In this case, the JavaScript function VMNoZ7dbNsRz9 runs automatically when the PDF document is opened. At first glance we could not find the body of VMNoZ7dbNsRz9 anywhere in the file; it turned out that the function body is stored in a stream compressed with zlib (the PDF /FlateDecode filter), so a plain string search over the file does not see it.
We can decompress it with the following Perl code:
The results are still encoded:
After several rounds of decoding, we found that the payload downloads another PDF or an executable and runs it; which one depends on the variant.
Investigating further, we found that the exploit targets a buffer overflow in Collab.collectEmailInfo() (CVE-2007-5659), which is not a new discovery.
A few variants of this exploit exist already, and we expect more to surface: all of the evidence we have collected indicates that these samples were generated by some kind of toolkit.
So far we have only seen in-the-wild samples that use the OpenAction entry to trigger the payload, but the PDF specification offers several other ways to accomplish the same thing. For example, a Launch action can designate an application to be launched when the document is opened or printed, and a URI action can be abused through the mailto: scheme. Detection that keys only on OpenAction will miss such variants.
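As an added example (written for this edit in Python rather than the Perl the post used, and not the post's own script), the two steps described above in one runnable script: inflating a zlib-compressed stream to recover the hidden JavaScript, and scanning the raw file plus every inflated stream for the OpenAction, JavaScript, Launch and mailto URI triggers. It runs against a constructed, benign stand-in PDF built inline; the builder, the placeholder function body and the indicator names are assumptions, and only the function name VMNoZ7dbNsRz9 and the API Collab.collectEmailInfo come from the post.

```python
import re
import zlib

# Constructed, benign stand-in for the sample discussed in the post (not the
# real malicious file): a minimal PDF whose /OpenAction points at a JavaScript
# action whose code lives in a zlib-compressed (/FlateDecode) stream. The
# function name VMNoZ7dbNsRz9 comes from the post; its body here is a placeholder.
JS_BODY = (
    b"function VMNoZ7dbNsRz9() {\n"
    b"  /* placeholder: the real sample builds its arguments here */\n"
    b"  Collab.collectEmailInfo({subj: '', msg: ''});\n"
    b"}\n"
    b"VMNoZ7dbNsRz9();\n"
)


def build_sample_pdf(action_dict, stream_payload):
    """Assemble a tiny PDF (no xref table; enough for string-level triage).

    action_dict    -- body of the action dictionary referenced by /OpenAction
    stream_payload -- bytes stored zlib-compressed in object 5
    """
    compressed = zlib.compress(stream_payload)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
        b"4 0 obj << " + action_dict + b" >> endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed),
        compressed,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


# One stream dictionary followed by its 'stream' keyword; the lookahead keeps a
# match from crossing into another object's '<<'.
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; an indirect reference such as '/Length 5 0 R' is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def inflate(raw):
    """zlib-inflate a FlateDecode stream, tolerating trailing junk or truncation."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return zlib.decompressobj().decompress(raw)


def extract_streams(pdf):
    """Yield (stream_dict, decoded_bytes) for every stream object in the file."""
    for m in STREAM_RE.finditer(pdf):
        sdict, start = m.group(1), m.end()
        lm = LENGTH_RE.search(sdict)
        end = start + int(lm.group(1)) if lm else pdf.find(b"endstream", start)
        raw = pdf[start:end]
        data = inflate(raw) if b"/FlateDecode" in sdict else raw
        yield sdict, data


def recover_javascript(pdf):
    """Return the decoded contents of every stream that looks like JavaScript."""
    return [data for _, data in extract_streams(pdf)
            if re.search(rb"\bfunction\b|\beval\s*\(", data)]


# String-level indicators for the triggers the post mentions. They are checked in
# the raw file and in every inflated stream, so a trigger hidden inside a
# compressed object is still found.
INDICATORS = {
    "OpenAction": rb"/OpenAction\b",
    "JavaScript action": rb"/S\s*/JavaScript\b|/JS\b",
    "Launch action": rb"/S\s*/Launch\b|/Launch\b",
    "URI action": rb"/S\s*/URI\b|/URI\b",
    "mailto URI": rb"mailto:",
    "Collab.collectEmailInfo": rb"Collab\.collectEmailInfo",
}


def triage(pdf):
    """Return the sorted list of indicator names present in the file or its streams."""
    views = [pdf] + [data for _, data in extract_streams(pdf)]
    return sorted(name for name, pat in INDICATORS.items()
                  if any(re.search(pat, v) for v in views))


if __name__ == "__main__":
    sample = build_sample_pdf(b"/S /JavaScript /JS 5 0 R", JS_BODY)
    print(recover_javascript(sample)[0].decode())
    print(triage(sample))
```

Two caveats for real samples: PDF names may be written with #xx hex escapes (/Open#41ction is the same name as /OpenAction), and streams may carry filters other than FlateDecode or be nested in object streams, so a byte-pattern scan like this is a triage aid, not a parser; normalise names and walk the object graph with a real PDF library before trusting a negative result.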
Security Researcher: Tim Xia