One of our Application Defense Center (ADC) researchers did an interesting piece of reverse engineering to see how a malicious PDF attachment infects the machine that opens it. This is quite relevant, since "malicious PDF files now account for a larger proportion of document types used in attacks." In fact, based on current trends, "76 percent of targeted malware could be used for PDF-based attacks by mid-2011."
How does such an attack work? Our ADC's analysis gives a nice overview.
First, opening the PDF file in a text editor shows that several objects carry encoded streams rather than readable content. Let's look for an object that contains JavaScript:
Object 11 references object 12, which contains the JavaScript. Object 12's stream is wrapped with the ASCIIHexDecode filter (written AsciiHexDecode in the original screenshots). ASCIIHexDecode is a standard, reversible PDF stream filter, not encryption: a reader undoes it transparently, so the only reason to apply it to a script is to keep the malicious code out of plain sight and away from anti-virus signatures that match on the raw JavaScript.
[Screenshot 2 not reproduced]
Let's decode this stream and see what we get:
Hmmmm, let's take a better look with a text editor:
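The two steps above, locating the object that carries JavaScript and undoing the ASCIIHexDecode filter, as an added Python example that is not part of the original ADC analysis. It runs against a constructed minimal PDF (object 11 referencing object 12, as in the post) rather than the real sample, and it goes one step further than the post by also handling a filter chain such as [ /ASCIIHexDecode /FlateDecode ], which is the other common way attackers hide a script. The object names, payload and regexes are all assumptions made for the example.

```python
import re
import zlib

# Constructed sample, not the file from the post: object 11 is a JavaScript action
# whose /JS entry points at object 12, and object 12 carries the script in an
# ASCIIHexDecode-filtered stream. Object 1 wires it to /OpenAction so it runs on open.
JS_PAYLOAD = b"app.alert('hello from object 12');"
ENCODED = JS_PAYLOAD.hex().encode() + b">"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 11 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"11 0 obj << /Type /Action /S /JavaScript /JS 12 0 R >> endobj\n"
    b"12 0 obj << /Length " + str(len(ENCODED)).encode() + b" /Filter /ASCIIHexDecode >>\n"
    b"stream\n" + ENCODED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Second constructed object: the same script compressed, then hex-encoded. The PDF spec
# lists filters in decode order, so the reader undoes ASCIIHex first and Flate second.
CHAINED_HEAD = b"<< /Filter [ /ASCIIHexDecode /FlateDecode ] >>"
CHAINED_RAW = zlib.compress(JS_PAYLOAD).hex().encode() + b">"

# Triage-grade regexes: good enough for hand analysis of a suspicious file, not a full
# PDF parser (a binary stream containing the literal 'endobj' would cut an object short).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)")
NAME_RE = re.compile(rb"/([A-Za-z0-9]+)")
JS_REF_RE = re.compile(rb"/(?:JS|JavaScript)\s+(\d+)\s+\d+\s+R")              # /JS 12 0 R
JS_LIT_RE = re.compile(rb"/(?:JS|JavaScript)\s*\((.*?)(?<!\\)\)", re.DOTALL)  # /JS (inline)


def parse_objects(pdf):
    """Map object number -> (dictionary bytes, raw stream bytes or None)."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        s = STREAM_RE.search(body)
        objects[int(m.group(1))] = (body[: s.start()] if s else body, s.group(1) if s else None)
    return objects


def filters_of(head):
    """The /Filter chain as a list of names, in the order they are applied when decoding."""
    m = FILTER_RE.search(head)
    return [n.decode() for n in NAME_RE.findall(m.group(1))] if m else []


def ascii_hex_decode(data):
    """PDF ASCIIHexDecode: hex digit pairs, whitespace ignored, '>' ends the data,
    and a trailing odd digit is treated as if followed by 0."""
    digits = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


DECODERS = {"ASCIIHexDecode": ascii_hex_decode, "AHx": ascii_hex_decode,
            "FlateDecode": zlib.decompress, "Fl": zlib.decompress}


def decode_stream(head, raw):
    """Undo the filter chain in order. Stops at the first filter we cannot handle and
    reports it, so a sample using e.g. /LZWDecode is flagged instead of silently skipped."""
    data, unknown = raw, []
    for name in filters_of(head):
        if name not in DECODERS:
            unknown.append(name)
            break
        data = DECODERS[name](data)
    return data, unknown


def find_javascript(pdf):
    """Locate /JS and /JavaScript entries, follow indirect references, decode the target."""
    objects = parse_objects(pdf)
    hits = []
    for num, (head, _) in objects.items():
        for ref in JS_REF_RE.finditer(head):
            target = int(ref.group(1))
            if target in objects and objects[target][1] is not None:
                t_head, t_raw = objects[target]
                js, unknown = decode_stream(t_head, t_raw)
                hits.append({"action_obj": num, "js_obj": target, "filters": filters_of(t_head),
                             "unknown_filters": unknown, "js": js})
        for lit in JS_LIT_RE.finditer(head):   # script stored inline as a literal string
            hits.append({"action_obj": num, "js_obj": num, "filters": [],
                         "unknown_filters": [], "js": lit.group(1)})
    return hits


if __name__ == "__main__":
    for hit in find_javascript(SAMPLE_PDF):
        print(f"object {hit['action_obj']} -> object {hit['js_obj']} filters={hit['filters']}")
        print(hit["js"].decode("latin-1"))
```

Run it on a real sample with `find_javascript(open(path, "rb").read())`; anything in `unknown_filters` is a stream you still have to decode by hand, and a decoded script that is itself a wall of escapes is the point at which the post switches to Malzilla.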
[Screenshot 3 not reproduced]
Let's use Malzilla for decoding this malicious JavaScript:
Let's have a better look:
[Screenshot 4 not reproduced]
I wonder what this shellcode does; let's convert it to an exe file:
[Screenshot 5 not reproduced]
Let's open the exe file with IDA:
We can see that the shellcode starts with a NOP sled. Let's look for some interesting strings in the binary:
YEP! Bingo!
URLDownloadToFileA (urlmon.dll): the API the shellcode calls to fetch a file from a URL and write it to disk; documented at http://msdn.microsoft.com/en-us/library/ms775123(v=vs.85).aspx
Pdfupd.exe: the remote Trojan that gets downloaded and run (the file name imitates a PDF reader update).
hxxp://69.64.50.78/...: the infection point, i.e. the download URL, written defanged so it cannot be clicked by accident.
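The shellcode triage above (NOP sled, strings, the download API and the infection URL), as an added Python example that is not part of the original ADC analysis. The shellcode bytes are constructed for the example, the URL uses the RFC 5737 documentation address 192.0.2.10 rather than the real infection point, and the `%uXXXX` input format is an assumption about how the exploit JavaScript carried the shellcode (the common `unescape("%u9090...")` pattern); the post does not show that detail.

```python
import re

# Constructed shellcode stand-in, not the bytes from the post: a NOP sled, a couple of
# opcode bytes, then the plaintext strings a naive downloader leaves behind. The URL
# uses the RFC 5737 documentation address 192.0.2.10 instead of the real infection point.
SHELLCODE = (
    b"\x90" * 16                          # NOP sled
    + b"\x31\xc0"                         # xor eax, eax (stands in for the real stub)
    + b"urlmon\x00"
    + b"URLDownloadToFileA\x00"
    + b"WinExec\x00"
    + b"http://192.0.2.10/pdfupd.exe\x00"
    + b"C:\\pdfupd.exe\x00"
    + b"\xc3"                             # ret
)

# Assumption about the delivery format: exploit JavaScript commonly carries shellcode as
# unescape("%u9090%u9090...") strings, one 16-bit code unit per %uXXXX, little-endian.
SAMPLE_ESCAPED = "%u9090%u9090%u5255%u004c"   # -> 90 90 90 90 'U' 'R' 'L' 00

# Plaintext imports worth flagging. Real shellcode often resolves these by hash instead,
# in which case this list finds nothing and you fall back to disassembly as in the post.
WATCHLIST = ("URLDownloadToFileA", "URLDownloadToFileW", "WinExec", "ShellExecuteA",
             "CreateProcessA", "LoadLibraryA", "GetProcAddress", "ExitProcess")


def unescape_to_bytes(s):
    """Reverse JavaScript unescape(): %uXXXX -> two little-endian bytes, %XX -> one byte,
    anything else -> its low byte. Truncated or non-hex escapes raise ValueError on purpose."""
    out, i = bytearray(), 0
    while i < len(s):
        if s.startswith("%u", i):
            chunk = s[i + 2:i + 6]
            if len(chunk) != 4:
                raise ValueError(f"truncated %u escape at offset {i}")
            out += int(chunk, 16).to_bytes(2, "little")
            i += 6
        elif s[i] == "%":
            chunk = s[i + 1:i + 3]
            if len(chunk) != 2:
                raise ValueError(f"truncated % escape at offset {i}")
            out.append(int(chunk, 16))
            i += 3
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)


def nop_sled_length(sc):
    """Length of the run of 0x90 bytes at the start of the buffer."""
    n = 0
    while n < len(sc) and sc[n] == 0x90:
        n += 1
    return n


def extract_strings(sc, min_len=4):
    """Printable ASCII runs, like the strings window in IDA."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, sc)]


def defang(url):
    """hxxp:// and [.] in the host so the indicator cannot be clicked or auto-linked."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def triage(sc):
    """What the post pulled out of IDA by hand: sled length, strings, imports, download URL."""
    strings = extract_strings(sc)
    urls = []
    for s in strings:
        urls += re.findall(r"https?://[\x21-\x7e]+", s)
    return {
        "nop_sled": nop_sled_length(sc),
        "strings": strings,
        "apis": [name for name in WATCHLIST if name.encode() in sc],
        "urls": urls,
        "defanged": [defang(u) for u in urls],
    }


if __name__ == "__main__":
    assert unescape_to_bytes(SAMPLE_ESCAPED) == b"\x90\x90\x90\x90URL\x00"
    report = triage(SHELLCODE)
    print(f"NOP sled: {report['nop_sled']} bytes")
    print("APIs:", ", ".join(report["apis"]))
    print("Download URL(s):", ", ".join(report["defanged"]))
```

On a real sample you would feed `unescape_to_bytes()` the string Malzilla hands back and pass the result to `triage()`; an empty `apis` list is not a clean bill of health, it usually means the shellcode resolves its imports by hash, and the IDA step in the post is still required.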
