The PDF specification is quite extensive and thus can be complicated to detect threats in. There are numerous features that lend themselves to malicious payloads, beyond the vulnerabilities that have been discovered over the years with rendering software for the specification. The ability to use any combination of a few different encodings also helps threats to evade simpler detection means, namely signature-based methods but more generally any detection system that doesn't fully decode all streams within the document. The particular samples investigated took advantage of this to embed the compressed Microsoft Word file into the PDF. The user is prompted by text within the PDF to open the embedded document.
The Word document itself contains a macro that attempts to download the primary payload, which is encrypted with a very simple encryption scheme to evade detection passing through firewalls, from a list of hacked sites and then executes it. The payload is the relatively new Jaff ransomware, which is being likened to Locky but is not considered a variant of it. The PDFs themselves were observed being distributed in empty-bodied emails with subjects containing a single word, such as “Document” or “PDF”, followed by an underscore and a number. It's possible this is intended to simulate inter-office communications where using only a subject to send a message or describe an attachment might not be uncommon.
Users should always be diligent in inspecting emails and files for suspicious indicators and erring on the side of caution when not certain. Attacks such as this sometimes have second chances for a cautious user to suspect malicious intent, such as being asked to open an embedded file from the PDF if the attachment has already been opened. This is not always the case, however, so caution should always be used from the start when checking emails or surfing the web. Since this practice is not always exercised, and for targeted attacks that will be crafted to not arouse suspicion, having a next-generation antivirus solution is also important. Users of Barracuda Advanced Threat Protection are protected from this threat as our ATD solution catches this threat with its combination of static and dynamic analysis.
Jonathan Tanner is a Software Engineer in our Campbell office. Connect with him on LinkedIn here.