
PDF Exploit Disguised as a Xerox Scanned Document

By Rodel Mendrez  •  February 7th, 2011  •   Spam

Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks, however, have imitated the email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent from a Xerox WorkCentre Pro scanner.

The subject line varied, with examples such as “Scan from XER0X”, “Scan from XER0X ZIP Office”, “Scan from XER0X Center Office” or “Scan from XER0X Center Office”. In the image above, the attachment is not a Xerox WorkCentre Pro scanned document at all but a PDF exploit file that targets old Adobe Acrobat Reader vulnerabilities:

  1. Collab.collectEmailInfo (CVE-2007-5659) – Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities
  2. Utilprintf (CVE-2008-2992) – Adobe Reader ‘util.printf()’ JavaScript Function Stack Buffer Overflow Vulnerability
  3. Collab.getIcon (CVE-2009-0927) – Adobe Acrobat and Reader Collab ‘getIcon()’ JavaScript Method Remote Code Execution Vulnerability
  4. mediaNewplayer (CVE-2009-4324) – Adobe Reader and Acrobat ‘newplayer()’ JavaScript Method Remote Code Execution Vulnerability
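All four bugs are reached through Acrobat JavaScript, so a mail gateway or analyst can triage an attachment like this one by inflating its compressed streams and looking for the JavaScript hooks plus the API names above. The scanner below is an added example written for this post, not the author's or the lab's own tooling; the API-to-CVE mapping comes from the list above (using the real API name media.newPlayer for item 4), while the function names, regexes and the minimal sample PDF are mine and the sample is constructed.

```python
import re
import zlib

# API name -> CVE, as listed in the post (media.newPlayer is the Acrobat
# JavaScript name behind the "mediaNewplayer" entry).
API_INDICATORS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}
# Dictionary keys that wire JavaScript into a document or run it on open.
STRUCT_INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decoded_views(pdf_bytes: bytes):
    """Yield the raw file and every stream body that inflates as zlib/Flate.
    Exploit PDFs normally keep their script inside a compressed stream, so
    grepping the raw bytes alone would miss the API names."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:  # not Flate, or deliberately corrupted: skip
            continue


def scan_pdf(pdf_bytes: bytes) -> dict:
    """Report JavaScript plumbing and vulnerable-API names found in the PDF."""
    structure, apis = set(), {}
    for view in decoded_views(pdf_bytes):
        structure.update(t.decode() for t in STRUCT_INDICATORS if t in view)
        text = view.decode("latin-1")
        apis.update({a: c for a, c in API_INDICATORS.items() if a in text})
    suspicious = bool(apis) or "/JavaScript" in structure
    return {"structure": sorted(structure), "apis": apis, "suspicious": suspicious}


def build_sample() -> bytes:
    """Constructed input: a minimal PDF whose OpenAction runs a harmless
    script stored in a Flate-compressed stream; it only names util.printf."""
    body = zlib.compress(b"var x = util.printf('%d', 1);")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```

Name matches are a triage signal, not proof of exploitation: a benign form can legitimately call util.printf, so positives still need a sandbox or manual look.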

Closer look at the attached PDF exploit

The payload of the PDF exploit downloads a Trojan downloader, which in turn installs additional malware such as Fake AV on the victim’s machine.

Cyber criminals will always strive to find new ways to spread their malware. The first time we saw this Xerox spam campaign was in the middle of last year, when almost exactly the same spam template was used. The only difference between the two was that the malicious attachment used at that time was compressed in ZIP format. A Xerox WorkCentre Pro, however, doesn’t send ZIP file attachments. It’s possible that the cyber criminals realized that the PDF format looks more realistic and could deceive more users, especially in an office environment.


2 Responses to “PDF Exploit Disguised as a Xerox Scanned Document”

  1. [...] This post was mentioned on Twitter by Andre M. DiMino, Bill Gardner, A. Vanderslyke, Kimberly, Sandro Süffert and others. Sandro Süffert said: PDF Exploit Disguised as a Xerox Scanned Document http://flpbd.it/qjk1 < Creative.. [...]

  2. [...] currently spamvertised malware campaign attempts to trick the user into thinking he’s received a scanned Xerox document, whereas the [...]