Security for the masses

Skip to: Content | Sidebar | Footer

Facebook email scam with PDF twist

26 November, 2009 (18:26) | Diagnosis, Prognosis, Treatment. | By: Blogkeep

Another facebook email scam in my mail box today, this time with a twist. As usual it was a html email.


From – Thu Nov 26 10:23:04 2009
X-Account-Key: account3
X-UIDL: UID112-1238682728
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Delivery-date: Thu, 26 Nov 2009 07:39:15 +0000
Received: from ([]:4351)
(return-path ); Thu, 26 Nov 2009 07:39:14 +0000
Received: from by; Thu, 26 Nov 2009 08:37:41 +0100
From: “Facebook”
Subject: new login system
Date: Thu, 26 Nov 2009 08:37:41 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QY99QN4ZD0K9XZUL7DP1EW6GO2==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <000d01ca6e6b$56025570$6400a8c0@fracturek03>

End Header

I searched the source and found the following link: hxxp: //

The domain name in the email field for the fake login page did not match the email address of the recipient, so if this was an attempt to confirm active email addresses for spam or match the recipient to Facebook account it failed.

I pasted this:

hxxp: //

into a new Firefox window, I should have done this on a VM but I considered NoScript to the only protection I would need at this stage.

Before the fake login page appeared, I was prompted to download or view a pdf file, (I don’t have the browser automatically open files that could contain executable code) I saved the file under its default name of:

pdf.pdf MD5: 80758E30F8BEB7FA79F6346B85F6CF31.

More about that later.

The site finally opened and offered updatetool.exe md5:853631A285ED6DD86E81E044DCBC4C28 a zbot variant (VirusTotal Analysis) for me to download and install.

The PDF I saved, well I opened it in notepad2 and discovered this:
NOTE: I have removed most of the initialisation data for variable s, it will become clear why later.

13 0 obj
p =””;

var s = ” 10{ 118{ 97{ … 71{ 119{ 41{ 59{ 10{ 125{ 10{ 125{ 10″;
p =””;
s=s.replace(/[A-Z]/g,function (sda){}).split(“{ “);

var JknB=”f”+”o”;
var qqeerR=”r”;
var qrt=”(“+”i”;
var HHjdxc=”=”+”0″;
var uiuTW=”i”+”<"; var Vqweqwet="l"+"en"; var df="+"+"+"; var TTyreQ="=S"; var nmMJ="o"; var tyuid="o"; var YUiotr="["+"i]"+")"+";"+"}"; vk(JknB+qqeerR+qrt+HHjdxc+";"+uiuTW+"s."+Vqweqwet+"gth"+";i"+df+"){"+"p+"+TTyreQ+"tri"+"ng"+".fr"+nmMJ+"mC"+"h"+"arC"+tyuid+"de"+"(s"+YUiotr); vk(p); endstream endobj Obviously something has been obfuscated possibly to avoid AV detection: So I un-obfuscate and comment: p =""; var s = " 10,118,97,... 125,10,125,10"; ib=eval; vk=ib; p =""; s=s.replace(/[A-Z]/g,function (sda){}).split("{ "); //changes s into an array of numbers:10,118,97,... 125,10,125,10 eval(for(i=0;i<s.length;i++) { p+=String.fromCharCode(s[i]);}); //Cycles through s converting number to ascii and appends it to the string p. //Now p contains an ascii text string that has been derived from the decimal ascii codes initialised in s. eval(p); The obfuscated code was simple enough work out yet disguised well enough to get past my AV when I downloaded the PDF. Once I had the actual exploit code, after it was converted from its decimal ascii code representation (s initialisation), my AV warned of a malicious script. It took a moment for me to recognise the code was buffer overflow attempt. On closer examination, and a little searching I discovered it was code that that examines the version of Adobe in use before attempting an Adobe printf() or collectEmailInfo() exploit.

I transfered the pdf to a vm and attempted to view it using the latest version of Foxit Reader whilst running AV. First I scanned the pdf with Avast!, nothing was detected. I used Foxit Reader V3.1.4.1125 to open the file, a bank one page document was shown. No doubt if I was running a vulnerable version of this viewer I would have experienced a crash or a compromise of my vm as the obfuscation in the code was enough to fool my AV.

So two attempts at compromising a PC; One via running updatetool.exe and installing a zbot variant and one from the pdf file attempting to exploit the Adobe Reader plugin. One attempt to compromise me and gain Facebook credentials: The fake login page. And a possible attempt to verify an email address; The passing of the link embedded email address to the linked login function, all wrapped up in one email. I guess in a global recession even cyber criminals have to increase efficiency, at least that’s what one would have thought. It is hardly efficient to send the same email to the same email address 10+ times. Isn’t this kind of spamming likely to arouse suspicion?

Evidence that it is essential that applications as well as your operating system be updated asap after a security fix or update is released, after of course you have created a suitable restore route for your system should something conflict.

It isn’t very difficult to buy a domain name, get some hosting and copy paste an exploit together in the hope of stealing someones identity or bank details. In fact it is too easy.

Write a comment