- The PDF
- The shellcode
- …More shellcode, and
- The Portable Executable file
1. The PDF
The PDF file contains four malicious components:
- A malformed SWF (Shockwave Flash) file to trigger the CVE-2010-3654 vulnerability
- An encrypted PE (Portable Executable) file
2. The shellcode
The shellcode reads data from the PDF stream and decrypts it into a PE file to the disk and then executes it (as shown in Figure 1).
Figure 1: Decrypting the PE file
When the decrypted PE file is executed, it will run a shellcode contained in the resource section. Looking at the shellcode, it actually decrypts a DLL file to the disk and loads it. It runs a shellcode in the resource section. This time, the shell code is used to decrypt another PE image, and load the decrypted PE image to memory (this PE image will never be written to the disk, it is only in the memory).
Dumping the decrypted PE image from the memory, the ending to this attacker’s story becomes clear -- it is the installation of Win32/Hupigon (aka “Grey Pigeon” and “Graybird”), the notorious remote control backdoor - that is a prevalent threat in China.
Stay safe with protection for this exploit and the threats leveraging it, and don’t forget to apply the update released today by Adobe (APSB10-18 - http://www.adobe.com/support/security/bulletins/apsb10-28.html).