Latest PDF Zero Day Leads to Exploit Egg Hunt

Client-side exploitation continues to be a popular attack vector. Another zero-day attack has targeted Adobe Acrobat Reader to infiltrate customer networks. The currently unpatched exploit opens the door to code execution when a victim simply reads a malicious PDF document.
This JavaScript code is viewable only if the stream had been unpacked, as can be seen in this FileInsight screenshot:

Although the content of the compressed stream may look like random data, when unpacked the JavaScript code will fill a certain memory area with malicious x86 assembly code and cause the exploited Adobe software to execute this shellcode–commonly know as a heap spray.
To determine the final intent of the shellcode, we have to remove another obfuscation layer that attempts to evade automated detection. The machine code is embedded as a “malformed” and “escaped” sequence of hex bytes. Any occurrence of the substring “XX” is replaced with “%u” before JavaScript can convert the string back into binary, executable code.

After loading it into a disassembler, we can see that the unescaped executable code is stage one of a two-stage attack. The intent of stage one is to identify the open file handle of the malicious PDF to find a particular signature (which is called an egg by exploit writers). This signature (0×0A666F65 in this example) is immediately followed by stage two of the shellcode and (continue reading...)