
First posted on 24 October 2019.
Source: Microsoft

Aliases:

Exploit:Win32/Pdfjsc.YF is also known as PDF/Exploit.ACN, Exploit.PDF-JS.BL, Exploit.Win32.Pdfjsc, Exploit.JS.Pdfka.ffs, Troj/PDFEx-ET.

Explanation:

Exploit:Win32/Pdfjsc.YF is a specially crafted Portable Document Format (PDF) file that exploits a vulnerability in Adobe Acrobat and Adobe Reader discussed in the following articles:

CVE-2010-0188, APSB10-07

Exploit:Win32/Pdfjsc.YF has been observed to be hosted on the following servers:

eatingforbetterlife.net, innts.info, mouslik.ru

Exploit:Win32/Pdfjsc.YF contains JavaScript and is part of the "Blackhole" exploit kit. When executed, it checks which version of Adobe Acrobat or Adobe Reader is running on the affected computer. If the computer is running a vulnerable version of the software, Exploit:Win32/Pdfjsc.YF connects to the same servers that it may be hosted on and attempts to download and execute certain files. A downloaded file may be named "wpbt0.dll", which is then loaded with the following command:

regsvr32 -s wpbt0.dll

The servers are unavailable as of this writing.

Analysis by Horea Coroiu

Last update 24 October 2019
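
A defender-side check for the behaviour described above, as an added example that is not part of the original write-up: it scans process-creation events for a silent `regsvr32` registration of `wpbt0.dll`, or for any silent registration launched from Adobe Reader or Acrobat. The event field names (modelled on Sysmon Event ID 1), the reader process acting as parent, and all sample events are assumptions constructed for illustration.

```python
import ntpath
import shlex

PDF_READERS = {"acrord32.exe", "acrobat.exe"}  # assumption: parents of interest
KNOWN_DLL = "wpbt0.dll"                        # file name given in the write-up


def parse_regsvr32(command_line):
    """Return (silent, dll_targets) for a regsvr32 command line, else None."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keeps backslashes
    except ValueError:                                   # unbalanced quote
        tokens = command_line.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    switches = [t[1:].lower() for t in tokens[1:] if t.startswith(("-", "/"))]
    targets = [t for t in tokens[1:] if t and not t.startswith(("-", "/"))]
    return "s" in switches, targets


def reasons_for(event):
    parsed = parse_regsvr32(event.get("CommandLine", ""))
    if parsed is None:
        return []
    silent, targets = parsed
    reasons = []
    if silent and targets:
        reasons.append("silent-registration")
    if any(ntpath.basename(t).lower() == KNOWN_DLL for t in targets):
        reasons.append("known-dll-name")
    if ntpath.basename(event.get("ParentImage", "")).lower() in PDF_READERS:
        reasons.append("pdf-reader-parent")
    return reasons


def is_alert(event):
    r = set(reasons_for(event))
    return "known-dll-name" in r or {"silent-registration", "pdf-reader-parent"} <= r


# Constructed sample events; paths and parents are illustrative only.
EVENTS = [
    {"ParentImage": r"C:\Adobe\AcroRd32.exe", "CommandLine": "regsvr32 -s wpbt0.dll"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\plugin.dll"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe report.txt"},
    {"ParentImage": r"C:\Adobe\AcroRd32.exe", "CommandLine": r"regsvr32.exe /S C:\Temp\x1.dll"},
]
```

Silent registration on its own is common during software installs, so the check only alerts when it coincides with the DLL name from this write-up or a PDF reader parent.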