Exploit:SWF/CVE-2012-0754.B

Exploit:SWF/CVE-2012-0754.B is a detection for a PDF file which exploits a vulnerability in Adobe Flash Player. If you view the file in Adobe Acrobat Reader, it passes a file to Adobe Flash Player; if this occurs in a vulnerable version of Adobe Flash Player, it will drop and execute malicious files on your computer.

This vulnerability affects versions of Adobe Flash Player 10.x prior to 10.3.183.15 and 11.x prior to 11.1.102.62.

This vulnerability is discussed in the following article:

CVE-2012-0754

Technical details

The PDF file contains a SWF and an MP4 files. If you open the PDF file, the SWF file is passed to Adobe Flash Player. The SWF then references the MP4 file, causing the corruption of memory in Adobe Flash Player, and execution of the shellcode which is embedded into the SWF file.

In the variants of PDF files we've seen, the shellcode attempts to drop and inject a malicious DLL which is also contained within a PDF file into a known processes such as "explorer" or "svchost". Depending on the functionality of the DLL, Exploit:SWF/CVE-2012-0754.B attempts to connect to remote sites. Some of the sites we observed it connecting to are:

• alldownloads.ftpserver.biz
• report2.proxydns01.ddns.us
• worldnews.alldownloads.ftpserver.biz 

At the time of writing, the hosts were not available.

Analysis by Oleg Petrovsky