Exploit:Win32/Pdfjsc.ADH is a malicious PDF file that exploits a vulnerability in Adobe Acrobat and Adobe Reader.
The vulnerability, discussed in CVE-2010-0188, allows this malware to download and run arbitrary files.
The following versions of Adobe Acrobat and Adobe Reader are vulnerable to this exploit:
Adobe Acrobat and Adobe Reader earlier than 8.2.1
Adobe Acrobat and Adobe Reader earlier than 9.3.1
Downloads arbitrary files
If Exploit:Win32/Pdfjsc.ADH successfully exploits a vulnerable computer, it attempts to download and install arbitrary files which may be detected as malware. In the wild, we have observed Exploit:Win32/Pdfjsc.ADH contacting the following host for this purpose:
Note: At the time of writing, the site was unavailable for analysis and we are unable to confirm what files are being downloaded.
We have observed Exploit:Win32/Pdfjsc.ADH downloading the file to the %TEMP% folder with the file name "wpbt<random number>.dll"; for example:
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the %TEMP% folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
Exploit:Win32/Pdfjsc.ADH also drops a non-malicious PDF file into the %TEMP% folder with the file name "A9R<four-character hexadecimal number>.tmp"; for example:
Analysis by Jonathan San Jose
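The two file-name patterns described above can be used to triage a user's %TEMP% folder. The following check is an added example, not part of the original analysis. It assumes that the downloaded "wpbt" file is a PE image (checked by its "MZ" header, which the description does not confirm) and that the dropped decoy begins with "%PDF-"; the function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Name patterns from the description; case-insensitive like Windows file names.
DOWNLOADED_DLL = re.compile(r"^wpbt\d+\.dll$", re.IGNORECASE)
DECOY_PDF = re.compile(r"^A9R[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def starts_with(path, magic):
    """True if the file begins with the given magic bytes (unreadable -> False)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(magic)) == magic
    except OSError:
        return False


def scan_temp(temp_dir):
    """Report files in one Temp folder whose names match the described patterns."""
    hits = {"dll": [], "decoy": []}
    for entry in sorted(Path(temp_dir).iterdir()):
        if not entry.is_file():
            continue
        if DOWNLOADED_DLL.match(entry.name):
            # Assumption: a PE header makes the name match more significant.
            hits["dll"].append((entry.name, starts_with(entry, b"MZ")))
        elif DECOY_PDF.match(entry.name) and starts_with(entry, b"%PDF-"):
            hits["decoy"].append(entry.name)
    # A name match alone is a weak signal; both artifacts together is stronger.
    hits["both"] = bool(hits["dll"]) and bool(hits["decoy"])
    return hits


def demo():
    """Run the scan over constructed sample files (not real artifacts)."""
    samples = {
        "wpbt0.dll": b"MZ\x90\x00",       # name matches, PE header
        "wpbt12.dll": b"plain text",      # name matches, no PE header
        "A9R1F3C.tmp": b"%PDF-1.4\n",     # name matches, PDF header
        "A9R00AB.tmp": b"not a pdf",      # name matches, wrong content
        "A9RZZZZ.tmp": b"%PDF-1.4\n",     # suffix is not hexadecimal
        "notes.txt": b"unrelated",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            (Path(d) / name).write_bytes(data)
        return scan_temp(d)


if __name__ == "__main__":
    print(demo())
```
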