Retired Moderator Retired Malware Specialist
- Dec 14, 2002
Watch out for this new malware attack method by email
This email contains a genuine PDF which has embedded scripts that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages.
I am being told that this evil PDF, when opened in Adobe Reader, drops a Word document containing macros, so DO NOT SAVE OR OPEN THIS PDF FILE: just delete the email and any attachment as soon as it appears in your inbox. There appear to be several different versions of the PDF malware dropper, although all are named the same and every copy that I have seen is the same file size (23kb). The malicious macro inside the dropped Word document (VirusTotal) from one of the malicious PDFs downloads and executes -> hxxp://bepminhchi.com/83/61.exe (VirusTotal). There will almost certainly be different download locations depending on which version of the PDF you originally received.
Luckily enough, Adobe Reader in recent versions has Protected View automatically enabled, and unless you press the button to enable all features, you will be safe from this attack.
If you do enable all features, then you have a second chance to protect yourself, by pressing either cancel or never allow opening files of this type on the pop-up warning. Pressing allow WILL almost certainly automatically open the Word doc and run the malicious macro, so infecting you. Make sure Adobe Reader (or any other PDF reader software) is updated to the latest version to protect you. Older versions are vulnerable to these attacks. If using Adobe, make sure you uncheck any additional offerings of security scans/Google Chrome or toolbars that it wants to include in the download.
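
For mail-gateway or help-desk triage of the pattern described in the post above (a PDF that carries an attached file plus a script or action that opens it), the following is an added example, not part of the original post. The function names and both sample byte strings are constructed for illustration; the check only sees names in the raw bytes, so a hit means "look closer" and a miss is not a clean bill of health.

```python
import re

# PDF name tokens relevant to the chain in the post: an attached file plus
# something that runs or opens it without the user asking for it.
CARRIERS = {"EmbeddedFile", "EmbeddedFiles", "Filespec"}
TRIGGERS = {"OpenAction", "AA", "JavaScript", "JS", "Launch"}
WATCHED = CARRIERS | TRIGGERS | {"ObjStm"}
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #XX hex escapes, which PDF permits inside names (/J#61vaScript)."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count watched names and flag files that have a carrier AND a trigger.

    Names stored inside compressed object streams (/ObjStm) are invisible to
    this raw scan, so their count is reported for follow-up.
    """
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in WATCHED:
            counts[name] = counts.get(name, 0) + 1
    has_carrier = any(n in counts for n in CARRIERS)
    has_trigger = any(n in counts for n in TRIGGERS)
    return {
        "counts": counts,
        "object_streams": counts.get("ObjStm", 0),
        "suspicious": has_carrier and has_trigger,
    }


# Constructed samples: structure only, no working script or payload.
SAMPLE_DROPPER = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (constructed placeholder) >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (attachment.docm) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, blob in (("dropper-like", SAMPLE_DROPPER), ("plain", SAMPLE_PLAIN)):
        print(label, triage_pdf(blob))
```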