pidief.A (Symantec)