Curiosity as a Malicious PDF – McAfee Labs Blog
Friday November 20, 2009 at 7:00 am CST
Posted by Karthik Raman
What would you do if you saw an email in your inbox with a PDF named “U.S. ship thwarts second pirate attack November 18, 2009.pdf”? Would the title pique your curiosity? I hope not enough for you to open the document!
This PDF is the latest in the ugly line of exploit- and malware-ridden embedded PDFs that damage your computer. If you were unfortunate enough to open the file, you’d see what the malware writers expect you to see: a file named “Adobe.pdf” with details on a real story about piracy off the coast of East Africa.

But behind the scenes, sinister things occur. The malicious PDF runs some JavaScript that exploits the Adobe Collab overflow (CVE-2007-5659) and Adobe getIcon (CVE-2009-0927) vulnerabilities. This screenshot shows the beginning of the compressed JavaScript stream:

In addition, two variants of ProcKill-EM are dropped into the Windows system folder, usually C:\Windows\system32.
As always, if you receive a document, PDF or otherwise, from someone you don’t know, don’t open it. And even if you know the document’s sender, scan the file with your anti-virus program with the latest signatures before you open it.
McAfee customers are protected in the 5809 DATs against the threats mentioned above, as Exploit-PDF.aa and ProcKill-EM. Keep your signatures up to date and stay secure!