Last Updated: 2010-04-08 05:49:50 UTC
by Bojan Zdrnja (Version: 1)
I know that most of you are probably already sick of malicious PDF documents, but one of our readers, Will Thomson, sent a really interesting malicious PDF document that used some more advanced obfuscation techniques that I wanted to share with everyone. So, let's get to work.
When called like this, app.doc.getAnnots() returns an array of Annotation objects, one for every annotation in the document, each exposing properties such as subject. This is important to remember.
Take a look at the code below, which I tidied up a bit so that it is easier to read:
Especially important are lines 6-13. So, what do the attackers do here:
- First, the variable n_AXr11_7Wdj is assigned the value 0,
- On line 10, the h__l_S_1__f variable will contain pr[n_AXr11_7Wdj].subject. Since n_AXr11_7Wdj is 0, this is pr[0].subject. Remember what the pr array is? It contains the annotations. In other words, this reads the subject field of the first annotation, so the real code lives in the annotation metadata rather than in the script itself.
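To make the trick concrete, here is an added example (my own illustration, not the diary's code or the analysed PDF). It emulates just enough of the Acrobat JavaScript API (a stub standing in for app.doc with a getAnnots() method returning objects with a subject property) to show how a script pulls its payload out of an annotation, and then shows the analyst-side counterpart: pulling the /Subj strings straight out of the raw PDF without executing anything. All annotations, variable names and the PDF fragment are constructed; the extractor only handles literal (...) strings, not hex strings or compressed object streams.

```javascript
// Added example: emulation of the annotation-as-payload trick plus a static
// extractor. Not code from the diary or the malicious sample; names are ours.

// Stub standing in for Acrobat's "app.doc". Doc.getAnnots() returns one
// Annotation object per annotation; its "subject" property is the /Subj key.
const app = {
  doc: {
    getAnnots: function () {
      return [
        // constructed sample: the hidden script sits in the subject field
        { type: "Text", page: 0, subject: "var x = 6 * 7; result = x;" },
        { type: "Text", page: 0, subject: "just a decoy comment" },
      ];
    },
  },
};

// The pattern from the diary: fetch the annotation array, index element 0,
// read its subject. A malicious loader would pass this string to eval();
// here it is only returned so the example stays safe to run.
function loadPayloadFromAnnots(doc) {
  const pr = doc.getAnnots();   // array of Annotation objects
  const n = 0;                  // index of the annotation that carries code
  const h = pr[n].subject;      // pr[0].subject: the hidden script
  return h;
}

// Analyst side: instead of letting Reader run the script, scan the raw PDF
// for /Subj (...) literal strings (backslash escapes allowed) and return
// them in document order. Hex strings <...> and object streams are not
// handled; decompress those first with a PDF tool.
function extractAnnotSubjects(pdfText) {
  const re = /\/Subj\s*\(((?:\\.|[^\\)])*)\)/g;
  const subjects = [];
  for (const m of pdfText.matchAll(re)) {
    subjects.push(m[1]);
  }
  return subjects;
}

// Constructed PDF fragment: payload split over two annotations, plus a
// harmless third one, the way a sample might hide its code in metadata.
const samplePdf = `
1 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 10 10] /Subj (var x = 6 * 7;) >> endobj
2 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 10 10] /Subj (result = x;) >> endobj
3 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /Subj (harmless) >> endobj
`;

// Stand-alone run: what the loader would execute, and what an analyst sees.
console.log("loader would run:", loadPayloadFromAnnots(app.doc));
console.log("subjects in file:", extractAnnotSubjects(samplePdf).join(" "));
```

The point of the second function is that the JavaScript in such a file can look almost harmless on its own; the strings worth inspecting are in the annotation dictionaries, so any triage script that only dumps /JS and /JavaScript entries will miss them.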
While a lot has already been written about how important it is to patch Adobe Reader installations, I would like to stress this again, as attackers are clearly not sleeping.