![]() ![]() But after decoding it two times using the FlateDecode method, it occupies more than 86 MB of space. This object-1 stream is 14 KB in size, which is normal. Usually object-1 (the first stream) is encoded twice with/FlateDecode format as (/Fl /Fl). The below image shows ROP offsets coded for specific versions of Adobe Reader. Here, the attackers have used the PoC written by Felipe Manzano and added more ROP offsets to cover as many as 23 different Adobe Reader versions starting from 9.3.0.3 to 11.0.0.1. In sample image 1, the PDF attachment “HSBC_Payment_9854711.pdf” contains a shellcode that downloads an executable file from a compromised website. īelow are some examples of such emails received by targeted victims: ![]() The attachments that are sent with these emails contain malicious codes that exploit the Adobe Reader vulnerability CVE-2013-2729. – Attached is your Approved Payment from RBI These emails usually arrive with the following subject lines: In the below chart, it can be noticed that 24% of such fake emails seem to have arrived from HSBC & 23% from Barclays. We have analyzed spam emails that seem like they have been sent from banks. PDF attachments contribute to 2% and DOC attachments contribute to 1% of the analyzed malicious emails. Over the last few weeks we have observed an increase in malicious emails that carry PDF or DOC attachments. Such emails are sent with malicious attachments as zip, executable or with double extension. ![]() Malware authors are still relying on email to spread malware using social engineering techniques. Quick Heal Lab has analyzed a malicious email campaign via which attackers intend to install the malicious ransomware called CryptoLocker in the infected machines.
0 Comments
Leave a Reply. |