Jump to content
Tuts 4 You

very odd .fnt file, probably malware


Razz

Recommended Posts

Hi guys,

I'm learning about malware and I remember stumbling upon this cool forum some time ago. I recently downloaded a pdf of a book, because I wanted to  look up some pages in the book since it was used as a source in an article I was reading.
It's a pretty obscure book and since I couldn't find a legitimate source for it, I thought what the hell why not try one of the risky fake-looking torrent links.
To my surprise the torrent downloaded immediately and I got a .rar file. Normally with these things the rar file is either encrypted with a password or the pdf itself is fake and only contains instructions on how to complete a CPA offer to get access to the most of the time non-existing pdf file. 

But to my surprise the rar file contained this:

  • add.AcrobatPDFsomefont.bat
  • ADOBE_somefont.fnt
  • title.pdf
  • IMPORTANT.NOTICE.txt

I changed the font name to make it harder for the malware maker to stumble upon this topic using google, I'm pretty sure that wasn't needed.

Content of IMPORTANT.NOTICE.txt:

"IMPORTANT NOTICE:
Install the necessary fonts using add.AcrobatPDFsomefont.bat file."

The pdf file is 300+ pages long and is filled with gibberish. At the top it says in red letters a similar warning:
ADOBE PDF Warning: required fonts is not installed. (ADOBE_somefont.fnt)

Pretty cool, apparently they want me to click on the .bat file, this is probably malware.
the .bat file has two commands:

copy ADOBE_somefont.fnt %TEMP%
acrobat /convert fonts:UTF-8 /font:load & start %TEMP%\ADOBE_somefont.fnt

Since it was late and my curiosity got the better of me after viewing the .bat file, I decided to run it (I know).
The bat file started a commandline screen with hardcoded text telling me the supposed font had been loaded.

Now I'm really interested in how this works. Analyzing the .fnt file tells me it is a PE32 executable. Looking around with PE explorer I can see the contents of the malware , but I'm not skilled enough to actually understand what it is trying to do.

My question is, how does malware like this work?  How can that "acrobat" command execute a .fnt file and why didn't my antivirus pick up on this? Using virustotal 4-5 out of 50 virusscanners say it uses some kind of malign heuristics to do it's work, but maybe that's just because it was packed.

I'm not sure if I have earned the privilege yet to upload files, and even so I'm pretty sure uploading files will raise suspicion since I have just registered as a new user. But I can upload the rar file if anyone is interested to take a look at it.

Thanks in advance!

 

 

Link to comment
Extreme Coders
3 hours ago, Razz said:

My question is, how does malware like this work?  How can that "acrobat" command execute a .fnt file and why didn't my antivirus pick up on this? Using virustotal 4-5 out of 50 virusscanners say it uses some kind of malign heuristics to do it's work, but maybe that's just because it was packed.

Acrobat isn't executing the fnt file. If you look closely there is an & in between to chain two separate commands. 

acrobat /convert fonts:UTF-8 /font:load & start %TEMP%\ADOBE_somefont.fnt 

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...