Malware Spreads Through Malicious PDF Attachments

When I blog about spam campaigns that are spreading malware, the malware is usually being spread through a malicious email attachment. Mostly, the attachment is a ZIP-Archive that contains the Trojan as executable file (file extension .exe). This is an old schema used by many cybercriminals for years but I have to admit that they are still quite successful in infecting new victims. To mitigate such threats, many organisations block or reject any email that contains an executable file (.exe) or an ZIP-Archive with an executable on their email gateway / spam filter. You do so as well? You think you are safe? Unfortunately, I do have some bad news for you.

Today I was quite surprised when I got the following spam email on one of my spamtraps:

To: spamtrap
Subject: =?utf-8?q?Abmahnung f=C3=BCr firstname lastname 04.03.2013?=
Date: Mon, 4 Mar 2013 16:48:21 GMT

Sehr geehrter Kunde X X,

im heutigen Gesch=C3=A4ftsleben hat man =E2=80=9Eviel um die Ohren=E2=80=9C=
und muss an eine Menge Dinge gleichzeitig denken. Dass einem dabei mal etw=
as entgehen kann ist ganz nat=C3=BCrlich. Soeben konnte unsere Buchhaltung =
bez=C3=BCglich der angeh=C3=A4ngten Rechnung noch keinen Zahlungseingang er=

Datum: 13.01.2013 best=C3=A4tigt von
Offene Rechnung: 448,75 Euro
Bestellnummer: 100687844
Mahnkosten: 4,00 Euro

Sofern Ihrer Aufmerksamkeit unsere Rechnung entgangen ist, haben wir Ihnen =
eine Kopie der Rechnung beigef=C3=BCgt. Wir bitten Sie, die Zahlung nachzuh=
olen und sehen dem Eingang Ihrer Zahlung bis zum 04.03.2013 entgegen. Falls=
Sie den genannten Termin nicht einhalten, werden wir Ihnen weitere Verzugs=
zinsen und Mahnkosten berechnen.

Sollte der angemahnte Betrag nicht fristgerecht bei uns gebucht werden, wer=
den wir ohne weitere Schreiben unseren Rechtsanwalt mit der Klageerhebung b=

Mit bestem Dank f=C3=BCr Ihr Vertrauen in Conrad Electronic Dominik Krause

One of the things that I noticed immediately is that the email has a clean language which is quite uncommon for such spam campaigns (it is written in German and hence most likely targeting German speaking countries exclusively). Another thing that I noticed is that the email didn’t got blocked by the my spamfilter. While looking into it, I noticed that the spam mail had a very low spam score which is based on the fact that the sending IP address isn’t blacklisted on any blacklist (DNSBL). I’m not surprised because the sending IP address is actually one of GMX’s outbound email gateways:

Received: from ( [])
by spamtrap (X) with ESMTP id X
for spamtrap; Mon, 4 Mar 2013 16:49:03 +0000 (UTC)

For those who don’t know GMX: It’s a large free email service provider in Germany owned by 1&1. So you shouldn’t block their outbound email servers. What the criminals obviously did is using stolen SMTP credentials to send out their spam campaign.

The spam email contains a malicious PDF attachment using the first- and lastname of the recipient (victim):

Filename: Mahnung X X.pdf
File size: 9’514 bytes
Virustotal: 1 / 46

The AV detection rate is very poor, only one out of 46 AV vendors currently provides a detection against this threat (Microsoft – Exploit:Win32/CVE-2010-0188). The PDF exploits a well known vulnerability in Adobe Reader that allows remote code execution. The vulnerability was already addressed by Adobe in 2010.

If the Adobe version installed on the victims computer isn’t up to date, the malicious PDF will exploit CVE-2010-0188 and downloads the malware itself from

Filename: adobe-update.exe
Filesize: 73’728 bytes
Virustotal: 3 / 46

Unfortunately, most AV-vendors fail on this file as well. Only 3 AV-vendors currently provides a detection for it (well done ESET, Kasperksy and Malwarebytes). The file is temporary being stored in the following location:

C:\Document and Settings\USERNAME\Local Settings\Temp\wpbt0.dll

Afterwards the malware installs itself into a random directory with a random filename in the victims user profile, for example:

C:\Document and Settings\USERNAME\Hyrrayn\uisdoxtmjkl.exe (same file as wpbt0.dll)
C:\Document and Settings\USERNAME\Local Settings\Temp\otnhhyskui.pre (same file as wpbt0.dll)

Once the victims computer has been successfully infected, the malware contacts a botnet C&C hosted at

GET /typo3.php?ltype=ld&ccr=1&id=XXX&stat=0&ver=XXX&loc=XXX&os=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Connection: Keep-Alive
Cache-Control: no-cache

The User-Agent string seems to be hardcoded in the binary and is using an exotic (and I believe no longer used) version of Microsoft Internet Explorer (MSIE 6.0b).

To mitigate this threat, I recommend you to:

  • Create an IDS rule that spots the user-agent used by this malware
  • Patch Adobe Reader
  • Block the associated malware distribution site / botnet C&C (see list below)

Malicious domain names / IP addresses used or related in this malware campaign (I highly recommend you to block those):

Leave a Reply

Your email address will not be published. Required fields are marked *