An Analysis of a Fake Vodafone Bill PDF File # fascinating PDF trojan #mustread

We haven’t come across many malicious PDF files recently in our spam traps, so when we found this message, ostensibly from Vodafone Deutschland, we naturally took a closer look.

In this example, the cyber crooks are targeting Vodafone Deutschland customers by spamming a fake billing statement. The message claims to be from Vodafone-OnlineRechnung@vodafone.com. The spam may look harmless at first, especially given the links in the message point to the real Vodafone.de website. But the attached PDF file is indeed dangerous.

[…]

The malicious PDF file was crafted to exploit the Libtiff vulnerability (CVE-2010-0188) in Adobe Reader 9.3 and earlier. The exploit crashes Adobe Reader and executes the attacker’s malicious code.

The PDF uses two layers of JavaScript obfuscation before triggering the exploit and executing its payload. The first JavaScript was embedded inside this compressed XFA (XML Forms Architecture) form.
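The point about compressed XFA matters for triage: the JavaScript is not visible to a plain string search over the raw file, because it sits inside a Flate-compressed stream object. The following Python script is an added example (not SpiderLabs' code, and not the content of the malicious sample) that builds a constructed, benign PDF with the same layout (AcroForm pointing at a Flate-compressed XFA stream that carries a script block) and compares a naive grep of the raw bytes with a scan that decodes each stream object first. The indicator list, the helper names and the sample PDF are this example's own assumptions.

```python
"""Triage scanner for PDFs that hide JavaScript inside compressed XFA streams.

Added example for this post, not SpiderLabs' code. It builds a constructed,
benign sample PDF with the layout the post describes (JavaScript inside a
Flate-compressed XFA form) and shows why a raw string search misses the script
while a scan of decoded stream contents finds it.
"""
import re
import zlib

# Indicators worth a second look in a PDF. Constructed list for this example;
# "<image " is the XFA element that carries embedded image data (the TIFF route
# used against the libtiff bug, CVE-2010-0188).
INDICATORS = [
    b"/JavaScript",
    b"/JS",
    b"/XFA",
    b"/OpenAction",
    b"/AcroForm",
    b"<script",
    b"application/x-javascript",
    b"<image ",
]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"stream\r?\n")
# Direct /Length only; an indirect "/Length 5 0 R" falls through to the fallback.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def iter_objects(pdf_bytes):
    """Yield (object number, dictionary bytes, decoded stream bytes).

    Only /FlateDecode is handled; streams with other filters are yielded
    undecoded so the caller can at least see which filter would be needed.
    """
    for m in OBJ_RE.finditer(pdf_bytes):
        num, body = int(m.group(1)), m.group(3)
        start = STREAM_START_RE.search(body)
        if not start:
            yield num, body, b""
            continue
        dictionary, data = body[:start.start()], body[start.end():]
        length = LENGTH_RE.search(dictionary)
        if length:
            # Honour /Length instead of hunting for "endstream" inside binary data.
            data = data[:int(length.group(1))]
        else:
            data = data.split(b"endstream", 1)[0]
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt or truncated stream: keep raw bytes, still flag
        yield num, dictionary, data


def raw_grep(pdf_bytes):
    """What a naive string search over the undecoded file sees."""
    return [ind.decode() for ind in INDICATORS if ind in pdf_bytes]


def scan_pdf(pdf_bytes):
    """Map object number -> indicators found in its dictionary or decoded stream."""
    hits = {}
    for num, dictionary, data in iter_objects(pdf_bytes):
        found = [ind.decode() for ind in INDICATORS
                 if ind in dictionary or ind in data]
        if found:
            hits[num] = found
    return hits


def build_sample_pdf():
    """Constructed benign sample: Catalog -> AcroForm -> Flate-compressed XFA
    stream with a JavaScript <script> block. The script only opens a dialog;
    it stands in for the obfuscated first stage and is not the malicious
    file's content."""
    xfa_xml = (
        b'<?xml version="1.0"?>'
        b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
        b'<subform name="form1"><event activity="initialize">'
        b'<script contentType="application/x-javascript">'
        b'app.alert("stage one");'
        b'</script></event></subform></template></xdp:xdp>'
    )
    compressed = zlib.compress(xfa_xml)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Fields [] /XFA 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.6\n"
    for i, obj in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("raw grep sees:", raw_grep(pdf))
    for num, found in sorted(scan_pdf(pdf).items()):
        print("object %d:" % num, ", ".join(found))
```

Run it and the raw grep reports only the form markers (`/AcroForm`, `/XFA`), while the decoded scan attributes `<script` and `application/x-javascript` to the XFA stream object. The same two-pass approach (decode streams, then look for script and image elements inside the XFA XML) is how a sample like this one is picked up without executing it in a reader.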

[…]

The shellcode’s ultimate intention is to download a couple of malicious files from the internet.

Both files are exactly the same executable from different URLs, perhaps for redundancy reasons. The malware is known as Bublik or Bebloh – a banking Trojan.

Continues at: An Analysis of a Fake Vodafone Bill PDF File – SpiderLabs Anterior.
