We came across this new variant of malicious PDF that contains a ZBot infostealer Trojan.

When a user open the PDF file, a pop up will ask the whether the user would like  to save  a file called Royal_Mail_Delivery_Notice.pdf.  The unsuspecting user might assume that the file is just a PDF file, and therefore will just save in in a local drive.

However, instead of  saving the PDF,  a Windows executable (a Zbot Trojan executable file) will be executed and consequently takes control of the computer.

This malicious PDF is actually able to execute an embedded executable without exploiting any vulnerability. It uses the PDF functionality known as  /Launch. In this particular sample, it will ask to save the file that is claimed to be a PDF file and when the users clicked “Open”, the PDF file saved will be executed.

This screen shot containing the code snippet above shows that the malicious PDF file uses /Launch action to run Windows command. The command will find the saved Royal_Mail_Delivery_Notice.pdf and execute it silently.

In the screen shot above, the function, this.exportDataObject() will open the file attachment with the specific file cName “Royal_Mail_Delivery_Notice”. Note that the second input parameter, nLaunch, which is set to 0, will cause the file to be saved on local machine.

To identify where the file is stored inside PDF file, we can trace it through the cName input parameter which happens to be at object 9.

In object 9, the file is not stored there but instead  redirected to object 10 through dictionary /EmbeddedFiles and in object 10 it once again it gets redirected to object 11 through dictionary /Names.

Following the multiple ‘redirection’, we end up  at object 11. Here we can see that object 11 was declared as Filespec object type. It indicates that this object contains the file specification details about the embedded file. According to PDF Reference (2nd Edition), within Filespec object type, the value of the dictionary key /EF is an embedded file stream containing the corresponding file, so in this case, the file stream inhabits inside object 12.

Gotcha! The file stream indeed located inside object 12. From the stream above (after inflated from FlateDecode), it is clear that it is a file stream for an executable file, specifically PE file while the /Subtype is declared as a PDF file.

From here, we can dump the stream to a file for further analysis. Happy analyzing.